Active Directory Issues

After messing with my new Rockstor install and re-installing a few times I have decided to reach out to see if anyone knows how to help; A little bit of background: my old Rockstor install was offline for a while because the machine was in storage while I was re-arranging things. I found that 3.9 was no longer supported and there were SSL certificate issues, so I installed 4.5.8 and imported my pools into that. So after all is said and done I wanted to rejoin it to my home lab domain so that I could access shares without having to worry about user management and this is where I started having problems.

I configured the NTP and Samba service just fine, configured the network connection to point to my DNS servers (the domain controllers) and to have a static ip. Then I used the Active Directory service to join the domain. I get an error that the NAS is already a member of the domain (even though itā€™s not) and the service immediately disables itself. Iā€™ve checked the domain controllers and they do not have an active directory object for the NAS anywhere in active directory. I tried ā€˜sudo realm join --membership-software=samba --client-software=winbind SANDOM(dot)COM -U Administratorā€™ on the command line and experience the same issue, claiming the domain was already joined. If I join the domain with only ā€˜sudo realm join SANDOM(dot)COM -U Administratorā€™ the join works and an object is created in Active Directory. I can then turn on the Active Directory service, however no users or groups are ever enumerated into rockstor and other communication issues seem to occur.

Leaving the realm with ā€˜sudo realm leave SANDOM(dot)COM -removeā€™ does remove the machine from active directory however samba and winbind seem to still think they are joined to the domain, as joining with with the --membership-software and --client-software arguments does not work, claiming once more that they are already domain joined. Rejoining the domain without the arguments works fine, but again no groups or users are ever enumerated.

I have a ubuntu docker server joined to the domain by hand with SSSD with no issues. Iā€™m not familiar with OpenSUSE or that familiar with Rockstor even, but I checked the configuration files in SSSD and Samba between the two different systems and everything seems correct.

I really want to continue to use Rockstor instead of switching NAS solutions, especially since itā€™s hardware requirements are more reasonable than anything that uses ZFS. Does anyone know the best way to proceed to resolve this issue?

Edit: I had to replace the dot in dot com on this post because it thinks I was trying to add URLS, and as a new user I canā€™t add more than two; so ignore that. In the actual config files everything is normal.

1 Like

@ocelot11 welcome to the rockstor community.
I donā€™t have much Active Directory experience (other than a frustrated business user :slight_smile: when it doesnā€™t work on my domain machine).

My understanding is that there are 2 options to run with the Active Directory, either via sssd or via winbind, but not both (based on this):

From the Rockstor documentation, we are relying on sssd for AD:
https://rockstor.com/docs/interface/system/services.html#active-directory-ad

so your ā€œsimulationā€ via the command line is probably more closely related to the second realm join command you posted. Did you then manually also maintain the sssd.conf file to contain the explicit enumeration option?

[domain/<domainname>]
enumerate = true

following the FAQs here:
https://docs.pagure.org/sssd.sssd/users/faq.html#when-should-i-enable-enumeration-in-sssd-or-why-is-enumeration-disabled-by-default

I assume, aside from the messages youā€™re not seeing anything in the logs thatā€™s related to the service attempting to start, discover, etc.?

Sorry, not of very much help but wanted to see whether there is even more info you can possibly tease out and post for others with AD experience to follow-up on.

2 Likes

Actually you were a big help. Adding ā€œenumerate = trueā€ to /etc/sssd/sssd.conf fixed the problem! I didnā€™t even think to check because I had the option ticked in the web gui! Thanks!

2 Likes

Oh I spoke too soon. Users appear now but whenever I try and assign them to a share I receive this error:
Traceback (most recent call last):
File ā€œ/opt/rockstor/src/rockstor/rest_framework_custom/generic_view.pyā€, line 41, in _handle_exception
yield
File ā€œ/opt/rockstor/src/rockstor/storageadmin/views/samba.pyā€, line 239, in put
self._set_admin_users(admin_users, smbo)
File ā€œ/opt/rockstor/src/rockstor/storageadmin/views/samba.pyā€, line 141, in _set_admin_users
auo.smb_shares.add(smb_share)
UnboundLocalError: local variable ā€˜auoā€™ referenced before assignment

1 Like

Interesting. Seems that something goes wrong in this method here:

in the last line (line 141) when it tries to add the smb share

@phillxnet, @Flox Iā€™m out of my depth here, since I would have expected that a failure to create the auo object earlier in the method would be caught by the except construct ā€¦ Is it that the finally block is run regardless, so since the save is in there, it will try execute that line and hence run into the above error message?

Of course, the underlying question is why there are issues assigning the auo ā€¦

2 Likes

Thanks a lot @Hooverdan for taking the time to get us that farā€¦ It seems we do have some issue with fetching an SSSD user there.

@ocelot11, Iā€™ll have to have a better look at that but Iā€™m unfortunately too short on time for tonight. Iā€™ll try to refresh myself on that area of Rockstor tomorrow if I can get some free time; Iā€™m under quite a workload at work for the moment but Iā€™ll do my best to have at least a better look at how we are fetching admin users in samba.

In the meantime, you seem to have encountered a few issues that shouldnā€™t have appeared so Iā€™ll try to look at those too. Thus, to make sure I understood correctly:

  • you did check the enumerate checkbox in the UI but when visiting the users page you couldnā€™t see any domain users? Same with groups?
  • the domain users do show as options when exporting a Samba share; it just gives you the error you pasted when submitting the formā€¦ Is that correct?

Donā€™t hesitate to ping this thread again if you donā€™t hear back from me tomorrow (US eastern time). As mentioned, I should be rather swamped at work but Iā€™m hoping to be able to get some time to spend on this.

3 Likes

Thanks @Flox and @Hooverdan too. Iā€™m afraid Iā€™m a bit out of my depth here too. Yes thats correct. They only appeared after manually changing the sssd config, the enumeration checkbox did not work. They appear in both users/groups and when exporting a samba share, however the export fails with the error above.

3 Likes

Hi @ocelot11,

I think I have an inkling as to what is happening here. To confirm, you can edit that samba export without problem if you do not add an admin user, or if you choose a ā€œlocalā€ (non AD) user as admin user, is that correct?

2 Likes

Yes, thatā€™s correct.

2 Likes

Hey @Flox, was just wondering if you had any updates on figuring out what the issue was. No problem if your busy! I appricaited the support!

Hi @ocelot11 ,

My apologies on the delay here, but thank you for your understanding. It has been really busy at work for me lately so I didnā€™t have time to get my AD test server back in shape until yesterday.
That being said, it means I finally have all I need to try and reproduce your issue here so Iā€™ll get on that as soon as I can.

Sorry again for the delay, and thank you for your patience, I appreciate it.

2 Likes

Hi @ocelot11 ,

I finally could take the time to try joining an AD and it worked for me without the errors you described.
As a result, my best guess so far is that there must be some conflict that appeared after the different attempts you had to make. We could try to troubleshoot that part for you, but I think the most important thing is that I can reproduce the error you have above when creating a new Samba export:

[11/Apr/2023 17:40:47] ERROR [storageadmin.util:45] Exception: local variable 'auo' referenced before assignment
Traceback (most recent call last):
  File "/opt/rockstor/src/rockstor/rest_framework_custom/generic_view.py", line 41, in _handle_exception
    yield
  File "/opt/rockstor/src/rockstor/storageadmin/views/samba.py", line 191, in create_samba_share
    self._set_admin_users(admin_users, smb_share)
  File "/opt/rockstor/src/rockstor/storageadmin/views/samba.py", line 141, in _set_admin_users
    auo.smb_shares.add(smb_share)
UnboundLocalError: local variable 'auo' referenced before assignment
[11/Apr/2023 17:40:47] DEBUG [storageadmin.util:46] Current Rockstor version: 4.5.8-0

Now that I have that, I can try to see what is going on here.

Sorry for not yet having a fix, but at least Iā€™m now setup to try to figure it out.

2 Likes

@ocelot11:

Iā€™ve now narrowed it down to an issue similar to what surfaced shortly after we implemented SSSD for this and was fixed then:

Similar to what is described in that resolved issue, a first workaround is to either restart the rockstor service (systemctl restart rockstor) or reboot the Rockstor machine and then you should be able to create a Samba export using an AD user as admin user. Can you confirm that this workaround work for you?

Iā€™ll get on to getting a proper fix in the meantime.

1 Like

I have now created an issue on our Github repository:

We already fixed a very similar issue so we can follow the same approach to fix this one but itā€™ll need a bit more verification before committing. Iā€™ll update that Github issue accordingly.

2 Likes

@ocelot11,
A corresponding PR to fix that issue has now been submitted:

Weā€™ll update this post accordingly.

I also wanted to thank again that report as it has not only highlighted a couple bits such as these that could be made more robust, but it also led us to uncover two others small upstream issues. One of them has already been fixed by upstream SSSD in their more recent releases. The other relates to the specific packaging of realmd in openSUSE, and we have now submitted a bug and a fix upstream. A good example of how a bug report has the potential to benefit not only other Rockstor users, but also our upstream packages :slight_smile: . So thanks again, @ocelot11!

2 Likes

Not at all, I should be thanking you, the community, and especially the folks who are patching this! Sorry for the late reply, life got hectic for a bit, but I will be keeping my eye out for the fix! If I experience any other issues Iā€™ll be sure to report it. Thank you!

3 Likes

Iā€™ve updated the system and since I can add users to shares, however now whenever I try and access the shares on the boxes I get the error ā€œThere are currently no logon servers available to service the logon requestā€. In the samba log file I can see that it fails to contact the domain controller due to some kind password issue with the machine account, if Iā€™m understanding this correctly.

  Connecting to 172.16.0.20 at port 389
[2023/04/19 19:42:42.724167,  3] ../../source3/libads/ldap.c:762(ads_connect)
  Connected to LDAP server Ocelot11-Ark.O11LAN.NET
[2023/04/19 19:42:42.726008,  3] ../../source3/libads/sasl.c:543(ads_sasl_spnego_bind)
  ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.30
[2023/04/19 19:42:42.726063,  3] ../../source3/libads/sasl.c:543(ads_sasl_spnego_bind)
  ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
[2023/04/19 19:42:42.726076,  3] ../../source3/libads/sasl.c:543(ads_sasl_spnego_bind)
  ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
[2023/04/19 19:42:42.726088,  3] ../../source3/libads/sasl.c:543(ads_sasl_spnego_bind)
  ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2.3
[2023/04/19 19:42:42.726100,  3] ../../source3/libads/sasl.c:543(ads_sasl_spnego_bind)
  ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
[2023/04/19 19:42:42.727950,  3] ../../auth/gensec/gensec_start.c:1083(gensec_register)
  GENSEC backend 'gssapi_spnego' registered
[2023/04/19 19:42:42.728062,  3] ../../auth/gensec/gensec_start.c:1083(gensec_register)
  GENSEC backend 'gssapi_krb5' registered
[2023/04/19 19:42:42.728077,  3] ../../auth/gensec/gensec_start.c:1083(gensec_register)
  GENSEC backend 'gssapi_krb5_sasl' registered
[2023/04/19 19:42:42.728090,  3] ../../auth/gensec/gensec_start.c:1083(gensec_register)
  GENSEC backend 'spnego' registered
[2023/04/19 19:42:42.728104,  3] ../../auth/gensec/gensec_start.c:1083(gensec_register)
  GENSEC backend 'schannel' registered
[2023/04/19 19:42:42.728117,  3] ../../auth/gensec/gensec_start.c:1083(gensec_register)
  GENSEC backend 'naclrpc_as_system' registered
[2023/04/19 19:42:42.728131,  3] ../../auth/gensec/gensec_start.c:1083(gensec_register)
  GENSEC backend 'sasl-EXTERNAL' registered
[2023/04/19 19:42:42.728144,  3] ../../auth/gensec/gensec_start.c:1083(gensec_register)
  GENSEC backend 'ntlmssp' registered
[2023/04/19 19:42:42.728157,  3] ../../auth/gensec/gensec_start.c:1083(gensec_register)
  GENSEC backend 'ntlmssp_resume_ccache' registered
[2023/04/19 19:42:42.728170,  3] ../../auth/gensec/gensec_start.c:1083(gensec_register)
  GENSEC backend 'http_basic' registered
[2023/04/19 19:42:42.728183,  3] ../../auth/gensec/gensec_start.c:1083(gensec_register)
  GENSEC backend 'http_ntlm' registered
[2023/04/19 19:42:42.728200,  3] ../../auth/gensec/gensec_start.c:1083(gensec_register)
  GENSEC backend 'http_negotiate' registered
[2023/04/19 19:42:42.728213,  3] ../../auth/gensec/gensec_start.c:1083(gensec_register)
  GENSEC backend 'krb5' registered
[2023/04/19 19:42:42.728226,  3] ../../auth/gensec/gensec_start.c:1083(gensec_register)
  GENSEC backend 'fake_gssapi_krb5' registered
[2023/04/19 19:42:42.729236,  1] ../../auth/gensec/spnego.c:418(gensec_spnego_create_negTokenInit_step)
  gensec_spnego_create_negTokenInit_step: Failed to setup SPNEGO negTokenInit request
[2023/04/19 19:42:42.729311,  1] ../../source3/libads/sasl.c:644(ads_sasl_spnego_bind)
  ads_sasl_spnego_gensec_bind(KRB5) failed for ldap/ocelot11-ark.o11lan.net with user[OCELOT11-NAS$] realm=[O11LAN.NET]: Cannot read password
[2023/04/19 19:42:42.729335,  3] ../../source3/printing/nt_printing_ads.c:756(check_published_printers)
  ads_connect failed: Cannot read password
[2023/04/19 19:42:42.729644,  0] ../../source3/printing/nt_printing.c:233(nt_printing_init)
  nt_printing_init: error checking published printers: WERR_ACCESS_DENIED
[2023/04/19 19:42:42.729733,  3] ../../source3/printing/queue_process.c:359(start_background_queue)
  start_background_queue: Starting background LPQ thread
[2023/04/19 19:42:42.859684,  1] ../../source3/printing/printer_list.c:255(printer_list_get_last_refresh)
  Failed to fetch record!
[2023/04/19 19:42:42.859773,  2] ../../source3/smbd/server.c:1364(smbd_parent_loop)
  waiting for connections
[2023/04/19 19:42:48.250431,  2] ../../source3/lib/tallocmsg.c:84(register_msg_pool_usage)
1 Like

Using sssctl i can see the domain info is set correctly and it shows the connection as online. Iā€™m not savvy in the lower-level workings of these packages or the OS, but I did read the github issues you raised and shared and Iā€™m wondering if this is related to those issues. Either way, if you need any logs or config files or anything I can send them over. Just let me know. Thanks!

2 Likes

Mmmā€¦ There is one thing about which I was wondering but I have not yet seen its consequences. I this wonder if that is it.
Would you mind sharing your /etc/sssd/sssd.conf file? As I know you initially had issues with turning the AD service on and had to do some things manually, I would like to verify a few things.
A paste of your smb.conf file as well could prove useful. You can of course anonymize anything youā€™d like.

2 Likes

Hi @Flox, sorry for the wait.

This is my SSSD (interestingly, I was able to use smbclient to dump these onto the AD server with little issue. I donā€™t know if that info helps.):

[sssd]
config_file_version = 2
services = nss, pam
domains = O11LAN.NET
# SSSD will not start if you do not configure any domains.
# Add new domain configurations as [domain/<NAME>] sections, and
# then add the list of domains (in the order you want them to be
# queried) to the "domains" attribute below and uncomment it.
; domains = LDAP

[nss]

[pam]

# Example LDAP domain
; [domain/LDAP]
; id_provider = ldap
; auth_provider = ldap
# ldap_schema can be set to "rfc2307", which stores group member names in the
# "memberuid" attribute, or to "rfc2307bis", which stores group member DNs in
# the "member" attribute. If you do not know this value, ask your LDAP
# administrator.
; ldap_schema = rfc2307
; ldap_uri = ldap://ldap.mydomain.org
; ldap_search_base = dc=mydomain,dc=org
# Note that enabling enumeration will have a moderate performance impact.
# Consequently, the default value for enumeration is FALSE.
# Refer to the sssd.conf man page for full details.
; enumerate = false
# Allow offline logins by locally storing password hashes (default: false).
; cache_credentials = true

# An example Active Directory domain. Please note that this configuration
# works for AD 2003R2 and AD 2008, because they use pretty much RFC2307bis
# compliant attribute names. To support UNIX clients with AD 2003 or older,
# you must install Microsoft Services For UNIX and map LDAP attributes onto
# msSFU30* attribute names.
; [domain/AD]
; id_provider = ldap
; auth_provider = krb5
; chpass_provider = krb5
;
; ldap_uri = ldap://your.ad.example.com
; ldap_search_base = dc=example,dc=com
; ldap_schema = rfc2307bis
; ldap_sasl_mech = GSSAPI
; ldap_user_object_class = user
; ldap_group_object_class = group
; ldap_user_home_directory = unixHomeDirectory
; ldap_user_principal = userPrincipalName
; ldap_account_expire_policy = ad
; ldap_force_upper_case_realm = true
;
; krb5_server = your.ad.example.com
; krb5_realm = EXAMPLE.COM

[domain/O11LAN.NET]
default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = O11LAN.NET
realmd_tags = manages-system joined-with-adcli 
id_provider = ad
fallback_homedir = /home/%u@%d
ad_domain = O11LAN.NET
use_fully_qualified_names = True
ldap_id_mapping = True
access_provider = simple
enumerate = True
simple_allow_groups = %domain admins@O11LAN.NET %domain users@O11LAN.NET

And here is my smb.conf (Note I blocked out users and names for privacy, but I left my domain name so there is no confusion when trying to debunk the problem.)

[global]
    log level = 3
    map to guest = Bad User
    cups options = raw
    log file = /var/log/samba/log.%m
    printcap name = /dev/null
    load printers = no

####BEGIN: Rockstor SAMBA GLOBAL CUSTOM####
    workgroup = O11LAN
####END: Rockstor SAMBA GLOBAL CUSTOM####

####BEGIN: Rockstor ACTIVE DIRECTORY CONFIG####
    security = ads
    realm = O11LAN.NET
    kerberos method = secrets and keytab
    client signing = yes
    client use spnego = yes
####END: Rockstor ACTIVE DIRECTORY CONFIG####

####BEGIN: Rockstor SAMBA CONFIG####
[------.Share]
    root preexec = "/opt/rockstor/.venv/bin/mnt-share ------.Share"
    root preexec close = yes
    comment = Person's NAS Share
    path = /mnt2/------.Share
    browseable = no
    read only = no
    guest ok = no
    admin users = --------------@O11LAN.NET -------- --------------@O11LAN.NET 
    shadow:format = .BAG__%Y%m%d%H%M
    shadow:basedir = /mnt2/------.Share
    shadow:snapdir = ./
    shadow:sort = desc
    shadow:localtime = yes
    vfs objects = shadow_copy2
    veto files = /.BAG_*/
[Video.Share]
    root preexec = "/opt/rockstor/.venv/bin/mnt-share Video.Share"
    root preexec close = yes
    comment = Movies and Shows
    path = /mnt2/Video.Share
    browseable = yes
    read only = no
    guest ok = yes
    admin users = ------ ----------------@O11LAN.NET ------------@O11LAN.NET -----------------@O11LAN.NET -----------------@O11LAN.NET ------------------@O11LAN.NET -------------@O11LAN.NET -------------------@O11LAN.NET -----------------@O11LAN.NET 
    shadow:format = .VID__%Y%m%d%H%M
    shadow:basedir = /mnt2/Video.Share
    shadow:snapdir = ./
    shadow:sort = desc
    shadow:localtime = yes
    vfs objects = shadow_copy2
    veto files = /.VID_*/
[Recording.Share]
    root preexec = "/opt/rockstor/.venv/bin/mnt-share Recording.Share"
    root preexec close = yes
    comment = OBS and Recordings
    path = /mnt2/Recording.Share
    browseable = no
    read only = no
    guest ok = no
    admin users = ----------------@O11LAN.NET -----------------@O11LAN.NET --------- --------------@O11LAN.NET 
    shadow:format = .REC__%Y%m%d%H%M
    shadow:basedir = /mnt2/Recording.Share
    shadow:snapdir = ./
    shadow:sort = desc
    shadow:localtime = yes
    vfs objects = shadow_copy2
    veto files = /.REC_*/
[Public.Share]
    root preexec = "/opt/rockstor/.venv/bin/mnt-share Public.Share"
    root preexec close = yes
    comment = Public Files and Documents
    path = /mnt2/Public.Share
    browseable = yes
    read only = no
    guest ok = yes
    admin users = ------ ---------------@O11LAN.NET -----------------@O11LAN.NET -------------------@O11LAN.NET ---------------------@O11LAN.NET -----------------@O11LAN.NET -------------@O11LAN.NET ------------------@O11LAN.NET ------------------@O11LAN.NET 
    shadow:format = .PUB__%Y%m%d%H%M
    shadow:basedir = /mnt2/Public.Share
    shadow:snapdir = ./
    shadow:sort = desc
    shadow:localtime = yes
    vfs objects = shadow_copy2
    veto files = /.PUB_*/
[Music.Share]
    root preexec = "/opt/rockstor/.venv/bin/mnt-share Music.Share"
    root preexec close = yes
    comment = Songs and Music Videos
    path = /mnt2/Music.Share
    browseable = yes
    read only = no
    guest ok = yes
    admin users = ------ ---------------@O11LAN.NET -----------------@O11LAN.NET -------------------@O11LAN.NET ---------------------@O11LAN.NET -----------------@O11LAN.NET -------------@O11LAN.NET ------------------@O11LAN.NET ------------------@O11LAN.NET 
    shadow:format = .MUS__%Y%m%d%H%M
    shadow:basedir = /mnt2/Music.Share
    shadow:snapdir = ./
    shadow:sort = desc
    shadow:localtime = yes
    vfs objects = shadow_copy2
    veto files = /.MUS_*/
[Game.Share]
    root preexec = "/opt/rockstor/.venv/bin/mnt-share Game.Share"
    root preexec close = yes
    comment = Game Files and Saves
    path = /mnt2/Game.Share
    browseable = yes
    read only = no
    guest ok = yes
    admin users = ------ ---------------@O11LAN.NET -----------------@O11LAN.NET -------------------@O11LAN.NET ---------------------@O11LAN.NET -----------------@O11LAN.NET -------------@O11LAN.NET ------------------@O11LAN.NET ------------------@O11LAN.NET 
    shadow:format = .GME__%Y%m%d%H%M
    shadow:basedir = /mnt2/Game.Share
    shadow:snapdir = ./
    shadow:sort = desc
    shadow:localtime = yes
    vfs objects = shadow_copy2
    veto files = /.GME_*/
[------.Share]
    root preexec = "/opt/rockstor/.venv/bin/mnt-share -------.Share"
    root preexec close = yes
    comment = Person's NAS Share
    path = /mnt2/------.Share
    browseable = no
    read only = no
    guest ok = no
    admin users = -----------------@O11LAN.NET -----------------@O11LAN.NET ------ ------------@O11LAN.NET 
    shadow:format = .AMS__%Y%m%d%H%M
    shadow:basedir = /mnt2/------.Share
    shadow:snapdir = ./
    shadow:sort = desc
    shadow:localtime = yes
    vfs objects = shadow_copy2
    veto files = /.AMS_*/
####END: Rockstor SAMBA CONFIG####
3 Likes