After messing with my new Rockstor install and re-installing a few times I have decided to reach out to see if anyone knows how to help. A little bit of background: my old Rockstor install was offline for a while because the machine was in storage while I was re-arranging things. I found that 3.9 was no longer supported and there were SSL certificate issues, so I installed 4.5.8 and imported my pools into that. So after all is said and done I wanted to rejoin it to my home lab domain so that I could access shares without having to worry about user management, and this is where I started having problems.
I configured the NTP and Samba service just fine, configured the network connection to point to my DNS servers (the domain controllers) and to have a static IP. Then I used the Active Directory service to join the domain. I get an error that the NAS is already a member of the domain (even though it's not) and the service immediately disables itself. I've checked the domain controllers and they do not have an Active Directory object for the NAS anywhere in Active Directory. I tried "sudo realm join --membership-software=samba --client-software=winbind SANDOM(dot)COM -U Administrator" on the command line and experience the same issue, claiming the domain was already joined. If I join the domain with only "sudo realm join SANDOM(dot)COM -U Administrator" the join works and an object is created in Active Directory. I can then turn on the Active Directory service, however no users or groups are ever enumerated into Rockstor and other communication issues seem to occur.
Leaving the realm with "sudo realm leave SANDOM(dot)COM -remove" does remove the machine from Active Directory, however Samba and winbind seem to still think they are joined to the domain, as joining with the --membership-software and --client-software arguments does not work, claiming once more that they are already domain joined. Rejoining the domain without the arguments works fine, but again no groups or users are ever enumerated.
I have an Ubuntu Docker server joined to the domain by hand with SSSD with no issues. I'm not familiar with openSUSE or that familiar with Rockstor even, but I checked the configuration files in SSSD and Samba between the two different systems and everything seems correct.
I really want to continue to use Rockstor instead of switching NAS solutions, especially since its hardware requirements are more reasonable than anything that uses ZFS. Does anyone know the best way to proceed to resolve this issue?
Edit: I had to replace the dot in "dot com" on this post because it thinks I was trying to add URLs, and as a new user I can't add more than two; so ignore that. In the actual config files everything is normal.
@ocelot11 welcome to the rockstor community.
I don't have much Active Directory experience (other than as a frustrated business user when it doesn't work on my domain machine).
My understanding is that there are 2 options to run with the Active Directory, either via sssd or via winbind, but not both (based on this):
so your "simulation" via the command line is probably more closely related to the second realm join command you posted. Did you then manually also maintain the sssd.conf file to contain the explicit enumeration option?
I assume, aside from the messages, you're not seeing anything in the logs that's related to the service attempting to start, discover, etc.?
Sorry, not of very much help but wanted to see whether there is even more info you can possibly tease out and post for others with AD experience to follow-up on.
Actually you were a big help. Adding "enumerate = true" to /etc/sssd/sssd.conf fixed the problem! I didn't even think to check because I had the option ticked in the web GUI! Thanks!
Oh I spoke too soon. Users appear now but whenever I try and assign them to a share I receive this error:
Traceback (most recent call last):
File "/opt/rockstor/src/rockstor/rest_framework_custom/generic_view.py", line 41, in _handle_exception
yield
File "/opt/rockstor/src/rockstor/storageadmin/views/samba.py", line 239, in put
self._set_admin_users(admin_users, smbo)
File "/opt/rockstor/src/rockstor/storageadmin/views/samba.py", line 141, in _set_admin_users
auo.smb_shares.add(smb_share)
UnboundLocalError: local variable 'auo' referenced before assignment
Interesting. Seems that something goes wrong in this method here:
in the last line (line 141) when it tries to add the smb share
@phillxnet, @Flox I'm out of my depth here, since I would have expected that a failure to create the auo object earlier in the method would be caught by the except construct… Is it that the finally block is run regardless, so since the save is in there, it will try to execute that line and hence run into the above error message?
Of course, the underlying question is why there are issues assigning the auo…
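To make the try/except/finally question above concrete, here is an added illustration (not Rockstor's own code; the class and function names are hypothetical stand-ins for the real `_set_admin_users` method). The first function has the shape that produces the traceback: the user lookup inside `try` raises, `except` only logs, and `finally` still runs and touches `auo`, which was never bound. The second function binds `auo` before the `try` and only performs the share assignment on the success path.

```python
"""Added example: why a finally block can raise UnboundLocalError even though
the exception itself was caught. All names here are hypothetical stand-ins."""


class SmbShare:
    """Stand-in for a Samba export record."""

    def __init__(self, name):
        self.name = name


class AdminUser:
    """Stand-in for the user object ('auo') that gets linked to shares."""

    def __init__(self, username):
        self.username = username
        self.smb_shares = set()


class UserLookupError(Exception):
    """Raised by the stand-in lookup when a user cannot be fetched (e.g. an NSS/SSSD miss)."""


def lookup_user(username, directory):
    """Hypothetical lookup against an in-memory 'directory' (dict) instead of SSSD."""
    if username not in directory:
        raise UserLookupError(f"user not found: {username}")
    return directory[username]


def set_admin_user_fragile(username, share, directory, log):
    """Mirrors the failing shape: except swallows the lookup error, finally uses 'auo' anyway."""
    try:
        auo = lookup_user(username, directory)
    except UserLookupError as exc:
        log.append(f"lookup failed: {exc}")
    finally:
        # finally runs regardless of what happened in try; if the lookup raised,
        # 'auo' was never bound and this line raises UnboundLocalError.
        auo.smb_shares.add(share)
    return auo


def set_admin_user_robust(username, share, directory, log):
    """Bind before try; assign the share only when the lookup actually succeeded."""
    auo = None
    try:
        auo = lookup_user(username, directory)
    except UserLookupError as exc:
        log.append(f"lookup failed: {exc}")
        return None  # report failure to the caller instead of touching an unbound name
    auo.smb_shares.add(share)
    return auo


def demo():
    """Run both variants against a present and a missing user; return what happened."""
    directory = {"alice@EXAMPLE.NET": AdminUser("alice@EXAMPLE.NET")}  # constructed sample
    share = SmbShare("Video.Share")
    results = {}
    for label, func in (("fragile", set_admin_user_fragile), ("robust", set_admin_user_robust)):
        log = []
        ok = func("alice@EXAMPLE.NET", share, directory, log)
        results[f"{label}_present"] = ok is not None and share in ok.smb_shares
        try:
            missing = func("bob@EXAMPLE.NET", share, directory, log)
            results[f"{label}_missing"] = "None" if missing is None else "object"
        except UnboundLocalError as exc:
            results[f"{label}_missing"] = type(exc).__name__
        results[f"{label}_log"] = log
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Note that in the fragile variant the log entry is written (the except clause did run), which is why the earlier exception looks "caught"; the UnboundLocalError is a second, separate exception raised by the finally block itself.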
Thanks a lot @Hooverdan for taking the time to get us that far… It seems we do have some issue with fetching an SSSD user there.
@ocelot11, I'll have to have a better look at that but I'm unfortunately too short on time for tonight. I'll try to refresh myself on that area of Rockstor tomorrow if I can get some free time; I'm under quite a workload at work for the moment but I'll do my best to have at least a better look at how we are fetching admin users in samba.
In the meantime, you seem to have encountered a few issues that shouldn't have appeared so I'll try to look at those too. Thus, to make sure I understood correctly:
you did check the enumerate checkbox in the UI but when visiting the users page you couldn't see any domain users? Same with groups?
the domain users do show as options when exporting a Samba share; it just gives you the error you pasted when submitting the form… Is that correct?
Don't hesitate to ping this thread again if you don't hear back from me tomorrow (US eastern time). As mentioned, I should be rather swamped at work but I'm hoping to be able to get some time to spend on this.
Thanks @Flox and @Hooverdan too. I'm afraid I'm a bit out of my depth here too. Yes, that's correct. They only appeared after manually changing the sssd config; the enumeration checkbox did not work. They appear in both users/groups and when exporting a samba share, however the export fails with the error above.
I think I have an inkling as to what is happening here. To confirm, you can edit that samba export without problem if you do not add an admin user, or if you choose a "local" (non AD) user as admin user, is that correct?
My apologies on the delay here, but thank you for your understanding. It has been really busy at work for me lately so I didn't have time to get my AD test server back in shape until yesterday.
That being said, it means I finally have all I need to try and reproduce your issue here so I'll get on that as soon as I can.
Sorry again for the delay, and thank you for your patience, I appreciate it.
I finally could take the time to try joining an AD and it worked for me without the errors you described.
As a result, my best guess so far is that there must be some conflict that appeared after the different attempts you had to make. We could try to troubleshoot that part for you, but I think the most important thing is that I can reproduce the error you have above when creating a new Samba export:
[11/Apr/2023 17:40:47] ERROR [storageadmin.util:45] Exception: local variable 'auo' referenced before assignment
Traceback (most recent call last):
File "/opt/rockstor/src/rockstor/rest_framework_custom/generic_view.py", line 41, in _handle_exception
yield
File "/opt/rockstor/src/rockstor/storageadmin/views/samba.py", line 191, in create_samba_share
self._set_admin_users(admin_users, smb_share)
File "/opt/rockstor/src/rockstor/storageadmin/views/samba.py", line 141, in _set_admin_users
auo.smb_shares.add(smb_share)
UnboundLocalError: local variable 'auo' referenced before assignment
[11/Apr/2023 17:40:47] DEBUG [storageadmin.util:46] Current Rockstor version: 4.5.8-0
Now that I have that, I can try to see what is going on here.
Sorry for not yet having a fix, but at least I'm now set up to try to figure it out.
I've now narrowed it down to an issue similar to what surfaced shortly after we implemented SSSD for this and was fixed then:
Similar to what is described in that resolved issue, a first workaround is to either restart the rockstor service (systemctl restart rockstor) or reboot the Rockstor machine, and then you should be able to create a Samba export using an AD user as admin user. Can you confirm that this workaround works for you?
I'll get on to getting a proper fix in the meantime.
I have now created an issue on our Github repository:
We already fixed a very similar issue so we can follow the same approach to fix this one but it'll need a bit more verification before committing. I'll update that Github issue accordingly.
@ocelot11,
A corresponding PR to fix that issue has now been submitted:
We'll update this post accordingly.
I also wanted to thank you again for that report, as it has not only highlighted a couple of bits such as these that could be made more robust, but it also led us to uncover two other small upstream issues. One of them has already been fixed by upstream SSSD in their more recent releases. The other relates to the specific packaging of realmd in openSUSE, and we have now submitted a bug and a fix upstream. A good example of how a bug report has the potential to benefit not only other Rockstor users, but also our upstream packages. So thanks again, @ocelot11!
Not at all, I should be thanking you, the community, and especially the folks who are patching this! Sorry for the late reply, life got hectic for a bit, but I will be keeping my eye out for the fix! If I experience any other issues I'll be sure to report them. Thank you!
I've updated the system and since then I can add users to shares, however now whenever I try and access the shares on the boxes I get the error "There are currently no logon servers available to service the logon request". In the samba log file I can see that it fails to contact the domain controller due to some kind of password issue with the machine account, if I'm understanding this correctly.
Using sssctl I can see the domain info is set correctly and it shows the connection as online. I'm not savvy in the lower-level workings of these packages or the OS, but I did read the github issues you raised and shared and I'm wondering if this is related to those issues. Either way, if you need any logs or config files or anything I can send them over. Just let me know. Thanks!
Mmm… There is one thing about which I was wondering but I have not yet seen its consequences. I thus wonder if that is it.
Would you mind sharing your /etc/sssd/sssd.conf file? As I know you initially had issues with turning the AD service on and had to do some things manually, I would like to verify a few things.
A paste of your smb.conf file as well could prove useful. You can of course anonymize anything you'd like.
This is my SSSD (interestingly, I was able to use smbclient to dump these onto the AD server with little issue. I don't know if that info helps.):
[sssd]
config_file_version = 2
services = nss, pam
domains = O11LAN.NET
# SSSD will not start if you do not configure any domains.
# Add new domain configurations as [domain/<NAME>] sections, and
# then add the list of domains (in the order you want them to be
# queried) to the "domains" attribute below and uncomment it.
; domains = LDAP
[nss]
[pam]
# Example LDAP domain
; [domain/LDAP]
; id_provider = ldap
; auth_provider = ldap
# ldap_schema can be set to "rfc2307", which stores group member names in the
# "memberuid" attribute, or to "rfc2307bis", which stores group member DNs in
# the "member" attribute. If you do not know this value, ask your LDAP
# administrator.
; ldap_schema = rfc2307
; ldap_uri = ldap://ldap.mydomain.org
; ldap_search_base = dc=mydomain,dc=org
# Note that enabling enumeration will have a moderate performance impact.
# Consequently, the default value for enumeration is FALSE.
# Refer to the sssd.conf man page for full details.
; enumerate = false
# Allow offline logins by locally storing password hashes (default: false).
; cache_credentials = true
# An example Active Directory domain. Please note that this configuration
# works for AD 2003R2 and AD 2008, because they use pretty much RFC2307bis
# compliant attribute names. To support UNIX clients with AD 2003 or older,
# you must install Microsoft Services For UNIX and map LDAP attributes onto
# msSFU30* attribute names.
; [domain/AD]
; id_provider = ldap
; auth_provider = krb5
; chpass_provider = krb5
;
; ldap_uri = ldap://your.ad.example.com
; ldap_search_base = dc=example,dc=com
; ldap_schema = rfc2307bis
; ldap_sasl_mech = GSSAPI
; ldap_user_object_class = user
; ldap_group_object_class = group
; ldap_user_home_directory = unixHomeDirectory
; ldap_user_principal = userPrincipalName
; ldap_account_expire_policy = ad
; ldap_force_upper_case_realm = true
;
; krb5_server = your.ad.example.com
; krb5_realm = EXAMPLE.COM
[domain/O11LAN.NET]
default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = O11LAN.NET
realmd_tags = manages-system joined-with-adcli
id_provider = ad
fallback_homedir = /home/%u@%d
ad_domain = O11LAN.NET
use_fully_qualified_names = True
ldap_id_mapping = True
access_provider = simple
enumerate = True
simple_allow_groups = %domain admins@O11LAN.NET %domain users@O11LAN.NET
And here is my smb.conf (Note I blocked out users and names for privacy, but I left my domain name so there is no confusion when trying to debunk the problem.)
[global]
log level = 3
map to guest = Bad User
cups options = raw
log file = /var/log/samba/log.%m
printcap name = /dev/null
load printers = no
####BEGIN: Rockstor SAMBA GLOBAL CUSTOM####
workgroup = O11LAN
####END: Rockstor SAMBA GLOBAL CUSTOM####
####BEGIN: Rockstor ACTIVE DIRECTORY CONFIG####
security = ads
realm = O11LAN.NET
kerberos method = secrets and keytab
client signing = yes
client use spnego = yes
####END: Rockstor ACTIVE DIRECTORY CONFIG####
####BEGIN: Rockstor SAMBA CONFIG####
[------.Share]
root preexec = "/opt/rockstor/.venv/bin/mnt-share ------.Share"
root preexec close = yes
comment = Person's NAS Share
path = /mnt2/------.Share
browseable = no
read only = no
guest ok = no
admin users = --------------@O11LAN.NET -------- --------------@O11LAN.NET
shadow:format = .BAG__%Y%m%d%H%M
shadow:basedir = /mnt2/------.Share
shadow:snapdir = ./
shadow:sort = desc
shadow:localtime = yes
vfs objects = shadow_copy2
veto files = /.BAG_*/
[Video.Share]
root preexec = "/opt/rockstor/.venv/bin/mnt-share Video.Share"
root preexec close = yes
comment = Movies and Shows
path = /mnt2/Video.Share
browseable = yes
read only = no
guest ok = yes
admin users = ------ ----------------@O11LAN.NET ------------@O11LAN.NET -----------------@O11LAN.NET -----------------@O11LAN.NET ------------------@O11LAN.NET -------------@O11LAN.NET -------------------@O11LAN.NET -----------------@O11LAN.NET
shadow:format = .VID__%Y%m%d%H%M
shadow:basedir = /mnt2/Video.Share
shadow:snapdir = ./
shadow:sort = desc
shadow:localtime = yes
vfs objects = shadow_copy2
veto files = /.VID_*/
[Recording.Share]
root preexec = "/opt/rockstor/.venv/bin/mnt-share Recording.Share"
root preexec close = yes
comment = OBS and Recordings
path = /mnt2/Recording.Share
browseable = no
read only = no
guest ok = no
admin users = ----------------@O11LAN.NET -----------------@O11LAN.NET --------- --------------@O11LAN.NET
shadow:format = .REC__%Y%m%d%H%M
shadow:basedir = /mnt2/Recording.Share
shadow:snapdir = ./
shadow:sort = desc
shadow:localtime = yes
vfs objects = shadow_copy2
veto files = /.REC_*/
[Public.Share]
root preexec = "/opt/rockstor/.venv/bin/mnt-share Public.Share"
root preexec close = yes
comment = Public Files and Documents
path = /mnt2/Public.Share
browseable = yes
read only = no
guest ok = yes
admin users = ------ ---------------@O11LAN.NET -----------------@O11LAN.NET -------------------@O11LAN.NET ---------------------@O11LAN.NET -----------------@O11LAN.NET -------------@O11LAN.NET ------------------@O11LAN.NET ------------------@O11LAN.NET
shadow:format = .PUB__%Y%m%d%H%M
shadow:basedir = /mnt2/Public.Share
shadow:snapdir = ./
shadow:sort = desc
shadow:localtime = yes
vfs objects = shadow_copy2
veto files = /.PUB_*/
[Music.Share]
root preexec = "/opt/rockstor/.venv/bin/mnt-share Music.Share"
root preexec close = yes
comment = Songs and Music Videos
path = /mnt2/Music.Share
browseable = yes
read only = no
guest ok = yes
admin users = ------ ---------------@O11LAN.NET -----------------@O11LAN.NET -------------------@O11LAN.NET ---------------------@O11LAN.NET -----------------@O11LAN.NET -------------@O11LAN.NET ------------------@O11LAN.NET ------------------@O11LAN.NET
shadow:format = .MUS__%Y%m%d%H%M
shadow:basedir = /mnt2/Music.Share
shadow:snapdir = ./
shadow:sort = desc
shadow:localtime = yes
vfs objects = shadow_copy2
veto files = /.MUS_*/
[Game.Share]
root preexec = "/opt/rockstor/.venv/bin/mnt-share Game.Share"
root preexec close = yes
comment = Game Files and Saves
path = /mnt2/Game.Share
browseable = yes
read only = no
guest ok = yes
admin users = ------ ---------------@O11LAN.NET -----------------@O11LAN.NET -------------------@O11LAN.NET ---------------------@O11LAN.NET -----------------@O11LAN.NET -------------@O11LAN.NET ------------------@O11LAN.NET ------------------@O11LAN.NET
shadow:format = .GME__%Y%m%d%H%M
shadow:basedir = /mnt2/Game.Share
shadow:snapdir = ./
shadow:sort = desc
shadow:localtime = yes
vfs objects = shadow_copy2
veto files = /.GME_*/
[------.Share]
root preexec = "/opt/rockstor/.venv/bin/mnt-share -------.Share"
root preexec close = yes
comment = Person's NAS Share
path = /mnt2/------.Share
browseable = no
read only = no
guest ok = no
admin users = -----------------@O11LAN.NET -----------------@O11LAN.NET ------ ------------@O11LAN.NET
shadow:format = .AMS__%Y%m%d%H%M
shadow:basedir = /mnt2/------.Share
shadow:snapdir = ./
shadow:sort = desc
shadow:localtime = yes
vfs objects = shadow_copy2
veto files = /.AMS_*/
####END: Rockstor SAMBA CONFIG####
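Since the turning point earlier in the thread was an `enumerate` line that the web GUI checkbox had not actually written to /etc/sssd/sssd.conf, here is an added checker (my own example, not Rockstor's code) that parses an sssd.conf and reports whether the joined domain is listed, whether its `[domain/...]` section exists, whether `enumerate` is really on and whether `id_provider` is `ad`. The embedded sample is the uncommented part of the sssd.conf posted above; the stock ldap example comments are left out, and `without_enumerate` reconstructs the state of the file before the manual edit.

```python
"""Added example: sanity-check the AD domain section of an sssd.conf.
Not Rockstor code; the sample below is copied from the sssd.conf posted in this thread."""
import configparser

# Sample input: the live sections of the posted sssd.conf (commented-out ldap examples omitted).
SSSD_CONF_SAMPLE = """\
[sssd]
config_file_version = 2
services = nss, pam
domains = O11LAN.NET
; domains = LDAP

[nss]
[pam]

[domain/O11LAN.NET]
default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = O11LAN.NET
realmd_tags = manages-system joined-with-adcli
id_provider = ad
fallback_homedir = /home/%u@%d
ad_domain = O11LAN.NET
use_fully_qualified_names = True
ldap_id_mapping = True
access_provider = simple
enumerate = True
simple_allow_groups = %domain admins@O11LAN.NET %domain users@O11LAN.NET
"""

TRUE_VALUES = {"true", "yes", "1"}  # boolean spellings sssd accepts, compared case-insensitively


def parse_sssd_conf(text):
    """Parse sssd.conf's INI dialect: '#' and ';' comments, '=' delimiter, literal '%' values."""
    cp = configparser.ConfigParser(
        interpolation=None,          # '%u', '%d' and '%domain admins' must stay literal
        comment_prefixes=("#", ";"),
        inline_comment_prefixes=None,
        delimiters=("=",),
    )
    cp.optionxform = str             # sssd option names are case-sensitive; keep them as written
    cp.read_string(text)
    return cp


def sssd_domain_report(text, domain):
    """Return a dict describing whether 'domain' is wired up for enumeration in 'text'."""
    cp = parse_sssd_conf(text)
    listed = [d.strip() for d in cp.get("sssd", "domains", fallback="").split(",") if d.strip()]
    section = f"domain/{domain}"
    report = {
        "domain_listed": domain in listed,
        "section_present": cp.has_section(section),
        "enumerate": False,
        "id_provider": None,
        "problems": [],
    }
    if not report["domain_listed"]:
        report["problems"].append(f"{domain} is not in [sssd] domains = ...")
    if not report["section_present"]:
        report["problems"].append(f"missing [{section}] section")
        return report
    sec = cp[section]
    report["id_provider"] = sec.get("id_provider")
    report["enumerate"] = sec.get("enumerate", "false").strip().lower() in TRUE_VALUES
    if not report["enumerate"]:
        report["problems"].append("enumerate is not enabled: domain users/groups will not be listed")
    if report["id_provider"] != "ad":
        report["problems"].append(f"id_provider is {report['id_provider']!r}, expected 'ad' for an AD join")
    return report


def without_enumerate(text):
    """Demo helper: drop the enumerate line, i.e. the file as the GUI had left it."""
    return "\n".join(l for l in text.splitlines() if not l.startswith("enumerate")) + "\n"


if __name__ == "__main__":
    for label, conf in (("as posted", SSSD_CONF_SAMPLE),
                        ("enumerate missing", without_enumerate(SSSD_CONF_SAMPLE))):
        r = sssd_domain_report(conf, "O11LAN.NET")
        print(f"{label}: enumerate={r['enumerate']} problems={r['problems']}")
```

To run it against a real box, read /etc/sssd/sssd.conf (root-only, mode 0600) into `text` and pass the domain from the `[sssd] domains` line; an empty `problems` list is what the posted file produces after the manual `enumerate = True` edit.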