Active Directory Issues

I haven’t tried any actions to resolve the issue yet; I haven’t restarted any services or the NAS, I haven’t left and tried to re-join the domain, etc. I figured I would await instruction from someone wiser than me. If you want me to try anything out to help you figure out the issue, let me know and I can try it to the best of my ability.

2 Likes

Was there any update on a fix for this?

Hi there,

The fix is in and it will come with the release of the new rockstor version 4.5.9-0 (RC6).
The release is coming soon.

1 Like

Thank you for the heads-up! I'll keep my eyes out and switch my security back to user from ads for now in my smb.conf.

1 Like

and the new release just landed, as if @aremiaskfa was clairvoyant :slight_smile:

3 Likes

Not to necro an old post, but I swear I had seen someone else having AD issues and I was tagged in the topic. I don’t see it anymore, so maybe my imagination, but I’m having strange issues with AD again and figured I’d post to see if anyone could help get to the bottom of it.

I’ve been neck deep in other projects lately and wanted to store an extra copy of some files, and figured I’d continue to take advantage of my NAS setup. I recalled a post saying that it was fixed under 5.0.1, but when trying to connect to the share my AD credentials weren’t working. Checking the users, I could see that AD was still enumerating to Rockstor, and unfortunately, due to some over-zealous troubleshooting, I never found out why Samba was rejecting my credentials.

I decided to just remove and re-add the machine to the domain; however, upon trying to re-join I received an error that the machine was still domain joined. I cleaned the old account out of AD just in case, but the error continued. I saw that the SSSD config still contained the old information, as did my Samba config. I thought perhaps re-installing Samba and SSSD would purge the old config and replace it with a new one; unfortunately, doing so somehow borked the entire installation. At this point, I decided to reinstall and re-import my disks. That went OK. I updated the system to 4.6.1. That went OK. I renamed it the same as the old system, set its static IP and DNS info, and the Samba workgroup, and that was all fine.

Then I tried to rejoin the domain. Again it said the domain was already joined, which should be impossible since this was a completely new install and, despite having the same name, I purged the old account out of AD, so it shouldn’t be picking up on that. I have to assume some leftover object is still in AD which Rockstor, SSSD or Samba is looking at instead of the machine account? Unfortunately I’m far from a master when it comes to the inner workings of AD or any of this Linux software to know where to look from here. Later I plan on renaming the NAS to see if that solves my issue. However, a few other issues seem to have cropped up from this. Because the box is mostly brand new, I don’t know what could have gone catastrophically wrong.

I poked around somewhat in the command line and tried “sudo sssd realm discover”, which failed. So out of curiosity I did a “sudo realm discover myrealm.realm” and it succeeded. Trying to join the realm with “sudo realm join myrealm.realm” fails, telling me the domain is already joined. Checking systemctl, it says SSSD is not running. If I try and start it, it fails with exit code 4, and for whatever reason the SSSD config still has the default configuration despite Rockstor supposedly having tried to join the domain. I changed the Samba workgroup to “WORKGROUP” and then back, but SSSD is still throwing a fit. I’ll post what logs I can below.

This is the error in the dialog (I’ve replaced the user account and domain info for privacy reasons):

Error running a command. cmd = /usr/sbin/realm join --membership-software=samba -U user DOMAIN.SITE. rc = 1. stdout = ['']. stderr = ['realm: Already joined to this domain', '']
Traceback (most recent call last):
  File "/opt/rockstor/src/rockstor/rest_framework_custom/generic_view.py", line 41, in _handle_exception
    yield
  File "/opt/rockstor/src/rockstor/smart_manager/views/active_directory.py", line 195, in post
    join_domain(config, method=method)
  File "/opt/rockstor/src/rockstor/system/directory_services.py", line 270, in join_domain
    return run_command(cmd, input=("{}\n".format(config.get("password"))), log=True)
  File "/opt/rockstor/src/rockstor/system/osi.py", line 251, in run_command
    raise CommandException(cmd, out, err, rc)
system.exceptions.CommandException: Error running a command. cmd = /usr/sbin/realm join --membership-software=samba -U user DOMAIN.SITE. rc = 1. stdout = ['']. stderr = ['realm: Already joined to this domain', '']

This was the text from the shell when trying to start the SSSD service:

ocelot11-nas:~ # sudo systemctl start sssd
Job for sssd.service failed because the control process exited with error code.
See "systemctl status sssd.service" and "journalctl -xeu sssd.service" for details.
ocelot11-nas:~ # sudo systemctl status sssd
× sssd.service - System Security Services Daemon
     Loaded: loaded (/usr/lib/systemd/system/sssd.service; disabled; preset: disabled)
     Active: failed (Result: exit-code) since Mon 2023-07-24 19:54:19 EDT; 1min 1s ago
    Process: 9824 ExecStart=/usr/sbin/sssd -i ${DEBUG_LOGGER} (code=exited, status=4)
   Main PID: 9824 (code=exited, status=4)
        CPU: 77ms

Jul 24 19:54:18 ocelot11-nas systemd[1]: Starting System Security Services Daemon...
Jul 24 19:54:19 ocelot11-nas sssd[9824]: SSSD couldn't load the configuration database [1432158246]: No domain is enabled
Jul 24 19:54:19 ocelot11-nas systemd[1]: sssd.service: Main process exited, code=exited, status=4/NOPERMISSION
Jul 24 19:54:19 ocelot11-nas systemd[1]: sssd.service: Failed with result 'exit-code'.
Jul 24 19:54:19 ocelot11-nas systemd[1]: Failed to start System Security Services Daemon.
ocelot11-nas:~ # sudo journalctl -xe
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░
░░ A start job for unit sssd.service has finished with a failure.
░░
░░ The job identifier is 2530 and the job result is failed.
Jul 24 19:54:19 ocelot11-nas systemd[1]: Reached target User and Group Name Lookups.
░░ Subject: A start job for unit nss-user-lookup.target has finished successfully
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░
░░ A start job for unit nss-user-lookup.target has finished successfully.
░░
░░ The job identifier is 2649.
Jul 24 19:54:19 ocelot11-nas sudo[9818]: pam_unix(sudo:session): session closed for user root
Jul 24 19:55:20 ocelot11-nas sudo[10284]:     root : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/systemctl status sssd
Jul 24 19:55:20 ocelot11-nas sudo[10284]: pam_unix(sudo:session): session opened for user root(uid=0) by root(uid=0)
Jul 24 19:58:09 ocelot11-nas systemd[9255]: Created slice User Background Tasks Slice.
░░ Subject: A start job for unit UNIT has finished successfully
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░
░░ A start job for unit UNIT has finished successfully.
░░
░░ The job identifier is 16.
Jul 24 19:58:09 ocelot11-nas systemd[9255]: Starting Cleanup of User's Temporary Files and Directories...
░░ Subject: A start job for unit UNIT has begun execution
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░
░░ A start job for unit UNIT has begun execution.
░░
░░ The job identifier is 15.
Jul 24 19:58:09 ocelot11-nas systemd[9255]: Finished Cleanup of User's Temporary Files and Directories.
░░ Subject: A start job for unit UNIT has finished successfully
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░
░░ A start job for unit UNIT has finished successfully.
░░
░░ The job identifier is 15.
Jul 24 19:58:44 ocelot11-nas sudo[10284]: pam_unix(sudo:session): session closed for user root
Jul 24 19:58:55 ocelot11-nas sudo[12623]:     root : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/journalctl -xe
Jul 24 19:58:55 ocelot11-nas sudo[12623]: pam_unix(sudo:session): session opened for user root(uid=0) by root(uid=0)
1 Like

This was the sssd config file located at /etc/sssd/sssd.conf:

[sssd]
config_file_version = 2
services = nss, pam
# SSSD will not start if you do not configure any domains.
# Add new domain configurations as [domain/<NAME>] sections, and
# then add the list of domains (in the order you want them to be
# queried) to the "domains" attribute below and uncomment it.
; domains = LDAP

[nss]

[pam]

# Example LDAP domain
; [domain/LDAP]
; id_provider = ldap
; auth_provider = ldap
# ldap_schema can be set to "rfc2307", which stores group member names in the
# "memberuid" attribute, or to "rfc2307bis", which stores group member DNs in
# the "member" attribute. If you do not know this value, ask your LDAP
# administrator.
; ldap_schema = rfc2307
; ldap_uri = ldap://ldap.mydomain.org
; ldap_search_base = dc=mydomain,dc=org
# Note that enabling enumeration will have a moderate performance impact.
# Consequently, the default value for enumeration is FALSE.
# Refer to the sssd.conf man page for full details.
; enumerate = false
# Allow offline logins by locally storing password hashes (default: false).
; cache_credentials = true

# An example Active Directory domain. Please note that this configuration
# works for AD 2003R2 and AD 2008, because they use pretty much RFC2307bis
# compliant attribute names. To support UNIX clients with AD 2003 or older,
# you must install Microsoft Services For UNIX and map LDAP attributes onto
# msSFU30* attribute names.
; [domain/AD]
; id_provider = ldap
; auth_provider = krb5
; chpass_provider = krb5
;
; ldap_uri = ldap://your.ad.example.com
; ldap_search_base = dc=example,dc=com
; ldap_schema = rfc2307bis
; ldap_sasl_mech = GSSAPI
; ldap_user_object_class = user
; ldap_group_object_class = group
; ldap_user_home_directory = unixHomeDirectory
; ldap_user_principal = userPrincipalName
; ldap_account_expire_policy = ad
; ldap_force_upper_case_realm = true
;
; krb5_server = your.ad.example.com
; krb5_realm = EXAMPLE.COM

1 Like
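The "No domain is enabled" failure above comes straight from that file: every domain is commented out with `;`, so SSSD has nothing to serve and exits. The script below is an added example, not Rockstor's or SSSD's own code; it parses an sssd.conf offline and reports whether SSSD would find an enabled domain, and if not, which half of the wiring is missing (no `domains` entry in `[sssd]`, or a listed name without a `[domain/NAME]` section). The sample configs are constructed: the first abbreviates the default file posted in the thread, the others use a hypothetical `example.com` domain.

```python
"""Check an sssd.conf for the condition behind "No domain is enabled".

SSSD starts a domain only if it is named in the 'domains' key of [sssd]
AND has a matching [domain/NAME] section.  A pristine default file (as
posted in the thread) has neither, which is why sssd.service exited with
status 4.  This reproduces that check from the file alone.
"""
import configparser
import sys


def parse_sssd_conf(text: str) -> configparser.ConfigParser:
    # sssd.conf is INI-style; both '#' and ';' begin comment lines and the
    # shipped default comments out every example domain with ';'.
    cfg = configparser.ConfigParser(
        interpolation=None,              # values such as ${DEBUG_LOGGER} must stay literal
        comment_prefixes=("#", ";"),
        inline_comment_prefixes=None,
        strict=True,                     # duplicate sections are a config error
    )
    cfg.read_string(text)
    return cfg


def listed_domains(cfg: configparser.ConfigParser) -> list:
    """Names from the (uncommented) 'domains' key, in query order."""
    raw = cfg.get("sssd", "domains", fallback="")
    return [d.strip() for d in raw.split(",") if d.strip()]


def defined_domains(cfg: configparser.ConfigParser) -> list:
    """Names that have a [domain/NAME] section."""
    return [s[len("domain/"):] for s in cfg.sections() if s.startswith("domain/")]


def diagnose(text: str) -> dict:
    cfg = parse_sssd_conf(text)
    listed = listed_domains(cfg)
    defined = defined_domains(cfg)
    enabled = [d for d in listed if d in defined]
    missing = [d for d in listed if d not in defined]     # listed, no section
    orphaned = [d for d in defined if d not in listed]    # section, not listed
    if enabled:
        status = "ok"
    elif not listed and not defined:
        status = "no_domain_enabled"       # the thread's case: untouched default file
    elif not listed:
        status = "domains_not_listed"      # a join wrote the section but not the key
    else:
        status = "domain_section_missing"  # the key names a domain nobody defined
    return {"status": status, "enabled": enabled, "missing": missing, "orphaned": orphaned}


# Constructed: abbreviated copy of the default file posted in the thread.
DEFAULT_CONF = """\
[sssd]
config_file_version = 2
services = nss, pam
; domains = LDAP

[nss]

[pam]

; [domain/AD]
; id_provider = ldap
; krb5_realm = EXAMPLE.COM
"""

# Constructed: what a completed join typically leaves behind (hypothetical domain).
JOINED_CONF = """\
[sssd]
config_file_version = 2
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ad
realmd_tags = manages-system joined-with-samba
"""

# Constructed: section present but the 'domains' key still commented out.
HALF_CONF = JOINED_CONF.replace("domains = example.com", "; domains = example.com")


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else DEFAULT_CONF
    print(diagnose(text))
```

Run it with the path to a real `/etc/sssd/sssd.conf` (readable by root only) to see which of the three states the box is in before reaching for `realm leave`.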

@ocelot11 btw, this is where I had tagged you:

1 Like

Update: Decided to poke around more when I had time and I had an epiphany. I left the realm via the ‘realm leave’ command, which seemed to clean up whichever issue was happening, then rejoined with ‘realm join’ and suddenly everything seems to be mostly working again. Users have yet to enumerate, but I can see group objects enumerating, so I’m sure in some time users will appear as well. Not sure if the GUI join would have worked; it’s something I will test when I have time.

2 Likes

Unfortunately users aren’t enumerating unless I try and log onto the box with them, which fails. Also Samba appears to be failing to actually validate users against AD. Unfortunately I don’t have time to poke around more. I’ll have to rely on guest access for now and hide the shares via browsability. Not ideal, but nothing on the NAS is ultra-critical. Plus, as I mentioned, I don’t know too much about the inner workings of Linux in general, so unfortunately all I can do is test and report what I find when I have time. If nobody else is having this issue, it could be my setup at this point. I’m not entirely sure.

2 Likes