I have just installed Rockstor and am trying to integrate it with Active Directory. I am running AD on Samba4 and have configured NIS. When I join rockstor to the AD, I am able to see the groups that have been added to the NIS domain. I am not able to see any of the users. when I run getent group from the console I am able to see the AD groups, but getent passwd only returns local users. Since I can see the groups, I believe that I am properly joined, but don’t know what to check in order to see the users. Any ideas?
Thanks,
Bill
Hi @wgs and welcome to Rockstor Community!
Here I am with the same config, join AD on Samba4, and how I had it work:
- set ntp on Rockstor
- join your domain
- restart samba service
- check your users / groups list
If this fails try a Rockstor reboot and check again.
How many users on your AD??? (maybe a long users list taking a while to get in sync)
Flyer/Mirko
Thanks @Flyer ! I have followed the steps that you outlined. My first step was to point the NTP at the Samba4 AD and the join appears to have worked. I only have a few users (this is a home/lab environment). I can’t figure out why I can see the groups and not the users. I have tried reboots and have even rebuilt the server a few times with the same results every time. I am starting to think it’s something on the DC rather than rockstor, but I’m not sure where to look. Any other suggestions?
-Bill
Hi @wgs it’s something really weird.
We assume your AD join is ok (can you check it via RSAT Tools??) so let’s check your current samba config file (/etc/samba/smb.conf): can you post it here?? Pls note it may have some credentials inside, remove them
Flyer
Here’s what I see in RSAT:
rockstor is joined.
Here is the smb.conf:
[root@rockstor ~]# cat /etc/samba/smb.conf
[global]
workgroup = AD
log file = /var/log/samba/log.%m
security = ads
realm = ad.xxxxxxxxxxxx.net
template shell = /bin/sh
kerberos method = secrets and keytab
winbind use default domain = false
winbind offline logon = true
winbind enum users = yes
winbind enum groups = yes
idmap config * : backend = tdb
idmap config * : range = 1000000 - 1999999
idmap config AD : backend = ad
idmap config AD : range = 10000 - 999999
idmap config AD : schema_mode = rfc2307
winbind nss info = rfc2307
log level = 3
load printers = no
cups options = raw
printcap name = /dev/null
####BEGIN: Rockstor SAMBA CONFIG####
[media]
root preexec = "/opt/rockstor/bin/mnt-share media"
root preexec close = yes
comment = Samba-Export
path = /mnt2/media
browseable = yes
read only = no
guest ok = no
admin users = admin
####END: Rockstor SAMBA CONFIG####
Do you see anything amiss?
Hi @wgs, if you’re sure about rfc2307 running on your ad that’s ok.
Can you check if removing rfc2307 flag from Active Directory config on Rockstor solves?
BR
Mirko
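An added example (not Rockstor’s or Samba’s code) that shows why the smb.conf posted above can list groups but not users: with `idmap config AD : backend = ad`, winbind only maps accounts that carry an RFC 2307 uidNumber (users) or gidNumber (groups) inside the configured range, so a user without uidNumber never shows up in `getent passwd`. The accounts are constructed; the `rid` backend used in the comparison is an assumption about what the unchecked rfc2307 option corresponds to, not something the thread states.

```python
import re

# Constructed sample: the idmap lines from the smb.conf posted in this thread.
SMB_CONF = """
[global]
idmap config * : backend = tdb
idmap config * : range = 1000000 - 1999999
idmap config AD : backend = ad
idmap config AD : range = 10000 - 999999
idmap config AD : schema_mode = rfc2307
winbind nss info = rfc2307
"""

# Constructed, hypothetical AD accounts as (sAMAccountName, uidNumber or None).
AD_USERS = [("alice", 10001), ("bob", None), ("svc-backup", 5000)]

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.M)


def parse_idmap(conf):
    """Return {domain: {option: value}} for every 'idmap config <dom> : <opt> = <val>' line."""
    idmap = {}
    for dom, opt, val in IDMAP_RE.findall(conf):
        idmap.setdefault(dom, {})[opt] = val
    return idmap


def id_range(cfg):
    """Parse 'range = LOW - HIGH' into a (low, high) integer pair."""
    low, high = (int(x) for x in cfg["range"].split("-"))
    return low, high


def user_visibility(conf, domain, users):
    """Predict which users 'getent passwd' will list, and why the rest are missing."""
    cfg = parse_idmap(conf)[domain]
    low, high = id_range(cfg)
    visible, hidden = [], []
    for name, uid in users:
        if cfg.get("backend") != "ad":
            visible.append(name)  # rid/tdb backends allocate an id for every SID
        elif uid is None:
            hidden.append((name, "no uidNumber attribute"))  # the symptom in this thread
        elif not low <= uid <= high:
            hidden.append((name, f"uidNumber {uid} outside {low}-{high}"))
        else:
            visible.append(name)
    return visible, hidden
```

On the box itself the same distinction shows up as `wbinfo -u` (every domain user winbind can enumerate) versus `getent passwd` (only those that received a uid), so a user present in the first list but absent from the second is missing its uidNumber or sits outside the range.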
Hello!
We’ve installed Rockstor and try to integrate it in our very old AD (two DCs running on Win server 2003/32bit). We can’t join it, the switch for the “Active Directory” service flips always back to off.
Feedback says:
Traceback (most recent call last):
File “/opt/rockstor/src/rockstor/rest_framework_custom/generic_view.py”, line 40, in _handle_exception
yield
File “/opt/rockstor/src/rockstor/smart_manager/views/active_directory.py”, line 219, in post
workgroup = self._domain_workgroup(domain, method=method)
File “/opt/rockstor/src/rockstor/smart_manager/views/active_directory.py”, line 86, in _domain_workgroup
o, e, rc = run_command(cmd)
File “/opt/rockstor/src/rockstor/system/osi.py”, line 98, in run_command
raise CommandException(cmd, out, err, rc)
CommandException: Error running a command. cmd = [’/usr/bin/net’, ‘ads’, ‘workgroup’]. rc = 255. stdout = [’’]. stderr = [‘ads_connect: No logon servers’, ‘ads_connect: No logon servers’, “Didn’t find the cldap server!”, ‘’]
Same with LDAP.
But we can ping the rockstor server by (fixed) IP and by host name, and I can ping the DC server from rockstor shell also.
Any suggestions? Thanks a lot! Philipp
Hi @philipp,
can you please post your AD Join configuration from Rockstor page ?? (without admin & pass, obviously)
Did you used your.domain or just domain ?? Please use FQDN
Is your Rockstor dns = to domain ip?
BR
Flyer
I’ve tried with and without the rfc2307 flag and still am not able to enumerate the users. As a last ditch effort I reinstalled Rockstor and now get this when I attempt to turn on AD:
Traceback (most recent call last):
File “/opt/rockstor/src/rockstor/rest_framework_custom/generic_view.py”, line 40, in _handle_exception
yield
File “/opt/rockstor/src/rockstor/smart_manager/views/active_directory.py”, line 198, in post
smb_config = self._get_config(smbo)
File “/opt/rockstor/src/rockstor/smart_manager/views/base_service.py”, line 40, in _get_config
return json.loads(service.config)
File “/usr/lib64/python2.7/json/init.py”, line 338, in loads
return _default_decoder.decode(s)
File “/usr/lib64/python2.7/json/decoder.py”, line 365, in decode
obj, end = self.raw_decode(s, idx=_w(s, 0).end())
TypeError: expected string or buffer
Should I reinstall again?
Hi Flyer, thanks for feedback!
First attempt to join rockstor to the domain “cad-labor” with server name:
The message was: DNS doesn’t work.
And the errlog said:
Traceback (most recent call last):
File “/opt/rockstor/src/rockstor/smart_manager/views/active_directory.py”, line 51, in resolve_check
res = socket.gethostbyname(domain)
gaierror: [Errno -2] Name or service not known
Then I tried to join with the static IP of the domain controller:
Didn’t work either, perhaps because of the DNS server. Errlog said:
Traceback (most recent call last):
File “/opt/rockstor/src/rockstor/rest_framework_custom/generic_view.py”, line 40, in _handle_exception
yield
File “/opt/rockstor/src/rockstor/smart_manager/views/active_directory.py”, line 219, in post
workgroup = self._domain_workgroup(domain, method=method)
File “/opt/rockstor/src/rockstor/smart_manager/views/active_directory.py”, line 86, in _domain_workgroup
o, e, rc = run_command(cmd)
File “/opt/rockstor/src/rockstor/system/osi.py”, line 98, in run_command
raise CommandException(cmd, out, err, rc)
CommandException: Error running a command. cmd = [‘/usr/bin/net’, ‘ads’, ‘workgroup’]. rc = 255. stdout = [‘’]. stderr = [‘ads_connect: No logon servers’, ‘ads_connect: No logon servers’, “Didn’t find the cldap server!”, ‘’]
Then I checked (as you’ve proposed) the DNS config on the two network adapters of the rockstor system:
There is a third RJ-45 plug at the back of the hardware (Intel R1304SPOSHBN), for remote server administration. I was unsure: is our DNS really running on the DC? So I checked from the second DC “server-b” (static IP=32):
Finally I ask you to have a look at my attempts to configure ldap:
Thanks a lot for your time!
Philipp
Hi @philipp,
looking to the first image (‘Configure Active Directory’):
your domain / realm name is cad-labor.local, not server-a.cad-labor.
Try with that and let us know
Eureka, Flyer, you got it!!! Great!
Strange, but it was not possible with the administrator account - I could join it to my AD only by using a poweruser account. Thank you!
Philipp
back to you @wgs, after @philipp checks:
your samba conf file has a ad.xxxsomething.net realm, but your realm is ad.t
(looking to your ADUC screenshot)
Can you check it?
thanks
Flyer
I finally have everything working. I removed the rfc2307 flag and still could not enumerate the users. I decided to reinstall Rockstor and did not select rfc2307 when I joined the domain and now can see my users. I definitely think the rfc2307 was the issue, but simply unchecking it did not seem to make a difference. Thanks for all of your help!
-Bill
Hi @wgs thanks for your reply.
I’m happy cos’ you solved it, but I don’t like you had to have a new clean install ( I think it’s something related to samba Rockstor module, going to check it )
Flyer
Hi Flyer!
Great, now we can use our rockstor-share from a win-workstations!
Another question: Our aim was to use the rockstor to save home and profile data of our AD-users. So we need various permissions on different folder on the same share (NTFS provides this). Is this possible with rockstor using BTRFS and Samba, too? Or is it generally not possible?
Thank you! Philipp
Hi @philipp, three words answer:
Yes you can!
This is how I had my office AD (+50 users) happily working:
- Create a samba share on Rockstor with Root / Domain Users ( or your domain group )
- Open RSAT and create a Folder Redirection for Desktop, Documents, etc etc to Rockstor Share
On the first logon of every user, the right folders will be created on Rockstor.
Important notes:
remember gpupdate on every client to force GPO sync
NEVER NEVER sync AppData folder (if your users have local mail with an outlook pst file they will flood your lan with tons of packets)
Final:
Create a snapshot task for user profiles and enjoy Rockstor btrfs