Error running a command. cmd = /usr/sbin/realm join --membership-software=samba -U administrator DIGIXXXXX.LOCAL. rc = 1. stdout = ['']. stderr = ['realm: Already joined to this domain', '']

Brief description of the problem

Pressing on to Active Directory service, I get the error ‘realm: Already joined to this domain’

Detailed step by step instructions to reproduce the problem

Configured samba and ntp services. Trying to join Active Directory (samba ad dc)

Web-UI screenshot

Error Traceback provided on the Web-UI

```
Traceback (most recent call last):
  File "/opt/rockstor/src/rockstor/rest_framework_custom/generic_view.py", line 41, in _handle_exception
    yield
  File "/opt/rockstor/src/rockstor/smart_manager/views/active_directory.py", line 195, in post
    join_domain(config, method=method)
  File "/opt/rockstor/src/rockstor/system/directory_services.py", line 270, in join_domain
    return run_command(cmd, input=("{}\n".format(config.get("password"))), log=True)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/rockstor/src/rockstor/system/osi.py", line 263, in run_command
    raise CommandException(cmd, out, err, rc)
system.exceptions.CommandException: Error running a command. cmd = /usr/sbin/realm join --membership-software=samba -U administrator DIGIXXXXX.LOCAL. rc = 1. stdout = ['']. stderr = ['realm: Already joined to this domain', '']
```

### Debug I have done below:

- If I run `realm list` I see that Rockstor is joined to the domain (client-software: winbind), even though I get an error when enabling the service.
- `realm list` gives client-software: winbind as joined.
- I `realm leave` client-software: winbind and `realm list` is empty afterwards.
- When I press the button (WebUI) again to start the Active Directory service, I get the already joined error and `realm list` again shows the realm joined by client-software: winbind.
- If I `realm join` manually with `--membership-software=samba`, the join is successful by sssd. If I try to start the service from the WebUI, I get already joined and now `realm list` has 2 joined: winbind and sssd.

Rockstor Version 5.0.6-0
Initial installation from iso 4.5.8.0
Regards,
Julio

@mjulioscar welcome to the Rockstor community.

Not that I have a solution for your issue, but did you set up the Active Directory piece on the stable installation version and then upgraded to 5.0.6 and then ran into issue activating the AD service? Or are you trying to set it up for the first time after the system was upgraded to 5.0.6?

Just want to make sure, it’s not related to the upgrade vs. an issue in the current test channel version.

Hi @Hooverdan

I tried for the first time after upgrading to the new version (5.0.6).

It is very curious that you’re seeing a winbind connection, since the default is supposed to be run via sssd.

@Flox did a rewrite from using winbind to sssd based AD joining some time ago, so maybe he can shed some more light on this.

If I interpret the source code correctly, even when using sssd winbind is still needed when the option of ID mapping is activated.
Again, not sure whether that’s having an impact, but can you share how you configured your AD service in the WebUI?

Finally, another shot in the dark, do you have any additional samba configuration you’ve maintained, that could inadvertently conflict with the AD process?

I looked at the py files also and I saw that method sssd is hardcoded and it seems method winbind is never used.
Well, the AD service has:

- realm name: XXXX.LOCAL
- username: administrator
- password: XXXXXX
- Allow enumeration: Tried on and off

Samba config was only configured from WebUI, to test a shared folder.

I also remember doing a manual realm join as a test, but before activating the service from the WebUI, running the `realm list` command gives an empty result.

I could try with a fresh installation (4.8.0) though and then upgrade to 5.0.6.


I installed again from iso 4.5.8 and I directly tried to enable the AD service.
The first try gave no errors and the service status became ON.
Navigating away from services and going back again shows the service status OFF. The second try gives the same error “Already joined”.
`realm list` shows winbind and sssd joined.


I have more info to provide.
Using a Domain controller (“dc1.xxxx.com”) as the Domain/Realm Name, the ON switch gives no error and I can run the command “id user@xxxx.com”, but the WebUI can’t enumerate groups or users.
Still, refreshing the services page shows the AD service OFF.
If I change the line below in the file /etc/sssd/sssd.conf to False, the WebUI enumerates groups.

`use_fully_qualified_names = True`

I’ve searched but I can’t find where to change that config, so that Rockstor, when it creates the sssd.conf file, leaves it as False.

The thing is, even when AD works, the service always shows OFF. In which case does the service stay ON?

Also, if I don’t refresh the services page and I press ON (to disable AD), it gives an error that it can’t realm leave because “dc01.xxxx.xxx” is not a realm. If I run “realm leave” from a terminal, I can press the service again and join the realm again…

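The state reported in this thread, one realm listed under both winbind and sssd, can be checked mechanically from `realm list` output. The script below is an added example, not part of any post or of Rockstor's code; the sample output is constructed and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample of `realm list` output (not captured from the poster's system).
SAMPLE = """\
example.local
  type: kerberos
  realm-name: EXAMPLE.LOCAL
  domain-name: example.local
  configured: kerberos-member
  server-software: active-directory
  client-software: winbind
  login-formats: EXAMPLE\\%U
example.local
  type: kerberos
  realm-name: EXAMPLE.LOCAL
  domain-name: example.local
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  login-formats: %U@example.local
"""

def parse_realm_list(text):
    """Split `realm list` output into one dict per listed entry."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():            # unindented line starts a new entry
            entries.append({"name": line.strip()})
        elif entries and ":" in line:        # indented "key: value" detail line
            key, _, value = line.strip().partition(":")
            entries[-1][key.strip()] = value.strip()
    return entries

def conflicting_joins(text):
    """Return {realm: [client-software, ...]} for realms joined more than once."""
    clients = defaultdict(set)
    for e in parse_realm_list(text):
        if e.get("configured", "no") != "no":    # ignore discovered-but-unjoined realms
            realm = e.get("realm-name", e["name"]).upper()
            clients[realm].add(e.get("client-software", "unknown"))
    return {r: sorted(c) for r, c in clients.items() if len(c) > 1}

if __name__ == "__main__":
    for realm, software in conflicting_joins(SAMPLE).items():
        print(f"{realm}: joined via {', '.join(software)}")
```

On a live system the text would come from running `realm list` and passing its standard output to `conflicting_joins`.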