Failed to Join AD Domain

Brief description of the problem

I’m trying to join Rockstor to my AD domain, but it is erroring out.

Detailed step by step instructions to reproduce the problem

I filled out my Active Directory configuration on the services page and then clicked to start the service. I then get the below error.

Web-UI screenshot

Capture

Error Traceback provided on the Web-UI

Traceback (most recent call last): File "/opt/rockstor/src/rockstor/rest_framework_custom/generic_view.py", line 41, in _handle_exception yield File "/opt/rockstor/src/rockstor/smart_manager/views/active_directory.py", line 213, in post smb_config = self._get_config(smbo) File "/opt/rockstor/src/rockstor/smart_manager/views/base_service.py", line 43, in _get_config return json.loads(service.config) File "/usr/lib64/python2.7/json/__init__.py", line 339, in loads return _default_decoder.decode(s) File "/usr/lib64/python2.7/json/decoder.py", line 364, in decode obj, end = self.raw_decode(s, idx=_w(s, 0).end()) TypeError: expected string or buffer

I enabled SAMBA and NTP and now I’m getting the following error:

Traceback (most recent call last):
File “/opt/rockstor/src/rockstor/rest_framework_custom/generic_view.py”, line 41, in _handle_exception
yield
File “/opt/rockstor/src/rockstor/smart_manager/views/active_directory.py”, line 255, in post
run_command(cmd)
File “/opt/rockstor/src/rockstor/system/osi.py”, line 166, in run_command
raise Exception(“Exception while running command({}): {}”.format(cmd, e))
Exception: Exception while running command([’/usr/sbin/authconfig’, ‘–enablewinbind’, ‘–enablewins’, ‘–enablewinbindauth’, ‘–smbsecurity’, ‘ads’, ‘–smbrealm’, ‘LOCAL.EXAMPLE.NET’, ‘–krb5realm=LOCAL.EXAMPLE.NET’, ‘–enablewinbindoffline’, ‘–enablewinbindkrb5’, ‘–winbindtemplateshell=/bin/sh’, ‘–update’, ‘–enablelocauthorize’]): [Errno 2] No such file or directory

Rockstor Logs:

``` [22/Oct/2020 23:57:41] ERROR [storageadmin.util:45] Exception: Exception while running command(['/usr/sbin/authconfig', '--enablewinbind', '--enablewins', '--enablewinbindauth', '--smbsecurity', 'ads', '--smbrealm', 'LOCAL.EXAMPLE.NET', '--krb5realm=LOCAL.EXAMPLE.NET', '--enablewinbindoffline', '--enablewinbindkrb5', '--winbindtemplateshell=/bin/sh', '--update', '--enablelocauthorize']): [Errno 2] No such file or directory Traceback (most recent call last): File "/opt/rockstor/src/rockstor/rest_framework_custom/generic_view.py", line 41, in _handle_exception yield File "/opt/rockstor/src/rockstor/smart_manager/views/active_directory.py", line 255, in post run_command(cmd) File "/opt/rockstor/src/rockstor/system/osi.py", line 166, in run_command raise Exception("Exception while running command({}): {}".format(cmd, e)) Exception: Exception while running command(['/usr/sbin/authconfig', '--enablewinbind', '--enablewins', '--enablewinbindauth', '--smbsecurity', 'ads', '--smbrealm', 'LOCAL.EXAMPLE.NET', '--krb5realm=LOCAL.EXAMPLE.NET', '--enablewinbindoffline', '--enablewinbindkrb5', '--winbindtemplateshell=/bin/sh', '--update', '--enablelocauthorize']): [Errno 2] No such file or directory ```
1 Like

Confirmed, there is no authconfig file located in the /usr/sbin directory.

Also to note, I am running the OpenSUSE 4.0.4-0 version of Rockstor. Is active directory even functional yet in this version?

Hi @HB7,

First of all, I would like to present to you my apologies for not getting back to you earlier; it has been an extremely busy time for everyone and I unfortunately didn’t have time at all for the past few days. I’d like to bring a few elements of answers and discussions to the issue you raised, though.

Thanks a lot for bringing our attention to this one. I believe this is a CentOS-ism that has slipped through and remained in our transition to our “Built on openSUSE”. authconfig is a remnant of how AD/LDAP integration was done in CentOS (our old base) but is not present in our new openSUSE base.

The AD/LDAP integration in Rockstor has actually been something on our list of things to revamp and I personally have been interested in getting to it for a little while; yet time has not been kind to me and I was not able to look at it just yet. Let me point you towards a very useful explanation by @phillxnet below:

As you can see in posts linked above, we are planning on re-doing how AD/LDAP are integrated by switching to SSSD and thus greatly improve it. I’m afraid this is all I can bring at the moment, but I’m personally hoping to find some time to look into it. For those interesting in improving this aspect of Rockstor, the post by @phillxnet linked above is a great starting point for pointers and resources.

Hope this helps, nonetheless.

1 Like

Hello, i’m facing this very issue right now and found a solution, my setup is an OpenSuse 15.2 with Rockstor rpm testing branch v. 4.0.4-0

For me what resolved the problem is configuring SSSD Yast side to authenticate to my Active Directory before deploying Rockstor, leaving the user import duty to the OpenSuse itself and assigning ACL’s based on my needs.

I’ve found that if the domain is joined OS side with only SSSD before attempting to configure it via the Rockstor web gui, the “Active Directory” button in the “System / Services” menù is DISABLED, but users are populated into the “System / Identity” menù.

2 Likes

Thanks!

I figured this was likely the case. Also, I’m all for the move to SSSD, it is a much better solution than the old Winbind option.

2 Likes

I can certainly give this a try. I have connected several other Linux servers to Active Directory, using SSSD, in the past. So, I am familiar with the process. My only concern is how this will affect things down the road, when Rockstor does officially support AD joins with SSSD. Any thoughts on how badly future Rockstor updates might affect this?

Welcome to the community @Lorez85, and thanks a lot for your feedback and solution. It’s normal for the “Active Directory” button in Rockstor’s webUI to be on the “OFF” position as the state of this service is determined by whether or not Rockstor has a configuration for it in its database. As you configured the Active Directory manually without using the webUI (understandably), Rockstor believes it’s off.

Great! In this case, I would agree with @Lorez85’s feedback and suggestion to manually configure it, especially if you’re already familiar with doing so.

It’s hard for me to predict exactly how it’ll be, unfortunately. Based on how other services are implemented, however, I would hope we would be able to manually shut it down, reconfigure the service from Rockstor’s webUI, and then turn it back ON using Rockstor’s webUI. Of course, that would be the best case scenario and I can’t guarrantee it will actually be like that, even if it would be close to the goal. I haven’t looked at what changes would be necessary to config files, for instance, and that’s where we can hit some conflicts as Rockstor will expect some specific content that might not be there if said files were manually edited.
That being said, I personally still believe it is worth going the manual way for you at the moment if you need AD as I can’t promise when we would have an implenentation that will be satisfying for everybody. As explained it the post by @phillxnet to which I linked above, the move to SSSD seemed to have caused issues for some at the time. Things have changed a lot since, probably, but you never know. This is definitely something that will be tried at the very least.

For all these reasons and more, thanks a lot for your understanding and support for the move to SSSD, it is always extremely helpful to get feedback and very motivating to! I had a quick look at it today, but although I’m now comfortable with implementing it in Rockstor, I’m personally not familiar with AD so I’ll need to get that sorted first. I had a look at it earlier today but still need to figure out a way to get a reliable test AD server that I could use to establish the proper steps to implement into Rockstor. If anyone has some pointers on how to setup an AD for testing purposes, that would be extremely helpful.

Sorry for all the extra rambling, and thank you @Lorez85 and @HB7 for all your feedback… Hopefully we’ll be able to get things moving forward on this in a timely manner.

1 Like

I want to add that during my tests the mere SSSD isn’t enough to consistently authenticate AD users to Samba shares, i’ve also had to configure Windows Domain Membership over Yast.

This is the stable workflow, given a clean OpenSuse and an already existing AD, that i followed:

  • Configure the OS, Network, DNS, name resolution and so on;
  • Configure SSSD for user import from the Yast menù “Network Services / User Logon”: in my scenario had implemented “Allow Domain User Logon” and choose from “Enable domain data source” the fields “Users”, “Group” and MS-PAC. For the domain options i’ve choosed my DC fqdn for “ad_server”, “ad” as “auth_provider” and “id_provider” and lastly the flag “true” for “cache_credentials”, “case_sensitive” and “enumerate”.
  • Configure “Windows Domain Membership” from the Yast menù “Network Services / Windows Domain Membership”: i’ve enabled the flags “Use SMB information for authentication” and "offline authentication"in the main page; under the “expert settings” i’ve only enabled “ad” as backend.

Please note that this configuration worked in my setup , is valid for my needs and allowed me to activate the “Active Ditectory” in the webgui after configuring the “NTP” and “Samba”, allowing the authentication to the shares i’ve created.

I wanted to add this post as a followup and trail if someone in the future may need it, hope it will be useful!

best wishes

2 Likes

@HB7, @Lorez85, note that I started looking into this and have created a corresponding issue in our Github repo:

1 Like

@HB7, @Lorez85, and anyone with SSSD + AD experience, I took some time for experimentation, trying to pinpoint the exact procedure we would need Rockstor to follow. I wasn’t experienced in the field before that, so I wrote down my notes in the Github issue linked above.

In particular, I wrote down what we seem to need to in the following comment:

As I’m not an expert in the field, I would appreciate if anyone who has experience in the domain (pun unintended) could have a look and provide feedback on these.

Note that I would like to offer some sssd.conf customization options during the AD service configuration dialog window (similar to what we do for the Samba service), so that we can implement the customizations listed by @Lorez85.

1 Like

I made progress on testing further share via Samba and it seems that we also need to have the winbind service running so that it can take care of the id mapping, for which SSSD seems to be insufficient. See the comment below for further details:

All from Rockstor webUI, I am now able to have the following:

  • join/leave and Active Directory domain
  • fetch all users from the domain and surface them in Rockstor webUI
  • share a Rockstor share owned by a AD user
  • access this share as the AD user from a separate client, and read/write files on it

@HB7, @Lorez85, thanks for letting me know if that fits your needs, as I’m nearing submission of the corresponding PR pending a few further tests on my end.

2 Likes

Another brief progress update:
While the fix for joining an AD seems found and implemented, it also appeared that our LDAP implementation was broken for the same reason our AD one was: it was relying on CentOS-specific tools. We thus need to also migrate our LDAP implementation to SSSD.

I could get a working setup in my test environment so I’ll start working on implementing this into Rockstor now. For details of the configuration that will be implemented, see the Github post below:

As usual, I would greatly appreciate if users with experiences or specific requirements related to LDAP would provide feedback so that we can implement what is really needed by our users.

Thanks a lot in advance, for any feedback!

2 Likes