Before you set up AD authentication PLEASE READ!!!

Discussion in 'User Authentication' started by Cwhitmore, Sep 20, 2011.

  1. Cwhitmore New Member

    Cwhitmore, Sep 20, 2011

    I made the mistake of entering my PDC in the space where the NAS server name should have gone in Active Directory settings. After rebooting my NAS I started getting calls about Windows users who couldn't access network resources.

    This mistake caused my PDC to stop authenticating. Please read SourceForge post before you start messing with AD settings in FreeNAS:

    http://sourceforge.net/apps/phpbb/freenas/viewtopic.php?f=75&t=11612
  2. Milkwerm Member

    Milkwerm, Sep 21, 2011

    I had the same thing. Used ADSI Edit as per the SourceForge posts to reset it to a domain controller; also had to reset the secure channel key for the 2k8r2 DC as well (NLTEST & NETDOM reset commands). Posted an earlier thread about it here.
  3. mr_mike_m New Member

    mr_mike_m, Sep 21, 2011

    Me too!

    I also did the same thing... That box's description isn't clear enough!
  4. James FreeNAS Core Team

    James, Sep 22, 2011

    Just to be clear for the docs: which field should you not enter the PDC name into? The Domain Controller Name field or the Host Name field?
  5. Cwhitmore New Member

    Cwhitmore, Sep 22, 2011

    The AD settings are under Services -> Active Directory; it's the third box down (Host Name).

    I've also attached a screen shot.

  6. mr_mike_m New Member

    mr_mike_m, Sep 22, 2011

    If you could change the pop-up to read something like "the hostname of this FreeNAS server", I think that would do it.

    If you put a domain controller in there, very bad things happen to the real DC!:eek:
  7. LinuxTracker New Member

    LinuxTracker, Oct 28, 2011

    I'll resurrect this thread to mention that I was another user caught in this trap.
    Your instructions were vital, but I had some other hoops to jump through on my Server 2008 R2.

    I'll detail them here in case it helps someone else out.

    I had originally created a FreeNAS entry in the Active Directory Computers and in WINS.
    I deleted them both.

    I was getting the following errors in the Event Logs
    That certainly sounds like a corrupted SCK.
    Unfortunately, I wasn't able to use Netdom to reset the Secure Channel Key.

    The command:
    Code (text):
    netdom resetpwd /s:server /ud:domainname\username /pd:*
    gave me:
    Code (text):
    The machine account password for the local machine could not be reset.
    Logon Failure: The target account name is incorrect.
    The command failed to complete successfully.
    (I had entered my correct server name, username and password, BTW.)

    After trying a whole lot of other stuff, I came across a post where someone had substituted their 2008 server's IP for the servername.

    DoH! said I. Why didn't I think of that?

    This time, the command:
    Code (text):
    netdom resetpwd /s:192.168.100.1 /ud:domainname\username /pd:*
    gave me:
    Code (text):
    The machine account password for the local machine has been successfully reset.
    The command completed successfully.
    Ah HA!
    I was certain before that DNS wasn't an issue. Looks like that wasn't the case.

    I checked out my DNS zones and discovered that the _msdcs record was corrupted in my DNS server's forward lookup zone.
    The icon was grey and had a single text record as an entry. It wasn't a folder icon and had no subfolders under it.

    I've run into that problem before. The solution is to right-click the _msdcs entry and delete it.
    Next - restart the Netlogon service. After that restart the DNS Server (or DNS Server Service) and _msdcs is recreated properly (subfolders and all).

    By this time the event log errors had ceased; likely when I was finally able to recreate the Secure Channel Key.

    I wiped and reloaded FreeNAS as well. Time to see if I can finally get a list of usernames from the AD controller.

    Thanks much for pointing me in the right direction.

    (Any hope of the Devs assigning a better descriptor to that field?)
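    The recovery LinuxTracker describes above (reset the DC's secure channel, then restart Netlogon and DNS so the _msdcs records are re-registered) can be checked and driven from PowerShell. The following is an added example written for this thread, not code from the thread or from the FreeNAS project; the domain name and the peer DC address are placeholders, and it assumes an elevated session on the affected Windows Server DC with the DnsClient module present (2012 or later for Resolve-DnsName). The netdom command quoted above remains the reference; Reset-ComputerMachinePassword is the cmdlet equivalent.

```powershell
# Added example (not from the thread): verify and repair a DC's secure channel,
# then confirm the DC locator records under _msdcs are back.
# Placeholders: replace with your own domain and a healthy DC's IP address.
$DomainName    = 'example.local'     # placeholder AD DNS domain
$PeerDcAddress = '192.168.100.1'     # placeholder; thread used an IP when the name failed

function Test-DcSecureChannel {
    # $true when this machine's secure channel to the domain is healthy.
    # A broken channel is what produced "The target account name is incorrect" above.
    Test-ComputerSecureChannel -Verbose
}

function Repair-DcSecureChannel {
    param(
        [Parameter(Mandatory)][string]$Server,          # DC to reset the password against
        [Parameter(Mandatory)][pscredential]$Credential  # domain admin credential (prompted, not stored)
    )
    # Same effect as: netdom resetpwd /s:<server> /ud:<domain>\<user> /pd:*
    Reset-ComputerMachinePassword -Server $Server -Credential $Credential
    # Netlogon re-registers this DC's SRV records when it restarts.
    Restart-Service -Name Netlogon
    # Force the SRV record registration explicitly as well.
    nltest /dsregdns | Out-Null
}

function Test-MsdcsRecords {
    param([Parameter(Mandatory)][string]$Domain)
    # Clients locate a DC through this SRV record. If the _msdcs node in the
    # forward lookup zone is corrupt (the grey icon with one TXT entry described
    # above), this lookup fails and Kerberos/LDAP logons fail with it.
    try {
        Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
            Where-Object { $_.QueryType -eq 'SRV' } |
            Select-Object NameTarget, Port, Priority, Weight
    } catch {
        Write-Warning "No _msdcs SRV records for ${Domain}: $($_.Exception.Message)"
        $null
    }
}

# Usage (interactive):
if (-not (Test-DcSecureChannel)) {
    $cred = Get-Credential -Message 'Domain admin credential for machine password reset'
    Repair-DcSecureChannel -Server $PeerDcAddress -Credential $cred
}
if (-not (Test-MsdcsRecords -Domain $DomainName)) {
    # After deleting the corrupt _msdcs node by hand, restarting DNS Server
    # and Netlogon recreates it with its sub-records, as described above.
    Restart-Service -Name DNS
    Restart-Service -Name Netlogon
    Test-MsdcsRecords -Domain $DomainName
}
# dcdiag /test:dns gives a fuller report of remaining DNS problems.
```

    Run Test-DcSecureChannel first on its own; if it already returns $true, the remaining errors are more likely in DNS than in the machine account, which is the split LinuxTracker hit.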
  8. justchil New Member

    justchil, Mar 2, 2012

    Greetings!

    I did this very same thing today and I can't figure out how to get it fixed. Can someone please help?

    My userAccountControl was set to 69632 by FreeNAS. I changed this to 532480 and rebooted. Still having the problem, and DNS zones are missing/won't load.

    This is 2003 server. We only have 1 domain controller.
  9. justchil New Member

    justchil, Mar 2, 2012

    Whew! Lessons learned the hard way. Had to reset the secure channel key as mentioned above and a few other random things.

    Wasted 4 hours I could have been using to play with FreeNAS :p I won't make that mistake again ;)
  10. tcrichton New Member

    tcrichton, Apr 18, 2012

    Thanks for putting together this post... I made this mistake and luckily with your notes I managed to get the DC back into its usual role nice and quick.

    Then came the DNS and thanks to LinuxTracker for taking the time to detail his fixes for that...

    A quick reboot out of hours and it seems everything is back to normal!

    I won't be making that mistake again!
  11. tmstone835 New Member

    tmstone835, Jun 15, 2012

    More than one DC entry?

    This seems to be a serious flaw in this design. I am surprised that this only authenticates to a single domain controller. What if that goes offline for maintenance or a reboot? No one can access the NAS via AD authentication.
  12. noprobs Member

    noprobs, Aug 25, 2012

    I agree this is a significant issue. I just rebooted FreeNAS when the listed DC was down for maintenance and the startup stalled. Recommended best practice is to have multiple DCs. Is there any way to set multiple DCs in FreeNAS? (I tried adding a comma between DCs in FreeNAS; this didn't generate any errors in 8.3-beta1, however it also did not work.)

    Jon
  13. ServerBabon New Member

    ServerBabon, Aug 26, 2012

    I have put the domain name in the DC box, which seems to work, although I haven't got around to shutting down a DC and rebooting yet; I still get my LDAP cache rebuilding after a reboot. The DNS servers will round-robin the IP address of a DC in response to a request for the domain name. Not sure of Samba's requirements for Global Catalogs, but in my small home domain, where all my domain controllers are Global Catalogs anyway, this doesn't seem to be the issue it once was.

    This isn't the ideal solution, as FreeNAS is not trying DCs in a list, but it increases the probability of finding a working DC.
  14. aae New Member

    aae, Jan 2, 2013

    I just did this! Hosed an SDC.

    Problem is, I can't get to the SourceForge post to see what I'm supposed to do to fix it!

    Help!
  15. aae New Member

    aae, Jan 3, 2013

    Anybody else have the original information?

    I've got 6 SDCs and a PDC, and now users everywhere are starting to fail to connect to DFS shares throughout the company... The SDC info I had put into FreeNAS was hosting a couple of DFS shares... Now I'm getting "Logon Failure: The target account name is incorrect." en masse in my Active Directory.
  16. aae New Member

    aae, Jan 4, 2013

    I was able to reset the keys and that looks like it sorted some of the issues out for about a day; now it's gone back to the same issue... I found a Microsoft KB article on the subject:

    http://support.microsoft.com/kb/325850

    I followed the directions, including stopping the service, but I was a little unclear on how I was supposed to do it... I have a PDC and 6 SDCs, so I just stopped the KDC service on all of them, ran the netdom commands on the PDC only, rebooted, re-enabled KDC, and that got me going for a little while, but I was still coming up with those Kerberos errors in the event log...

    Now the "account name incorrect" errors are coming back when trying to access stuff over my DFS shares...

    My forward lookup zones in DNS look OK though...
  17. noprobs Member

    noprobs, Jan 4, 2013

    Unfortunately I made the same error a while back but was (finally) able to correct it. Regrettably I did not document what I did (quite a lot of trial and error and snapshot restores); however, the actions included resetting the machine account password (as above) and resetting permissions on the DC computer object (ADSI Edit, UserAccountControl to 532480). I then used dcdiag /v to work through the final errors. I know I had a DNS error and then I had a replication error in the forest which required manual editing.

    Sorry I can't be more specific.

    Jon
  18. aae New Member

    aae, Jan 4, 2013

    Any details on how you do this?

    I found this article: http://support.microsoft.com/kb/305144 Is that the same thing?


    EDIT:
    http://webcache.googleusercontent.c...countcontrol-issue/ &cd=3&hl=en&ct=clnk&gl=us
    Followed these directions.... My SDC that I had put into the FreeNAS field + my PDC were both not 532480... Fixed those... Hopefully that does it for me...
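    The two userAccountControl values quoted in this thread are the whole story in one number: 532480 is SERVER_TRUST_ACCOUNT (0x2000) plus TRUSTED_FOR_DELEGATION (0x80000), i.e. a domain controller, while 69632 is WORKSTATION_TRUST_ACCOUNT (0x1000) plus DONT_EXPIRE_PASSWORD (0x10000), i.e. an ordinary member server, which is what a Samba domain join writes onto whatever computer object it is pointed at. The following added example (written for this thread, not code from the thread or from FreeNAS) decodes such a value and audits every DC's computer object for the expected DC flags, so the damage can be spotted before users start getting "target account name is incorrect". It assumes the RSAT ActiveDirectory module for the audit function; the decoder itself needs nothing beyond PowerShell.

```powershell
# Added example (not from the thread): decode userAccountControl and audit DCs.
# Flag values are the documented AD UF_* bits.
$UacFlags = [ordered]@{
    SCRIPT                         = 0x0001
    ACCOUNTDISABLE                 = 0x0002
    PASSWD_NOTREQD                 = 0x0020
    WORKSTATION_TRUST_ACCOUNT      = 0x1000
    SERVER_TRUST_ACCOUNT           = 0x2000
    DONT_EXPIRE_PASSWORD           = 0x10000
    TRUSTED_FOR_DELEGATION         = 0x80000
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000
}

# Value a domain controller's computer object is expected to carry (532480).
$ExpectedDcUac = 0x2000 -bor 0x80000

function ConvertFrom-UserAccountControl {
    # Returns the names of the flags set in a userAccountControl value.
    param([Parameter(Mandatory)][int]$Value)
    $UacFlags.GetEnumerator() |
        Where-Object { ($Value -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key }
}

function Test-DcUserAccountControl {
    # Lists every DC in the domain with its decoded flags and whether the value
    # still matches a domain controller. A DC showing WORKSTATION_TRUST_ACCOUNT
    # has been rewritten as a member server and needs its object fixed in
    # ADSI Edit (and its secure channel reset) as described in this thread.
    Import-Module ActiveDirectory -ErrorAction Stop
    foreach ($dc in Get-ADDomainController -Filter *) {
        $comp = Get-ADComputer -Identity $dc.ComputerObjectDN -Properties userAccountControl
        [pscustomobject]@{
            DC      = $dc.HostName
            UAC     = $comp.userAccountControl
            Flags   = (ConvertFrom-UserAccountControl -Value $comp.userAccountControl) -join ','
            Healthy = ($comp.userAccountControl -eq $ExpectedDcUac)
        }
    }
}

# Usage: decode the two values quoted in the thread (constructed input).
foreach ($v in 532480, 69632) {
    '{0,7} -> {1}' -f $v, ((ConvertFrom-UserAccountControl -Value $v) -join ' + ')
}
# 532480 -> SERVER_TRUST_ACCOUNT + TRUSTED_FOR_DELEGATION
#  69632 -> WORKSTATION_TRUST_ACCOUNT + DONT_EXPIRE_PASSWORD

# Usage: audit all DCs (needs RSAT and a domain-joined session).
Test-DcUserAccountControl | Format-Table -AutoSize
```

    Scheduling Test-DcUserAccountControl and alerting on any row where Healthy is false turns this thread's failure mode into something caught within minutes rather than after the first round of help-desk calls.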
  19. noprobs Member

    noprobs, Jan 5, 2013

  20. drzoidberg33 New Member

    drzoidberg33, Aug 17, 2013

    I wish I had seen this thread before breaking things. I'm just glad we only have one DC and not very many users but was still stressing huge over this especially because of the fact that it broke our Exchange server too.

    Somebody should really put a warning on that entry box! Took me a few days to get everything running properly again (I'm still busy now, but basically just waiting for files to copy to the NAS).

    Please FreeNAS, prevent others from falling into this trap.