Active Directory can't use default domain

adam8797

Cadet
Joined
Dec 27, 2023
Messages
2
Afternoon all, I'm writing this up because I've spent the last day or two trying to get AD integration set up, and I've run into cryptic issues and bugs. I was trying simply to join my homelab domain, and not have to include the domain name in my login, as well as use the AD idmap backend, as my other servers use it as well. I kept getting a long "Configuration for trusted domains requires that the idmap backend be configured to handle these domains..." validation message, and then once I got that working, there's a bug in the configuration when trying to enable "Use Default Domain", as well as incorrect tooltip text! So I'll list the steps out here that I stumbled into, and hopefully I can save someone the effort.

1. Join the domain with all the standard settings.
2. Open Advanced Settings and, under the Idmap box, change the idmap type to AUTORID for your domain. There are two entries; it's the one that has your domain in it. Even if you want to use AD later, you have to have AUTORID selected to bypass the validation checks.
3. Leave the domain.
4. Join the domain again, but this time open advanced options and check both "Use Default Domain" and "Allow Trusted Domains".
5. This join should go successfully. Now you can change the idmap type back to AD if you want.

Hope this helps someone!

adam8797

Cadet
Joined
Dec 27, 2023
Messages
2
Ok coming back (with some more time now), hopefully someone takes note, as I believe there are three bugs here that make this view *painful* if you don't know what's happening (like me)

I'm on TrueNAS-SCALE-23.10.1

Bug #1 - Can't enable "Allow Trusted Domains" unless an "AUTORID" backend is enabled.


If you try to check "Allow Trusted Domains" while an RID backend (the default) option is selected, you get this long and cryptic error:

[Screenshot attached: 1703725207743.png]

In my opinion, this warning is important, but in this case it prevents me from saving this configuration! I have to change the backend to AUTORID before this will let me save, clear the cache, then come back to set it again.

Bug #2 - Bad tooltip on "Use Default Domain"

This one is pretty self-explanatory. The tooltip has a simple typo, but the typo just makes the setting confusing.

As I interpret this setting, it says "If your account is 'EXAMPLE\user', you can just sign in as 'user' as we'll use the default domain."

I believe my interpretation is correct, however this is the tooltip:

[Screenshot attached: 1703725441498.png]

"Unset to prepend"??? I think that should just say "Set"

Really simple, I know. But for someone who's never done this before? That was a lot of googling.

Bug #3 - Bind password not being saved

There is a check that happens in the activedirectory.py file where it checks if there are any modified entries, but it seems like the 'bindpw' entry is missing from the old configuration. The Python script doesn't check for key existence before attempting to access it, so this raises.

[Screenshot attached: 1703725648723.png]

This is especially annoying because I can't enable the "Use Default Domain" option now. In order to change this, I need to leave the domain, and join again so that there is no old configuration.

I'll go submit these to the bug tracker, but the forums are more visible to search. If anyone has a similar issue, follow the steps in the first post and that *should* get you configured as you intend. Also, for any other new folks to TrueNAS, I ended up going back to the RID backend instead of AD, and so far it's working exactly as I would expect. You don't want to leave it on AUTORID unless you have multiple domains (at least that's how I understand it).
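The failure mode described under Bug #3, as an added illustration that is not TrueNAS code: a changed-settings check that compares an old and a new configuration dictionary without assuming every key (such as 'bindpw') exists on both sides, and that redacts the secret when reporting what changed. The key names and sample configurations are constructed for the example.

```python
"""Added example: tolerant detection of changed configuration keys.

Illustrative code only, not TrueNAS middleware code. The naive form of this
check, `[k for k in new if old[k] != new[k]]`, raises KeyError when a key is
absent from the stored configuration, which is the behaviour reported above.
"""

_MISSING = object()  # sentinel distinguishing "key absent" from None or ""

# Keys whose values must never be echoed into logs or error messages.
SECRET_KEYS = frozenset({"bindpw"})


def changed_keys(old: dict, new: dict) -> list[str]:
    """Return the sorted keys whose value differs between old and new.

    A key present on only one side counts as changed; .get() with a
    sentinel avoids the KeyError without treating absence as None.
    """
    return sorted(
        k for k in set(old) | set(new)
        if old.get(k, _MISSING) != new.get(k, _MISSING)
    )


def describe_changes(old: dict, new: dict) -> dict[str, tuple]:
    """Map each changed key to (old_value, new_value), redacting secrets."""
    out = {}
    for k in changed_keys(old, new):
        if k in SECRET_KEYS:
            out[k] = ("<redacted>", "<redacted>")
        else:
            out[k] = (old.get(k), new.get(k))
    return out


if __name__ == "__main__":
    # Constructed sample: the stored config lacks 'bindpw', as in the report,
    # while the submitted form carries it alongside the toggled option.
    old_cfg = {"domainname": "example.lan", "bindname": "svc",
               "use_default_domain": False}
    new_cfg = {"domainname": "example.lan", "bindname": "svc",
               "use_default_domain": True, "bindpw": "constructed-secret"}
    print(describe_changes(old_cfg, new_cfg))
```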