AD Join Failed to validate bind credentials

sgoldstein

Cadet
Joined
May 10, 2022
Messages
6
TrueNAS-12.0-U8.1
Active Directory Functional Level 2016

Put in the correct domain name / username / password (including trying domain\username) and it flashes "Please Wait" for a half second, then gives me the "Failed to validate bind credentials:"
I have manually specified the nameservers / domain (Primary & Secondary domain controllers)
I can ping and resolve the Primary Domain Controller from the shell.
I have enabled SMB and checked the autostart box

Not sure what I am missing, my googlefu is failing me, and my search through this forum has not given me a clear cut solution.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
It may be a failure in underlying kerberos library that isn't getting translated into a helpful error message. The credential validation basically attempts to kinit with the provided creds. Have you checked that clock is set correctly on TrueNAS?
 

sgoldstein

Cadet
Joined
May 10, 2022
Messages
6
Clock is correct. I don't understand the second portion of your response? It's a fresh install of TrueNAS Core.
 

sgoldstein

Cadet
Joined
May 10, 2022
Messages
6
Just to confirm, I removed the stock NTP servers and put in my Active Directory PDC as the time server so they stay in sync. How do I fix the Kerberos...
 

sgoldstein

Cadet
Joined
May 10, 2022
Messages
6
Update

I tried to use the kerberos keytab instructions on this page:
https://www.truenas.com/docs/core/coretutorials/directoryservices/kerberos/

This is what I get when trying to enable the AD (after setting up Kerberos):

Error: Traceback (most recent call last):
  File "/usr/local/lib/python3.9/site-packages/middlewared/plugins/activedirectory.py", line 797, in validate_credentials
    self.middleware.call_sync('kerberos.do_kinit', data)
  File "/usr/local/lib/python3.9/site-packages/middlewared/main.py", line 1272, in call_sync
    return self.run_coroutine(methodobj(*prepared_call.args))
  File "/usr/local/lib/python3.9/site-packages/middlewared/main.py", line 1312, in run_coroutine
    return fut.result()
  File "/usr/local/lib/python3.9/concurrent/futures/_base.py", line 438, in result
    return self.__get_result()
  File "/usr/local/lib/python3.9/concurrent/futures/_base.py", line 390, in __get_result
    raise self._exception
  File "/usr/local/lib/python3.9/site-packages/middlewared/plugins/kerberos.py", line 269, in do_kinit
    raise CallError(f"kinit for domain [{data['domainname']}] "
middlewared.service_exception.CallError: [EFAULT] kinit for domain [***] with principal [administrator@***] failed: kinit: krb5_get_init_creds: unable to reach any KDC in realm ***

Not sure where I go from here?
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Kerberos library is failing to look up KDCs via SRV records in DNS / can't reach the KDC. Maybe we're being blocked by firewall, maybe we're not pointed at correct nameserver(s).
 
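The two causes named in that reply (the SRV lookup failing versus the KDC being unreachable) can be told apart from the TrueNAS shell. The following script is an added example, not part of the thread or of TrueNAS itself; it assumes `dig` is installed, and the realm name, nameserver and the `dc1`/`dc2` hosts in the constructed sample output are placeholders.

```python
import socket
import subprocess

# Constructed sample of `dig +short SRV _kerberos._tcp.<realm>` output
# (placeholder hosts, not taken from the thread). Priorities are mixed
# on purpose so that the ordering logic below is exercised.
SAMPLE_DIG_OUTPUT = """\
10 50 88 dc2.example.test.
0 100 88 dc1.example.test.
;; this is not a record line and must be ignored
"""


def parse_srv(dig_output):
    """Turn `dig +short SRV` lines into (priority, weight, port, target)
    tuples, ordered the way a Kerberos client would try them:
    lowest priority first, higher weight first within a priority."""
    records = []
    for line in dig_output.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[0].isdigit():
            continue  # skip comments, blank lines, malformed output
        prio, weight, port, target = parts
        records.append((int(prio), int(weight), int(port), target.rstrip(".")))
    return sorted(records, key=lambda r: (r[0], -r[1]))


def lookup_kdcs(realm, nameserver=None):
    """Ask DNS for the SRV record Kerberos uses to find KDCs.
    Passing the AD DC as nameserver checks that specific server's answer."""
    cmd = ["dig", "+short", "SRV", f"_kerberos._tcp.{realm}"]
    if nameserver:
        cmd.append(f"@{nameserver}")
    proc = subprocess.run(cmd, capture_output=True, text=True, timeout=10, check=False)
    return parse_srv(proc.stdout)


def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP connection succeeds; False on refusal, timeout,
    or a hostname that does not resolve (all raise OSError)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_realm(realm, nameserver=None):
    """Return (kdcs, unreachable). No kdcs at all points at DNS/SRV
    (wrong nameserver or missing records); kdcs listed but unreachable
    points at the network path or a firewall in front of port 88."""
    kdcs = lookup_kdcs(realm, nameserver)
    unreachable = [(t, p) for _, _, p, t in kdcs if not tcp_reachable(t, p)]
    return kdcs, unreachable
```

Run `check_realm("AD.EXAMPLE.TEST", "10.0.0.10")` (your realm and DC address) from the TrueNAS shell and compare the result against the same call without a nameserver argument, which uses the resolvers TrueNAS is actually configured with.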

sgoldstein

Cadet
Joined
May 10, 2022
Messages
6
Nameservers correct; as stated above, the PDC can be resolved during ping. Temporarily disabled both software firewalls on the server (Symantec and Windows), no change. That server is the one providing DNS and DHCP as well. No other machines are having issues joining the domain; even my 3 Synology NASes are joined to the domain. The Secondary Domain Controller is also running DNS and is filled in as nameserver2; that is also resolvable in the shell...
 

sgoldstein

Cadet
Joined
May 10, 2022
Messages
6
Tried a fresh install of the 13 release, figuring all of my tinkering might have made things worse; still no bind. Are there any other diagnostic techniques I can try, or should I just give up?
 