Cannot Complete Active Directory Join

Can you dig the KRB and LDAP SRV records? That's more relevant here.

Here is what I see when I dig the Kerberos records:

Code:
root@truenas[/home/admin]# dig srv _kerberos._tcp.dc._msdcs.mydomain.local

; <<>> DiG 9.16.27-Debian <<>> srv _kerberos._tcp.dc._msdcs.mydomain.local
;; global options: +cmd
;; Got answer:
;; WARNING: .local is reserved for Multicast DNS
;; You are currently testing what happens when an mDNS query is leaked to DNS
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18884
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 5

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;_kerberos._tcp.dc._msdcs.mydomain.local. IN SRV

;; ANSWER SECTION:
_kerberos._tcp.dc._msdcs.mydomain.local. 600 IN SRV  0 100 88 dc-02.mydomain.local.
_kerberos._tcp.dc._msdcs.mydomain.local. 600 IN SRV  0 100 88 DC-01.mydomain.local.
_kerberos._tcp.dc._msdcs.mydomain.local. 600 IN SRV  0 100 88 dc-01.mydomain.local.
_kerberos._tcp.dc._msdcs.mydomain.local. 600 IN SRV  0 100 88 DC-02.mydomain.local.

;; ADDITIONAL SECTION:
dc-02.mydomain.local.        3600    IN      A       10.10.40.200
DC-01.mydomain.local.        3600    IN      A       10.10.40.10
dc-01.mydomain.local.        3600    IN      A       10.10.40.10
DC-02.mydomain.local.        3600    IN      A       10.10.40.200

;; Query time: 0 msec
;; SERVER: 10.10.40.10#53(10.10.40.10)
;; WHEN: Thu Aug 17 08:48:20 CDT 2023
;; MSG SIZE  rcvd: 267


When I lookup LDAP SRV records I see the following:

Code:
root@truenas[/home/admin]# host -t srv _ldap._tcp.mydomain.local
_ldap._tcp.mydomain.local has SRV record 0 100 389 dc-02.mydomain.local.
_ldap._tcp.mydomain.local has SRV record 0 100 389 DC-01.mydomain.local.
_ldap._tcp.mydomain.local has SRV record 0 100 389 dc-01.mydomain.local.


All the hostnames and IPs are correct.
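As an added check (not from the thread or from TrueNAS itself), this script parses `dig`/`host` style SRV and A records like the ones above and flags what a join would trip over: a DC advertising an unexpected port, an SRV target with no A record in the reply, or a service with no SRV records at all. The sample output is constructed from the records posted here; case-variant duplicates such as `DC-01`/`dc-01` are folded together because DNS names are case-insensitive.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the ANSWER/ADDITIONAL sections posted in this thread
# (case-variant duplicates like DC-01/dc-01 are kept deliberately).
DIG_OUTPUT = """\
;; ANSWER SECTION:
_kerberos._tcp.dc._msdcs.mydomain.local. 600 IN SRV  0 100 88 dc-02.mydomain.local.
_kerberos._tcp.dc._msdcs.mydomain.local. 600 IN SRV  0 100 88 DC-01.mydomain.local.
_ldap._tcp.mydomain.local. 600 IN SRV  0 100 389 dc-01.mydomain.local.
_ldap._tcp.mydomain.local. 600 IN SRV  0 100 389 DC-02.mydomain.local.
;; ADDITIONAL SECTION:
dc-02.mydomain.local.        3600    IN      A       10.10.40.200
DC-01.mydomain.local.        3600    IN      A       10.10.40.10
"""

SRV_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)$")
A_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+A\s+(\S+)$")

# Service prefix -> port a domain controller is expected to advertise for it.
EXPECTED_PORT = {"_kerberos._tcp.": 88, "_ldap._tcp.": 389}


def norm(name):
    """DNS names are case-insensitive; fold case and drop the trailing dot."""
    return name.lower().rstrip(".")


def parse_records(text):
    """Return (srv_records, a_records) from dig/host style output; ';' comment lines are skipped."""
    srv, a = [], defaultdict(set)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if m := SRV_RE.match(line):
            name, prio, weight, port, target = m.groups()
            srv.append((norm(name), int(prio), int(weight), int(port), norm(target)))
        elif m := A_RE.match(line):
            a[norm(m.group(1))].add(m.group(2))
    return srv, a


def check_srv(text):
    """Return a list of problem strings; an empty list means the lookups look consistent."""
    srv, a = parse_records(text)
    problems = []
    for name, _prio, _weight, port, target in srv:
        svc = next((p for p in EXPECTED_PORT if name.startswith(p)), None)
        if svc and port != EXPECTED_PORT[svc]:
            problems.append(f"{name}: {target} advertises port {port}, expected {EXPECTED_PORT[svc]}")
        if target not in a:
            problems.append(f"{name}: target {target} has no A record in the reply")
    for svc in EXPECTED_PORT:
        if not any(name.startswith(svc) for name, *_ in srv):
            problems.append(f"no SRV records found for {svc}*")
    return problems
```

Paste the output of `dig srv _kerberos._tcp.dc._msdcs.<domain>` and `dig srv _ldap._tcp.<domain>` together into `check_srv` and an empty list means DNS is not the problem; anything else points at the record to fix before retrying the join.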
 
I went ahead and installed the 23.10 beta to see what would happen. Got something different there.

This time I got a message that the credentials couldn't be found in the Kerberos database while getting initial credentials. But what struck me as odd was that it looks to have appended a $ to the username. You can see here I set it with the username of `truenas`, but in all the messages it says `TRUENAS$@MYDOMAIN.LOCAL`.

 

anodos (Sambassador, iXsystems):
I went ahead and installed the 23.10 beta to see what would happen. Got something different there.

This time I got a message that the credentials couldn't be found in the Kerberos database while getting initial credentials. But what struck me as odd was that it looks to have appended a $ to the username. You can see here I set it with the username of `truenas`, but in all the messages it says `TRUENAS$@MYDOMAIN.LOCAL`.

This means you have a kerberos keytab created from a previous domain join that you should remove. The DC does not recognize it and is rejecting it.
 
This means you have a kerberos keytab created from a previous domain join that you should remove. The DC does not recognize it and is rejecting it.
It was a completely fresh install. Removed any remnants from DNS and AD, then installed the Beta from a new ISO. Made sure to overwrite the existing install. The first thing I did after setting up networking was to try to join the domain, and that was the error.

Resolved it by disabling AD, saving, then re-enabling AD with advanced options where I told it to use a new keytab.
 