Joining Active Directory Error

[bartqn4]

Hi everyone,

Im kinda new to TrueNAS and I'm working on a small proof of concept for school.

I'm stuck with one problem: When I'm trying to join my domain it gives this error:

I can ping the domain and the domain controller.

Anyone knows a fix?

 

[anodos]

What version is this?

 

[bartqn4]

What version is this?

12.0

 

[Samuel Tai]

What's the full version? 12.0 doesn't tell us that much.

 

[bartqn4]

What's the full version? 12.0 doesn't tell us that much.

CORE 12.0
Is that the full version name?

 

[Samuel Tai]

CORE 12.0
Is that the full version name?

What does the version show in System Information widget in the Dashboard? We're looking for something like 12.0-U7.

 

[bartqn4]

What does the version show in System Information widget in the Dashboard? We're looking for something like 12.0-U7.

12.0-U5

 

[Samuel Tai]

For the domain account name, try just the account without the domain in front. It's probably prepending the domain in front of your domain\account, so of course there won't be an account matching domain\domain\account.

 

[anodos]

12.0-U5

update to U7, there is a critical winbindd security vulnerability in U5, otherwise Samuel Tai is right. Later versions also have better error reporting.

 

[bartqn4]

For the domain account name, try just the account without the domain in front. It's probably prepending the domain in front of your domain\account, so of course there won't be an account matching domain\domain\account.

I tried that already, didn't work

 

[bartqn4]

update to U7, there is a critical winbindd security vulnerability in U5, otherwise Samuel Tai is right. Later versions also have better error reporting.

Did this, same error. Should be something with the domain account then right?

 

[Samuel Tai]

Are you leaving the \ in front of the account?

 

[bartqn4]

Are you leaving the \ in front of the account?

Both not working, so DOMAIN\Administrator and Administrator not working

 

[Samuel Tai]

How is your domain set up? This smells like password authentication for Administrator has been disabled.

Also, have you looked at the manual? https://www.truenas.com/docs/core/directoryservices/activedirectory/

You've already stated DNS is working. How about NTP? Are you sync'ed to the DC? Are you using the NetBIOS domain or the DNS domain for your forest?

 

[bartqn4]

How is your domain set up? This smells like password authentication for Administrator has been disabled.

Also, have you looked at the manual? https://www.truenas.com/docs/core/directoryservices/activedirectory/

You've already stated DNS is working. How about NTP? Are you sync'ed to the DC? Are you using the NetBIOS domain or the DNS domain for your forest?

Yes, NTP is enabled. I think I'm using the DNS domain.
How do I check password authentication option?

 

[anodos]

The particular place you're failing at is when we try to kinit to get a kerberos ticket. You can try to kinit from CLI by running command `kinit administrator@fqdn`. It might give more useful information.

 

[bartqn4]

The particular place you're failing at is when we try to kinit to get a kerberos ticket. You can try to kinit from CLI by running command `kinit administrator@fqdn`. It might give more useful information.

I haven't set up Kerberos or anything tho, should I do that? Kinda new to this stuff.

 

[Samuel Tai]

AD requires Kerberos. No wonder it's not working. You're just trying to join an ordinary domain.

 

[bartqn4]

AD requires Kerberos. No wonder it's not working. You're just trying to join an ordinary domain.

Thanks! Will try that tomorrow

 

[anodos]

AD requires Kerberos. No wonder it's not working. You're just trying to join an ordinary domain.

In theory if you have properly-functioning DNS, the OS kerberos client should allow you to kinit if you specify the FQDN. This probably indicates a DNS issue. Perhaps relevant SRV records for kerberos are not able to be queried through the configured nameservers.