TrueNAS SCALE | Issues joining active directory

Wiz

Cadet
Joined
Oct 30, 2021
Messages
1
Hi,

I am currently looking into SCALE, to see if it would be a good fit at my workplace, and part of that is obviously Active Directory implementation. I am currently running several instances of SCALE on my ESXi 7.0 hypervisor, in an effort to run through a mock setup, if I were to deploy this service. Currently I am having issues joining my AD. I have a personal-use TrueNAS Core running in my hypervisor as well, and that joined my AD no problem. I assumed SCALE would work similarly, but for the life of me I cannot figure out why it won't.

When trying to join the AD, I am getting these errors, with the following input.
Domain: mydomain.local
Domain Account Name: adminuser@mydomain.local
Resultant error: Failed to discover Active Directory Domain Controller for domain. This may indicate a DNS misconfiguration.
(This is the exact same way I successfully joined my AD with TrueNAS Core)

Domain: domaincontroller.mydomain.local
Domain Account Name: adminuser
Resultant error: Failed to validate bind credentials: Cannot find KDC for realm "comaincontroller.mydomain.local" while getting initial credentials
(I tried this following some truenas documentation on joining AD)

I am not sure why SCALE and Core work differently when it comes to joining an AD, but the first error sounds to me like SCALE is not liking the domain I entered.
The second error, when I included the actual domain controller's FQDN as the domain, seems to indicate it is at least communicating with the DC, but I'm not sure about much else.

I have several devices on the AD, all is working well, I can ping the DC from all my devices including SCALE.
I also have tried setting SCALE to use a static IP and nameserver, instead of the MAC-based DHCP reservations.
I set the default domain and hostname in SCALE as well, but these all made no difference.

Kinda out of ideas here. Any help would be greatly appreciated.

Thanks.

Yazik

Cadet
Joined
Nov 28, 2021
Messages
4
I agree!
Confirmed message on SCALE 22.02-RC.1-1
> Failed to validate bind credentials: Cannot find KDC for realm "comaincontroller.mydomain.local" while getting initial credentials
> (I tried this following some truenas documentation on joining AD)
Any help with that?

I_AM_RUFUS

Cadet
Joined
Nov 28, 2021
Messages
4
Confirmed on SCALE 22.02-RC.1-2 as well. Seems to be an issue where it looks up the NetBIOS name, and then tries to perform a DNS lookup using that name.

amichelf

Dabbler
Joined
Apr 10, 2020
Messages
24
I am not a Linux expert, but in case your domain really ends with *.local, could it be that you hit this issue?

Since SCALE and Ubuntu are Debian-based, this could be the case.

Yazik

Cadet
Joined
Nov 28, 2021
Messages
4
> I am not a Linux expert, but in case your domain really ends with *.local, could it be that you hit this issue?
>
> Since SCALE and Ubuntu are Debian-based, this could be the case.

I use 'domain.lan' or just 'domain' and try domain.local

I_AM_RUFUS

Cadet
Joined
Nov 28, 2021
Messages
4
I've observed what's going wrong, comparing how Core and SCALE perform the task. On Core, it resolves the DNS address for mydomain.net and correctly connects, but on SCALE, even though it initially correctly resolves mydomain.net, when it tries to actually connect, according to the log, it is trying to connect using the NetBIOS name, MYDOMAIN, which, being NetBIOS, doesn't have a DNS entry. As a result, it fails with "unknown domain". It should be using the FQDN to perform the connection, just like Core does.

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
> I've observed what's going wrong, comparing how Core and SCALE perform the task. On Core, it resolves the DNS address for mydomain.net and correctly connects, but on SCALE, even though it initially correctly resolves mydomain.net, when it tries to actually connect, according to the log, it is trying to connect using the NetBIOS name, MYDOMAIN, which, being NetBIOS, doesn't have a DNS entry. As a result, it fails with "unknown domain". It should be using the FQDN to perform the connection, just like Core does.

The NetBIOS name parameter is always used to generate the AD computer account.

I_AM_RUFUS

Cadet
Joined
Nov 28, 2021
Messages
4
Correct, but not for DNS lookups. Midway through the setup on both Core and SCALE, the setup routine will attempt a test connection using the applied configuration. On Core, it is using "mydomain.net" to query the list of available DCs from DNS, but SCALE is trying to query "MYDOMAIN" - the NetBIOS name, which of course results in a "domain can't be found" error, since the NetBIOS name isn't in DNS, only the FQDN. So SCALE is using the NetBIOS name rather than the FQDN. In situations where the two are exactly the same, there wouldn't be an error, simply by luck, but where the two are different, the error will occur. Again, this works perfectly on Core, as it is looking up the FQDN, not the NetBIOS name, and everything works perfectly.

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
> Correct, but not for DNS lookups. Midway through the setup on both Core and SCALE, the setup routine will attempt a test connection using the applied configuration. On Core, it is using "mydomain.net" to query the list of available DCs from DNS, but SCALE is trying to query "MYDOMAIN" - the NetBIOS name, which of course results in a "domain can't be found" error, since the NetBIOS name isn't in DNS, only the FQDN. So SCALE is using the NetBIOS name rather than the FQDN. In situations where the two are exactly the same, there wouldn't be an error, simply by luck, but where the two are different, the error will occur. Again, this works perfectly on Core, as it is looking up the FQDN, not the NetBIOS name, and everything works perfectly.

What is the exact error message in SCALE?

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
> I get message
>
> Can I fix this temporarily?

That's us not being able to kinit using MIT kerberos. It's using the provided credentials to attempt to kinit. MIT kerberos uses the configured DNS nameservers to look up the SRV record for a KDC. In this case it's failing. Root cause is typically a network configuration issue. Perhaps make sure that network->configuration has correct DNS, hostname, and domain settings.

If we cannot kinit, then it is impossible to join AD.

Marc Lachapelle

Dabbler
Joined
May 22, 2022
Messages
20
Hello, I hope someone solved the issue I have

When I was using TrueNAS CORE everything was fine
I updated to TrueNAS SCALE (in place upgrade) and it was fine too.
Recently I had to upgrade my network adapter and I had to re-install SCALE from the ISO. I restored the config I backed up before.
Since I was not able to reach the domain, I left the domain. Since then I cannot rejoin.

Few facts:
My domain name has not changed and its length is greater than the WORKGROUP limit of 15 (it is 18 characters long)
I can ping all my 3 ADs (same domain) without any issue.
AD and TrueNAS are on the same subnet
host -t srv _ldap._tcp.DomainName returns my 3 ADs

The error I get "Failed to discover Active Directory Domain Controller for domain. This may indicate a DNS misconfiguration."
I tested the credentials and was able to log in

I tried the:
1) input credentials and AD info, but leave "enable" unchecked
2) from shell run command "midclt call activedirectory.start".

I re-installed (without restoring my configs) and had the same error.


Since I cannot change the length of my domain name is it possible to join the domain manually?


Thanks
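The two checks the thread keeps coming back to are whether the name being joined is the DNS domain (not the NetBIOS name) and whether the Kerberos and DC SRV records are actually answered by the configured nameservers; `host -t srv` above is the manual form of that. The script below is an added diagnostic, not TrueNAS code or anything from the thread: it parses `host -t srv` output, orders the targets by priority, checks that each target resolves, and flags a dotless (NetBIOS-style) name or a .local domain. It assumes `host` from bind9-host/dnsutils is installed; `check_ad_dns`, `srv_targets`, `is_fqdn` and `is_dot_local` are names chosen here.

```shell
#!/bin/sh
# Added diagnostic (not TrueNAS code): check the DNS records the AD join depends
# on. MIT Kerberos kinit looks up _kerberos._udp.<realm>; DC discovery uses
# _ldap._tcp.dc._msdcs.<domain>. Assumes `host` (bind9-host/dnsutils) exists.

# 0 if NAME contains a dot (a DNS FQDN), 1 if it is a NetBIOS-style short name,
# which has no DNS entry of its own.
is_fqdn() {
  case "$1" in
    *.*) return 0 ;;
    *)   return 1 ;;
  esac
}

# 0 if NAME ends in .local, which nss-mdns sends to multicast DNS when
# "mdns4_minimal [NOTFOUND=return]" precedes "dns" in /etc/nsswitch.conf.
is_dot_local() {
  case "$1" in
    *.local|*.local.) return 0 ;;
    *)                return 1 ;;
  esac
}

# Parse `host -t srv` output on stdin into "priority weight port target" lines,
# lowest priority first (the order a client tries them); trailing dot removed.
# Lines that are not SRV answers (NXDOMAIN, timeouts) produce no output.
srv_targets() {
  awk '/ has SRV record / { t = $NF; sub(/\.$/, "", t); print $(NF-3), $(NF-2), $(NF-1), t }' | sort -k1,1n
}

# Live check against the configured resolvers. Usage: check_ad_dns mydomain.local
check_ad_dns() {
  domain=$1
  is_fqdn "$domain" || echo "WARN: '$domain' has no dot; use the DNS domain name, not the NetBIOS name" >&2
  is_dot_local "$domain" && echo "WARN: .local domain; confirm 'hosts:' in /etc/nsswitch.conf reaches unicast DNS" >&2
  for rec in _kerberos._udp."$domain" _ldap._tcp.dc._msdcs."$domain"; do
    found=$(host -t srv "$rec" 2>/dev/null | srv_targets)
    if [ -z "$found" ]; then
      echo "WARN: no SRV records for $rec (kinit / DC discovery will fail)" >&2
      continue
    fi
    echo "$rec:"
    echo "$found" | while read -r prio weight port target; do
      # each SRV target must itself resolve to an address the NAS can reach
      host "$target" >/dev/null 2>&1 && state=resolves || state="DOES NOT RESOLVE"
      echo "  prio=$prio weight=$weight port=$port $target ($state)"
    done
  done
}

if [ $# -gt 0 ]; then check_ad_dns "$1"; fi
```

Run it with the exact string entered in the Domain field; a warning on the first two lines or an empty SRV answer set reproduces the "Cannot find KDC" and "Failed to discover Active Directory Domain Controller" conditions without involving the middleware.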

Marc Lachapelle

Dabbler
Joined
May 22, 2022
Messages
20
Here is what is in middlewared.log after attempting "midclt call activedirectory.start"


root@truenas[/var/log]# tail middlewared.log
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/middlewared/job.py", line 411, in run
    await self.future
  File "/usr/lib/python3/dist-packages/middlewared/job.py", line 446, in __run_body
    rv = await self.method(*([self] + args))
  File "/usr/lib/python3/dist-packages/middlewared/plugins/activedirectory.py", line 569, in start
    dc_info = await self.lookup_dc(ad['domainname'])
  File "/usr/lib/python3/dist-packages/middlewared/plugins/activedirectory.py", line 925, in lookup_dc
    raise CallError("Failed to look up Domain Controller information: "
middlewared.service_exception.CallError: [EFAULT] Failed to look up Domain Controller information: Didn't find the cldap server!

Can I increase the log level?