TrueNAS Scale won't join AD if the domain name is uppercase

vitaprimo

Dabbler
Joined
Jun 28, 2018
Messages
27
I noticed TrueNAS left AD. There were some changes on the controllers so it wasn't unexpected.

I clicked <somewhere> that took me to the AD settings; it was prefilled with the Kerberos realm, which is the same as the domain. Since DNS is supposed to be case-insensitive, I just clicked Save and watched the console/ticker below make and fail the SRV query. I kept trying, changing here and there but intentionally leaving the domain in capital letters, and it would fail over and over. Finally I corrected it when it stopped being fun, and it didn't quite join, but it didn't return an error and the status changed to JOINING.

Just to make sure it'll join, I requested a Kerberos ticket from the web CLI (it worked right away):
Code:
root@zx1[~]# kinit maskedusername
Password for maskedusername@MASKEDDOMA.IN:
root@zx1[~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: maskedusername@MASKEDDOMA.IN
Valid starting     Expires            Service principal
11/22/22 13:55:50  11/22/22 23:55:50  krbtgt/MASKEDDOMA.IN@MASKEDDOMA.IN
        renew until 11/23/22 13:55:45
root@zx1[~]#


It's mostly, if not only, a host-authenticated NFS server; AD was joined only for "what if…" reasons, so I have no real problem except a little guilt about not reporting it if I may be sitting on a bug. Is it a bug? Or is it designed like that?
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
It's unclear what part of the webui you are referencing. Kerberos realms are case-sensitive, but convention is to use upper-case only. I've only seen one or two cases where lower-case was in use (universities that had Kerberos back when standards were being developed, probably).
 

vitaprimo

Dabbler
Joined
Jun 28, 2018
Messages
27
Oh, my bad. Here:
[attached screenshot: Screen_Shot_2022-11-23_at_12_20_32_PM.png]
Only it already joined the domain, so the exact screen is slightly different. It has a proper Kerberos keytab (other times I would just join the machine, letting it sort things out on its own from DNS). My guess is, because it has the keytab, it's taking the realm from it to autocomplete the domain, instead of just using the previously-joined domai.. DNS labels. That's just speculation though; what I know for a fact is that DNS is not case-sensitive. URIs, sure, but not the DNS labels themselves.

[attached screenshot: Screen Shot 2022-11-23 at 12.52.29 PM.png]

That middle dig is embarrassing.

I'm also very aware that the records exist, because I'm using a couple of BIND servers to route DNS between outbound DNS filters and AD DCs; I had to create them manually. I ran out of things to rule out, except for a bug. I'm on TrueNAS-SCALE-22.02.2.1, BTW. I think it's still in beta. I forgot to mention. I'm the worst bug reporter ever.
 

vitaprimo

Dabbler
Joined
Jun 28, 2018
Messages
27
Also, that university thing sounds awesome. Since I was a kid, I always wanted to be in that kind of environment, when things were chunky and mainframe-y. Here, proper networks only became common because of the Internet, so it was a somewhat abrupt transition; I would've been far too young to be trusted around that anyway. If only I had been born in the '70s… make that the '60s, so I would be old enough to enjoy the '70s debauchery. You just piqued my curiosity again.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Sorry. Still not clear on the issue you're seeing. Discussion of uppercase is somewhat covered here: https://web.mit.edu/kerberos/krb5-1.12/doc/admin/realm_config.html
"Although your Kerberos realm can be any ASCII string, convention is to make it the same as your domain name, in upper-case letters."
Though if this is AD, the realm will always be upper-case.

There were some issues regarding kerberos config and AD joins in SCALE that were fixed in later releases.
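The point the thread circles around is that one string does two jobs with different case rules: as a DNS name (for the SRV lookups the join makes) it is case-insensitive, as a Kerberos realm it is compared byte for byte and in AD is always upper-case. The following added example, which is not TrueNAS code, shows a join-form validator that keeps the two forms apart; the SRV names, the krb5.conf options and the klist sample are assumptions modelled on standard AD layouts and on the output quoted above.

```python
import re
from typing import Optional

# Queries an AD join makes to locate domain controllers (names assumed
# from the standard _msdcs layout; not taken from TrueNAS code).
SRV_TEMPLATES = (
    "_ldap._tcp.dc._msdcs.{domain}",
    "_kerberos._tcp.dc._msdcs.{domain}",
)

def normalise_join(name: str) -> dict:
    """Split a user-entered domain/realm into its DNS form and its Kerberos form."""
    name = name.strip().rstrip(".")
    if not re.fullmatch(r"[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+", name):
        raise ValueError(f"not a DNS domain name: {name!r}")
    dns_domain = name.lower()      # DNS labels compare case-insensitively
    realm = name.upper()           # AD realms are the domain in upper case
    return {
        "dns_domain": dns_domain,
        "realm": realm,
        "srv_queries": [t.format(domain=dns_domain) for t in SRV_TEMPLATES],
        "krb5_conf": (
            "[libdefaults]\n"
            f"    default_realm = {realm}\n"
            "    dns_lookup_kdc = true\n"
            "[domain_realm]\n"
            f"    .{dns_domain} = {realm}\n"
            f"    {dns_domain} = {realm}\n"
        ),
    }

def realm_from_klist(klist_output: str) -> Optional[str]:
    """Pull the realm out of 'Default principal: user@REALM' in klist output."""
    m = re.search(r"Default principal:\s*[^@\s]+@(\S+)", klist_output)
    return m.group(1) if m else None

def realm_matches(keytab_realm: str, entered_name: str) -> bool:
    """Kerberos compares realm names byte for byte, so no case folding here."""
    return keytab_realm == normalise_join(entered_name)["realm"]

if __name__ == "__main__":
    # Constructed klist output, modelled on the post above (masked domain kept).
    KLIST = "Ticket cache: FILE:/tmp/krb5cc_0\nDefault principal: someuser@MASKEDDOMA.IN\n"
    info = normalise_join("MASKEDDOMA.IN")   # upper-case, as the form prefilled it
    print(info["srv_queries"][0])            # _ldap._tcp.dc._msdcs.maskeddoma.in
    print(realm_matches(realm_from_klist(KLIST), "maskeddoma.in"))  # True
```

Whatever case the form is prefilled with, the SRV query is issued against the lower-cased DNS name while the realm written to krb5.conf stays upper-case, so a keytab realm and a lower-case entered domain still match.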