Active Directory
7 minute read.
Last Modified 2021-07-16 16:28 EDTThe Active Directory (AD) service shares resources in a Windows network. AD provides authentication and authorization services for the users in a network, eliminating the need to recreate the user accounts on TrueNAS.
Users can configure AD services on a Windows server running Windows Server 2000 or later, or on a Unix-like operating system running Samba version 4. To configure a connection, you will need to know the Active Directory domain controller’s domain and that system’s account credentials.
Users can take a few steps before configuring Active Directory to ensure the connection process goes smoothly.
To confirm that name resolution is functioning, go to the Shell and use ping to check the connection to the AD domain controller.
When packets are being sent and received without loss, the connection is verified.
Press Ctrl + C to cancel the ping.
Another option is to use host -t srv _ldap._tcp.domainname.com to check the network’s SRV records and verify DNS resolution.
Active Directory relies on Kerberos, a time-sensitive protocol. During the domain join process, the AD domain controller with the PDC Emulator FSMO Role is added as the preferred NTP server. If your environment requires something different, you can change NTP server settings in System > NTP Servers.
The local system time cannot be out of sync by more than five minutes with the AD domain controller time in a default AD environment. Use an external time source when configuring a virtualized domain controller. TrueNAS creates an Alert if the system time gets out of sync with the AD domain controller time.
There are a few options in TrueNAS to ensure both systems are synchronized:
- Go to System > General and make sure the Timezone matches the AD Domain Controller.
- Set either localtime or universal time in the system BIOS.
To connect to Active Directory, go to Directory Services > Active Directory and enter the AD Domain Name and account credentials. Set Enable to attempt to join the AD domain immediately after saving the configuration.
Advanced options are available for fine-tuning the AD configuration, but the preconfigured defaults are generally suitable.
When the import is complete, AD users and groups become available while configuring basic dataset permissions or an Access Control List (ACL) with TrueNAS cache enabled (enabled by default).
Joining AD also adds default Kerberos realms and generates a default AD_MACHINE_ACCOUNT keytab.
TrueNAS automatically begins using this default keytab and removes any administrator credentials stored in the TrueNAS configuration file.
| Setting | Description |
|---|---|
| Verbose logging | Set to log attempts to join the domain to /var/log/messages. |
| Allow Trusted Domains | When set, usernames do not include a domain name. Unset to force domain names to be prepended to user names. One possible reason for unsetting this value is to prevent username collisions when Allow Trusted Domains is set and there are identical usernames in more than one domain |
| Use Default Domain | Unset to prepend the domain name to the username. Unset to prevent name collisions when Allow Trusted Domains is set and multiple domains use the same username. |
| Allow DNS Updates | Set to enable Samba to do DNS updates when joining a domain. |
| Disable FreeNAS Cache | Set to disable caching AD users and groups. This can help when unable to bind to a domain with a large number of users or groups. |
| Restrict PAM | Set to restrict SSH access in certain circumstances to only members of BUILTIN\Administrators. |
| Site Name | Enter the relative distinguished name of the site object in the Active Directory. |
| Kerberos Realm | Select an existing realm that was added in Directory Services > Kerberos Realms. |
| Kerberos Principal | Select the location of the principal in the keytab created in Directory Services > Kerberos Keytabs. |
| Computer Account OU | The OU in which new computer accounts are created. The OU string is read from top to bottom without RDNs. Slashes ("/") are used as delimiters, like Computers/Servers/NAS. The backslash ("\") is used to escape characters but not as a separator. Backslashes are interpreted at multiple levels and might require doubling or even quadrupling to take effect. When this field is blank, new computer accounts are created in the Active Directory default OU. |
| AD Timeout | Number of seconds before timeout. To view the AD connection status, open the interface Task Manager. |
| DNS Timeout | Number of seconds before a timeout. Increase this value if AD DNS queries time out. |
| Winbind NSS Info | Choose the schema to use when querying AD for user/group info. rfc2307 uses the schema support included in Windows 2003 R2, sfu is for Service For Unix 3.0 or 3.5, and sfu20 is for Service For Unix 2.0. |
| Netbios Name | Netbios Name of this NAS. This name must differ from the Workgroup name and be no greater than 15 characters. |
| NetBIOS alias | Alternative names that SMB clients can use when connecting to this NAS. Can be no greater than 15 characters. |
| EDIT IDMAP | Navigates to Directory Services > Idmap so the user can edit the Active Directory’s Idmap |
| LEAVE DOMAIN | Disconnects the TrueNAS system from the Active Directory. |
If the cache becomes out of sync or fewer users than expected are available in the permissions editors, resync it using Directory Service > Active Directory > REBUILD DIRECTORY SERVICE CACHE.
If the Windows server version is lower than 2008 R2, try creating a Computer entry on the Windows server Organizational Unit (OU). When creating this entry, enter the TrueNAS hostname in the name field. Make sure it is the same name as the one set in the Hostname field in Network > Global Configuration, and the NetBIOS alias from Directory Service > Active Directory > Advanced Options.