


Last Modified 2021-03-25 18:09 EDT

Kerberos is a web authentication protocol that uses strong cryptography to prove the identity of both client and server over an insecure network connection.

Kerberos uses “realms” and “keytabs” to authenticate clients and servers. A Kerberos realm is an authorized domain that a Kerberos server can use to authenticate a client. By default, TrueNAS creates a Kerberos realm for the local system. A keytab (“key table”) is a file that stores encryption keys and is used for various authentication scenarios.

TrueNAS allows configuring both Kerberos realms and keytabs.

Kerberos Realms

Go to Directory Services > Kerberos Realms to view and add Kerberos realms. When the network contains a Key Distribution Center (KDC), click ADD to add the realm.


Enter the Realm name and click SUBMIT.

Setting           Value    Description
KDC               string   Name of the Key Distribution Center.
Admin Server      string   Server where all changes to the database are performed.
Password Server   string   Server where all password changes are performed.

Kerberos Keytabs

Kerberos keytabs are for joining Active Directory or LDAP without a password. This means the password for the Active Directory or LDAP administrator account is not saved in the TrueNAS system database, which can be seen as a security risk in some environments.

When using a keytab, create and use a less privileged account for performing any required queries. The password for that account is stored in the TrueNAS system database.

Create Keytab on Windows

To create the keytab on a Windows system, use the ktpass command:

ktpass.exe /out freenas.keytab /princ http/useraccount@EXAMPLE.COM /mapuser useraccount /ptype KRB5_NT_PRINCIPAL /crypto ALL /pass userpass


Setting /crypto to ALL allows using all supported cryptographic types. Any of these encryption types can be specified instead of ALL:

  • DES-CBC-CRC is used for compatibility.
  • DES-CBC-MD5 adheres more closely to the MIT implementation and is used for compatibility.
  • RC4-HMAC-NT uses 128-bit encryption.
  • AES256-SHA1 uses AES256-CTS-HMAC-SHA1-96 encryption.
  • AES128-SHA1 uses AES128-CTS-HMAC-SHA1-96 encryption.

This creates a keytab with sufficient privileges to grant tickets.
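Before uploading a keytab, it is worth checking what ktpass actually wrote into it. The following is an added example (not part of the TrueNAS documentation or its code) that parses the MIT keytab file format and lists each principal with its encryption-type number and key version; it flags entries that still use the DES or RC4 types from the list above. The sample keytab is constructed in memory by the example itself, with a made-up principal and dummy key bytes, so it runs offline.

```python
import struct

ENCTYPES = {1: "DES-CBC-CRC", 3: "DES-CBC-MD5", 17: "AES128-SHA1",
            18: "AES256-SHA1", 23: "RC4-HMAC-NT"}  # RFC 3961/4757 numbers
LEGACY = {1, 3, 23}  # the DES and RC4 types from the ktpass list above

def _cstr(b):
    return struct.pack(">H", len(b)) + b  # keytab "counted string"

def build_keytab(entries):
    """Write a version 0x0502 keytab from (principal, enctype, key, kvno)."""
    out = b"\x05\x02"
    for princ, etype, key, kvno in entries:
        name, realm = princ.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _cstr(realm.encode())
        body += b"".join(_cstr(c.encode()) for c in comps)
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # name type, time, vno8
        body += struct.pack(">HH", etype, len(key)) + key
        body += struct.pack(">I", kvno)  # 32-bit kvno that modern tools append
        out += struct.pack(">i", len(body)) + body
    return out

def parse_keytab(data):
    """Return (principal, enctype number, kvno) for every live entry."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    pos, found = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:  # a negative size marks a deleted entry: skip its bytes
            pos -= size
            continue
        e, pos = data[pos:pos + size], pos + size
        ncomp, rlen = struct.unpack_from(">HH", e, 0)
        off, realm, comps = 4 + rlen, e[4:4 + rlen].decode(), []
        for _ in range(ncomp):
            (n,) = struct.unpack_from(">H", e, off)
            comps.append(e[off + 2:off + 2 + n].decode())
            off += 2 + n
        vno8, etype, klen = struct.unpack_from(">BHH", e, off + 8)  # after name type + timestamp
        off += 13 + klen
        kvno = struct.unpack_from(">I", e, off)[0] if off + 4 <= size else vno8
        found.append(("/".join(comps) + "@" + realm, etype, kvno))
    return found

def legacy_principals(data):
    """Principals whose keytab entry still carries a DES or RC4 key."""
    return sorted({p for p, et, _ in parse_keytab(data) if et in LEGACY})
```

Run parse_keytab on the bytes of a real keytab file to list its entries; an empty result from legacy_principals means every key in it is an AES type.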

Add Windows Keytab to TrueNAS

After the keytab is generated, add it to the TrueNAS system in Directory Services > Kerberos Keytabs > Add Kerberos Keytab.

To instruct the Active Directory service to use the keytab, select the installed keytab from the Kerberos Principal drop-down in Directory Services > Active Directory > Advanced Mode. When using a keytab with Active Directory, make sure that the username and userpass in the keytab match the Domain Account Name and Domain Account Password fields in Directory Services > Active Directory.

To instruct LDAP to use a principal from the keytab, use the Kerberos Principal drop-down in Directory Services > LDAP > Advanced Mode.

Kerberos Settings

Additional Kerberos options are in Directory Services > Kerberos Settings.


  • Appdefaults Auxiliary Parameters: Define any additional settings for use by some Kerberos applications. The available settings and their syntax are listed in the [appdefaults] section of krb5.conf(5).
  • Libdefaults Auxiliary Parameters: Define any settings used by the Kerberos library. The available settings and their syntax are listed in the [libdefaults] section of krb5.conf(5).