Get a Quote   (408) 943-4100               TrueNAS Discord      VendOp_Icon_15x15px   Commercial Support Toggle between Light and Dark mode

Active Directory Screen

  3 minute read.

Last Modified 2022-06-10 13:14 EDT

Use the Directory Serices Active Directory screens to set up Active Directory (AD) on your TrueNAS.

ActiveDirectoryScreen

Basic Options

ActiveDirectoryScreenBasicOptions

SettingDescription
Domain Nameenter the Active Directory domain (exmple.com) or child domain (sales.example.com). Required field.
Domain Account NameSEnter the Active Directory administrator account name. Required field.
Domain Accunt PasswordLEnter the password for the Active Directory administrator account. Required the first time a domain is configured. After initial configuration, the password is not needed to edit, start or stop the service.
Enable (requires password or Kerberos principleEnable the Active Directory services. The first time this option is selected, the Domain Account Password must be entered.

Advanced Options

ActiveDirectoryScreenAdvancedOptions

SettingDescription
Verbose loggingSelect to log attempts to join the domain to /var/log/messages.
Allow Trusted DomainsSelect to not include a domain name in user names. Leave checkbox clear to force domain names to prepend to user names. One possible reason for not setting this value is to prevent user name collisions when Allow Trusted Domains is selected and there are identical user names in more than one domain.
Use Default DomainLeave checkbox clear to prepend the domain name to the user name. When not selected prevents name collisions when Allow Trusted Domains is set and multiple domains use the same user name.
Allow DNS UpdatesSelect to enable Samba to do DNS updates when joining a domain.
Disable FreeNAS CacheSelect to disable caching AD users and groups. This can help when unable to bind to a domain with a large number of users or groups.
Restrict PAMSelect to restrict SSH access in certain circumstances to only members of BUILTIN\Administrators.
Site NameEnter the relative distinguished name of the site object in the Active Directory.
Kerberos RealmSelect an existing realm that is added in Directory Services > Kerberos Realms.
Kerberos PrincipalSelect the location of the principal in the keytab created in Directory Services > Kerberos Keytabs.
Computer Account OUThe OU in which new computer accounts are created. The OU string is read from top to bottom without RDNs. Slashes (/) are used as delimiters, like Computers/Servers/NAS. The backslash (\) is used to escape characters but not as a separator. Backslashes are interpreted at multiple levels and might require doubling or even quadrupling to take effect. When left blank, new computer accounts are created in the Active Directory default OU.
AD TimeoutNumber of seconds before timeout. To view the AD connection status, open the interface Task Manager.
DNS TimeoutNumber of seconds before a timeout. Increase this value if AD DNS queries time out.
Winbind NSS InfoSelect the schema to use when querying AD for user/group info from the dropdown list. rfc2307 uses the schema support included in Windows 2003 R2, sfu is for Service For Unix 3.0 or 3.5, and sfu20 is for Service For Unix 2.0.
Netbios NameThe Netbios name of this NAS is truenas. This name must differ from the Workgroup name and be no greater than 15 characters.
NetBIOS aliasAlternative names that SMB clients can use when connecting to this NAS. Can be no greater than 15 characters.
LEAVE DOMAINDisconnects the TrueNAS system from the Active Directory.

Use EDIT IDMAP to navigate to the Directory Services > Idmap screen.

Use REBUILD DIRECTORY SERVICE CACHE to resync the cache if it becomes out of sync or fewer users than expected are available in the permissions editors.

Additional Information

Idmap Screen

Setting Up Active Directory