FRG: Directory Services

Descriptions of each field in the Directory Services section of the TrueNAS web interface.

  6 minute read

Active Directory

Domain Credentials

Domain NameEnter the Active Directory domain (example.com) or child domain (sales.example.com).
Domain Account NameEnter the Active Directory administrator account name.
Domain Account PasswordPassword for the Active Directory administrator account. Required the first time a domain is configured. After initial configuration, the password is not needed to edit, start, or stop the service.
EnableEnable the Active Directory service. The first time this option is set, the Domain Account Password must be entered.

Advanced

Verbose loggingSet to log attempts to join the domain to /var/log/messages.
Allow Trusted DomainsWhen set, usernames do not include a domain name. Unset to force domain names to be prepended to user names. One possible reason for unsetting this value is to prevent username collisions when Allow Trusted Domains is set and there are identical usernames in more than one domain.
Use Default DomainUnset to prepend the domain name to the username. Unset to prevent name collisions when Allow Trusted Domains is set and multiple domains use the same username.
Allow DNS updatesSet to enable Samba to do DNS updates when joining a domain.
Disable FreeNAS CacheSet to disable caching AD users and groups. This can help when unable to bind to a domain with a large number of users or groups.
Restrict PAMSet to restrict SSH access in certain circumstances to only members of BUILTIN\Administrators
Site NameEnter the relative distinguished name of the site object in the Active Directory.
Kerberos RealmSelect an existing realm that was added in Directory Services > Kerberos Realms.
Kerberos PrincipalSelect the location of the principal in the keytab created in Directory Services > Kerberos Keytabs.
Computer Account OUThe OU in which new computer accounts are created. The OU string is read from top to bottom without RDNs. Slashes ("/") are used as delimiters, like Computers/Servers/NAS. The backslash ("\") is used to escape characters but not as a separator. Backslashes are interpreted at multiple levels and might require doubling or even quadrupling to take effect. When this field is blank, new computer accounts are created in the Active Directory default OU.
AD TimeoutNumber of seconds before timeout. To view the AD connection status, open the interface Task Manager.
DNS TimeoutNumber of seconds before a timeout. Increase this value if AD DNS queries time out.
Winbind NSS InfoChoose the schema to use when querying AD for user/group info. rfc2307 uses the schema support included in Windows 2003 R2, sfu is for Service For Unix 3.0 or 3.5, and sfu20 is for Service For Unix 2.0.
Netbios NameNetbios Name of this NAS. This name must differ from the Workgroup name and be no greater than 15 characters.
NetBIOS aliasAlternative names that SMB clients can use when connecting to this NAS. Can be no greater than 15 characters.

IDMAP Edit

Settings

ldmap BackendProvides a plugin interface for Winbind to use varying backends to store SID/uid/gid mapping tables. The correct setting depends on the environment in which the NAS is deployed.
NameEnter the pre-Windows 2000 domain name.
DNS Domain NameDNS name of the domain
Range LowRange Low and Range High set the range of UID/GID numbers which this IDMap backend translates. If an external credential like a Windows SID maps to a UID or GID number outside this range, the external credential is ignored.
Range HighRange Low and Range High set the range of UID/GID numbers which this IDMap backend translates. If an external credential like a Windows SID maps to a UID or GID number outside this range, the external credential is ignored.

Options

SSSD CompatGenerate idmap low range based on same algorithm that SSSD uses by default.

LDAP

Server Credentials

HostnameLDAP server hostnames or IP addresses. Separate entries with an empty space. Multiple hostnames or IP addresses can be entered to create an LDAP failover priority list. If a host does not respond, the next host in the list is tried until a new connection is established.
Base DNTop level of the LDAP directory tree to be used when searching for resources. Example: dc=test,dc=org.
Bind DNAdministrative account name on the LDAP server. Example: cn=Manager,dc=test,dc=org.
Bind PasswordPassword for the Bind DN.
EnableActivates the configuration. Unset to disable the configuration without deleting it.

Advanced

Allow Anonymous BindingSet for the LDAP server to disable authentication and allow read and write access to any client.
Kerberos RealmSelect an existing realm that was added in Directory Services > Kerberos Realms.
Kerberos PrincipalSelect the location of the principal in the keytab created in Directory Services > Kerberos Keytabs.
Encryption ModeOptions for encrypting the LDAP connection: OFF: do not encrypt the LDAP connection. ON: encrypt the LDAP connection with SSL on port 636. START_TLS: encrypt the LDAP connection with STARTTLS on the default LDAP port 389.
CertificateCertificate to use when performing LDAP certificate-based authentication. To configure LDAP certificate-based authentication, create a Certificate Signing Request for the LDAP provider to sign. A certificate is not required when using username/password or Kerberos authentication.
Validate CertificatesVerify certificate authenticity.
Disable LDAP User/Group CacheDisable caching LDAP users and groups in large LDAP environments. When caching is disabled, LDAP users and groups do not appear in dropdown menus, but are still accepted when manually entered.
LDAP timeoutLDAP timeout in seconds. Increase this value if a Kerberos ticket timeout occurs.
DNS timeoutDNS timeout in seconds. Increase this value if DNS queries timeout.
Samba Schema (DEPRECATED - see help text)Only set LDAP authentication for SMB shares is required and the LDAP server is already configured with Samba attributes. DEPRECATED: Support for Samba Schema is officially deprecated in Samba 4.13. The feature will be removed after Samba 4.14. Users should begin upgrading legacy Samba domains to Samba AD domains.
Auxiliary ParametersAdditional options for nslcd.conf.
SchemaSelect a schema when Samba Schema is set.

NIS

Network Information Service (NIS)

NIS DomainName of NIS domain.
NIS ServersList of hostnames or IP addresses. Separate entries by pressing Enter.
Secure ModeSet to have ypbind(8) refuse to bind to any NIS server not running as root on a TCP port over 1024.
ManycastSet for ypbind to bind to the server that responds the fastest.
EnableUnset to disable the configuration without deleting it.

Kerberos Realms: Add

Kerberos Realms

RealmEnter the name of the realm.

Advanced

RealmEnter the name of the realm.
KDCEnter the name of the Key Distribution Center. Separate multiple values by pressing Enter.
Admin ServerDefine the server where all changes to the database are performed. Separate multiple values by pressing Enter.
Password ServerDefine the server where all password changes are performed. Separate multiple values by pressing Enter.

Kerberos Keytab: Add

Kerberos Keytab

NameEnter a name for this Keytab.
Keberos KeytabBrowse to the keytab file to upload.

Kerberos Settings

Options

Appdefaults Auxiliary ParametersAdditional Kerberos application settings. See the “appdefaults” section of krb.conf(5). for available settings and usage syntax.
Libdefaults Auxiliary ParametersAdditional Kerberos application settings. See the “libdefaults” section of krb.conf(5). for available settings and usage syntax.

Last modified February 5, 2021: fix typo (312ae0da)