TrueNAS Stable Version Documentation
This content follows TrueNAS 25.10 (Goldeye) releases.

Configuring Kerberos

Kerberos is extremely complex. Only system administrators experienced with configuring Kerberos should attempt it. Misconfiguring Kerberos settings, realms, and keytabs can have a system-wide impact beyond Active Directory or LDAP, and can result in system outages. Do not attempt to configure Kerberos or make changes if you do not know what you are doing!
Kerberos is a computer network security protocol. It authenticates service requests between trusted hosts across an untrusted network (for example, the Internet).

If you configure Active Directory, TrueNAS populates the realm fields and the keytab with what it discovers in AD. You can configure LDAP to communicate with other LDAP servers using Kerberos, or use Kerberos with NFS if it is properly configured, but TrueNAS does not automatically add the realm or keytab for these services.

After AD populates the Kerberos realm and keytabs, do not make changes. Consult with your IT or network services department, or those responsible for the Kerberos deployment in your network environment, for help. For more information on Kerberos settings, refer to the MIT Kerberos Documentation.

Kerberos uses realms and keytabs to authenticate clients and servers. A Kerberos realm is an authorized domain that a Kerberos server can use to authenticate a client. By default, TrueNAS creates a Kerberos realm for the local system. A keytab (“key table”) is a file that stores encryption keys for authentication.

TrueNAS allows users to configure general Kerberos settings, as well as realms and keytabs.

Kerberos Realms

TrueNAS automatically generates a realm after you configure AD.

To configure Kerberos realms:

  1. Go to Credentials > Directory Services and click Show in Advanced Settings, then click Continue on the warning dialog.

  2. Click Add in the Kerberos Realms widget to open the Add Kerberos Realm screen.

  3. Enter the realm name in Realm. Required. Enter the name as a domain name, for example, example.com.

  4. (Optional) Enter the Key Distribution Center name in KDC. The KDC acts as the third-party authentication service for Kerberos. If left blank, TrueNAS uses DNS discovery to locate the KDC. Separate multiple values by pressing Enter.

  5. (Optional) Enter the primary KDC in Primary KDC. The Kerberos client uses this KDC when acquiring credentials if the current KDC fails with a bad password error. This is valuable for domains with hub-and-spoke topology.

  6. (Optional) Enter the server that performs all database changes in Admin Server. If left blank, TrueNAS uses DNS discovery. Separate multiple values by pressing Enter.

  7. (Optional) Enter the server that performs all password changes in Password Server. If left blank, TrueNAS uses DNS discovery. Separate multiple values by pressing Enter.

  8. Click Save.

Kerberos Keytabs

TrueNAS automatically generates a keytab after you configure AD.

A Kerberos keytab is a file containing one or more Kerberos principals with their associated encryption keys. TrueNAS automatically generates a keytab during the Active Directory domain join process. The keytab principals are typically associated with the TrueNAS host computer account.

Keytabs allow authentication without requiring password storage. TrueNAS does not store the Active Directory or LDAP administrator account password in the system database after the keytab is created.

Adding a Keytab to TrueNAS

After generating the keytab:

  1. Go to Credentials > Directory Services and click Show in Advanced Settings, then click Continue on the warning dialog.

  2. Click Add in the Kerberos Keytabs widget to open the Add Kerberos Keytab screen.

  3. Enter a name for the keytab in Name. If configured, TrueNAS populates this field with what it detects in Active Directory.

  4. Browse to the keytab file in Kerberos Keytab and upload it.

  5. Click Save.

Using a Keytab with Active Directory or LDAP

To configure AD to use a keytab, go to the Directory Services screen, click Settings in the Active Directory widget, and select the keytab using the Kerberos Principal dropdown list.

The keytab must correspond to the computer account created during the domain join process.

To configure LDAP to use a keytab principal, click Settings in the LDAP widget and select the keytab using the Kerberos Principal dropdown list.
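Before selecting an uploaded keytab as the principal for AD or LDAP, it is worth confirming that the file really contains the expected computer-account principal and does not carry keys for deprecated ciphers, since any key present in the keytab can be offered during negotiation. The script below is an added example, not TrueNAS code or part of the MIT distribution: it parses the MIT keytab file format (version 0x0502), reports principals, key version numbers and encryption types without ever printing key material, and runs against a keytab constructed inline with dummy keys (the host name, realm, and keys are made up for the example).

```python
import struct
from dataclasses import dataclass

# Encryption type numbers from the IANA Kerberos registry (RFC 3961/3962/8009).
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    19: "aes128-cts-hmac-sha256-128",
    20: "aes256-cts-hmac-sha384-192",
    23: "arcfour-hmac",
}
# DES and RC4 keys in a keytab are a finding: they allow a peer to negotiate
# ciphers that are long deprecated (RFC 6649, RFC 8429).
WEAK_ENCTYPES = {1, 3, 23}


@dataclass
class KeytabEntry:
    principal: str
    name_type: int
    timestamp: int
    kvno: int
    enctype: int
    key_len: int      # length only; key bytes are deliberately not retained


def _counted_string(buf: bytes, off: int):
    """Read a big-endian uint16 length-prefixed byte string."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + n], off + n


def parse_keytab(data: bytes) -> list[KeytabEntry]:
    """Parse an MIT keytab (format 0x0502) into entries, skipping deleted slots."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab format version %r" % data[:2])
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:               # a negative size marks a deleted slot of -size bytes
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted_string(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _counted_string(data, off)
            comps.append(c.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        (enctype,) = struct.unpack_from(">H", data, off)
        off += 2
        key, off = _counted_string(data, off)
        kvno = vno8
        if end - off >= 4:         # optional 32-bit kvno overrides the 8-bit field
            (kvno,) = struct.unpack_from(">I", data, off)
        off = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   name_type, timestamp, kvno, enctype, len(key)))
    return entries


def audit_keytab(data: bytes, expected_principal: str) -> list[str]:
    """Return findings: entries for unexpected principals and entries with weak enctypes."""
    findings = []
    for e in parse_keytab(data):
        if e.principal != expected_principal:
            findings.append(f"unexpected principal {e.principal} (kvno {e.kvno})")
        if e.enctype in WEAK_ENCTYPES:
            findings.append(f"weak enctype {ENCTYPE_NAMES.get(e.enctype, e.enctype)} for {e.principal}")
    return findings


# --- constructed sample keytab: dummy keys, made-up host and realm -----------

def _entry(realm, components, enctype, key, kvno, name_type=1, timestamp=0):
    body = struct.pack(">H", len(components))
    body += struct.pack(">H", len(realm)) + realm.encode()
    for c in components:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


EXPECTED = "host/truenas.example.com@EXAMPLE.COM"
SAMPLE_KEYTAB = (
    b"\x05\x02"
    + _entry("EXAMPLE.COM", ["host", "truenas.example.com"], 18, b"\x11" * 32, 2)
    + struct.pack(">i", -8) + b"\x00" * 8          # a deleted slot, as krb5 leaves them
    + _entry("EXAMPLE.COM", ["host", "truenas.example.com"], 23, b"\x22" * 16, 2)
    + _entry("EXAMPLE.COM", ["nfs", "old-nas.example.com"], 18, b"\x33" * 32, 7)
)

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print(f"{e.principal:45} kvno={e.kvno} {ENCTYPE_NAMES.get(e.enctype, e.enctype)} ({e.key_len}-byte key)")
    for f in audit_keytab(SAMPLE_KEYTAB, EXPECTED):
        print("FINDING:", f)
```

Run against a real keytab, `parse_keytab(open(path, "rb").read())` gives the same view that `klist -kt` prints, and `audit_keytab` flags a leftover principal from an old host or an RC4 key that a domain join with legacy settings may have left behind. The key bytes are discarded as soon as their length is recorded, so the report can be pasted into a ticket without leaking key material.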

Kerberos Settings

Kerberos is extremely complex. Only system administrators experienced with configuring Kerberos should attempt it. Misconfiguring Kerberos settings, realms, and keytabs can have a system-wide impact beyond Active Directory or LDAP, and can result in system outages. Do not attempt to configure Kerberos or make changes if you do not know what you are doing!

The Kerberos Settings screen is available in Advanced Settings for configuring auxiliary parameters.

To access Kerberos Settings:

  1. Go to Credentials > Directory Services and click Show in Advanced Settings, then click Continue on the warning dialog.

  2. Click Settings in the Kerberos Settings widget to open the Kerberos Settings screen.

  3. (Optional) Enter additional Kerberos application settings in Appdefaults Auxiliary Parameters. See the appdefaults section of krb5.conf(5) for available settings and usage syntax.

  4. (Optional) Enter additional Kerberos library settings in Libdefaults Auxiliary Parameters. See the libdefaults section of krb5.conf(5) for available settings and usage syntax.

  5. Click Save.
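The realm fields described under Kerberos Realms and the two auxiliary-parameter boxes above correspond to sections of a standard MIT krb5.conf(5). The fragment below is an added illustration of that mapping, not a file generated by TrueNAS: the realm, host names, and parameter values are made up, and the assumption that TrueNAS renders each form field to the krb5.conf key shown in the comments is the editor's, not a statement from the TrueNAS documentation.

```ini
[libdefaults]
    # Libdefaults Auxiliary Parameters land in this section. The realm is
    # written in upper case, which is the Kerberos convention for realm names.
    default_realm = EXAMPLE.COM
    dns_lookup_kdc = true
    # Restricting enctypes here keeps a client from negotiating RC4 or DES even
    # if a keytab still carries such a key.
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96

[realms]
    EXAMPLE.COM = {
        # "KDC": one kdc line per value entered (multiple values, each on Enter).
        kdc = kdc1.example.com
        kdc = kdc2.example.com
        # "Primary KDC": consulted after a bad-password failure against another KDC.
        # MIT 1.19 and later also accept the newer name primary_kdc.
        master_kdc = kdc1.example.com
        # "Admin Server": where database changes are made.
        admin_server = kdc1.example.com
        # "Password Server": where password changes are made.
        kpasswd_server = kdc1.example.com
    }

[appdefaults]
    # Appdefaults Auxiliary Parameters land here, keyed by application name.
    pam = {
        forwardable = true
    }
```

Leaving KDC, Admin Server, and Password Server blank omits the corresponding lines, and the library then falls back to DNS SRV lookup for the realm, which is why DNS must resolve correctly from TrueNAS before a realm with empty server fields will work.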