TrueNAS Early Release Documentation
This content follows TrueNAS 26 releases.

Directory Services Screens

The Directory Services screen and widgets provide access to TrueNAS settings to set up access to directory services and advanced authentication systems deployed in user environments.

TrueNAS does not configure Active Directory domain controllers or LDAP directory servers, nor does it configure Kerberos authentication servers or ID mapping systems.

Refer to documentation for these services and systems for information on how to configure each to suit your use case.

The Directory Services screen configuration options set up access to directory servers through domain and account settings, and can set up ID mapping or Kerberos authentication and authorization services.

Figure 1: Directory Services Screen

The screen shows the status of directory services when a service is not configured or when it is configured but disabled.

The screen shows two options:

  • Configure Directory Services opens the Directory Services Configuration form where you can set up Active Directory, IPA, or LDAP connections.
  • Advanced Settings, through its Show button, opens the Kerberos Realm and Kerberos Keytab cards after a warning dialog (see Advanced Settings below).

Directory Services Configuration Screen

The Directory Services Configuration screen shows common and directory service-specific settings based on the type of directory service selected in Configuration Type.

Common settings:

  • Basic Configuration
  • Credential Configuration

Directory service-specific settings:

  • Active Directory Configuration, including Trusted Domain and IDMAP Configuration
  • LDAP Configuration
  • IPA Configuration

Basic Configuration

The Basic Configuration settings show settings common to the three directory services available in TrueNAS: Active Directory, LDAP, and IPA (formerly FreeIPA).

Figure 2: Directory Services Configuration - Basic Settings

Basic Configuration Settings

Setting | Description
Configuration Type | Sets the type of directory service. Options are Active Directory, LDAP, and IPA. Each option shows the Credential Configuration settings and changes the settings shown for that type of directory service.
Enable Service | Enables the directory service when selected. If TrueNAS has never joined the specified domain (IPA or Active Directory), enabling causes TrueNAS to attempt to join the domain. NOTE: The domain join process for Active Directory and IPA makes changes to the domain, such as creating a computer account for the TrueNAS server and creating DNS records for TrueNAS. Enabled by default. Leave disabled to deactivate the configuration without deleting it, so it can be re-enabled later without reconfiguring it. The screen returns to the default settings and provides the option to configure AD, LDAP, or IPA.
Enable Account Cache | Enables backend caching for user and group lists. When enabled, directory services users and groups are presented as choices in the UI dropdowns and in API responses for user and group queries. Also controls whether users and groups appear in getent results. Disable to reduce load on the directory server when necessary. Enabled by default.
Enable DNS Updates | Allows TrueNAS to automatically register and update its DNS records on the DNS server for the domain when its IP address changes. Uses Kerberos authentication to verify that TrueNAS has permission to update its own records. Enabled by default. Disable only if your DNS server does not support dynamic updates or if DNS is managed manually.
Timeout (seconds) | The number of seconds before the directory service connection times out. Valid range is 1-40 seconds. This is the timeout value for DNS queries performed as part of the join process and NETWORK_TIMEOUT for LDAP requests (5-60 seconds).
Kerberos Realm | Specifies the name of the Kerberos realm used for authentication to the directory service, for example, EXAMPLE.COM. When left empty, Kerberos is not used for binding to the directory service; however, when joining an Active Directory or IPA domain for the first time, the realm is detected and configured automatically if not specified.

Credential Configuration

The Credential Type setting changes the authentication settings shown for the directory service no matter which type is selected in Configuration Type. Active Directory, IPA and LDAP all show Kerberos authentication options, but LDAP shows additional settings based on LDAP options.

Credential Type sets the credential used to bind to the specified directory service. Kerberos credentials are required for Active Directory or IPA domains. Generic LDAP environments support various authentication methods. Available methods depend on the remote LDAP server configuration. If Kerberos credentials are selected for LDAP, GSSAPI binds replace plain LDAP binds. Use Kerberos or mutual TLS authentication when possible for better security.

Figure 3: Credential Configuration Kerberos User
Figure 4: Credential Configuration Kerberos Principal

Kerberos Credential Configuration Settings

Setting | Description
Credential Type | Sets the credential type for authentication. Options: Kerberos User or Kerberos Principal. Kerberos User shows the Username and Password settings. Kerberos Principal shows the Kerberos Principal dropdown list.
Username | Username of the account used to obtain a Kerberos ticket for authentication to directory services. This account must exist on the domain controller. A Kerberos ticket is a time-limited encrypted credential issued by the domain controller that allows TrueNAS to authenticate to domain services without transmitting passwords over the network.
Password | Password for the user account that obtains the Kerberos ticket.
Kerberos Principal | A Kerberos principal is the unique identity, formatted as username@DOMAIN.COM, that Kerberos uses to issue authentication tickets. Kerberos keytabs configured in TrueNAS show on the dropdown list. The specified principal must have a matching entry in a keytab stored on TrueNAS. Keytabs are managed in Directory Services > Advanced Settings > Kerberos Keytabs. If no keytab entry exists for the specified principal, authentication fails.

LDAP Credential Configuration Settings

When Configuration Type is set to LDAP, Credential Configuration shows five options to define the authentication method for LDAP access:

  • LDAP Plain
  • LDAP Anonymous (shows no additional settings)
  • LDAP MTLS
  • Kerberos Principal
  • Kerberos User

Each option shows different settings in Credential Configuration.

Setting | Description
Bind DN | Specifies the distinguished name to use for authentication, for example, cn=Manager,dc=test,dc=org. This is the administrative account name for the LDAP server. Shows when LDAP Plain is selected.
Bind Password | Specifies the password for the Bind DN. Shows when LDAP Plain is selected.
Client Certificate | Specifies the client certificate to use for mutual TLS authentication to the remote LDAP server. Shows when LDAP MTLS is selected.
Kerberos Principal | A Kerberos principal is the unique identity, formatted as username@DOMAIN.COM, that Kerberos uses to issue authentication tickets. Kerberos keytabs configured in TrueNAS show on the dropdown list. The specified principal must have a matching entry in a keytab stored on TrueNAS. Keytabs are managed in Directory Services > Advanced Settings > Kerberos Keytabs. If no keytab entry exists for the specified principal, authentication fails.
Kerberos User | Shows the Username and Password authentication fields, and sets authentication to use the LDAP administrative account credentials.
Username | Username of the account used to obtain a Kerberos ticket for authentication to the LDAP server. A Kerberos ticket is a time-limited, encrypted credential that allows TrueNAS to authenticate without transmitting passwords over the network.
Password | Password for the user account that obtains the Kerberos ticket.

Active Directory Configuration

The Active Directory Configuration section settings define the connection parameters and domain-specific options.

Figure 9: Active Directory Configuration

Active Directory Configuration Settings

Setting | Description
TrueNAS Hostname | The hostname for the TrueNAS system to register in Active Directory, for example, truenasnyc. This value must match the Hostname setting on the Network > Global Configuration screen and cannot exceed 15 characters. Cannot contain these special characters: \ / : * ? " < >
Domain Name | The full DNS domain name of the Active Directory domain (for example, mydomain.internal) or child domain (for example, sales.example.com) if configuring access to a child domain. This must be the domain name, not the name of a domain controller!
Site Name | The Active Directory site where the TrueNAS server is located. TrueNAS detects this automatically during the domain join process.
Computer Account OU | The organizational unit (OU) where the TrueNAS computer object is created when joining the Active Directory domain for the first time. Enter the distinguished name (DN) of the OU, for example, OU=Computers,DC=example,DC=com. Use this setting to override the default OU in which the TrueNAS computer account is created during the domain join and place the account in a custom location.
Use Default Domain | Controls whether the system removes the domain name prefix from Active Directory user and group names. If enabled, users appear as “administrator” instead of “EXAMPLE\administrator”. This setting might be required for specific configurations, such as Kerberos authentication with NFS for AD users. Enabling it can cause collisions between Active Directory and local user account names, so in most cases leave it disabled (the default).

Active Directory Trusted Domain Configuration

Beginning in TrueNAS 25.10, trusted domains are configured as part of the Active Directory configuration rather than as separate IDmap entries.

The Trusted Domains Configuration section controls access for trusted domains.

Enable Trusted Domains shows the Trusted Domains options that allow clients to access TrueNAS if they are members of domains with a trust relationship. When enabled, the Trusted Domain section and Add button show. Add shows the Basic Configuration section with the IDMAP Backend options.

Figure 10: Trusted Domain Configuration

The IDMAP Backend configuration defines how accounts from the trusted domain are mapped to Unix UIDs and GIDs on the TrueNAS server. Most TrueNAS deployments use the RID backend, which algorithmically assigns UIDs and GIDs based on the Active Directory account SID. Another common option is the AD backend, which reads predefined Active Directory LDAP schema attributes that assign explicit UID and GID numbers to accounts.

The IDMAP Backend dropdown list shows four options:

  • AD (RFC2307/SFU attributes from Active Directory)
  • LDAP
  • RFC2307 (RFC2307 attributes from a standalone LDAP server)
  • RID (Default - algorithmic mapping based on RID values)

Each option shows different settings.

Trusted Domain AD (RFC2307/SFU Attributes from Active Directory) Settings

Setting | Description
Name | Short name for the domain. This should match the NetBIOS domain name for Active Directory domains.
Range Low | The lowest UID or GID that the IDMAP backend can assign.
Range High | The highest UID or GID that the IDMAP backend can assign.
Schema Mode | The schema mode the IDMAP backend uses to query Active Directory for user and group information. The RFC2307 schema applies to Windows Server 2003 R2 and newer. The Services for Unix (SFU) schema applies to versions before Windows Server 2003 R2.
Unix Primary Group | Defines whether the user’s primary group is fetched from Unix attributes (Services for Unix) or the Active Directory primary group. If enabled, the TrueNAS server uses the gidNumber LDAP attribute. If disabled, it uses the primaryGroupID LDAP attribute.
Unix NSS Info | If enabled, the login shell and home directory are retrieved from LDAP attributes (Unix attributes in Active Directory). If disabled, or if the Active Directory LDAP entry lacks Unix attributes, the home directory defaults to /var/empty.

Trusted Domain LDAP Settings

Setting | Description
Name | Short name for the domain. This should match the NetBIOS domain name for Active Directory domains.
Range Low | The lowest UID or GID that the IDMAP backend can assign.
Range High | The highest UID or GID that the IDMAP backend can assign.
LDAP Base DN | Directory base suffix to use for mapping UIDs and GIDs to SIDs.
LDAP User DN | Defines the user DN to be used for authentication to the LDAP server.
LDAP User DN Password | Secret to use for authenticating the user specified by ldap_user_dn.
LDAP Url | LDAP server to use for the IDMAP entries.
Readonly | If enabled, TrueNAS does not attempt to write new IDMAP entries.
Validate Certificates | Verify certificate authenticity.

Trusted Domain RFC2307 Attributes from Standalone LDAP Server Settings

Setting | Description
Name | Short name for the domain. This should match the NetBIOS domain name for Active Directory domains.
Range Low | The lowest UID or GID that the IDMAP backend can assign.
Range High | The highest UID or GID that the IDMAP backend can assign.
LDAP Url | LDAP server to use for the IDMAP entries.
LDAP User DN | Defines the user DN to be used for authentication to the LDAP server.
LDAP User DN Password | Secret to use for authenticating the user specified by ldap_user_dn.
Bind Path User | The search base that contains user objects in the LDAP server.
Bind Path Group | The search base that contains group objects in the LDAP server.
User CN | If set, query the CN attribute instead of the UID attribute for the user name in LDAP.
LDAP Realm | Append @realm to the CN for groups. Also append it to users if user_cn is specified.
Validate Certificate | Verify certificate authenticity.

Trusted Domain RID (Default - Algorithmic Mapping Based on RID Values) Settings

Setting | Description
Name | Short name for the domain. This should match the NetBIOS domain name for Active Directory domains.
Range Low | The lowest UID or GID that the IDMAP backend can assign.
Range High | The highest UID or GID that the IDMAP backend can assign.
SSSD Compat | Generate an IDMAP low range using the algorithm from SSSD. Use this option if the domain uses only a single SSSD IDMAP slice.

IDMAP Configuration (AD)

Use Trusted Server IDMAP Defaults is enabled by default. Use the TrueNAS default IDMAP configuration unless you want to customize ID mapping. Defaults are suitable for new deployments without existing support for Unix-like operating systems. The default configuration uses the RID backend with predefined UID/GID ranges (builtin: 90000001-100000000, domain: 100000001-200000000).

When disabled, it shows IDMAP configuration settings to customize ID mapping.

Figure 15: IDMAP Configuration
Only administrators experienced with configuring ID mapping should customize IDMAP settings.

IDMAP Builtin Settings

The Builtin settings map Windows built-in local groups to Unix GIDs, defining the UID/GID range allocated to Windows built-in local groups, such as Administrators, Users, and Guests. TrueNAS creates this entry automatically when joining a domain. Adjust the range only if it conflicts with existing local UID/GID assignments.

IDMAP Configuration Builtin Settings

Setting | Description
Name | Short name for the joined domain. This should match the NetBIOS domain name for Active Directory domains.
Range Low | The lowest UID or GID that the IDMAP backend can assign.
Range High | The highest UID or GID that the IDMAP backend can assign.

IDMAP Domain Settings

IDMAP Domain settings configure how TrueNAS maps Windows domain users and groups from the joined domain to Unix UIDs and GIDs. The selected backend determines whether mappings are generated algorithmically or read from directory attributes. The UID/GID range defined here must not overlap with local accounts or trusted domain ranges.

The IDMAP Backend configuration defines how accounts from the domain TrueNAS is joined to are mapped to Unix UIDs and GIDs on the TrueNAS server. Most TrueNAS deployments use the RID backend, which algorithmically assigns UIDs and GIDs based on the Active Directory account SID. Another common option is the AD backend, which reads predefined Active Directory LDAP schema attributes that assign explicit UID and GID numbers to accounts.

The IDMAP Backend dropdown list shows four options:

  • AD (RFC2307/SFU attributes from Active Directory)
  • LDAP
  • RFC2307 (RFC2307 attributes from a standalone LDAP server)
  • RID (Default - algorithmic mapping based on RID values)

Each option shows different settings.

IDMAP Domain AD (RFC2307/SFU Attributes from Active Directory) Settings

Setting | Description
Name | Short name for the joined domain. Typically matches the NetBIOS domain name.
Range Low | The lowest UID or GID that the IDMAP backend can assign.
Range High | The highest UID or GID that the IDMAP backend can assign.
Schema Mode | The schema mode the IDMAP backend uses to query Active Directory for user and group information. The RFC2307 schema applies to Windows Server 2003 R2 and newer. The Services for Unix (SFU) schema applies to versions before Windows Server 2003 R2.
Unix Primary Group | Defines whether the user’s primary group is fetched from Unix attributes (Services for Unix) or the Active Directory primary group. If enabled, the TrueNAS server uses the gidNumber LDAP attribute. If disabled, it uses the primaryGroupID LDAP attribute.
Unix NSS Info | If enabled, the login shell and home directory are retrieved from LDAP attributes (Unix attributes in Active Directory). If disabled, or if the Active Directory LDAP entry lacks Unix attributes, the home directory defaults to /var/empty.

IDMAP Domain LDAP Settings

Setting | Description
Name | Short name for the joined domain. Typically matches the NetBIOS domain name.
Range Low | The lowest UID or GID that the IDMAP backend can assign.
Range High | The highest UID or GID that the IDMAP backend can assign.
LDAP Base DN | Directory base suffix to use for mapping UIDs and GIDs to SIDs.
LDAP User DN | Defines the user DN to be used for authentication to the LDAP server.
LDAP User DN Password | Secret to use for authenticating the user specified by ldap_user_dn.
LDAP Url | LDAP server to use for the IDMAP entries.
Readonly | If enabled, TrueNAS does not attempt to write new IDMAP entries.
Validate Certificates | Verify certificate authenticity.

IDMAP Domain RFC2307 Attributes from Standalone LDAP Server Settings

Setting | Description
Name | Short name for the joined domain. Typically matches the NetBIOS domain name.
Range Low | The lowest UID or GID that the IDMAP backend can assign.
Range High | The highest UID or GID that the IDMAP backend can assign.
LDAP Url | LDAP server to use for the IDMAP entries.
LDAP User DN | Defines the user DN to be used for authentication to the LDAP server.
LDAP User DN Password | Secret to use for authenticating the user specified by ldap_user_dn.
Bind Path User | The search base that contains user objects in the LDAP server.
Bind Path Group | The search base that contains group objects in the LDAP server.
User CN | If set, query the CN attribute instead of the UID attribute for the user name in LDAP.
LDAP Realm | Append @realm to the CN for groups. Also append it to users if user_cn is specified.
Validate Certificate | Verify certificate authenticity.

IDMAP Domain RID (Default - Algorithmic Mapping Based on RID Values) Settings

Setting | Description
Name | Short name for the joined domain. Typically matches the NetBIOS domain name.
Range Low | The lowest UID or GID that the IDMAP backend can assign.
Range High | The highest UID or GID that the IDMAP backend can assign.
SSSD Compat | Generate an IDMAP low range using the algorithm from SSSD. Use this option if the domain uses only a single SSSD IDMAP slice.
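The following Python script is an added example, not TrueNAS code, that models the two rules the IDMAP Configuration sections above state for the RID backend: a UID or GID is derived arithmetically from the RID of an account SID and the configured Range Low/Range High, and the builtin, domain, trusted-domain and local ID ranges must not overlap. It assumes the idmap_rid formula used by Samba (ID = RID - base_rid + Range Low, with base_rid 0). The default builtin and domain ranges are the numbers stated on this page; the domain name EXAMPLE, the SIDs and the local-account range are constructed for the demonstration.

```python
"""RID-style ID mapping and ID-range overlap check (added example, not TrueNAS code).

Assumptions: Samba idmap_rid formula ID = RID - base_rid + range_low with base_rid 0.
Default ranges are the ones this page lists; sample SIDs and the local range are constructed.
"""
from dataclasses import dataclass
import re

# Domain account SIDs look like S-1-5-21-<d1>-<d2>-<d3>-<RID>; the RID is the last part.
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")


@dataclass(frozen=True)
class IdmapRange:
    name: str   # idmap domain name: "BUILTIN" or the NetBIOS name of a domain
    low: int    # Range Low
    high: int   # Range High

    def __post_init__(self):
        if self.low < 0 or self.high < self.low:
            raise ValueError(f"{self.name}: invalid range {self.low}-{self.high}")


# TrueNAS defaults for the RID backend as stated on this page (domain name constructed).
DEFAULT_BUILTIN = IdmapRange("BUILTIN", 90000001, 100000000)
DEFAULT_DOMAIN = IdmapRange("EXAMPLE", 100000001, 200000000)


def rid_from_sid(sid: str) -> int:
    """Return the RID (last sub-authority) of a domain account SID."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain account SID: {sid}")
    return int(m.group(1))


def rid_to_unix_id(sid: str, rng: IdmapRange, base_rid: int = 0):
    """Map a SID to a UID/GID with the RID algorithm.

    Returns None when the computed ID would land outside Range Low..Range High:
    the mapping fails instead of handing out an ID from someone else's range.
    """
    unix_id = rid_from_sid(sid) - base_rid + rng.low
    if unix_id < rng.low or unix_id > rng.high:
        return None
    return unix_id


def find_overlaps(ranges):
    """Return (name_a, name_b) pairs whose ID ranges intersect.

    Pass the local UID/GID space as one of the ranges so that local accounts are
    part of the check, as the page requires.
    """
    ordered = sorted(ranges, key=lambda r: r.low)
    overlaps = []
    for i, a in enumerate(ordered):
        for b in ordered[i + 1:]:
            if b.low > a.high:
                break  # later ranges start even higher, so none of them can overlap a
            overlaps.append((a.name, b.name))
    return overlaps


if __name__ == "__main__":
    # Constructed SID for a domain user with RID 1105.
    print(rid_to_unix_id("S-1-5-21-11111-22222-33333-1105", DEFAULT_DOMAIN))
    local = IdmapRange("LOCAL", 1000, 89999)       # constructed local-account range
    trusted = IdmapRange("PARTNER", 150000000, 250000000)  # constructed, deliberately bad
    print(find_overlaps([DEFAULT_BUILTIN, DEFAULT_DOMAIN, local, trusted]))
```

With the page's defaults a user whose RID is 1105 maps to 100001106, and a trusted-domain range that starts inside the joined domain's range is reported as an overlap before any IDs are handed out.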

LDAP Configuration

The LDAP Configuration section settings define the connection parameters and validation options.

Figure 20: LDAP Configuration

LDAP Configuration Settings

Setting | Description
Server URLs | Specifies the hostname or IP address of the LDAP server. Separate entries by pressing Enter. Multiple URLs create an LDAP failover priority list: if a host does not respond, TrueNAS tries the next host until it establishes a connection. If using a cloud service LDAP server, do not include the full URL.
Base DN | The top level of the LDAP directory tree to use when searching for resources. For example, dc=test,dc=org.
Start TLS | Sets how the LDAP connection is encrypted. Options: OFF does not encrypt the LDAP connection; ON encrypts the LDAP connection with SSL on port 636; START_TLS encrypts the LDAP connection with STARTTLS on the default LDAP port 389.
Validate Certificates | Verifies certificate authenticity when connecting to the LDAP server, when enabled.
Schema | Sets the LDAP NSS schema. Options: RFC2307, the standard Unix attributes schema, compatible with most LDAP servers, including OpenLDAP; RFC2307BIS, an extended schema that supports nested group membership. Use RFC2307BIS if your LDAP server is configured with RFC2307bis.

Auxiliary Parameters (LDAP)
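The script below is an added example, not TrueNAS code, that puts the Server URLs, Start TLS, Validate Certificates and Credential Type settings described above next to each other: it builds the failover list from the server entries and the encryption mode, and reports the combinations a reviewer would flag (a plain bind without encryption, certificate validation turned off, mutual TLS with no TLS). The option names are the ones on this page; how TrueNAS composes URLs internally is not on the page, so the scheme and port assignment here is this example's own reading of "SSL on port 636" and "STARTTLS on the default LDAP port 389". The sample settings at the bottom are constructed.

```python
"""LDAP connection posture check (added example, not TrueNAS code).

Assumptions: Start TLS modes OFF / ON / START_TLS and the credential type names come
from this page; URL scheme/port mapping and the severities are this example's own.
"""
from dataclasses import dataclass
from typing import List, Tuple

TLS_MODES = {"OFF", "ON", "START_TLS"}
KERBEROS_TYPES = {"Kerberos Principal", "Kerberos User"}
CRED_TYPES = KERBEROS_TYPES | {"LDAP Plain", "LDAP Anonymous", "LDAP MTLS"}


@dataclass
class LdapSettings:
    server_urls: List[str]       # hostnames or IPs in failover priority order
    start_tls: str               # "OFF", "ON" or "START_TLS"
    validate_certificates: bool
    credential_type: str


def failover_urls(settings: LdapSettings) -> List[str]:
    """Turn the Server URLs entries into an ordered list of LDAP URLs to try in turn."""
    if settings.start_tls not in TLS_MODES:
        raise ValueError(f"unknown Start TLS mode {settings.start_tls!r}")
    # ON means SSL on 636 (ldaps); OFF and START_TLS both begin on plain 389.
    scheme, port = ("ldaps", 636) if settings.start_tls == "ON" else ("ldap", 389)
    urls = []
    for entry in settings.server_urls:
        host = entry.strip()
        if not host:
            continue
        if "://" in host:
            # The setting takes a hostname or IP address, not a full URL.
            raise ValueError(f"enter a hostname or IP address, not a URL: {entry!r}")
        urls.append(f"{scheme}://{host}:{port}")
    if not urls:
        raise ValueError("at least one server entry is required")
    return urls


def posture_findings(settings: LdapSettings) -> List[Tuple[str, str]]:
    """Return (severity, message) findings for weak or inconsistent combinations."""
    if settings.credential_type not in CRED_TYPES:
        raise ValueError(f"unknown Credential Type {settings.credential_type!r}")
    findings = []
    encrypted = settings.start_tls != "OFF"
    cred = settings.credential_type
    if not encrypted:
        if cred == "LDAP Plain":
            findings.append(("high", "LDAP Plain over an unencrypted connection sends the "
                                     "Bind DN password in cleartext"))
        elif cred == "LDAP MTLS":
            findings.append(("error", "LDAP MTLS needs TLS; set Start TLS to ON or START_TLS"))
        else:
            findings.append(("medium", "directory traffic is unencrypted; set Start TLS to "
                                       "ON or START_TLS"))
    elif not settings.validate_certificates:
        findings.append(("high", "Validate Certificates is disabled; the LDAP server "
                                 "certificate is not verified"))
    if cred in ("LDAP Plain", "LDAP Anonymous"):
        findings.append(("info", "prefer Kerberos or mutual TLS authentication when the "
                                 "server supports it"))
    return findings


if __name__ == "__main__":
    # Constructed settings: the weak form beside the hardened form.
    weak = LdapSettings(["ldap1.example.internal", "ldap2.example.internal"],
                        "OFF", False, "LDAP Plain")
    good = LdapSettings(["ldap1.example.internal", "ldap2.example.internal"],
                        "ON", True, "LDAP MTLS")
    for s in (weak, good):
        print(failover_urls(s), posture_findings(s))
```

The weak configuration yields two plain ldap://...:389 URLs and a high-severity finding; the hardened one yields ldaps://...:636 URLs and no findings. Setting Start TLS to START_TLS keeps port 389 but removes the cleartext finding, and only disabling Validate Certificates brings a finding back.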

The Auxiliary Parameters subsection allows customization of auxiliary parameters.

Use Standard Auxiliary Parameters is enabled by default. Disable to enter custom options for nslcd.conf.

Figure 21: LDAP Auxiliary Parameters

Auxiliary parameters are an unsupported configuration. Parameters entered here are not validated and can cause undefined system behavior, including data corruption or data loss.

Search Bases

The Search Bases setting uses the standard search bases when enabled: the Base DN is used for user, group, and netgroup searches. Disable to specify alternative LDAP search base DNs that define where to find user, group, and netgroup entries. Use custom search bases only if the LDAP server uses a non-standard LDAP schema or if you want to limit the accounts available on TrueNAS.

Figure 22: LDAP Search Bases

Search Bases Settings

Setting | Description
User Base DN | Sets the base DN to use when searching for LDAP user accounts. Restricts user searches to a specific directory subtree. For example, ou=users,dc=example,dc=org.
Group Base DN | Sets the base DN to use when searching for LDAP group accounts. Restricts group searches to a specific directory subtree. For example, ou=groups,dc=example,dc=org.
Netgroup Base DN | Sets the base DN to use when searching for LDAP netgroups. Restricts netgroup searches to a specific directory subtree. For example, ou=netgroups,dc=example,dc=org.

Attribute Maps

The Attribute Maps settings allow customization of attribute mappings by defining custom LDAP attribute names for user and group account fields. An attribute left blank uses the default attribute name for that field. Use custom attribute maps only if the LDAP server is non-standard or your LDAP schema uses non-standard attribute names.

Use Standard Attribute Maps is enabled by default and uses the standard RFC2307 or RFC2307BIS attribute mappings. When disabled, the attribute mapping settings show so you can customize them for LDAP servers that do not follow RFC2307 or RFC2307BIS.

The screen groups the settings into LDAP Password Attributes, LDAP Shadow Attributes, LDAP Group Attributes, and LDAP Net Group Attributes.

LDAP Password Attribute Settings

Setting | Description
User Object Class | Specifies the LDAP object class for user entries.
Username Attribute | Specifies the LDAP attribute for the user login name.
UID Attribute | Specifies the LDAP attribute for the user ID.
GID Attribute | Specifies the LDAP attribute for the user primary group ID.
GECOS Attribute | Specifies the LDAP attribute for the user GECOS field.
Home Directory Attribute | Specifies the LDAP attribute for the user home directory.
Shell Attribute | Specifies the LDAP attribute for the path to the user default shell.

LDAP Shadow Attribute Settings

Setting | Description
Last Change Attribute | Specifies the LDAP attribute for the password last change date.
Min Days Attribute | Specifies the LDAP attribute for the minimum password age.
Max Days Attribute | Specifies the LDAP attribute for the maximum password age.
Warning Attribute | Specifies the LDAP attribute for the password warning period.
Inactive Attribute | Specifies the LDAP attribute for the account inactive period.
Expire Attribute | Specifies the LDAP attribute for account expiration.

LDAP Group Attribute Settings

Setting | Description
Group Object Class | Specifies the LDAP object class for groups.
Netgroup Member Attribute | Specifies the LDAP attribute for group members.
Netgroup Triple Attribute | Specifies the LDAP attribute for group triples.

LDAP Net Group Attribute Settings

Setting | Description
Netgroup Object Class | Specifies the LDAP object class for netgroups.
Netgroup Member Attribute | Specifies the LDAP attribute for netgroup members.
Netgroup Triple Attribute | Specifies the LDAP attribute for netgroup triples.

IPA Configuration

The IPA Configuration settings define the connection parameters and validation options.

Figure 27: IPA Configuration

IPA Configuration Settings

Setting | Description
Target Server | Specifies the IPA server (hostname or IP address) that TrueNAS uses to build URLs when it joins or leaves the IPA domain. For example: ipa.example.internal.
TrueNAS Hostname | Specifies the hostname of the TrueNAS server to register in IPA during the join process. For example: truenasnyc.
Domain | Specifies the domain name of the IPA server. For example: ipa.internal.
Base DN | Specifies the base distinguished name (base DN) to use when performing LDAP operations. For example: dc=example,dc=com.
Validate Certificates | Verifies certificate authenticity when connecting to the IPA server. When enabled, TrueNAS validates the full certificate chain; TrueNAS does not support non-CA certificates when certificate validation is required. When disabled, TrueNAS does not validate certificates from the remote LDAP server. Use valid certificates, or import them into the TrueNAS trusted certificate store, rather than disabling validation.

SMB Domain Configuration

The SMB Domain Configuration settings control SMB integration.

Use Default SMB Domain Configuration is enabled by default and uses the SMB domain settings that TrueNAS detects automatically during the IPA join. IPA includes integrated Samba support and can provide user and group information for SMB authentication, but some IPA domains might not include SMB schema configuration. Disable to enter custom settings.

Figure 28: IPA SMB Domain Configuration

SMB Domain Configuration Settings

Setting | Description
Name | Short name for the IPA domain used for SMB access. Typically matches the IPA domain name.
Domain Name | Name of the SMB domain as defined in the IPA configuration for the IPA domain to which TrueNAS is joined.
Range Low | Specifies the lowest UID or GID that IPA maps natively.
Range High | Specifies the highest UID or GID that IPA maps natively.
Domain SID | Specifies the domain SID for the IPA domain to which TrueNAS is joined.

Advanced Settings

The Show button to the right of Advanced Settings opens a warning dialog stating that incorrectly configuring advanced settings is dangerous. Continue closes the warning dialog.

Figure 29: Directory Services Warning

After closing the warning dialog, the Directory Services screen shows the Kerberos Realm and Kerberos Keytab cards.

Figure 30: Directory Services Advanced Settings Cards

Each Kerberos card shows the realms or keytabs configured in TrueNAS.

Add on the Kerberos cards opens the configuration screen for each Kerberos function:

Add Kerberos Realms

The Add Kerberos Realm screen allows adding a Kerberos realm to the TrueNAS system.

Figure 31: Kerberos Realms Screen

Setting | Description
Name | Specifies a short name for the Kerberos realm. The Kerberos standard allows upper case characters; DNS naming rules apply, and the name does not exceed 253 characters (letters, digits, and/or hyphens). TrueNAS does not enforce naming conventions, but a name is required.
Primary KDC | Specifies the master Kerberos domain controller for this realm. TrueNAS uses this as a fallback if it cannot get credentials because of an invalid password, which can help in environments where the domain uses a hub-and-spoke topology. Use this setting to reduce credential errors after TrueNAS automatically changes its machine password.
KDC | Specifies the name of the Key Distribution Center. Press Enter to separate multiple values.
Admin Server | Defines the server where all changes to the database are performed. Press Enter to separate multiple values.
Password Server | Defines the server where all password changes are performed. Press Enter to separate multiple values.

Add Kerberos Keytabs

The Add Kerberos Keytabs screen allows adding a keytab file using the file browser and assigning the keytab a name.

Figure 32: Kerberos Keytabs Screen

Name specifies a short name for the keytab on the TrueNAS system. Kerberos does not have a naming convention for keytab files.

Choose File opens the file browser to locate and upload a keytab file. Kerberos keytab files are binary files in a specific format (the MIT Kerberos keytab format). Keytab files can have either the .keytab or .kt extension.
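The Kerberos Principal credential type in both credential tables above requires that the chosen principal have a matching entry in a keytab stored on TrueNAS, and the keytab section describes the file as binary data in the MIT Kerberos keytab format. The following Python script is an added example, not TrueNAS code, that reads that format (version 0x0502) and answers the question "does this keytab carry an entry for this principal?", which is the check that fails with the authentication error the page mentions. The record layout follows the MIT keytab format; build_keytab() is this example's own helper for producing a sample keytab in memory, and every principal, realm and key byte in the sample is constructed.

```python
"""Minimal MIT Kerberos keytab (version 0x0502) reader (added example, not TrueNAS code).

Layout per entry: int32 size; uint16 component count; counted realm; counted components;
uint32 name type; uint32 timestamp; uint8 kvno; uint16 enctype; counted key;
optional uint32 kvno. A negative size marks a deleted slot to skip.
"""
import struct
from dataclasses import dataclass
from typing import List, Tuple

KEYTAB_MAGIC = b"\x05\x02"      # version 2 keytab
KRB5_NT_PRINCIPAL = 1
AES256_CTS_HMAC_SHA1_96 = 18    # enctype number used in the constructed sample


@dataclass(frozen=True)
class KeytabEntry:
    principal: str   # "component/component@REALM"
    kvno: int
    enctype: int
    key: bytes


def _octets(data: bytes) -> bytes:
    """Counted octet string: uint16 length followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def _counted(body: bytes, off: int) -> Tuple[bytes, int]:
    (n,) = struct.unpack_from(">H", body, off)
    val = body[off + 2:off + 2 + n]
    if len(val) != n:
        raise ValueError("truncated counted string")
    return val, off + 2 + n


def build_keytab(entries: List[Tuple[str, int, int, bytes]]) -> bytes:
    """Serialise (principal, kvno, enctype, key) tuples into keytab bytes.

    Helper for this example only; real keytabs come from kadmin or the domain join.
    """
    out = bytearray(KEYTAB_MAGIC)
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        components = name.split("/")
        body = struct.pack(">H", len(components)) + _octets(realm.encode())
        body += b"".join(_octets(c.encode()) for c in components)
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, 0, kvno & 0xFF)
        body += struct.pack(">H", enctype) + _octets(key)
        body += struct.pack(">I", kvno)   # 32-bit kvno trailer for values above 255
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(blob: bytes) -> List[KeytabEntry]:
    """Decode every live entry in a version 2 keytab."""
    if blob[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version 2 MIT keytab")
    entries, pos = [], 2
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size < 0:              # deleted slot: skip its bytes
            pos += -size
            continue
        if size == 0:
            break
        body, pos = blob[pos:pos + size], pos + size
        if len(body) != size:
            raise ValueError("truncated keytab entry")
        (ncomp,) = struct.unpack_from(">H", body, 0)
        realm, off = _counted(body, 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(body, off)
            comps.append(comp.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", body, off)
        off += 9
        (enctype,) = struct.unpack_from(">H", body, off)
        key, off = _counted(body, off + 2)
        kvno = vno8
        if size - off >= 4:       # trailer present: it carries the full kvno
            (vno32,) = struct.unpack_from(">I", body, off)
            if vno32:
                kvno = vno32
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(), kvno, enctype, key))
    return entries


def has_principal(blob: bytes, principal: str) -> bool:
    """True when some entry carries exactly this principal (the comparison is
    case-sensitive, as Kerberos principal and realm names are)."""
    return any(e.principal == principal for e in parse_keytab(blob))


if __name__ == "__main__":
    # Constructed sample: two service principals with dummy 32-byte keys.
    sample = build_keytab([
        ("nfs/truenas.example.com@EXAMPLE.COM", 3, AES256_CTS_HMAC_SHA1_96, b"\x11" * 32),
        ("host/truenas.example.com@EXAMPLE.COM", 257, AES256_CTS_HMAC_SHA1_96, b"\x22" * 32),
    ])
    for e in parse_keytab(sample):
        print(e.principal, "kvno", e.kvno, "enctype", e.enctype)
    print(has_principal(sample, "nfs/truenas.example.com@EXAMPLE.COM"))
```

A principal typed with a lower-case realm (nfs/truenas.example.com@example.com) does not match the upper-case realm in the file, which is one of the usual reasons for the "no keytab entry" failure the credential tables describe. The kvno of 257 also shows why the 32-bit trailer matters: the 8-bit field alone wraps to 1.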