Active Directory

Last Modified 2021-06-24 13:29 EDT

The Active Directory (AD) service shares resources in a Windows network. Because AD provides authentication and authorization services for the users in a network, you do not need to recreate the same user accounts in TrueNAS.

Users can configure AD services on a Windows server running Windows Server 2000 or higher, or on a Unix-like operating system that is running Samba version 4. To configure a basic connection, you will need to know the Active Directory domain controller’s domain and that system’s account credentials.

Preparation

Before configuring Active Directory, you should take a few steps to ensure the connection process goes smoothly.

To confirm that name resolution is functioning, go to the Shell and use ping to check the connection to the AD domain controller.

(Screenshot: pinging the AD domain controller from the SCALE Shell)

When packets are being sent and received without loss, the connection is verified. Press Ctrl + C to cancel the ping.

Another option is to use host -t srv _ldap._tcp.domainname.com to check the SRV records of the network and verify DNS resolution.

If the ping fails, go to Network and click Settings in the Global Configuration window. Update the DNS Servers and Default Gateway settings so the system can reach your Active Directory domain controller. List more than one Nameserver for the AD domain controllers so that DNS queries for the requisite SRV records can still succeed. This helps maintain the AD connection whenever a domain controller becomes unavailable.

Active Directory relies on the time-sensitive Kerberos protocol. During the domain join process, the AD domain controller with the PDC Emulator FSMO Role is added as the preferred NTP server. If your environment requires something different, navigate to System Settings and add or edit a server in the NTP Servers window.

The time on the system and the AD domain controller cannot be out of sync by more than five minutes in a default AD environment. Use an external time source when configuring a virtualized domain controller. If the time gets out of sync between TrueNAS and the AD domain controller, the system generates an Alert.

There are a few options in TrueNAS to ensure both systems are set to the same time:

  • Go to System Settings > General and click Settings in the Localization window to make sure the system Timezone matches the AD Domain Controller.

(Screenshot: Localization settings in SCALE)

  • Set either localtime or universal time in the system BIOS.
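The name-resolution check above can be scripted so it is repeatable before every join attempt. The following is an added example, not code from the TrueNAS project: it runs the `host -t srv _ldap._tcp.<domain>` lookup described earlier, parses the answer into domain controller hostnames, and pings each one. The domain name, the sample `host` output and the `ad_preflight.sh` file name are constructed for illustration; `host` and `ping` are assumed to be the Linux (iputils) versions available in the SCALE Shell.

```shell
#!/bin/sh
# Added example (not TrueNAS project code): pre-join DNS and reachability checks.
# Usage: sh ad_preflight.sh homedom.fun     (domain is a constructed example)

# Constructed sample of `host -t srv` output, in the shape the Linux `host` tool prints.
SAMPLE_SRV_OUTPUT='_ldap._tcp.homedom.fun has SRV record 0 100 389 dc01.homedom.fun.
_ldap._tcp.homedom.fun has SRV record 0 100 389 dc02.homedom.fun.'

# Turn `host -t srv` output into one target hostname per line (trailing dot removed).
# $1 = text produced by `host -t srv`
srv_targets() {
    printf '%s\n' "$1" | awk '/has SRV record/ { sub(/\.$/, "", $NF); print $NF }'
}

# Look up the LDAP SRV record for a domain; non-zero exit when no record exists.
# $1 = AD domain name
lookup_ldap_srv() {
    out="$(host -t srv "_ldap._tcp.$1" 2>/dev/null)" || return 1
    targets="$(srv_targets "$out")"
    [ -n "$targets" ] || return 1
    printf '%s\n' "$targets"
}

# Ping each domain controller once (iputils ping: -W is the timeout in seconds).
# Returns 0 only when every controller answers.
dcs_reachable() {
    status=0
    for dc in "$@"; do
        if ping -c 1 -W 2 "$dc" >/dev/null 2>&1; then
            echo "OK   $dc answers ping"
        else
            echo "FAIL $dc does not answer ping"
            status=1
        fi
    done
    return $status
}

main() {
    domain="$1"
    if dcs="$(lookup_ldap_srv "$domain")"; then
        echo "LDAP SRV targets for $domain:"
        echo "$dcs"
        # Word-splitting on $dcs is intended: one hostname per argument.
        dcs_reachable $dcs
    else
        echo "No _ldap._tcp.$domain SRV record: check DNS Servers under Network > Global Configuration" >&2
        exit 1
    fi
}

# Run the live checks only when a domain was given on the command line.
[ "$#" -eq 0 ] || main "$@"
```

If the SRV lookup fails while a plain `ping` of the controller by IP address succeeds, the problem is the DNS Servers setting rather than the network path, which is the distinction the preparation steps above rely on.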

Connect to the Active Directory Domain

To connect to Active Directory, click Settings in the Active Directory window and enter the AD Domain Name and account credentials. Set Enable to attempt to join the AD domain immediately after saving the configuration.

(Screenshot: Active Directory settings in SCALE)

Advanced options are available for fine-tuning the AD configuration, but the preconfigured defaults are generally suitable.

After configuring the Active Directory service, it can take a few minutes for TrueNAS to populate the AD information. To check the AD join progress, open the Task Manager in the upper-right corner. Any errors during the join process are also displayed in the Task Manager.

When the import is complete and the TrueNAS cache is enabled (it is enabled by default), AD users and groups are available when configuring basic dataset permissions or an Access Control List (ACL).

Joining AD also adds default Kerberos realms and generates a default AD_MACHINE_ACCOUNT keytab. TrueNAS automatically begins using this default keytab and removes any administrator credentials that were stored in the TrueNAS configuration file.

Troubleshooting

If the cache becomes out of sync or fewer users than expected are available in the permissions editors, resync the cache by clicking Settings in the Active Directory window and selecting Rebuild Directory Service Cache.

If the Windows server version is lower than 2008 R2, try creating a Computer entry on the Windows server Organizational Unit (OU). When creating the entry, enter the TrueNAS hostname in the name field. Make sure it is the same name as the one set in the Hostname field in the Network section (go to Network and find the Hostname in the Global Configuration window), and the same NetBIOS alias from the Directory Services section (go to Directory Services and click Settings in the Active Directory window, then click Advanced Options and find the NetBIOS alias).

You can go to System Settings > Shell and enter various commands to get more details about the AD connection and users:

  • AD current state: midclt call activedirectory.get_state.
  • Details about the currently connected Lightweight Directory Access Protocol (LDAP) server: midclt call activedirectory.domain_info | jq. Example:
    truenas# midclt call activedirectory.domain_info | jq
    {
      "LDAP server": "192.168.1.125",
      "LDAP server name": "DC01.HOMEDOM.FUN",
      "Realm": "HOMEDOM.FUN",
      "Bind Path": "dc=HOMEDOM,dc=FUN",
      "LDAP port": 389,
      "Server time": 1593026080,
      "KDC server": "192.168.1.125",
      "Server time offset": 5,
      "Last machine account password change": 1592423446
    }
    
  • View AD users: wbinfo -u. To see more details about a user, enter getent passwd DOMAIN\\<user>, replacing <user> with the desired user name. If wbinfo -u shows more users than appear to be available when configuring permissions and the TrueNAS cache is enabled, go to Directory Services > Active Directory and increase the AD Timeout value.
  • View AD groups: wbinfo -g. To see more details, enter getent group DOMAIN\\domain\ users.
  • View domains: wbinfo -m.
  • Test AD connection: wbinfo -t. A successful test shows a message similar to checking the trust secret for domain YOURDOMAIN via RPC calls succeeded.
  • User connection test to an SMB share: smbclient '//127.0.0.1/smbshare' -U 'AD01.LAB.IXSYSTEMS.COM\ixuser', replacing 127.0.0.1 with your server address, smbshare with the SMB share name, AD01.LAB.IXSYSTEMS.COM with your trusted domain, and ixuser with the user account name for authentication testing.
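The domain_info output shown above carries the two values that most often explain a join that worked once and then stopped: the clock offset against the domain controller (Kerberos rejects tickets once it exceeds the five-minute tolerance noted in the Preparation section) and the age of the machine account password. The following added example, not TrueNAS project code, reads that JSON and reports both. It uses sed rather than jq so it runs where jq is absent; the sample JSON is copied from this page, the 300 second skew limit is the Kerberos default, and the 30 day password-age threshold is the AD default machine-account rotation interval, which this page does not state and is used here as an assumption.

```shell
#!/bin/sh
# Added example (not TrueNAS project code): check activedirectory.domain_info output
# for clock skew and a stale machine-account password.
# Live use on TrueNAS: sh ad_domain_check.sh   (falls back to the sample when midclt is absent)

# Constructed sample: the domain_info output shown on this page.
SAMPLE_DOMAIN_INFO='{
  "LDAP server": "192.168.1.125",
  "LDAP server name": "DC01.HOMEDOM.FUN",
  "Realm": "HOMEDOM.FUN",
  "Bind Path": "dc=HOMEDOM,dc=FUN",
  "LDAP port": 389,
  "Server time": 1593026080,
  "KDC server": "192.168.1.125",
  "Server time offset": 5,
  "Last machine account password change": 1592423446
}'

MAX_SKEW_SECONDS=300       # Kerberos default clock-skew tolerance (5 minutes)
MAX_PASSWORD_AGE_DAYS=30   # AD default machine-account password rotation; assumption, not from the page

# Extract a numeric field from the flat JSON without jq.
# $1 = field name, $2 = JSON text
json_number() {
    printf '%s\n' "$2" \
        | sed -n "s/^[[:space:]]*\"$1\":[[:space:]]*\(-\{0,1\}[0-9][0-9]*\).*/\1/p" \
        | head -n 1
}

# Return 0 when the absolute offset is within tolerance. $1 = offset in seconds
skew_ok() {
    off="$1"
    [ "$off" -lt 0 ] && off=$(( -off ))
    [ "$off" -le "$MAX_SKEW_SECONDS" ]
}

# Whole days between the server time and the last machine-account password change.
# $1 = JSON text
machine_password_age_days() {
    now="$(json_number 'Server time' "$1")"
    last="$(json_number 'Last machine account password change' "$1")"
    echo $(( (now - last) / 86400 ))
}

# Print one status line per check. $1 = JSON text
report() {
    info="$1"
    off="$(json_number 'Server time offset' "$info")"
    if skew_ok "$off"; then
        echo "OK   clock skew ${off}s (limit ${MAX_SKEW_SECONDS}s)"
    else
        echo "FAIL clock skew ${off}s exceeds ${MAX_SKEW_SECONDS}s: check NTP Servers under System Settings"
    fi
    age="$(machine_password_age_days "$info")"
    if [ "$age" -gt "$MAX_PASSWORD_AGE_DAYS" ]; then
        echo "WARN machine account password last changed ${age} days ago: verify the trust with wbinfo -t"
    else
        echo "OK   machine account password changed ${age} days ago"
    fi
}

if command -v midclt >/dev/null 2>&1; then
    report "$(midclt call activedirectory.domain_info)"
else
    report "$SAMPLE_DOMAIN_INFO"
fi
```

A skew failure here points at the NTP configuration described in the Preparation section; a password-age warning together with a failing `wbinfo -t` indicates the machine account trust needs attention before the Rebuild Directory Service Cache step will help.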