25.04.1 Kerberos Issues with Active Directory

First time posting, hoping to reach out to the community. I have actually been a long-time user of TrueNAS; I had been successfully running TrueNAS Core for almost five years now without an issue. I have only used my NAS for storage, iSCSI and SMB services, nothing complex like jails or anything.

After the upgrade from Core to Scale, I cannot get the Active Directory integration to work at all.

The error from Scale:
gssapi.raw.exceptions.MissingCredentialsError: Major (458752): No credentials were supplied, or the credentials were unavailable or inaccessible, Minor (2529638926): KDC has no support for encryption type

I can see it makes it to the Windows Domain controller successfully but it is failing with the same error just in Microsoft syntax:
Kerberos pre-authentication failed.

Account Information:
Security ID: <truenasNameRedacted>$
Account Name: $

Service Information:
Service Name: krbtgt/

Network Information:
Client Address:
Client Port: 58960

Additional Information:
Ticket Options: 0x40010010
Failure Code: 0xE
Pre-Authentication Type: 0

An 0xE means: KDC_ERR_ETYPE_NOSUPP KDC has no support for encryption type

For all of my other lab servers I see the KDC is working just fine, the KDC is issuing tickets on AES 128, AES 256.

The time is in sync with the NAS and the domain; they are only maybe 1 to 2 seconds max apart in time. I have also tried adding the encryption types to my “Libdefaults Auxiliary Parameters” with no success, values below.
permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96

To me it seems like the NAS isn’t listening to the stronger encryption types and maybe is still trying something not supported by the KDC. I am at a loss of how to ‘force’ it to use the accepted types; all my research suggests it should just use this. I have also tried purging the config but it’s always the same error.

AD Forest is 2025, all latest updates are deployed to the DCs.

Hopefully someone knows what I need to do to resolve it.

Hi and welcome to the forums.

I personally can’t assist you with this but I’m commenting in the hope others can. We’ve seen an increase in AD issues since SCALE/TC and personally I’m keen to understand why.

This may very well be a separate issue but nevertheless I think it needs further investigation.

Thanks for raising.

Feel free to raise a bug ticket above and attach a debug file for the devs to take a closer look. Please update this thread with any outcome.


Thanks, at this point I am inclined to believe that it’s a TrueNAS Scale issue. I’ve gone as far as formatting the OS today and reinstalling TrueNAS Scale for a fresh installation. I have also temporarily enabled the RC4 cipher for the KDC. Sadly I was met with the same error about the KDC cipher support. I am trying to keep this post updated with all the steps I have gone through so far.

TrueNAS Scale error:
middlewared.service_exception.ValidationError: [EINVAL] activedirectory.bindpw: [KRB5KDC_ERR_ETYPE_NOSUPP] Major (458752): No credentials were supplied, or the credentials were unavailable or inaccessible, Minor (2529638926): KDC has no support for encryption type

Domain Controller KDC event log:
Additional Information:
Ticket Options: 0x40000010
Failure Code: 0xE
Pre-Authentication Type: 0
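
The event fields and libdefaults lines quoted in the posts above can be decoded mechanically. The following is an added example, not part of any post in this thread: it names the Failure Code and Ticket Options bits, then compares the client's `permitted_enctypes` with an account's `msDS-SupportedEncryptionTypes` bitmask. The two mask values are constructed for illustration, and treating that attribute as the only input to the KDC's decision is a simplifying assumption.

```python
import re

# Windows "Failure Code" values -> RFC 4120 error names (subset)
FAILURE_CODES = {0x0E: "KDC_ERR_ETYPE_NOSUPP", 0x18: "KDC_ERR_PREAUTH_FAILED",
                 0x25: "KRB_AP_ERR_SKEW"}
# KDC option bits as Windows prints them in "Ticket Options" (subset)
TICKET_OPTIONS = {0x40000000: "forwardable", 0x10000000: "proxiable",
                  0x00800000: "renewable", 0x00010000: "canonicalize",
                  0x00000010: "renewable-ok"}
# msDS-SupportedEncryptionTypes bits -> krb5.conf enctype names
AD_ETYPE_BITS = {0x01: "des-cbc-crc", 0x02: "des-cbc-md5", 0x04: "arcfour-hmac",
                 0x08: "aes128-cts-hmac-sha1-96", 0x10: "aes256-cts-hmac-sha1-96"}


def decode_event(text):
    """Pull Failure Code and Ticket Options out of a pasted KDC event and name them."""
    code = int(re.search(r"Failure Code:\s*(0x[0-9A-Fa-f]+)", text).group(1), 16)
    opts = int(re.search(r"Ticket Options:\s*(0x[0-9A-Fa-f]+)", text).group(1), 16)
    flags = [name for bit, name in TICKET_OPTIONS.items() if opts & bit]
    unknown = opts & ~sum(TICKET_OPTIONS)  # bits not covered by the subset above
    return {"failure": FAILURE_CODES.get(code, hex(code)), "flags": flags,
            "unknown_bits": hex(unknown)}


def client_enctypes(libdefaults, key="permitted_enctypes"):
    """Return the enctype list set for `key` in krb5.conf [libdefaults] lines."""
    m = re.search(rf"^\s*{re.escape(key)}\s*=\s*(.+)$", libdefaults, re.M)
    return m.group(1).split() if m else []


def common_enctypes(client, ad_mask):
    """Enctypes allowed by both the client config and an AD mask, in client order."""
    allowed = {name for bit, name in AD_ETYPE_BITS.items() if ad_mask & bit}
    return [e for e in client if e in allowed]


# Values quoted in the thread
EVENT_1 = "Ticket Options: 0x40010010\nFailure Code: 0xE\nPre-Authentication Type: 0"
EVENT_2 = "Ticket Options: 0x40000010\nFailure Code: 0xE\nPre-Authentication Type: 0"
LIBDEFAULTS = """permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96"""
# Constructed masks, not taken from the thread: 0x18 = AES128+AES256, 0x04 = RC4 only
AES_ONLY_MASK, RC4_ONLY_MASK = 0x18, 0x04

if __name__ == "__main__":
    for ev in (EVENT_1, EVENT_2):
        print(decode_event(ev))
    offered = client_enctypes(LIBDEFAULTS)
    print(common_enctypes(offered, AES_ONLY_MASK), common_enctypes(offered, RC4_ONLY_MASK))
```

An empty overlap is one condition under which a KDC returns this error; the thread does not establish which condition applied here.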

If you create a bug ticket please add it to this thread so others can follow. Thank you.

Adding the Jira Bug report I submitted:
https://ixsystems.atlassian.net/browse/NAS-136417


Adding an update here: my ticket was closed in Jira stating it's a duplicate of another item. This other linked item I cannot view due to lack of access, maybe in their Enterprise portal or something.

The notes read as follows:
Duplicate of Jira. This is caused by non-default AD kerberos settings.

I have asked them for clarity as I am unsure what they mean by “non-default AD Kerberos settings”. I’ve tried enabling legacy ciphers such as RC4 and TrueNAS wouldn’t connect. I also reminded them that this was working successfully in TrueNAS Core; I made no KDC changes after, during, or immediately before the upgrade except enabling weaker ciphers to see if that’s what Scale wanted.

This thread sounds similar with fix coming soon [KRB5KDC_ERR_PREAUTH_FAILED] Errors on AD quite often - #15 by Johnny_Fartpants
