Active Directory Issues [24.10 Scale]

I am new to truenas.

I have on-premises AD controllers, these sync to AAD (I refuse to say Entra), and I have a fully working WHFB configuration so AAD-joined machines can do Kerberos login to AD-joined NAS like Synology, TrueNAS etc.

I would like to add a user from AD as an admin on TrueNAS, but I am getting a bunch of odd errors. I joined the domain fine, and I see my users and groups synced.

When I try to add the AD user to the truenas_admin group I get [EINVAL] group_update.users: Following users do not exist: 200001112 despite it being in the UI and existing.

So I tried modifying the permissions of MYDOMAIN\Domain Admins to allow all users in that AD group to be admins. I added local administrator to the privileges field, but the save button never lit up and so couldn't be pressed.

So I wondered if there was an issue with the MYDOMAIN\MyUser and noticed:

  • Full Name is not set but required - why wasn't this pulled from AD?
  • Email is not set - why wasn't this pulled from AD?
  • If I try to set either of these, or add them to the group truenas_admin, I get [EPERM] Users provided by a directory service must be modified through the identity provider (LDAP server or domain controller).

Can someone help me understand what I am supposed to do here? I read the docs, did some Google and forum searches, and didn't see anything that helped.

Oh, and yes, I tried rebuilding the AD cache.

My user looks like this

and is member of Domain Admins / Domain Users

I tried to disable Active Directory (not leave) and I see that that is impossible (it was working in early 24.10 nightly builds but seems to be broken now in the release), and now I get this error despite not having edited NetBIOS names.

Note this is a fresh install, not an upgrade from nightly before anyone asks :slight_smile:

[EINVAL] activedirectory.netbiosalias: NetBIOS names may not be changed while service is enabled.

I set up an SMB share for the MYDOMAIN\MyUser user and can access that quite happily from an AAD-joined (not AD-joined) client using WHFB Kerberos-based logon. So Samba seems to be working quite well.

Question: am I supposed to be able to use AD users to log in to the UI, manage services, via SSH, API etc.?


I am in quite the same situation with 24.10, where it is impossible to edit some permissions due to the full name not pulling from the DC.
I am quite sure too that it was not a problem on previous builds.

I got a confirmation that the scenario above is not possible.

Users can be added / edited on Samba shares; that's all that is supported.

If that's not working for you I don't know what the issue is; I would suggest disabling and enabling the directory integration service, but I am unclear if that will reset all ACLs across the shares.