AD is forced when trying to use LDAP

Hello,

I would like to use TrueNAS Scale in my Company as a secondary Fileserver.
When trying to sync the users of our existing LDAP server, I receive the error message "Active Directory plugin must be used to join Active Directory domains".

The problem is that I neither want to join the domain, nor do I have the access rights to do so, since our users are managed in a way that I do not have admin rights.

All I need are the basic LDAP functions of syncing users, groups and authentication.
Is there a way to force the use of LDAP? We have other services which use this exact configuration without problems (Zammad, Nextcloud).

Thank you very much for your time.

No. If this is an Active Directory domain, you must use the Active Directory plugin.

Why not ask your domain admin (nicely) to create an object in AD for your TrueNAS and create you an account that just gives you access to that object?

That way you get the join and the desired outcome, and the AD admin doesn't have a heart attack about you having domain admin access.

Stage 2 might be they give you access to an OU so you can create your own permission groups.

PS: Welcome to the forums. Can you tell I’ve been in your position before :grin:
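The arrangement suggested above (a pre-created computer object plus an account that has rights on that object and nothing else) is what AD admins usually call pre-staging and delegating a join. The script below is an added example written for this thread; it is not TrueNAS code and not the way TrueNAS performs the join itself. Every name in it is an assumption: the domain `contoso.example`, the OU `OU=NAS`, the host `TRUENAS01` and the join account `truenas-join`. The four rights granted are the ones a Samba-style join normally needs on the computer object; check what your own join tool actually requires before trimming or extending them.

```powershell
# Added example, not from the thread. Run as an account allowed to create objects in the NAS OU.
# All names are assumptions: domain contoso.example, OU "NAS", host TRUENAS01, user truenas-join.
Import-Module ActiveDirectory

$ouPath      = "OU=NAS,DC=contoso,DC=example"   # assumed OU set aside for NAS computer objects
$computer    = "TRUENAS01"                       # assumed NAS host name
$joinAccount = "truenas-join"                    # assumed ordinary domain user, not an admin

# 1. Pre-stage the computer object. The later join only has to modify this object,
#    so nobody needs create rights in the OU or domain admin membership at join time.
New-ADComputer -Name $computer -Path $ouPath -Enabled $true

$computerDn = (Get-ADComputer -Identity $computer).DistinguishedName
$joinSid    = (Get-ADUser -Identity $joinAccount).SID

# Well-known AD schema GUIDs for the rights a join needs on the object itself:
# Reset Password (extended right), validated writes to servicePrincipalName and
# dNSHostName, and the "Account Restrictions" property set (covers userAccountControl).
$resetPassword    = [Guid]"00299570-246d-11d0-a768-00aa006e0529"
$validatedSpn     = [Guid]"f3a64788-5306-11d1-a9c5-0000f80367c1"
$validatedDnsName = [Guid]"72e39547-7b18-11d1-adef-0000f80367c1"
$acctRestrictions = [Guid]"4c164200-20c0-11d0-a768-00aa006e0529"

function Add-Ace {
    # Append one object-specific Allow ACE to an AD security descriptor (no inheritance).
    param(
        [System.DirectoryServices.ActiveDirectorySecurity]$Acl,
        [System.Security.Principal.SecurityIdentifier]$Sid,
        [System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [Guid]$ObjectType
    )
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $Sid, $Rights,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $ObjectType,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
    $Acl.AddAccessRule($ace)
}

# 2. Grant the join account rights on this one computer object only.
#    Nothing is granted on the OU, so the account cannot touch any other object.
$acl = Get-Acl -Path "AD:\$computerDn"
Add-Ace $acl $joinSid ([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)  $resetPassword
Add-Ace $acl $joinSid ([System.DirectoryServices.ActiveDirectoryRights]::Self)           $validatedSpn
Add-Ace $acl $joinSid ([System.DirectoryServices.ActiveDirectoryRights]::Self)           $validatedDnsName
Add-Ace $acl $joinSid ([System.DirectoryServices.ActiveDirectoryRights]::WriteProperty)  $acctRestrictions
Set-Acl -Path "AD:\$computerDn" -AclObject $acl

# 3. Verify the delegation: list only the ACEs that name the join account on this object.
(Get-Acl -Path "AD:\$computerDn").Access |
    Where-Object { $_.IdentityReference -like "*\$joinAccount" } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, AccessControlType
```

After this, the join account can complete the domain join for `TRUENAS01` (set the machine password, register SPNs and the DNS host name) without being able to read or modify anything else, which is the "stage 1" outcome the reply describes. Handing over the OU itself, so the NAS owner can create their own permission groups, is the separate "stage 2" delegation and needs its own, wider grant on the OU.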

Thank you for your Reply.
Sadly, this is not possible. There is no way we will receive any permissions other than reading from the domain via LDAP.

Still, thank you for your ideas.

Thank you for the short and clear answer.
Guess we will have to use a different solution.

As a compromise, could your domain admin join the TN server to AD, since after the initial join it's all Kerberos anyway?

That's an odd choice, honestly, since it basically breaks most NAS-related functionality and actually degrades overall security for protocols, since you are eliminating the ability to use Kerberos, SMB, and NFS.

In theory you can use mTLS to authenticate to the LDAP component of AD, but at that point you only have lists of accounts that you can't really do anything with. Once you start adding functionality back in for the AD account, you end up with something very similar to a computer account.

TL;DR: we don't allow this because the configuration basically ends up being useless for NAS purposes.