I am having trouble getting a user access to an SMB share in a hybrid AD environment.
They have an on-prem AD domain controller and it works great for any of the older machines joined to the local domain.
If I have a user on a workstation that is just joined to the Entra domain they don’t have access to the share. We are leveraging Cloud Kerberos Trust, which works in this environment on Windows Servers but we are no longer doing file shares on Windows Servers if possible. It simply doesn’t work for authenticating to TrueNAS.
The audit logs indicate it is failing over to NTLMv2 instead of even trying to use Kerberos, which is weird. The domain is “domain.com” and the NetBIOS/pre-Windows 2000 domain name is “domain0”. However, the NetBIOS domain name that users authenticating with Cloud Kerberos Trust appear to be using is “domain” without the 0 at the end. Again, this works to authenticate to legacy Windows Server file shares, but not TrueNAS when joined to AD.
Anything we should check? Happy to run any tests, provide config or log info, or try additional troubleshooting steps.
This means that you need to configure an idmap backend for domain (without the 0). RID is probably best for this case. Then enable “trusted domains” in the AD form. Since the accounts from cloud realm are different from your local realm they will have separate local user and group IDs and names. You will have to account for this when designing permissions and testing.
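To make the idmap backend and range choice concrete, here is an added example (not from this thread or from TrueNAS) that models how Samba's idmap_rid backend derives Unix IDs from a SID's RID and checks that the ranges for the two NetBIOS names do not collide. The domain names, SIDs and ranges are constructed for illustration.

```python
# Added example: models Samba's idmap_rid ID derivation so the two NetBIOS
# names from the thread ("domain0" on-prem, "domain" as seen via Cloud Kerberos
# Trust) can be given non-overlapping ranges before editing the idmap config.
# All names, SIDs and ranges below are constructed, not taken from a real setup.

# Entries mirror smb.conf "idmap config NAME : ..." lines:
# name -> (backend, low range, high range, base_rid)
IDMAP = {
    "*":       ("tdb", 90000001, 100000000, 0),   # default/BUILTIN range
    "DOMAIN0": ("rid", 100000001, 200000000, 0),  # on-prem NetBIOS name
    "DOMAIN":  ("rid", 200000001, 300000000, 0),  # name used by cloud-trust logons
}

def sid_domain_and_rid(sid):
    """Split 'S-1-5-21-a-b-c-RID' into (domain SID prefix, RID)."""
    parts = sid.split("-")
    return "-".join(parts[:-1]), int(parts[-1])

def rid_to_unix_id(rid, low, high, base_rid=0):
    """idmap_rid rule (man idmap_rid): ID = RID - BASE_RID + LOW_RANGE_ID."""
    unix_id = rid - base_rid + low
    if not low <= unix_id <= high:
        return None  # outside the configured range: winbind refuses the mapping
    return unix_id

def map_sid(sid, domain_name, idmap=IDMAP):
    """Map a SID belonging to domain_name to its Unix ID under the rid backend."""
    backend, low, high, base = idmap[domain_name]
    if backend != "rid":
        raise ValueError(f"{domain_name}: only rid mappings are modelled here")
    _, rid = sid_domain_and_rid(sid)
    return rid_to_unix_id(rid, low, high, base)

def ranges_overlap(idmap=IDMAP):
    """Return pairs of idmap entries whose ranges collide (a misconfiguration)."""
    names = list(idmap)
    bad = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            _, lo_a, hi_a, _ = idmap[a]
            _, lo_b, hi_b, _ = idmap[b]
            if lo_a <= hi_b and lo_b <= hi_a:
                bad.append((a, b))
    return bad
```

Note that the same RID in the two domains yields two different Unix IDs, which is why permissions must be tested separately for on-prem and cloud-trust users.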
I’m a bit confused. With synced users, the Kerberos ticket is granted by the on-prem DC for the local user. It shouldn’t be a different domain.
I’m willing to try the Idmap just because I know I’m not familiar with Idmap backends, but I don’t know what range to put on the config for it and range is required.
Thank you for the response Mr. Fartpants, but believe it or not, I am the AD admin. I have never run into needing to configure idmap so idmap ranges are a topic I haven’t wrapped my brain around.
I already had AAD joined machines working with Windows Hello for Business and doing silent SSO to a Synology. I just added a 24.10.02 TrueNAS to this environment and Kerberos based silent SSO to the TrueNAS shares from the Windows 11 AAD joined machine just worked.
I didn’t have to touch idmap.
Let me know if you didn’t get it to work and still want help?