Cannot authenticate in hybrid AD environment

Hi all,

I am having trouble getting a user access to an SMB share in a hybrid AD environment.

They have an on-prem AD domain controller and it works great for any of the older machines joined to the local domain.

If I have a user on a workstation that is just joined to the Entra domain they don’t have access to the share. We are leveraging Cloud Kerberos Trust, which works in this environment on Windows Servers but we are no longer doing file shares on Windows Servers if possible. It simply doesn’t work for authenticating to TrueNAS.

The audit logs indicate it is failing over to NTLMv2 instead of even trying to use Kerberos, which is weird. The domain is “domain.com” and the NetBIOS/pre-Windows 2000 domain name is “domain0”. However, the NetBIOS domain name that users authenticating with Cloud Kerberos Trust appear to be using is “domain” without the 0 at the end. Again, this works to authenticate to legacy Windows Server file shares, but not TrueNAS when joined to AD.

Anything we should check? Happy to run any tests, provide config or log info, or try additional troubleshooting steps.
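As an added example (not part of the original post), one way to turn the "it is failing over to NTLMv2" observation into a repeatable check: parse Samba's JSON authentication audit log and tally, per client domain, which password type and status each attempt used. The records below are constructed for illustration; they follow the field names of Samba's `auth_json_audit` output (`clientDomain`, `clientAccount`, `passwordType`, `status`), but the values, the `NT_STATUS_NO_SUCH_USER` outcome for the unmapped domain, and the exact `passwordType` strings are assumptions, so compare them against your own log before relying on the labels.

```python
import json
from collections import Counter

# Constructed sample records in the shape of Samba's JSON auth audit log
# (enable with "log level = auth_json_audit:3"). Values are made up; a real
# log interleaves other output, hence the deliberate non-JSON line.
SAMPLE_AUDIT_LOG = "\n".join([
    '{"timestamp": "2024-05-01T10:00:01+0000", "type": "Authentication", "Authentication": {"status": "NT_STATUS_OK", "serviceDescription": "SMB2", "clientDomain": "DOMAIN0", "clientAccount": "alice", "workstation": "LEGACY-PC", "passwordType": "Kerberos"}}',
    '{"timestamp": "2024-05-01T10:00:02+0000", "type": "Authentication", "Authentication": {"status": "NT_STATUS_NO_SUCH_USER", "serviceDescription": "SMB2", "clientDomain": "DOMAIN", "clientAccount": "bob", "workstation": "ENTRA-PC", "passwordType": "NTLMv2"}}',
    '{"timestamp": "2024-05-01T10:00:03+0000", "type": "Authentication", "Authentication": {"status": "NT_STATUS_OK", "serviceDescription": "SMB2", "clientDomain": "DOMAIN0", "clientAccount": "carol", "workstation": "LEGACY-PC2", "passwordType": "NTLMv2"}}',
    '{"timestamp": "2024-05-01T10:00:04+0000", "type": "Authentication", "Authentication": {"status": "NT_STATUS_NO_SUCH_USER", "serviceDescription": "SMB2", "clientDomain": "DOMAIN", "clientAccount": "bob", "workstation": "ENTRA-PC", "passwordType": "NTLMv2"}}',
    'May  1 10:00:05 truenas smbd[1234]: unrelated non-JSON log line',
])


def parse_auth_records(text):
    """Return the 'Authentication' objects from a mixed log, skipping non-JSON lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue  # other smbd/winbind output interleaved with the audit records
        if obj.get("type") != "Authentication":
            continue
        records.append(obj["Authentication"])
    return records


def summarize_by_domain(records):
    """Count (passwordType, status) pairs per client domain (upper-cased)."""
    summary = {}
    for rec in records:
        domain = (rec.get("clientDomain") or "").upper()
        key = (rec.get("passwordType"), rec.get("status"))
        summary.setdefault(domain, Counter())[key] += 1
    return summary


def domains_without_kerberos(summary):
    """Client domains for which no attempt used Kerberos at all.

    A domain that shows up only with NTLMv2 is the one to look at: either the
    client never obtained a ticket for this server, or the domain name it
    presents does not match anything the server knows how to map.
    """
    return sorted(
        domain for domain, counts in summary.items()
        if not any(ptype == "Kerberos" for (ptype, _status) in counts)
    )


if __name__ == "__main__":
    summary = summarize_by_domain(parse_auth_records(SAMPLE_AUDIT_LOG))
    for domain, counts in sorted(summary.items()):
        for (ptype, status), n in sorted(counts.items(), key=str):
            print(f"{domain:8} {ptype:9} {status:25} {n}")
    print("never Kerberos:", domains_without_kerberos(summary))
```

Running this over a real `log.smbd` (or the output of `tail -f` on it while the Entra-joined workstation reconnects) separates "the client chose NTLM" from "the client tried Kerberos and was refused", which are different problems with different fixes.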

This means that you need to configure an idmap backend for domain (without the 0). RID is probably best for this case. Then enable “trusted domains” in the AD form. Since the accounts from cloud realm are different from your local realm they will have separate local user and group IDs and names. You will have to account for this when designing permissions and testing.

I’m a bit confused. With synced users, the Kerberos ticket is granted by the on-prem DC for the local user. It shouldn’t be a different domain.

I’m willing to try the Idmap just because I know I’m not familiar with Idmap backends, but I don’t know what range to put on the config for it and range is required.
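As an added example serving both the suggestion above (an `rid` idmap backend for the second domain name) and the question of what a range actually does, here is how the `rid` backend turns a SID into a Unix ID and why the ranges must be disjoint. This is not TrueNAS or Samba code; it reimplements the formula from the `idmap_rid` man page (`ID = RID - BASE_RID + LOW_RANGE_ID`, with `BASE_RID` defaulting to 0) so you can see what a given range will produce before committing it. The `smb.conf` fragment, the domain SIDs and the specific range numbers are constructed assumptions; the real domain SIDs come from `wbinfo --domain-info <DOMAIN>` on the member server.

```python
import re
from dataclasses import dataclass

# Constructed smb.conf fragment (an assumption, not the poster's config):
# a catch-all "*" range for SIDs that belong to no configured domain, the
# joined realm DOMAIN0, and the second name DOMAIN that the reply suggests
# mapping with the rid backend. The three ranges deliberately do not overlap.
SMB_CONF = """
idmap config * : backend = tdb
idmap config * : range = 90000001-100000000
idmap config DOMAIN0 : backend = rid
idmap config DOMAIN0 : range = 100000001-200000000
idmap config DOMAIN : backend = rid
idmap config DOMAIN : range = 200000001-300000000
"""

# Constructed domain SIDs (assumption); on a real system take them from
# `wbinfo --domain-info`.
DOMAIN_SIDS = {
    "S-1-5-21-1111111111-2222222222-3333333333": "DOMAIN0",
    "S-1-5-21-4444444444-5555555555-6666666666": "DOMAIN",
}


@dataclass
class IdmapDomain:
    backend: str
    low: int
    high: int


_IDMAP_LINE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$")


def parse_idmap(conf: str) -> dict[str, IdmapDomain]:
    """Collect 'idmap config <dom> : key = value' lines into per-domain settings."""
    raw: dict[str, dict[str, str]] = {}
    for line in conf.splitlines():
        m = _IDMAP_LINE.match(line)
        if m:
            dom, key, val = m.groups()
            raw.setdefault(dom.upper(), {})[key] = val
    parsed = {}
    for dom, kv in raw.items():
        if "range" not in kv:  # Samba refuses a backend with no range, as the poster found
            raise ValueError(f"idmap config {dom}: range is required")
        low, high = (int(x) for x in kv["range"].split("-"))
        if low >= high:
            raise ValueError(f"idmap config {dom}: empty range {low}-{high}")
        parsed[dom] = IdmapDomain(kv.get("backend", "tdb"), low, high)
    return parsed


def overlapping_ranges(cfg: dict[str, IdmapDomain]) -> list[tuple[str, str]]:
    """Pairs of domains whose ID ranges collide; any collision means two SIDs
    can resolve to the same Unix ID, which silently merges their permissions."""
    ordered = sorted(cfg.items(), key=lambda item: item[1].low)
    return [
        (a, b) for (a, da), (b, db) in zip(ordered, ordered[1:])
        if db.low <= da.high
    ]


def sid_to_unix_id(sid: str, cfg: dict[str, IdmapDomain], base_rid: int = 0) -> tuple[str, int]:
    """Apply the idmap_rid formula: ID = RID - BASE_RID + LOW_RANGE_ID."""
    domain_sid, rid = sid.rsplit("-", 1)
    name = DOMAIN_SIDS.get(domain_sid)
    if name is None or name not in cfg:
        raise LookupError(f"no idmap config for the domain of {sid}")
    dom = cfg[name]
    if dom.backend != "rid":
        raise ValueError(f"{name} uses backend {dom.backend!r}, not rid")
    unix_id = int(rid) - base_rid + dom.low
    if not dom.low <= unix_id <= dom.high:
        raise ValueError(f"RID {rid} maps to {unix_id}, outside {dom.low}-{dom.high}")
    return name, unix_id


if __name__ == "__main__":
    cfg = parse_idmap(SMB_CONF)
    print("overlaps:", overlapping_ranges(cfg))
    for sid in ("S-1-5-21-1111111111-2222222222-3333333333-1105",
                "S-1-5-21-4444444444-5555555555-6666666666-1105"):
        print(sid, "->", sid_to_unix_id(sid, cfg))
```

The two sample SIDs share RID 1105 but land in different ranges (100001106 and 200001106), which is the point the reply makes: an account from the second realm is a separate local identity even if the human behind it is the same, so ACLs and ownership on the dataset have to name both.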

My AD Administrator gave me an idmap range years ago and I still use it today. Perhaps contact your AD admin?

Thank you for the response, Mr. Fartpants, but believe it or not, I am the AD admin. I have never run into needing to configure idmap, so idmap ranges are a topic I haven’t wrapped my brain around.

But I appreciate you taking the time to respond.

Ah, I thought you may say that. Have you tried the default values?