Cannot get newly updated 25.10.0.1 to pull correct UIDs/GIDs from new Server 2022 AD

Updated from 25.04 latest to 25.10.0.1 and joined it to a new Server 2022 with Active Directory.

  1. It refused to join/find the realm for the AD until I manually input the realm on the Advanced Kerberos panel.

  2. No matter what setting I choose it’s inventing its own UIDs/GIDs for my AD users. Initially I left the uidNumber and gidNumber null in AD as all my Linux systems joined fine and have the same #’s, but later I input them (UIDs/GIDs) into AD to match what my Linux machines were showing. I’ve dis-joined/re-joined over 2 dozen times today, rebooted, rebuilt the AD cache and run out of things to try. *Note: I say “inventing” numbers as I don’t know where it’s getting them from, but they are the same numbers through all the re-joins.

Any advice is appreciated as I’m fixing to reload 25.04 at this point.

There are about 5 AD related issues being fixed in 25.10.1. You can test with a nightly.

One is:

It’s an inability to connect if DNS servers are not AD servers. Is that your case?

No, my DNS is AD integrated.

No matter what setting I choose it’s inventing its own UIDs/GIDs for my AD users.

This is due to the idmap configuration in the directory services settings. Cf. the documentation on idmap_ad.

What do I need to change to return the behavior to how it previously worked?

You can start a review here:

It’s easier if you know who is managing the AD server and discuss with them.

  1. Tried following that documentation but the information and screenshots don’t match.

  2. No matter what I select in ‘Enable Trusted Domains’, the Save button is grayed out.


Documenting those differences might help find the issue…

It looks like that part of the documentation was not updated for 25.10 changes (I filed a docs bug ticket about this just now). As mentioned above, changing idmap configuration is not possible while directory services are enabled (that’s why it’s greyed out). You don’t need to set trusted domains; you just need to change the idmap backend to AD and set an appropriate idmap range for your non-default AD configuration. “Appropriate idmap range” in this case means setting the low range to less than your lowest assigned AD uid/gid (but no lower than 1000), and the high range to higher than the highest assigned value.

The configuration is literally in the AD form if you scroll down, so I don’t know if there’s a way to make this clearer.

  1. Thanks for filing to update the docs.

  2. I never stated that I was changing the IDMAP while joined, but I guess I didn’t explicitly say I was doing a new join other than what I stated in my original post about trying 2 dozen times.

  3. I don’t know where you get “non-default AD configuration” from. From the title this is a “new Server 2022 AD”

  4. To add, I do have a backup TrueNAS 25.04 that joined the same AD with all the default settings.

No matter what setting I choose it’s inventing its own UIDs/GIDs for my AD users. Initially I left the uidNumber and gidNumber null in AD as all my Linux systems joined fine and have the same #’s, but later I input them (UIDs/GIDs) into AD to match what my Linux machines were showing.

You’re describing our default behavior (the uids/gids on our side are actually deterministic, not random). You’re trying to get alternate behavior to match other Linux systems. You need to investigate those other systems to see how they’re getting IDs allocated and do the same on TrueNAS if you want local IDs to match.

I am getting the exact same issue as OP but with Samba AD 4.19.5-Ubuntu and TrueNAS 25.10.1.

In this post I am showing two TrueNAS boxes:

  1. Sark that has been updated to 25.10.1
  2. Discovery is still on 25.04.2.6 and is working fine.

In my Samba AD:

  • User uidNumber: 1000 is admin; the rest are >2001 for users
  • Group gidNumber: >2003

In 25.10.1 while using:

IDMAP Backend:

  • RID: I am able to import users and groups but their TrueNAS UIDs are offset by 1000 + some number; this is expected behavior as far as I can tell.
  • Active Directory: Unable to import any users/groups regardless of what Low and High ranges I set.
  • RFC2307: Unable to import any users/groups regardless of what Low and High ranges I set.
  • LDAP: Unable to import any users/groups regardless of what Low and High ranges I set.

Trusted Domains:

  • No matter how I modify the trusted domains configuration, the Save button is always greyed out, see screenshot:

What works in 25.04.2.6:

# 25.04.2.6
$ testparm -s | grep "idmap"
Load smb config files from /etc/smb4.conf
Loaded services file OK.
Weak crypto is allowed by GnuTLS (e.g. NTLM as a compatibility fallback)

Server role: ROLE_DOMAIN_MEMBER

        idmap config * : readonly = False
        idmap config * : range = 300000000 - 400000000
        idmap config ad : unix_nss_info = True
        idmap config ad : unix_primary_group = True
        idmap config ad : schema_mode = RFC2307
        idmap config ad : range = 1000 - 200000000
        idmap config ad : backend = ad
        idmap config * : backend = tdb

What no longer works in 25.10.1:

# 25.10.1
$ testparm -s | grep "idmap"
Load smb config files from /etc/smb4.conf
Loaded services file OK.
Weak crypto is allowed by GnuTLS (e.g. NTLM as a compatibility fallback)

Server role: ROLE_DOMAIN_MEMBER

        idmap config ad : unix_nss_info = True
        idmap config ad : unix_primary_group = True
        idmap config ad : schema_mode = RFC2307
        idmap config ad : range = 1000 - 200000000
        idmap config ad : backend = ad
        idmap config * : read only = True
        idmap config * : range = 300000000 - 400000000
        idmap config * : backend = tdb

Would greatly appreciate any guidance or follow up questions, I might be missing something very obvious.
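The two testparm outputs above differ in only one idmap line, and the earlier advice about the AD range (low at or below the lowest assigned uid/gid, but not below 1000; high above the highest) is a check worth automating before a re-join. The following script is an added example and is not code from any poster or from TrueNAS: it parses `testparm -s` idmap lines, diffs two captures, and reports which AD-assigned IDs fall outside the `idmap config ad` range. The two captures embedded below are copied from this thread; the uidNumber/gidNumber values in the test are constructed from the ranges the poster described. The script reports configuration differences; it does not claim which difference causes the failed imports.

```python
"""Compare idmap settings from two `testparm -s` captures and check that
the AD idmap range covers the uidNumber/gidNumber values assigned in AD."""
import re
from typing import Dict, List, Tuple

# Matches e.g. "idmap config ad : range = 1000 - 200000000"
IDMAP_RE = re.compile(r"^\s*idmap config (\S+)\s*:\s*(.+?)\s*=\s*(.+?)\s*$")

# Both captures copied from the thread (25.04.2.6 and 25.10.1).
TESTPARM_25_04 = """\
Server role: ROLE_DOMAIN_MEMBER

        idmap config * : readonly = False
        idmap config * : range = 300000000 - 400000000
        idmap config ad : unix_nss_info = True
        idmap config ad : unix_primary_group = True
        idmap config ad : schema_mode = RFC2307
        idmap config ad : range = 1000 - 200000000
        idmap config ad : backend = ad
        idmap config * : backend = tdb
"""

TESTPARM_25_10 = """\
Server role: ROLE_DOMAIN_MEMBER

        idmap config ad : unix_nss_info = True
        idmap config ad : unix_primary_group = True
        idmap config ad : schema_mode = RFC2307
        idmap config ad : range = 1000 - 200000000
        idmap config ad : backend = ad
        idmap config * : read only = True
        idmap config * : range = 300000000 - 400000000
        idmap config * : backend = tdb
"""


def parse_idmap(testparm_output: str) -> Dict[str, Dict[str, str]]:
    """Return {domain: {key: value}} for every 'idmap config' line.
    Keys are lower-cased with spaces removed so that 'readonly' and
    'read only' (the two spellings seen in the captures) compare as one key."""
    cfg: Dict[str, Dict[str, str]] = {}
    for line in testparm_output.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        domain, key, value = m.groups()
        cfg.setdefault(domain.lower(), {})[key.replace(" ", "").lower()] = value
    return cfg


def parse_range(value: str) -> Tuple[int, int]:
    """'1000 - 200000000' -> (1000, 200000000)."""
    low, high = (int(part) for part in value.split("-"))
    return low, high


def diff_idmap(old: Dict[str, Dict[str, str]],
               new: Dict[str, Dict[str, str]]) -> Dict[Tuple[str, str], Tuple[str, str]]:
    """Return {(domain, key): (old_value, new_value)} for every setting that
    differs; a missing setting shows up as None on that side."""
    changes = {}
    for domain in sorted(set(old) | set(new)):
        keys = set(old.get(domain, {})) | set(new.get(domain, {}))
        for key in sorted(keys):
            a = old.get(domain, {}).get(key)
            b = new.get(domain, {}).get(key)
            if a != b:
                changes[(domain, key)] = (a, b)
    return changes


def uncovered_ids(cfg: Dict[str, Dict[str, str]], domain: str,
                  ids: List[int]) -> List[int]:
    """IDs that fall outside the domain's inclusive idmap range. An AD user or
    group whose uidNumber/gidNumber is here cannot be mapped by that backend."""
    low, high = parse_range(cfg[domain]["range"])
    return sorted(i for i in ids if not low <= i <= high)


def range_problems(cfg: Dict[str, Dict[str, str]], domain: str,
                   ids: List[int], floor: int = 1000) -> List[str]:
    """Human-readable findings against the range advice given in the thread."""
    low, high = parse_range(cfg[domain]["range"])
    findings = []
    if low < floor:
        findings.append(f"low range {low} is below {floor}")
    if ids and low > min(ids):
        findings.append(f"low range {low} is above lowest assigned id {min(ids)}")
    if ids and high < max(ids):
        findings.append(f"high range {high} is below highest assigned id {max(ids)}")
    return findings


if __name__ == "__main__":
    old, new = parse_idmap(TESTPARM_25_04), parse_idmap(TESTPARM_25_10)
    for (domain, key), (a, b) in diff_idmap(old, new).items():
        print(f"idmap config {domain} : {key}: {a!r} -> {b!r}")
    sample_ids = [1000, 2001, 2002, 2003]  # constructed from the poster's description
    print("uncovered:", uncovered_ids(new, "ad", sample_ids))
    print("range findings:", range_problems(new, "ad", sample_ids))
```

Run it against your own captures by replacing the two embedded strings with the output of `testparm -s | grep idmap` from each box, and the sample IDs with the uidNumber/gidNumber values from your directory; an empty `uncovered` list and no range findings mean the AD range is not what is blocking the mapping.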

I’m also getting the same issue. I tried to go from 25.10.0.1 (working) to 25.10.1, not working. Reverting allowed me to get it working again, even with voiding the config and rejoining AD (machine account credentials expired). Upgraded, and again all SMB shares don’t function and I cannot use AD creds in the GUI for ACLs… on 25.10.0.1 it works fine. I’ve also been using AD idmap, rfc2307, for a long time, and my unix gid and uid were added to all my accounts that touch the filer. Permissions work when it works. I am also on 2022 Datacenter AD.