Cannot start SMB service after joining IPA Directory Services on 25.10

Hi,
has anyone run into a similar issue?
Here are my steps as 1, 2, 3.

  1. Install TrueNAS Scale 25.10
  2. Join IPA domain
  3. Start SMB

First two steps done without issues, 3rd step fails.
SMB service fails with “dependency issue”.
After some troubleshooting I found that it is the Winbind service that is not starting, which prevents SMB (the smbd service) from starting.

The Winbind service fails because it seems that the domain is not correct, failing with the message

[2025/10/31 10:42:45.780970,  0, traceid=1] ../../source3/winbindd/winbindd_util.c:1222(init_domain_list)
  Could not fetch our SID - did we join?
[2025/10/31 10:42:45.781057,  0, traceid=1] ../../source3/winbindd/winbindd.c:1173(winbindd_register_handlers)
  unable to initialize domain list

However, when I try to change Workgroup setting in SMB service configuration from default “WORKGROUP” to IPA domain, TrueNAS does not let me do so, complaining that “Workgroup may not be changed while directory service is enabled”.

So, am I supposed to set up SMB before joining IPA? Is that documented somehow?
And what is “SMB Domain Configuration” setting in IPA Directory Services Configuration page supposed to do then?

Any insight appreciated. Thanks in advance.

Known bug

Try a more stable version like 25.04.2.5

Is it?

When IPA is enabled we override the workgroup setting when generating the smb.conf based on what was auto-discovered about the IPA domain during the domain join process.

What is the output of midclt call directoryservices.config | jq ?

Example of properly detected IPA SMB settings:

{
  "id": 1,
  "service_type": "IPA",
  "credential": {
    "credential_type": "KERBEROS_PRINCIPAL",
    "principal": "host/testqq2yqks421.tn.ixsystems.net@TN.IXSYSTEMS.NET"
  },
  "enable": true,
  "enable_account_cache": true,
  "enable_dns_updates": true,
  "timeout": 10,
  "kerberos_realm": "TN.IXSYSTEMS.NET",
  "configuration": {
    "target_server": "ipatest1.tn.ixsystems.net",
    "hostname": "testqq2yqks421",
    "domain": "TN.IXSYSTEMS.NET",
    "basedn": "dc=tn,dc=ixsystems,dc=net",
    "smb_domain": {
      "name": "TN",
      "range_low": 925000000,
      "range_high": 925199999,
      "idmap_backend": "SSS",
      "domain_name": "tn.ixsystems.net",
      "domain_sid": "S-1-5-21-157882827-213361071-3806343854"
    },
    "validate_certificates": false
  }
}

If you haven’t configured your IPA domain for SMB access then this is not going to work.

All the smb_domain info should be provided by your IPA domain.

This.

{
  "id": 1,
  "service_type": "IPA",
  "credential": {
    "credential_type": "KERBEROS_USER",
    "username": "admin",
    "password": "<SANITIZED>"
  },
  "enable": true,
  "enable_account_cache": true,
  "enable_dns_updates": false,
  "timeout": 10,
  "kerberos_realm": "MY.DOMAIN",
  "configuration": {
    "target_server": "ipaserver.my.domain",
    "hostname": "truenas-test",
    "domain": "my.domain",
    "basedn": "dc=my,dc=domain",
    "smb_domain": {
      "name": "MY",
      "range_low": 926800000,
      "range_high": 926999999,
      "idmap_backend": "SSS",
      "domain_name": "my.domain",
      "domain_sid": "S-1-5-21-3568196435-2032812666-415940551"
    },
    "validate_certificates": true
  }
}

Hmm... what keytab names do you have in the midclt call kerberos.keytab.query output? We should have transitioned to using your IPA MACHINE ACCOUNT keytab for middlewared (no longer having a username / password there).

Note that IPA isn’t a drop-in replacement for how people use AD. Client config (except for linux clients) for SMB is non-trivial.
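As an added example (not part of the thread or TrueNAS's own code), here is a small Python check that applies the two criteria the replies above describe to the JSON returned by midclt call directoryservices.config: the smb_domain block must be fully populated by the IPA join (name, SID, idmap range) and the credential should have moved from KERBEROS_USER to the machine-account principal. The sample configs are constructed placeholders shaped like the outputs quoted in the thread.

```python
import re

# Constructed samples modelled on the `midclt call directoryservices.config | jq`
# output quoted in the thread; values are placeholders, not real domain data.
READY = {
    "service_type": "IPA", "enable": True,
    "credential": {"credential_type": "KERBEROS_PRINCIPAL",
                   "principal": "host/nas.example.test@EXAMPLE.TEST"},
    "configuration": {"smb_domain": {
        "name": "EXAMPLE", "domain_name": "example.test", "idmap_backend": "SSS",
        "range_low": 925000000, "range_high": 925199999,
        "domain_sid": "S-1-5-21-111111111-222222222-333333333"}},
}
NOT_READY = {  # join did not complete the SMB stage: still a user credential, no smb_domain
    "service_type": "IPA", "enable": True,
    "credential": {"credential_type": "KERBEROS_USER", "username": "admin", "password": "x"},
    "configuration": {"smb_domain": None},
}

SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+$")
SMB_KEYS = ("name", "domain_name", "domain_sid", "idmap_backend", "range_low", "range_high")


def check_ipa_smb_readiness(cfg: dict) -> list[str]:
    """Return findings explaining why winbind would refuse to start; empty means OK."""
    findings = []
    if cfg.get("service_type") != "IPA" or not cfg.get("enable"):
        findings.append("directory service is not an enabled IPA configuration")
    cred = cfg.get("credential") or {}
    if cred.get("credential_type") != "KERBEROS_PRINCIPAL":
        findings.append(f"credential_type is {cred.get('credential_type')!r}: a completed "
                        "join should have switched to the machine-account keytab principal")
    if "password" in cred:
        findings.append("a password is still stored in the directory service credential")
    smb = (cfg.get("configuration") or {}).get("smb_domain") or {}
    if not smb:
        findings.append("smb_domain is empty: IPA domain is not configured for SMB access")
        return findings
    missing = [k for k in SMB_KEYS if smb.get(k) in (None, "")]
    if missing:
        findings.append(f"smb_domain is missing {missing}")
    if not SID_RE.match(str(smb.get("domain_sid", ""))):
        findings.append("domain_sid is not a well-formed domain SID (winbind needs it)")
    low, high = smb.get("range_low"), smb.get("range_high")
    if not (isinstance(low, int) and isinstance(high, int) and 0 < low < high):
        findings.append("idmap range_low/range_high is not a valid ascending range")
    return findings


if __name__ == "__main__":
    for label, cfg in (("ready", READY), ("not ready", NOT_READY)):
        print(label, check_ipa_smb_readiness(cfg) or "OK")
```

On a live system, pipe the real output into json.load and pass the dict to check_ipa_smb_readiness; any finding is worth including in the bug report the developer asked for.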

Just this one.

root@truenas-test[~]# midclt call kerberos.keytab.query

[{"id": 1, "name": "IPA_MACHINE_ACCOUNT", "file": "BQIAAABYAAIAB1NFVFMuTFYABGhvc3QAFHRydWVuYXMtdGVzdC5zZXRzLmx2AAAAAWkOCW4BABIAII3HuzW5xfhIsDVU8y4JYSs3R1/IiUamRSivvQe5OZ4JAAAAAQAAAEgAAgAHU0VUUy5MVgAEaG9zdAAUdHJ1ZW5hcy10ZXN0LnNldHMubHYAAAABaQ4JbgEAEQAQT0klFYGq7Ld8RsJwulwBAwAAAAE="}]

Hmm... so it looks like the IPA join possibly failed at the stage where we make the SMB keytab / SRV record.

Please create a bug report and attach a debug to it.

Will do, tomorrow (nearly 11 pm here).
However, on the surface nothing shows that IPA join has failed.
Machine account was created in IPA, IPA users were created in TrueNAS system and so on.

IPA Status shows as HEALTHY.

That’s why I want to see debug.