I have the latest version of TrueNAS Scale running in a Hyper-V VM on Windows Server 2025 Standard. No Windows client can connect to the SMB share I set up. I have checked the SMB share permissions, and not even a full admin user can authenticate. The connections fail because NTLM is disabled on all my Windows machines. I’d rather not enable NTLM or configure exceptions in Group Policy. Is there another way to get this to work?
I’m also unable to join the TrueNAS server to my domain, which would let the clients authenticate with Kerberos instead of NTLM. The TrueNAS server’s computer object gets created in Active Directory, but TrueNAS then returns a message of ‘FAILED’. Here is the output of the join attempt; I have redacted the real domain name, the domain controller’s IPv6 addresses, and the SIDs and GUIDs:
[EFAULT] [EFAULT] Current debug levels: all: 5 tdb: 5 printdrivers: 5 lanman: 5 smb: 5 rpc_parse: 5 rpc_srv: 5 rpc_cli: 5 passdb: 5 sam: 5 auth: 5 winbind: 5 vfs: 5 idmap: 5 quota: 5 acls: 5 locking: 5 msdfs: 5 dmapi: 5 registry: 5 scavenger: 5 dns: 5 ldb: 5 tevent: 5 auth_audit: 5 auth_json_audit: 5 kerberos: 5 drs_repl: 5 smb2: 5 smb2_credits: 5 dsdb_audit: 5 dsdb_json_audit: 5 dsdb_password_audit: 5 dsdb_password_json_audit: 5 dsdb_transaction_audit: 5 dsdb_transaction_json_audit: 5 dsdb_group_audit: 5 dsdb_group_json_audit: 5 ldapsrv: 5 lp_load_ex: refreshing parameters Initialising global parameters rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384) INFO: Current debug levels: all: 5 tdb: 5 printdrivers: 5 lanman: 5 smb: 5 rpc_parse: 5 rpc_srv: 5 rpc_cli: 5 passdb: 5 sam: 5 auth: 5 winbind: 5 vfs: 5 idmap: 5 quota: 5 acls: 5 locking: 5 msdfs: 5 dmapi: 5 registry: 5 scavenger: 5 dns: 5 ldb: 5 tevent: 5 auth_audit: 5 auth_json_audit: 5 kerberos: 5 drs_repl: 5 smb2: 5 smb2_credits: 5 dsdb_audit: 5 dsdb_json_audit: 5 dsdb_password_audit: 5 dsdb_password_json_audit: 5 dsdb_transaction_audit: 5 dsdb_transaction_json_audit: 5 dsdb_group_audit: 5 dsdb_group_json_audit: 5 ldapsrv: 5 Processing section "[global]" doing parameter disable spoolss = True doing parameter dns proxy = False doing parameter load printers = False doing parameter max log size = 5120 doing parameter printcap = /dev/null doing parameter bind interfaces only = True doing parameter fruit:nfs_aces = False doing parameter fruit:zero_file_id = False doing parameter rpc_daemon:mdssd = disabled doing parameter rpc_server:mdssvc = disabled doing parameter restrict anonymous = 2 doing parameter winbind request timeout = 60 doing parameter passdb backend = tdbsam:/var/run/samba-cache/private/passdb.tdb doing parameter workgroup = DOMAIN doing parameter netbios name = TRUENAS doing parameter netbios aliases = doing parameter guest account = nobody doing parameter obey pam restrictions 
= False doing parameter create mask = 0664 doing parameter directory mask = 0775 doing parameter ntlm auth = False doing parameter server multichannel support = True doing parameter unix charset = UTF-8 doing parameter local master = False doing parameter server string = TrueNAS Server doing parameter log level = 1 doing parameter logging = file doing parameter server smb encrypt = required doing parameter idmap config * : backend = tdb doing parameter idmap config * : range = 90000001 - 100000000 doing parameter idmap config * : read only = True doing parameter smb3 directory leases = no doing parameter server role = member server doing parameter kerberos method = secrets only doing parameter sync machine password to keytab = /etc/samba/kerberos/krb5.keytab0:account_name:sync_kvno:machine_password /etc/samba/kerberos/krb5.keytab1:sync_spns:sync_kvno:machine_password /etc/samba/kerberos/krb5.keytab2:spn_prefixes=nfs:sync_kvno:machine_password doing parameter security = ADS doing parameter domain master = False doing parameter preferred master = False doing parameter winbind cache time = 7200 doing parameter winbind max domain connections = 10 doing parameter winbind use default domain = False doing parameter client ldap sasl wrapping = seal doing parameter template shell = /bin/sh doing parameter allow trusted domains = False doing parameter realm = AD.domain.invalid doing parameter template homedir = /var/empty doing parameter winbind enum users = True doing parameter winbind enum groups = True doing parameter machine password timeout = 0 doing parameter create krb5 conf = False doing parameter idmap config DOMAIN : backend = rid doing parameter idmap config DOMAIN : range = 100000001 - 200000000 doing parameter zfs_core:zfs_integrity_streams = False doing parameter zfs_core:zfs_block_cloning = False doing parameter registry shares = True doing parameter include = registry doing parameter registry shares = yes process_registry_service: service name global 
pm_process() returned Yes added interface eth0 ip=2600:REDACT bcast= netmask=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff added interface eth0 ip=192.168.1.15 bcast=192.168.1.255 netmask=255.255.255.0 Registering messaging pointer for type 2 - private_data=(nil) register_msg_pool_usage: Registered MSG_REQ_POOL_USAGE Registering messaging pointer for type 11 - private_data=(nil) Registering messaging pointer for type 12 - private_data=(nil) Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED Registering messaging pointer for type 1 - private_data=(nil) Registering messaging pointer for type 5 - private_data=(nil) Registering messaging pointer for type 51 - private_data=(nil) added interface eth0 ip=2600:REDACT bcast= netmask=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff added interface eth0 ip=192.168.1.15 bcast=192.168.1.255 netmask=255.255.255.0 libnet_Join: libnet_JoinCtx: struct libnet_JoinCtx in: struct libnet_JoinCtx dc_name : 'DC01.ad.domain.invalid' machine_name : 'TRUENAS' domain_name : * domain_name : 'AD.domain.invalid' domain_name_type : JoinDomNameTypeDNS (1) account_ou : NULL admin_credentials : * passed_machine_password : machine_password : join_flags : 0x00000023 (35) 0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS 0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME 0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT 0: WKSSVC_JOIN_FLAGS_DEFER_SPN 0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED 0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE 1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED 0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE 0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE 1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE 1: WKSSVC_JOIN_FLAGS_JOIN_TYPE os_version : NULL os_name : NULL os_servicepack : NULL create_upn : 0x00 (0) upn : NULL dnshostname : 'TRUENAS.AD.domain.invalid' modify_config : 0x00 (0) ads : NULL debug : 0x01 (1) secure_channel_type : SEC_CHAN_WKSTA (2) desired_encryption_types : 0x0000001c (28) provision_computer_account_only: 0x00 (0) odj_provision_data : NULL request_offline_join : 0x00 (0) Opening cache file at 
/var/run/samba-lock/gencache.tdb sitename_fetch: Returning sitename for realm 'AD.domain.invalid': "Domain" namecache_fetch: no entry for DC01.ad.domain.invalid#20 found. resolve_hosts: Attempting host lookup for name DC01.ad.domain.invalid<0x20> namecache_store: storing 2 addresses for DC01.ad.domain.invalid#20: [2600:REDACTED:DC:IP],192.168.1.2 sitename_fetch: Returning sitename for realm 'AD.domain.invalid': "Domain" namecache_fetch: name DC01.ad.domain.invalid#20 found. Connecting to 2600:REDACTED:DC:IP at port 445 socket options: SO_KEEPALIVE=0, SO_REUSEADDR=0, SO_BROADCAST=0, TCP_NODELAY=1, TCP_KEEPCNT=9, TCP_KEEPIDLE=7200, TCP_KEEPINTVL=75, IPTOS_LOWDELAY=0, IPTOS_THROUGHPUT=0, SO_REUSEPORT=0, SO_SNDBUF=87040, SO_RCVBUF=131072, SO_SNDLOWAT=1, SO_RCVLOWAT=1, SO_SNDTIMEO=0, SO_RCVTIMEO=0, TCP_QUICKACK=1, TCP_DEFER_ACCEPT=0, TCP_USER_TIMEOUT=0 cli_session_setup_spnego_send: Connect to DC01.ad.domain.invalid as TrueNAS Backup Account@AD.domain.invalid using SPNEGO GENSEC backend 'gssapi_spnego' registered GENSEC backend 'gssapi_krb5' registered GENSEC backend 'gssapi_krb5_sasl' registered GENSEC backend 'spnego' registered GENSEC backend 'schannel' registered GENSEC backend 'ncalrpc_as_system' registered GENSEC backend 'sasl-EXTERNAL' registered GENSEC backend 'ntlmssp' registered GENSEC backend 'ntlmssp_resume_ccache' registered GENSEC backend 'http_basic' registered GENSEC backend 'http_ntlm' registered GENSEC backend 'http_negotiate' registered Starting GENSEC mechanism spnego Starting GENSEC submechanism gse_krb5 gensec_gse_client_prepare_ccache: No kinit required for TrueNAS Backup Account@AD.domain.invalid to access cifs/DC01.ad.domain.invalid, KEYRING:persistent:0:krb_ccache_FjK3PjB signed SMB2 message (sign_algo_id=2) signed SMB2 message (sign_algo_id=2) Bind RPC Pipe: host DC01.ad.domain.invalid auth_type 0, auth_level 1 rpc_api_pipe: host DC01.ad.domain.invalid signed SMB2 message (sign_algo_id=2) rpc_read_send: data_to_read: 76 check_bind_response: 
accepted! rpc_api_pipe: host DC01.ad.domain.invalid signed SMB2 message (sign_algo_id=2) rpc_read_send: data_to_read: 32 rpc_api_pipe: host DC01.ad.domain.invalid signed SMB2 message (sign_algo_id=2) rpc_read_send: data_to_read: 220 rpc_api_pipe: host DC01.ad.domain.invalid signed SMB2 message (sign_algo_id=2) rpc_read_send: data_to_read: 32 signed SMB2 message (sign_algo_id=2) sitename_fetch: Returning sitename for realm 'AD.domain.invalid': "Domain" namecache_fetch: name DC01.ad.domain.invalid#20 found. ads_try_connect: ads_try_connect: sending CLDAP request to 192.168.1.2 (realm: ad.domain.invalid) Successfully contacted LDAP server 192.168.1.2 Connecting to 192.168.1.2 at port 389 Connected to LDAP server DC01.ad.domain.invalid ads_current_time: server time offset is 0 seconds ads_current_time: server time offset is 0 seconds Starting GENSEC mechanism spnego Starting GENSEC submechanism gse_krb5 gensec_gse_client_prepare_ccache: No kinit required for TrueNAS Backup Account@AD.domain.invalid to access ldap/dc01.ad.domain.invalid, KEYRING:persistent:0:krb_ccache_FjK3PjB ads_gen_add: AD LDAP: Adding cn=TRUENAS,CN=Computers,dc=AD,dC=domain,DC=invalid libnet_join_precreate_machine_acct: Machine account successfully created ads_gen_mod: AD LDAP: Modifying CN=TRUENAS,CN=Computers,DC=ad,DC=domain,DC=invalid ads_domain_func_level: 10 sitename_fetch: Returning sitename for realm 'AD.domain.invalid': "Domain" namecache_fetch: name DC01.ad.domain.invalid#20 found. 
ads_try_connect: ads_try_connect: sending CLDAP request to 192.168.1.2 (realm: ad.domain.invalid) Successfully contacted LDAP server 192.168.1.2 Connecting to 192.168.1.2 at port 389 Connected to LDAP server DC01.ad.domain.invalid ads_current_time: server time offset is 0 seconds ads_current_time: server time offset is 0 seconds Starting GENSEC mechanism spnego Starting GENSEC submechanism gse_krb5 gensec_gse_client_prepare_ccache: Doing kinit for TRUENAS$@ad.domain.invalid to access ldap/dc01.ad.domain.invalid into MEMORY:cn4VF2e gensec_gse_client_prepare_ccache: Kinit for TRUENAS$@ad.domain.invalid to access ldap/dc01.ad.domain.invalid failed: Cannot find KDC for requested realm: NT_STATUS_NO_LOGON_SERVERS Failed to start GENSEC client mech gse_krb5: NT_STATUS_INVALID_PARAMETER Starting GENSEC submechanism ntlmssp ads_sasl_spnego_bind: ads_sasl_spnego_gensec_bind() failed for ldap/dc01.ad.domain.invalid with user[TRUENAS$@ad.domain.invalid]: Invalid credentials libnet_Join: libnet_JoinCtx: struct libnet_JoinCtx out: struct libnet_JoinCtx odj_provision_data : NULL account_name : 'TRUENAS$' netbios_domain_name : 'DOMAIN' dns_domain_name : 'ad.domain.invalid' forest_name : 'ad.domain.invalid' dn : 'CN=TRUENAS,CN=Computers,DC=ad,DC=domain,DC=invalid' domain_guid : REDACTED-DOMAIN-GUID domain_sid : * domain_sid : REDACTED-DOMAIN-SID modified_config : 0x00 (0) error_string : 'failed to connect to AD: Invalid credentials' domain_is_ad : 0x01 (1) set_encryption_types : 0x00000000 (0) krb5_salt : NULL dcinfo : * dcinfo: struct netr_DsRGetDCNameInfo dc_unc : * dc_unc : '\\DC01.ad.domain.invalid' dc_address : * dc_address : '\\2600:REDACTED:DC:IP' dc_address_type : DS_ADDRESS_TYPE_INET (1) domain_guid : REDACTED-DOMAIN-GUID domain_name : * domain_name : 'ad.domain.invalid' forest_name : * forest_name : 'ad.domain.invalid' dc_flags : 0xe007f3fd (3758617597) 1: NBT_SERVER_PDC 1: NBT_SERVER_GC 1: NBT_SERVER_LDAP 1: NBT_SERVER_DS 1: NBT_SERVER_KDC 1: NBT_SERVER_TIMESERV 1: 
NBT_SERVER_CLOSEST 1: NBT_SERVER_WRITABLE 1: NBT_SERVER_GOOD_TIMESERV 0: NBT_SERVER_NDNC 0: NBT_SERVER_SELECT_SECRET_DOMAIN_6 1: NBT_SERVER_FULL_SECRET_DOMAIN_6 1: NBT_SERVER_ADS_WEB_SERVICE 1: NBT_SERVER_DS_8 1: NBT_SERVER_DS_9 1: NBT_SERVER_DS_10 1: NBT_SERVER_HAS_DNS_NAME 1: NBT_SERVER_IS_DEFAULT_NC 1: NBT_SERVER_FOREST_ROOT dc_site_name : * dc_site_name : 'Domain' client_site_name : * client_site_name : 'Domain' account_rid : 0x00002971 (10609) result : WERR_GEN_FAILURE return code = -1 Freeing parametrics: