Unfortunately, when setting up LDAP with FreeIPA, I went directly into the advanced settings and configured things manually. Following several guides, I manually created the host on another system using ipa host-add, then downloaded the keyfile and used the GUI to add it.
When finishing the setup I got the following:
Warning
Attempt to fully join IPA domain failed. TrueNAS will continue to act as an IPA client but with diminished capabilities including lack of support for kerberos security for NFS and SMB protocols. [EEXIST] LDAP kerberos principal is already populated, but was not generated through the IPA join process. Domain functionality may be reduced and is undefined from the perspective of the TrueNAS backend.
2025-05-27 16:06:15 (America/Chicago)
I spent many hours trying to resolve it, only to find some articles saying I should have just left the initial LDAP settings very plain without any advanced configuration. I brought up a new TrueNAS CORE, tested it, and sure enough, it joined right up!
Nothing I do seems to clear these settings fully. I’ve blanked them all, then disabled and saved, and it does seem to clear out a few things at the system level. But no matter what I do, I still get this same issue.
I brought up another system and was able to recreate the same issues. I solved it on that one doing a full systems reset. Easy enough to do in a test env, not so easy in a production system.
Anyone have a clue what isn’t getting reset on the backend that would cause this to still come up after clearing all the settings in the LDAP config, deleting the keytabs in the GUI, and deleting the Kerberos realms? It sits there saying it is waiting for the domain to come online. Eventually it will complete and show healthy, but I always get this error:
[EEXIST] LDAP kerberos principal is already populated, but was not generated through the IPA join process. Domain functionality may be reduced and is undefined from the perspective of the TrueNAS backend.
And now, even while showing healthy, the Kerberos domain in the GUI and the keytabs never get populated.
Hoping someone can help me reset this without actually having to do a full settings reset.