I had the problem "[EFAULT] TrueNAS server is joined to activedirectory while lacking a configured kerberos principal"

Full error:

[EFAULT] TrueNAS server is joined to activedirectory (possibly through commands issued outside of public APIs) while lacking a configured kerberos principal, which is required maintain a stable domain connection. Disabling service.

I updated from SCALE 23.10.1 to 23.10.2

I tried following those other posts but it didn’t work:

but no luck

In the end I created a new keytab file on my Windows server with

ktpass /princ administrator@example.com /pass mysupersecretpassword /mapuser EXAMPLE\Administrator /ptype KRB5_NT_PRINCIPAL /out admin.keytab

and I loaded it back in the keytab section at /ui/directoryservice/kerberoskeytabs

Then, instead of joining back with a password, I chose that keytab in Advanced Settings.
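Added example, not from this thread or from TrueNAS: before uploading a keytab produced by ktpass, it is worth checking what is actually inside it, because the realm in the principal is case-sensitive (AD realms are uppercase) and an unspecified /crypto can leave you with RC4 keys. The parser below reads the MIT version-2 keytab layout that ktpass and ktutil write (this is an assumption about the file you have; the 0x0502 magic at the start confirms it). The function names (parse_keytab, check_keytab, audit_keytab_file) and the sample keytab bytes are constructed here for illustration; the keys in the sample are dummy bytes.

```python
import struct

# Kerberos enctype numbers (RFC 3961/3962/4757) and the ones worth flagging.
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5",
                 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
WEAK_ENCTYPES = {1, 3, 23}
KRB5_NT_PRINCIPAL = 1  # what ktpass /ptype KRB5_NT_PRINCIPAL writes


def _counted(b):
    """Encode a keytab counted_octet_string: uint16 length followed by bytes."""
    return struct.pack(">H", len(b)) + b


def _read_counted(buf, off):
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + n], off + n


def build_keytab_entry(principal, enctype, key, kvno, timestamp=0):
    """Encode one MIT keytab v2 entry; used only to construct sample input here."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _counted(realm.encode())
    for c in comps:
        body += _counted(c.encode())
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, timestamp, kvno & 0xFF)
    body += struct.pack(">H", enctype) + _counted(key)
    body += struct.pack(">I", kvno)  # optional 32-bit kvno extension
    return struct.pack(">i", len(body)) + body


def build_keytab(entries):
    return b"\x05\x02" + b"".join(build_keytab_entry(*e) for e in entries)


def parse_keytab(data):
    """Parse MIT keytab v2 bytes into a list of entry dicts (keys are not returned)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not an MIT version-2 keytab")
    off, entries = 2, []
    while off < len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size == 0:
            break
        if size < 0:          # negative size marks a deleted entry: skip the hole
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _read_counted(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _read_counted(data, off)
            comps.append(c.decode())
        name_type, _ts, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        (enctype,) = struct.unpack_from(">H", data, off)
        off += 2
        key, off = _read_counted(data, off)
        kvno = vno8
        if end - off >= 4:    # 32-bit kvno, if present and non-zero, wins
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                kvno = vno32
        off = end
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "realm": realm.decode(), "name_type": name_type,
                        "enctype": enctype, "kvno": kvno, "key_len": len(key)})
    return entries


def check_keytab(entries, expected_realm):
    """Return a list of findings; an empty list means nothing obviously wrong."""
    findings = []
    if not entries:
        findings.append("keytab contains no entries")
    for e in entries:
        if e["realm"] != expected_realm:
            findings.append(f"{e['principal']}: realm {e['realm']!r} does not match "
                            f"{expected_realm!r} (realms are case-sensitive)")
        if e["enctype"] in WEAK_ENCTYPES:
            findings.append(f"{e['principal']}: weak enctype "
                            f"{ENCTYPE_NAMES.get(e['enctype'], e['enctype'])}")
        if e["name_type"] != KRB5_NT_PRINCIPAL:
            findings.append(f"{e['principal']}: unexpected name type {e['name_type']}")
    return findings


def audit_keytab_file(path, expected_realm):
    with open(path, "rb") as f:
        return check_keytab(parse_keytab(f.read()), expected_realm)


# Constructed sample: one good AES256 entry and one with a lowercase realm and RC4.
SAMPLE_KEYTAB = build_keytab([
    ("administrator@EXAMPLE.COM", 18, b"\x11" * 32, 3),
    ("administrator@example.com", 23, b"\x22" * 16, 3),
])

if __name__ == "__main__":
    for line in check_keytab(parse_keytab(SAMPLE_KEYTAB), "EXAMPLE.COM"):
        print("finding:", line)
```

Run audit_keytab_file("admin.keytab", "EXAMPLE.COM") against the file ktpass wrote; an empty result means the realm matches what TrueNAS expects and no DES/RC4 keys are present. The kvno printed per entry is also useful: if it does not match the account's current key version on the DC, the keytab is stale.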

Hi Could7980

I ran into the same problem, could create the keytab file on my DC. But where do I need to copy it to? The system structure of TrueNAS SCALE is still a black box for me :-/ Can I just copy it to the target file via ssh?

Appreciate your help!

Pat

I didn’t use ssh, I used the UI

Load it at http://yourserver.local/ui/directoryservice/kerberoskeytabs

I wish in a future version there’s a way to let it forget it was ever connected to active directory and start from scratch

*Edit
I did get Cloud’s Solution to work. I was confused on how to actually use the keytab file.

Wish I would have taken a screenshot to show the correct “knobs” that needed to be turned.

I had this same problem. What ended up working for me was two steps:

1 - On the TrueNAS server, I ran the following from the command line: “net cache flush”
2 - On the Windows Active Directory server, I went into “Active Directory Users and Computers” and removed the TrueNAS server entry from Active Directory Users and Computers → mydomain.lan → Computers
3 - On the TrueNAS server, I made sure that “Kerberos Realms” and “Kerberos Keytab” were cleared from “Advanced Settings”. I then re-attempted to join the domain. (It gave an error the first time, but it worked on a second attempt).