IPA/Active Directory setup problems on 25.10

Among the myriad of changes for 25.10, the Active Directory screen and API were changed and the IPA setup was added (you could use it before, but in LDAP mode; now it's a "true" setup like AD).

I tried to set up an Active Directory join on a fresh install of TrueNAS 25.10 and I was hit by this error:

Seeing that not working (the domain was working; I could join other machines and a Synology NAS) and seeing that IPA was supported, I decided to try it. Same error:

I checked the middleware error logs:

[2025/10/30 22:34:39] (ERROR) middlewared.job.run():542 - Job <bound method DirectoryServices.update of <middlewared.plugins.directoryservices_.datastore.DirectoryServices object at 0x7fdf344d4c90>> failed @cee:{"TNLOG": {"exception": "Traceback (most recent call last):
  File \"/usr/lib/python3/dist-packages/middlewared/job.py\", line 527, in run
    await self.future
  File \"/usr/lib/python3/dist-packages/middlewared/job.py\", line 574, in __run_body
    rv = await self.middleware.run_in_thread(self.method, *args)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File \"/usr/lib/python3/dist-packages/middlewared/main.py\", line 668, in run_in_thread
    return await self.run_in_executor(io_thread_pool_executor, method, *args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File \"/usr/lib/python3/dist-packages/middlewared/main.py\", line 665, in run_in_executor
    return await loop.run_in_executor(pool, functools.partial(method, *args, **kwargs))
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File \"/usr/lib/python3.11/concurrent/futures/thread.py\", line 58, in run
    result = self.fn(*self.args, **self.kwargs)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File \"/usr/lib/python3/dist-packages/middlewared/api/base/decorator.py\", line 116, in wrapped
    result = func(*args)
             ^^^^^^^^^^^
  File \"/usr/lib/python3/dist-packages/middlewared/plugins/directoryservices_/datastore.py\", line 558, in update
    self.validate_ipa(old, new, verrors, revert)
  File \"/usr/lib/python3/dist-packages/middlewared/plugins/directoryservices_/datastore.py\", line 454, in validate_ipa
    self.validate_dns(old, new, verrors, revert)
  File \"/usr/lib/python3/dist-packages/middlewared/plugins/directoryservices_/datastore.py\", line 434, in validate_dns
    dns_addresses = set(x['address'] for x in self.middleware.call_sync('dnsclient.forward_lookup', {
                                              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File \"/usr/lib/python3/dist-packages/middlewared/main.py\", line 1065, in call_sync
    return self.run_coroutine(methodobj(*prepared_call.args))
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File \"/usr/lib/python3/dist-packages/middlewared/main.py\", line 1105, in run_coroutine
    return fut.result()
           ^^^^^^^^^^^^
  File \"/usr/lib/python3.11/concurrent/futures/_base.py\", line 449, in result
    return self.__get_result()
           ^^^^^^^^^^^^^^^^^^^
  File \"/usr/lib/python3.11/concurrent/futures/_base.py\", line 401, in __get_result
    raise self._exception
  File \"/usr/lib/python3/dist-packages/middlewared/api/base/decorator.py\", line 108, in wrapped
    result = await func(*args)
             ^^^^^^^^^^^^^^^^^
  File \"/usr/lib/python3/dist-packages/middlewared/plugins/dns_client.py\", line 178, in forward_lookup
    raise failuresPerHost[h][0]
  File \"/usr/lib/python3/dist-packages/middlewared/plugins/dns_client.py\", line 96, in resolve_name
    ans = await r.resolve(
          ^^^^^^^^^^^^^^^^
  File \"/usr/lib/python3/dist-packages/dns/asyncresolver.py\", line 120, in resolve
    (answer, done) = resolution.query_result(response, None)
                     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File \"/usr/lib/python3/dist-packages/dns/resolver.py\", line 768, in query_result
    raise NoAnswer(response=answer.response)
dns.resolver.NoAnswer: The DNS response does not contain an answer to the question: truenas\\@tenno.REDACTED. IN A", "type": "PYTHON_EXCEPTION", "time": "2025-10-30 21:34:39.984985"}}

and the code on GitHub.

I found that to check if the nameservers are correct and if the hostname is already used, TrueNAS calls hostname@domain.

I have checked all documentation I could find on Active Directory and FreeIPA and I wasn't able to find why @ is used instead of a dot.

Is this a bug that I should report, or is this a problem on my side, a problem with my setup?

After digging further, this is why I can't add my FreeIPA domain to TrueNAS.
TrueNAS's validate_dns function only works if it receives an NXDOMAIN, but by sending hostname@my.domain it receives a NOERROR with an empty A record.


And after building a patched TrueNAS build of 25.10 (thanks to the TrueNAS team for making this process very simple and accessible), I can pass the validate_dns check (the patch just replaces the @ with a dot) and connect to FreeIPA:


(I know it failed, but that's normal; I was testing with an unprivileged user.)

Ticket filed under Jira
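The distinction the posts above turn on, an NXDOMAIN reply versus a NOERROR reply with an empty answer section, plus the dot-joined name the check should have queried, as an added Python example that is not TrueNAS code: a header-level DNS response classifier, a hostname-label check that rejects a label like truenas@, and a constructed stand-in resolver (the names under tenno.example are made up) instead of real DNS traffic.

```python
import re
import struct

# DNS header: ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (RFC 1035, section 4.1.1)
HEADER = struct.Struct("!HHHHHH")
RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3
# RFC 1123 hostname label: letters, digits and inner hyphens only (no '@')
LABEL_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def classify_response(wire: bytes) -> str:
    """Return 'answer', 'nodata', 'nxdomain' or 'error' from the 12-byte header.
    NXDOMAIN is rcode 3; NODATA (what the thread saw for 'hostname@domain') is
    NOERROR with an empty answer section (ANCOUNT == 0)."""
    if len(wire) < HEADER.size:
        raise ValueError("truncated DNS header")
    _id, flags, _qd, ancount, _ns, _ar = HEADER.unpack_from(wire)
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    rcode = flags & 0x000F
    if rcode == RCODE_NXDOMAIN:
        return "nxdomain"
    if rcode != RCODE_NOERROR:
        return "error"
    return "answer" if ancount else "nodata"


def build_fqdn(hostname: str, domain: str) -> str:
    """Join host and domain with a dot; reject labels such as 'truenas@'."""
    if not LABEL_RE.match(hostname):
        raise ValueError(f"invalid hostname label: {hostname!r}")
    return f"{hostname}.{domain.rstrip('.')}"


def hostname_is_free(hostname: str, domain: str, lookup) -> tuple[bool, str]:
    """Pre-join check: the name is free only on NXDOMAIN; NODATA means it exists."""
    verdict = classify_response(lookup(build_fqdn(hostname, domain)))
    return verdict == "nxdomain", verdict


# Constructed stand-in for a resolver (header only; no real DNS traffic).
def _response(rcode: int, ancount: int) -> bytes:
    return HEADER.pack(0x1234, 0x8180 | rcode, 1, ancount, 0, 0)  # QR, RD, RA set


FAKE_ZONE = {"nas01.tenno.example"}  # constructed: names that already have an A record


def fake_lookup(name: str) -> bytes:
    if "@" in name:  # mimics the NOERROR/empty-answer reply the thread describes
        return _response(RCODE_NOERROR, 0)
    if name in FAKE_ZONE:
        return _response(RCODE_NOERROR, 1)
    return _response(RCODE_NXDOMAIN, 0)
```

Swap fake_lookup for a function that sends a real query and returns the raw reply bytes, and the classifier and check stay the same.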

Hi, I'm experiencing this issue as well (AD join fails after the DNS query for "hostname@domain.com") and I am glad to see it's been addressed. Where can I find that patch?

Thank you!

Kevin

You will need to build a custom version of TrueNAS from sources:
from the scale-build directory, you need to edit this file:
sources/truenas/src/middlewared/middlewared/plugins/directoryservices_/datastore.py
at line 432 and change the @ into a dot (.).

Join successful with FreeIPA (should also work with Active Directory)


No news about the ticket.

I have checked all documentation I could find on Active Directory and FreeIPA and I wasn't able to find why @ is used instead of a dot.

It looks like I typoed it. I was probably working on Kerberos principals in the immediate vicinity of that code and had a brain-fart. It didn't show up in our CI because the particular DNS servers used provided different errors than some people are seeing.


I see you made a PR on the middleware repo, but it is not linked on my issue in Jira; you might want to check it to close it and remove it from the list of open issues.

The PR has been merged for 26.04 and 25.10.1.

If someone from the TrueNAS team could close this ticket, that would avoid confusion.

I never had an issue with joining IPA; I guess that's DNS related. Here the IPA domain passes all health checks with ipa-healthcheck (it complains if DNS records are not proper, but YMMV).

However, I cannot start the Samba service after joining IPA, and I'd assume that's the number one thing people want to do after joining IPA.

I am going to open a separate thread on this, but the gist of it is that, as per my troubleshooting, the winbind service cannot start because we're on the wrong domain (the default setting for the Samba service, "WORKGROUP") and the domain cannot be changed, because "Workgroup may not be changed while directory service is enabled".

So I guess I have to start Samba with the correct domain first :confused: and then join IPA.
All tried on a freshly installed test system.