IPA Integration breaks Samba on 25.10

I wanted to try to link my TrueNAS server and a FreeIPA domain to sync and allow users to log in to SMB with their user account.
But after linking TrueNAS to my FreeIPA domain (via the IPA integration), Samba auth stopped working, both for local users and IPA users. Looking at the logs, the only thing I could find is this:

[2026/01/03 13:53:03.964060,  0, traceid=1] ../../source3/librpc/crypto/gse.c:1047(gensec_gse_client_prepare_ccache)
  gensec_gse_client_prepare_ccache: Kinit for TRUENAS$@IDM.REDACTED.COM to access cifs/freeipa-0.idm.redacted.com failed: Preauthentication failed: NT_STATUS_LOGON_FAILURE
[2026/01/03 13:53:04.000244,  1, traceid=1] ../../source3/winbindd/winbindd_cm.c:814(cm_prepare_connection)
  authenticated session setup to freeipa-0.idm.redacted.com using IDM\TRUENAS$ failed with NT_STATUS_LOGON_FAILURE
[2026/01/03 13:53:04.000572,  1, traceid=1] ../../source3/winbindd/winbindd_cm.c:960(cm_prepare_connection)
  Failed to prepare SMB connection to freeipa-0.idm.redacted.com: NT_STATUS_LOGON_FAILURE
[2026/01/03 13:53:04.002207,  1, traceid=1] ../../source3/libsmb/namequery.c:3543(get_sorted_dc_list)
  get_sorted_dc_list: No server for domain 'IDM.REDACTED.COM' available in site 'Default-First-Site-Name', fallback to all servers
[2026/01/03 13:53:04.256343,  1, traceid=1] ../../source3/libads/ldap.c:830(ads_find_dc)
  ads_find_dc: name resolution for realm 'IDM.REDACTED.COM' (domain 'IDM') failed: NT_STATUS_NO_LOGON_SERVERS
[2026/01/03 13:53:04.510274,  1, traceid=1] ../../source3/libsmb/namequery.c:3543(get_sorted_dc_list)
  get_sorted_dc_list: No server for domain 'IDM.REDACTED.COM' available in site 'Default-First-Site-Name', fallback to all servers
[2026/01/03 13:53:34.258077,  0, traceid=1] ../../source3/librpc/crypto/gse.c:1047(gensec_gse_client_prepare_ccache)
  gensec_gse_client_prepare_ccache: Kinit for TRUENAS$@IDM.REDACTED.COM to access cifs/freeipa-0.idm.redacted.com failed: Preauthentication failed: NT_STATUS_LOGON_FAILURE
[2026/01/03 13:53:34.290491,  1, traceid=1] ../../source3/winbindd/winbindd_cm.c:814(cm_prepare_connection)
  authenticated session setup to freeipa-0.idm.redacted.com using IDM\TRUENAS$ failed with NT_STATUS_LOGON_FAILURE
[2026/01/03 13:53:34.290850,  1, traceid=1] ../../source3/winbindd/winbindd_cm.c:960(cm_prepare_connection)
  Failed to prepare SMB connection to freeipa-0.idm.redacted.com: NT_STATUS_LOGON_FAILURE
[2026/01/03 13:53:34.292631,  1, traceid=1] ../../source3/libsmb/namequery.c:3543(get_sorted_dc_list)
  get_sorted_dc_list: No server for domain 'IDM.REDACTED.COM' available in site 'Default-First-Site-Name', fallback to all servers
[2026/01/03 13:53:34.546611,  1, traceid=1] ../../source3/libads/ldap.c:830(ads_find_dc)
  ads_find_dc: name resolution for realm 'IDM.REDACTED.COM' (domain 'IDM') failed: NT_STATUS_NO_LOGON_SERVERS
[2026/01/03 13:53:34.800496,  1, traceid=1] ../../source3/libsmb/namequery.c:3543(get_sorted_dc_list)
  get_sorted_dc_list: No server for domain 'IDM.REDACTED.COM' available in site 'Default-First-Site-Name', fallback to all servers

I have already resolved another bug (I think) with this command:

ldbadd -H /var/db/system/samba4/private/secrets.ldb </dev/null

But I could not find a solution to this problem.

Software info:
TrueNAS 25.10.1 (the IPA connection works and is marked as healthy)
FreeIPA on AlmaLinux 10 with the ad-trust package installed and configured (done not for the AD trust but because it adds some config and DNS records needed for Samba)
The rest of the FreeIPA install is pretty much standard without additional configs.

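The log excerpt in the post above repeats the same few winbindd messages every 30 seconds. As an added example (not part of the original post, and not TrueNAS or Samba code), this Python script parses that two-line log format and collapses the entries by reporting function and NT status code, keeping the first timestamp of each group so the earliest failure in a retry cycle is easy to pick out. The sample entries are constructed, with EXAMPLE.COM, ipa.example.com and NAS$ as placeholder names.

```python
import re
from collections import OrderedDict

# Constructed sample in the same two-line format as the excerpt (placeholder names).
SAMPLE_LOG = """\
[2026/01/03 13:53:03.964060,  0, traceid=1] ../../source3/librpc/crypto/gse.c:1047(gensec_gse_client_prepare_ccache)
  gensec_gse_client_prepare_ccache: Kinit for NAS$@EXAMPLE.COM to access cifs/ipa.example.com failed: Preauthentication failed: NT_STATUS_LOGON_FAILURE
[2026/01/03 13:53:04.256343,  1, traceid=1] ../../source3/libads/ldap.c:830(ads_find_dc)
  ads_find_dc: name resolution for realm 'EXAMPLE.COM' (domain 'EXAMPLE') failed: NT_STATUS_NO_LOGON_SERVERS
[2026/01/03 13:53:34.258077,  0, traceid=1] ../../source3/librpc/crypto/gse.c:1047(gensec_gse_client_prepare_ccache)
  gensec_gse_client_prepare_ccache: Kinit for NAS$@EXAMPLE.COM to access cifs/ipa.example.com failed: Preauthentication failed: NT_STATUS_LOGON_FAILURE
[2026/01/03 13:53:34.546611,  1, traceid=1] ../../source3/libads/ldap.c:830(ads_find_dc)
  ads_find_dc: name resolution for realm 'EXAMPLE.COM' (domain 'EXAMPLE') failed: NT_STATUS_NO_LOGON_SERVERS
"""

# Header line: [timestamp, debug level, optional fields] source-file:line(function)
HEADER = re.compile(r"^\[(?P<ts>[\d/]+ [\d:.]+),\s*(?P<level>\d+)[^\]]*\]\s+"
                    r"(?P<file>\S+?):(?P<line>\d+)\((?P<func>\w+)\)\s*$")
STATUS = re.compile(r"NT_STATUS_\w+")

def parse_entries(text):
    """Pair each header line with the indented message line(s) that follow it."""
    entries, current = [], None
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            current = {**m.groupdict(), "msg": ""}
            current["level"] = int(current["level"])
            entries.append(current)
        elif current is not None and raw[:1].isspace():
            current["msg"] = (current["msg"] + " " + raw.strip()).strip()
    return entries

def summarize(entries):
    """Group by (function, last NT status in the message), in order of first appearance."""
    groups = OrderedDict()
    for e in entries:
        codes = STATUS.findall(e["msg"])
        key = (e["func"], codes[-1] if codes else None)
        g = groups.setdefault(key, {"count": 0, "first": e["ts"], "level": e["level"]})
        g["count"] += 1
        g["level"] = min(g["level"], e["level"])  # lowest debug level seen in the group
    return groups

if __name__ == "__main__":
    for (func, status), g in summarize(parse_entries(SAMPLE_LOG)).items():
        print(f"{g['first']}  level={g['level']}  x{g['count']}  {func}: {status}")
```

To use it on a real log, pass the file's contents to `parse_entries` instead of `SAMPLE_LOG`.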

The client error:

smbclient -U "IDM\test" //10.0.0.170/bonk
Password for [IDM\test]:
session setup failed: NT_STATUS_NO_LOGON_SERVERS

Has anyone used the IPA integration in TrueNAS?

I’m also trying to accomplish your goal on my machine, with the same level of success as you, it seems.

As far as I know Samba supports only Active Directory. Any other authenticator can only be used for other services like FTP, DAV, …

From the official docs (IPA Screens for 25.10)

IPA includes integrated Samba support and can provide user and group information for SMB authentication.

You are right - I assume you followed the documentation? In that case, I do not have any ideas, either.

Well, re-reading the initial post: in AD it is mandatory that the AD member system uses the AD domain controllers and only the domain controllers as DNS servers. I don’t know if that is also the case for IPA, but it just might be.


In my case I have it like that: the IPA server is the only nameserver (from old versions of the documentation).

I’m also facing another issue: I don’t see any update of log files in /var/log/samba4, only in the TrueNAS GUI. It was working earlier and it stopped, but I don’t know why.