Hello- Trying to troubleshoot an error I keep getting on one of my 2 truenas arrays which are joined to my domain. The error I get is:
[KRB5KDC_ERR_PREAUTH_FAILED] Major (458752): No credentials were supplied, or the credentials were unavailable or inaccessible, Minor (2529638936): Preauthentication failed.
Both arrays are added to the same domain using the same credentials. I am not sure why it keeps happening. I have to essentially turn off AD, enter in the password for the AD user again and turn it back on. When the error occurs I am unable to see any of my groups or users from AD in the TrueNAS GUI, but shares are still working and it appears to still respect the permissions based on AD that are already in place. Thanks!
I am having the same issue, I disabled and deleted the Kerberos Principal keytab then enabled AD again and that solved the issue for one day but it came back this morning.
I also have two systems that are connected to AD the same but the one that hasn’t had issues is still on 24.10 and the one having issues I upgraded to 25.04 about a week ago.
Both of mine are 25.04 and only 1 is having the issue. To be fair, the one not having the issue is a DR replica target and not really getting much use other than replication.
I also have the same issue, had with version 24.10 and now same thing with 25.04.
It happens from time to time, can only recover by removing the server from AD and then adding again, but dos not always work at the first time (or did not found a consistent way to do it). When this happens the access to the storage is lost by the AD users.
I have the same problem too! The strange thing is that on my TrueNAS it is even more complex, because when this error occurs, the Leave Domain option does not appear, when it is in FAULTED status.
To solve the problem I have to:
1 - Go to Credentials => Domain Controller => Settings and edit the configuration, unchecking the field: “Enable (requires password or Kerberos principal)”
2 - Go to the shell and run the command:
sudo kinit Administrator@DOMAIN.LOCAL
3 - Go back to the Credentials => Domain Controller => Settings screen and edit the configuration, check the field: “Enable (requires password or Kerberos principal)” again and Save
4 - Go to Services => smb and activate it again
In addition, in my case the Active Directory screen does not have the AD user and password field either, to try a rejoin.
I just noticed that it has the added effect of turning off the SMB share service when it fails. Thankfully, when I enable the SMB service again after it has faulted, the users are able to access the file share without restoring the domain relationship. When I do restore the connection to the directory, I follow these steps.
Go to Shares and turn off the SMB service under the More Options menu in the “Windows (SMB) Shares” section.
Go to Credentials > Directory and edit the settings for Active Directory.
Uncheck the “Enable” field and save.
Then, still in Directory Services, show Advanced Settings
Delete the machine account under Kerberos Keytab
Enable Active Directory again. It will have saved all the other information, I only need to enter my password again.
Enable the SMB service again in Shares.
After it faults again in a few hours, enable the SMB service again.
I am assuming that the share still works because of cached credentials, but if any changes are made to the domain, the relationship needs to be restored to pull the new information.
I am also experiencing this issue across multiple systems. We have six TrueNAS servers (one at our headquarters and five at satellite locations), and each has encountered this exact problem at some point. All servers were stable on CORE and after their initial upgrades to SCALE. However, the issue began appearing only after upgrading to 25.04.1.
All of our systems were upgraded directly from 24.10.x to 25.04.1. For our main HQ server, we performed a completely fresh install and build on 25.04.1, rather than migrating from CORE. Despite these different upgrade paths, every server has experienced this problem since moving to 25.04.1.
If there’s any additional information I can provide, such as a debug report, I’d be happy to send it to iXsystems to help get this extremely frustrating bug resolved.
May I suggest those affected raise bug tickets above with an attached debug file as this should help to identify whats going on.
If you could also update this thread with your bug ticket numbers and any outcomes you may have that would be really helpful to other and future users.
https://ixsystems.atlassian.net/browse/NAS-135671
Open ticket related to this issue, please note there are a number of different reasons this particular error could be being shown, currently targeted for 25.04.2 for a fix.
Currently getting this also, my SMB shares are accessible even with the credentials cache disabled and flushed though. So the domain access must be functional?
Disabling and flushing the cache, currently seems to be the only way to keep my shares up (if any id’s get loaded into the cache somehow during loading the ACLs config pages it breaks things for me due to RID not always resolving IDs falling back to tdb which may have different IDs in it than what is saved on disk).
I am pretty sure this occurred only AFTER, I updated AD to 2016 recently, it was running at 2012 R2 level previously. Same domain controllers and configuration otherwise. It did not happen on Fangtooth prior to updating to 2016 AD level. I upgraded the level as our 2012 R2 server has been decommissioned for over a year now so felt it was safe.
I, too, am experiencing this issue on TN v25.04.1. Except that in my case, the SMB service isn’t getting disabled while the Directory Service is in the “FAULTED” state. Additionally, SMB shares are still accessible and I am able to create and delete files/folders.
Just want to add i’ve been getting this as well. This morning I had no access to my windows redirected folders (any normal file access). Looked at active directory status on both truans, and both are “FAULTED”. SMB service was also turned off and did not auto-turn back on.
had to uncheck enable require password or kerberos principal, save, then go to advanced settings and remove AD_MACHINE_ACCOUNT under Kerberos Keytab.
