TrueNAS out from domain suddenly

Hello everyone,

My first message on this forum is (sadly) a help request. My TrueNAS SCALE, installed more than 1 year ago, always worked like a charm, but suddenly some days ago it lost its connection with Active Directory.
I also tried to recover a previous configuration, from when everything worked, but I always get the same error:

*[KRB5KDC_ERR_PREAUTH_FAILED] Major (458752): No credentials were supplied, or the credentials were unavailable or inaccessible, Minor (2529638936): Preauthentication failed.*
*Domain validation failed with error: _ldap._tcp.MY.DOMAIN.IT.: Nameserver 192.168.1.31 failed to resolve SRV record for domain MY.DOMAIN.IT : All nameservers failed to answer the query _ldap._tcp.MY.DOMAIN.IT. IN SRV: Server 192.168.1.31 UDP port 53 answered ; Server 192.168.1.31 TCP port 53 answered The DNS operation timed out after 3.998 seconds; Server 192.168.1.31 UDP port 53 answered ; Server 192.168.1.31 TCP port 53 answered A DNS query response does not respond to the question asked.*

but dig replied:
# dig -t SRV _ldap._tcp.dc.MY.DOMAIN.IT

; <<>> DiG 9.18.28-1~deb12u2-Debian <<>> -t SRV _ldap._tcp.dc.MY.DOMAIN.IT
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 35847
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;_ldap._tcp.dc.MY.DOMAIN.IT. IN SRV
;; AUTHORITY SECTION:
MY.DOMAIN.IT. 3600 IN SOA badgsr001.MY.DOMAIN.IT. hostmaster.domain.local. 646660 900 600 86400 900
;; Query time: 0 msec
;; SERVER: 192.168.1.31#53(192.168.1.31) (UDP)
;; WHEN: Wed May 28 15:51:57 CEST 2025
;; MSG SIZE rcvd: 156

Opening /var/log/middlewared.log there are a lot of:

*[2025/05/28 15:42:00] (WARNING) DomainHealth._recover_krb5():25 - Attempting to recover kerberos service after health check failure for the following reason: Kerberos ticket for domain is expired. Failure to renew kerberos ticket may indicate issues with DNS resolution or IPA domain or realm changes that need to be accounted for in the TrueNAS configuration.*

and:

File \"/usr/lib/python3/dist-packages/middlewared/schema/processor.py\", line 178, in nf\n    return func(*args, **kwargs)\n           ^^^^^^^^^^^^^^^^^^^^^\n  File \"/usr/lib/python3/dist-packages/middlewared/plugins/kerberos.py", line 431, in do_kinit\n raise KRB5Error(\nmiddlewared.utils.directoryservices.krb5_error.KRB5Error: [KRB5KDC_ERR_PREAUTH_FAILED] Major (458752): No credentials were supplied, or the credentials were unavailable or inaccessible, Minor (2529638936): Preauthentication failed", "type": "PYTHON_EXCEPTION", "time": "2025-05-28 07:09:58.014997"}}

and /var/log/audit/truenas_verify.TrueNAS-25.04.1.log says:

*2025-05-28 07:11:29.222806+00:00: 1 discrepancies found.*
*/etc/security/limits.conf: expected: 0adf64deecea56e9ed5c2229db357900218b10b76f7e69830c9d209347896206, got: f182be610298341bbaaf787191d65c0d3fdd1bf7424a2f71799101c2a9937540*

So, my problem could be the renewal of the krb5 token, but I don’t know how to work on it and, more importantly: why? I changed the IP, keeping the same hostname (and fixing the Windows Server DNS), but that was 1 week ago, and everything has worked for days.
Last update was today.

This looks like the same problem I have. It was also reported here: "[KRB5KDC_ERR_PREAUTH_FAILED] Errors on AD quite often".
You can upload your debug file to an open ticket here: Jira.

Hi GlendonKuhns,

You’re a beacon of hope. Thank you.

I posted on Jira as you proposed, but this morning, suddenly, without any activity, the Active Directory status is HEALTHY.
I don’t believe in miracles; I want to understand.

My /var/log/middlewared.log:

[2025/06/02 10:58:42] (WARNING) DomainHealth._recover_krb5():25 - Attempting to recover kerberos service after health check failure for the following reason: Kerberos ticket for domain is expired. Failure to renew kerberos ticket may indicate issues with DNS resolution or IPA domain or realm changes that need to be accounted for in the TrueNAS configuration.
[2025/06/02 11:08:42] (WARNING) DomainHealth._recover_krb5():25 - Attempting to recover kerberos service after health check failure for the following reason: Kerberos ticket for domain is expired. Failure to renew kerberos ticket may indicate issues with DNS resolution or IPA domain or realm changes that need to be accounted for in the TrueNAS configuration.
[2025/06/02 11:09:54] (DEBUG) KerberosKeytabService.check_updated_keytab():988 - Machine account password has changed. Stored copies of kerberos keytab and directory services secrets will now be updated.
[2025/06/02 11:18:43] (WARNING) DomainHealth._recover_krb5():25 - Attempting to recover kerberos service after health check failure for the following reason: Kerberos ticket for domain is expired. Failure to renew kerberos ticket may indicate issues with DNS resolution or IPA domain or realm changes that need to be accounted for in the TrueNAS configuration.
[2025/06/02 20:59:33] (DEBUG) UsageService.start():64 - Scheduled next run in 40721 seconds
[2025/06/03 03:45:04] (DEBUG) PoolScrubService.__run():268 - Pool 'boot-pool' last scrub datetime.datetime(2025, 6, 1, 3, 45, 9)
[2025/06/03 08:18:19] (DEBUG) UsageService.start():64 - Scheduled next run in 70372 seconds