TrueNAS SCALE 25.10 – AD Join Fails on Reboot (“Kerberos credentials not valid”)

Hi All - I’ve been at this for too long. I think if I had working CLI commands I could fix this in 10m, but many/most midclt commands simply don’t work in 25.10.

Environment:

TrueNAS SCALE version: 25.10.0

AD Domain: DAVELAN.LOCAL

Domain Controller OS: Windows Server 2022

DNS: Provided by DC (forward + reverse zones configured)

TrueNAS IP: Static (10.92.60.100)

DC IP: Static (10.92.10.2)

Issue Summary:
Active Directory integration works immediately after joining the domain, but breaks after reboot.
GUI then reports:

“Kerberos credentials are not valid. You must rejoin the domain.”

At this point, the Leave Domain button disappears and the system cannot gracefully rejoin.

Steps Taken / Verified:

DNS sanity check:

nslookup truenas-scale.davelan.local
nslookup 10.92.60.100

(Resolves correctly both forward and reverse)

Join AD from GUI:

Domain join successful, AD Status: HEALTHY

Users and groups resolve:

wbinfo -t
getent passwd "DAVELAN\dave.isbell"

(Both commands work)

After reboot:

AD status changes to FAULTED

GUI shows:

“Kerberos ticket for domain is expired. Failure to renew kerberos ticket may indicate issues with DNS resolution or realm changes.”

Attempted fixes:

Disabled AD service → re-enabled → no change

Deleted /var/db/samba4/* and rejoined

Tried re-creating the Kerberos keytab

Fresh system reset → rejoin works temporarily until next reboot

What I’m looking for:

CLI method to gracefully refresh or rejoin AD when GUI shows “Kerberos credentials invalid.”

Guidance on recommended sequence for Directory Service and AD initialization on SCALE 25.10.

Confirmation whether this is a known regression or requires a service dependency fix.

Goal:
Reliable, persistent AD integration for SMB shares and ACLs on TrueNAS SCALE 25.10.

Thanks in advance!
Any insight or command sequence from @Sambassador, @Dan, or other iX folks would be hugely appreciated — especially if there’s a way to re-establish credentials without wiping /var/db/samba4.

I’m not an “iX folk”, and it’s highly unlikely I ever will be. And I’m afraid I don’t have any input on the question.

It took some time, but I finally got it sorted. Of course the key was tracking down the correct CLI commands while sidestepping all the “midclt call activedirectory *” commands that no longer work. AD still breaks on each reboot (normally measured in years in production), but at least now I can fix them quickly if they decide to upgrade. Glad I only spun up this one box so far. Who needs documentation? :) Thanks again for the help!

@pondoroo I’m stuck on other problems with AD after the upgrade to 25.10.
I can’t leave the domain via the GUI because there’s just no option.
I can’t even change any settings because the Save button just stays disabled no matter how many entries I change.
It’s just frustrating.
Could you please provide the CLI command you mentioned?
I can’t even find any config files for the AD settings.

Could you share the commands please?

I’m on 25.10.01 but I have winbind crashes and am wondering if they are related to incorrect provisioning through Kerberos, as I was fighting with this.

I’m just as astonished by the lack of documentation for the midclt changes in addition to the UI.

How is this supposed to be used by anyone in production, let alone evaluated, if such serious changes aren’t documented well? One layer change (UI or middleware) is fine; two together is usually a strict no-go if you do any production changes of that level - especially if you don’t document this properly.

I don’t use AD but FreeIPA, and the IPA integration works, but as soon as a Samba client tries to connect, winbind crashes and I get coredumps, which gives me an alert in the UI as well telling me to upload the coredumps to their internal bug tracker (edit: guess I found it now, or had to wait; will upload them there too and open an issue after debugging it further and I’m sure it’s not me)

root@dohstation[/]# coredumpctl info
           PID: 122994 (wb[DOHSTATION])
           UID: 0 (root)
           GID: 0 (root)
        Signal: 6 (ABRT)
     Timestamp: Mon 2025-11-24 02:23:13 CET (4min 42s ago)
  Command Line: $'winbindd: domain child [DOHSTATION]'
    Executable: /usr/sbin/winbindd
 Control Group: /system.slice/winbind.service
          Unit: winbind.service
         Slice: system.slice
       Boot ID: b27a2429185e42e6bafe0a9a19a0c58b
    Machine ID: 5243d9fbedbd4c95bc35b59840b9dc72
      Hostname: dohstation
       Storage: /var/lib/systemd/coredump/core.wb[DOHSTATION].0.b27a2429185e42e6bafe0a9a19a0c58b.122994.1763947393000000.zst (present)
  Size on Disk: 635.7K
       Message: Process 122994 (wb[DOHSTATION]) of user 0 dumped core.
                
                Module libsystemd.so.0 from deb systemd-254.26-1~bpo12+1.amd64
                Stack trace of thread 122994:
                #0  0x00007f8d0a4f0eec __pthread_kill_implementation (libc.so.6 + 0x8aeec)
                #1  0x00007f8d0a4a1fb2 __GI_raise (libc.so.6 + 0x3bfb2)
                #2  0x00007f8d0a48c472 __GI_abort (libc.so.6 + 0x26472)
                #3  0x00007f8d0afe6890 dump_core (libsmbconf.so.0 + 0x58890)
                #4  0x00007f8d0afdc4b0 smb_panic_s3 (libsmbconf.so.0 + 0x4e4b0)
                #5  0x00007f8d0a9e986a smb_panic (libgenrand-private-samba.so + 0x286a)
                #6  0x00007f8d0a9e98f1 n/a (libgenrand-private-samba.so + 0x28f1)
                #7  0x00007f8d0a4a2050 __restore_rt (libc.so.6 + 0x3c050)
                #8  0x0000562451559c59 n/a (winbindd + 0x3cc59)
                #9  0x0000562451557f1e cm_connect_netlogon (winbindd + 0x3af1e)
                #10 0x000056245155a0b1 cm_connect_netlogon_secure (winbindd + 0x3d0b1)
                #11 0x000056245154c9b0 n/a (winbindd + 0x2f9b0)
                #12 0x000056245155188f winbind_dual_SamLogon (winbindd + 0x3488f)
                #13 0x0000562451551d82 _wbint_PamAuthCrap (winbindd + 0x34d82)
                #14 0x00005624515744f4 n/a (winbindd + 0x574f4)
                #15 0x00007f8d0b650fe5 dcesrv_call_dispatch_local (libdcerpc-server-core.so.0 + 0x9fe5)
                #16 0x000056245156cce3 winbindd_dual_ndrcmd (winbindd + 0x4fce3)
                #17 0x0000562451568944 n/a (winbindd + 0x4b944)
                #18 0x00007f8d0b9a2781 tevent_common_invoke_fd_handler (libtevent.so.0 + 0x8781)
                #19 0x00007f8d0b9a9ac9 n/a (libtevent.so.0 + 0xfac9)
                #20 0x00007f8d0b9a7137 n/a (libtevent.so.0 + 0xd137)
                #21 0x00007f8d0b9a1911 _tevent_loop_once (libtevent.so.0 + 0x7911)
                #22 0x000056245156b470 n/a (winbindd + 0x4e470)
                #23 0x000056245156bdad n/a (winbindd + 0x4edad)
                #24 0x00007f8d0b9a2cf6 tevent_common_invoke_immediate_handler (libtevent.so.0 + 0x8cf6)
                #25 0x00007f8d0b9a2d46 tevent_common_loop_immediate (libtevent.so.0 + 0x8d46)
                #26 0x00007f8d0b9a98db n/a (libtevent.so.0 + 0xf8db)
                #27 0x00007f8d0b9a7137 n/a (libtevent.so.0 + 0xd137)
                #28 0x00007f8d0b9a1911 _tevent_loop_once (libtevent.so.0 + 0x7911)
                #29 0x0000562451538ff0 main (winbindd + 0x1bff0)
                #30 0x00007f8d0a48d24a __libc_start_call_main (libc.so.6 + 0x2724a)
                #31 0x00007f8d0a48d305 __libc_start_main_impl (libc.so.6 + 0x27305)
                #32 0x0000562451539cf1 _start (winbindd + 0x1ccf1)
                ELF object binary architecture: AMD x86-64

Same here. Save button is disabled.

Seems to occur only when upgrading from Fangtooth.

The Save button is working on a fresh install.

@pondoroo Could you please explain how you fixed it?

In my case it turns out it was lack of knowledge … midclt is basically an API client; as such, all API commands are (somewhat) documented here:

So I can understand why it’s not separately documented …

Also, further in that regard, Samba was crashing due to authentication issues. Turns out it’s instability related to configuration that wasn’t tackled correctly, as such winbind failing; this could be handled more transparently in the TrueNAS UI, e.g. tracking winbind domain status in the Active Directory UI.