Unable to join FreeIPA domain
Activity

Talle February 3, 2025 at 7:15 PM
Good news, I think I’ve solved the problem. My theory:
I had a previous LDAP configuration from an earlier version of SCALE. After an upgrade to SCALE-24.10.x and the message about incomplete join I removed this configuration and cleared all settings.
It seems that kerberos_principal is NOT properly cleared, even though it doesn’t exist anymore as keytab and the interface doesn’t show it. That means that during the validation the line clears the bindpw, although there is no actual kerberos_principal available. This means that the ldap bind fails (since it is using an empty password).
Commenting-out the lines 408-409 allows the join to continue and the rest of the process completes successfully.
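The failure mode Talle describes (a stale kerberos_principal causing bindpw to be cleared, so the server sees a DN with an empty password and refuses the unauthenticated bind) can be expressed as a small credential-selection check. The following is an added illustration, not TrueNAS middleware code; the LdapConfig class, the function names and the keytab principal set are assumptions chosen for this example.

```python
"""Choosing LDAP bind credentials without falling into an unauthenticated bind.

Illustrative code for this thread, not the TrueNAS middleware. It models two
behaviours: the one described in the report (a set kerberos_principal clears
bindpw even when no keytab backs it) and a guarded version that only prefers
Kerberos when the principal is actually present in a keytab, and that refuses
to send a DN with an empty password.
"""
from dataclasses import dataclass, replace
from typing import Set, Tuple


@dataclass
class LdapConfig:
    # Field names mirror those mentioned in the thread.
    binddn: str = ""
    bindpw: str = ""
    kerberos_principal: str = ""  # may be left over after settings are cleared


class UnauthenticatedBindRefused(ValueError):
    """Raised instead of sending a DN with an empty password to the server."""


def stale_principal_clears_password(cfg: LdapConfig) -> LdapConfig:
    """Model of the reported behaviour: if any kerberos_principal is set,
    bindpw is dropped, whether or not a keytab for that principal exists."""
    if cfg.kerberos_principal:
        return replace(cfg, bindpw="")
    return cfg


def would_send_unauthenticated_bind(cfg: LdapConfig) -> bool:
    """True when a simple bind would carry a DN but no password. Many
    directory servers reject this (\"Unauthenticated binds are not allowed\"),
    and the ones that accept it silently downgrade to an anonymous session."""
    return bool(cfg.binddn) and not cfg.bindpw


def select_bind_method(cfg: LdapConfig, keytab_principals: Set[str]) -> Tuple[str, str]:
    """Guarded version: return (method, identity).

    keytab_principals is the set of principals actually present in the system
    keytab (e.g. what `klist -k` would list); here it is supplied by the caller
    so the example runs offline.
    """
    if cfg.kerberos_principal and cfg.kerberos_principal in keytab_principals:
        return ("kerberos", cfg.kerberos_principal)
    # A principal that no keytab backs is treated as stale configuration and
    # is ignored; the bind password is kept rather than cleared.
    if cfg.binddn:
        if would_send_unauthenticated_bind(cfg):
            raise UnauthenticatedBindRefused(
                f"refusing simple bind for {cfg.binddn!r} with an empty password"
            )
        return ("simple", cfg.binddn)
    return ("anonymous", "")


if __name__ == "__main__":
    # Constructed sample: cleared settings left a principal behind, no keytab.
    cfg = LdapConfig(binddn="uid=nas,cn=sysaccounts,cn=etc,dc=example,dc=test",
                     bindpw="constructed-secret",
                     kerberos_principal="host/nas.example.test@EXAMPLE.TEST")
    print("guarded:", select_bind_method(cfg, set()))
    print("reported behaviour leaves bindpw empty:",
          would_send_unauthenticated_bind(stale_principal_clears_password(cfg)))
```

Run as a script it prints the guarded choice (a simple bind with the stored password) and confirms that the modelled behaviour would have produced an empty-password bind. The point of the guard is that an LDAP simple bind with a DN and no password is never an acceptable fallback: either it is rejected, as in the slapd log above, or it quietly becomes an anonymous session.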

Talle January 31, 2025 at 9:17 PM (Edited)
Something I’ve noticed is that the ldap bind is tried from TrueNAS but the binding fails. Maybe it is something in how the password is used (or not at all?).
On the FreeIPA side I get the following logs (anonymized) from slapd when trying to join TrueNAS through the web UI using a binddn and password:
When I try a custom ldapsearch from a different host with the following command:
The bind works correctly with the following logs from slapd:
Maybe this helps in narrowing down the issue. I’m still trying to debug this issue on my side, so if there is anything I can try or any tips on how to debug the TrueNAS middleware I’m all ears.
PS. This is still an issue in ElectricEel-24.10.2

Andrew Walker January 14, 2025 at 5:45 PM
Please upload system debug.

Bug Clerk January 14, 2025 at 3:51 PM
Thank you for submitting this TrueNAS Bug Report! So that we can quickly investigate your issue, please attach a Debug file and any other information related to this issue through our secure and private upload service below. Debug files can be generated in the UI by navigating to System -> Advanced -> Save Debug.
https://ixsystems.atlassian.net/servicedesk/customer/portal/15/group/37/create/153
Description
As mentioned in the forum post:
I am unable to join a FreeIPA domain through the ldap interface in Electric Eel 24.10.1. I was joined to the domain on an earlier version but after upgrading there was a message about an incomplete join. After clearing all settings and trying to rejoin I’m getting different error messages depending on the selection:
Using a bind-dn and password I get the following error:
middlewared.service_exception.ValidationErrors: [EINVAL] ldap_update: [UNWILLING_TO_PERFORM]: Server is unwilling to perform: Unauthenticated binds are not allowed
Using a bind-dn + password + creating and selecting the realm for the domain I get the following error:
middlewared.utils.directoryservices.krb5_error.KRB5Error: [KRB5_FCC_NOFILE] Major (458752): No credentials were supplied, or the credentials were unavailable or inaccessible, Minor (2529639107): No credentials cache found
Using an imported keytab I can join but it’s only a partial join.