This was more complicated than it probably should have been due to the IPA domain not matching the truenas host domain, I think.

• Setup FreeIPA servers for Samba, run the following on all servers:

  dnf install ipa-server-trust-ad
  ipa-adtrust-install

• Setup TrueNAS
  • Credentials→Directory Services→Show Advanced
  • Add Kerberos Realm
    • Realm: IPA.SIHNON.NET
    • Primary KDC: pick one of the IPA servers
    • KDC/admin servers/password servers: List all the IPA servers
  • Add a host/fqdn@IPA.SIHNON.NET keytab
  • Configure Directory Services
    • Configuration type: IPA
    • Enable Service, Enable Account Cache, Enable DNS Updates
    • Timeout: 10s
    • Kerberos Realm: IPA.SIHNON.NET
    • Credential type: Kerberos Principal
    • Kerberos Principal: The host keytab uploaded previously
    • Target Server: pick one of the IPA servers
    • TrueNAS hostname: short hostname
    • Domain: ipa.sihnon.net
    • Base DN: dc=ipa,dc=sihnon,dc=net
    • Validate Certificates
    • For SMB, don't use defaults
      • Name: IPA
      • Domain: ipa.sihnon.net
      • Rest of the attributes at default
  • Edit /etc/krb5.conf:

    [libdefaults]
            dns_lookup_realm = false # change from true
            dns_lookup_kdc = false # change from true
    
    [domain_realms]
            # Add these two lines
            jellybean.sihnon.net = IPA.SIHNON.NET
            .jellybean.sihnon.net = IPA.SIHNON.NET

  • Restart winbind service

When connecting from a non-domain joined Windows, it won't prompt for credentials and will fail. Must explicitly map a drive, using IPA domain creds first. Subsequent connections to the same hostname will reuse the credentials, so not all shares need to be mapped.

For the first server, follow the below instructions.

• Create a tsig key for nsupdate:

  tsig-keygen -a HMAC-SHA512

• Update the key name to truenas.
• Distribute the key to nameservers via puppet (hiera key profile::freeipa::named::keys), and make sure bind has been restarted to pick up the change
• Create data/system/acme datasets
• SSH to the host as truenas_admin and run the following:

  sudo chown truenas_admin /mnt/data/system/acme
  git clone --depth 1 https://github.com/acmesh-official/acme.sh.git

• Save the tsig key to /mnt/data/system/acme/.nsupdate.key (making sure the key name and secret match puppet)

For subsequent servers, clone the acme filesystem

For all servers:

• Navigate to Credentials→Certificates
• Add an ACME DNS-Authenticator
  • Name: freeipa
  • Authenticator: shell
  • Script: /mnt/data/system/dns_acme.sh
  • User: root
  • Timeout: 60
  • Delay: 90
• Add a Certificate Signing Request. Follow the wizard. LetsEncrypt doesn't use any of the subject attributes so set any values.
• Once added, click three dots next to the CSR Create ACME certificate
  • Name: letsencrypt
  • Accept ToS
  • Directory UI: LetsEncrypt Production
  • Set Freeipa for each domain
• Once the letsencrypt CSR appears in the list, navigate to System-General
• Click the GUI Settings button
• Select letsencrypt certificate under GUI SSL Certificate and save changes, confirming thr restart