FreeIPA/Samba integration

This was more complicated than it probably should have been, I think because the IPA domain does not match the TrueNAS host domain.

  • Set up the FreeIPA servers for Samba by running the following on every server:
    dnf install ipa-server-trust-ad
    ipa-adtrust-install
  • Set up TrueNAS
    • Credentials→Directory Services→Show Advanced
    • Add Kerberos Realm
      • Realm: IPA.SIHNON.NET
      • Primary KDC: pick one of the IPA servers
      • KDC/admin servers/password servers: List all the IPA servers
    • Add a host/fqdn@IPA.SIHNON.NET keytab
    • Configure Directory Services
      • Configuration type: IPA
      • Enable Service, Enable Account Cache, Enable DNS Updates
      • Timeout: 10s
      • Kerberos Realm: IPA.SIHNON.NET
      • Credential type: Kerberos Principal
      • Kerberos Principal: The host keytab uploaded previously
      • Target Server: pick one of the IPA servers
      • TrueNAS hostname: short hostname
      • Domain: ipa.sihnon.net
      • Base DN: dc=ipa,dc=sihnon,dc=net
      • Validate Certificates
      • For SMB, don't use the defaults:
        • Name: IPA
        • Domain: ipa.sihnon.net
        • Rest of the attributes at default
    • Edit /etc/krb5.conf (the section is [domain_realm], singular; krb5 only recognises comments on their own line):
      [libdefaults]
              # both changed from true
              dns_lookup_realm = false
              dns_lookup_kdc = false
      
      [domain_realm]
              # Add these two lines
              jellybean.sihnon.net = IPA.SIHNON.NET
              .jellybean.sihnon.net = IPA.SIHNON.NET
    • Restart the winbind service
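Since the whole procedure hinges on the krb5.conf edit compensating for the host/IPA domain mismatch, a check of the resulting file is worth having. The POSIX shell script below is an added example, not from the original page: it parses a krb5.conf, confirms DNS realm/KDC lookups are off and that both jellybean.sihnon.net and .jellybean.sihnon.net map to IPA.SIHNON.NET; the sample file it writes is constructed here and the function names are my own.

```shell
# Added check, not from the original page: confirm a krb5.conf carries the settings this page
# needs when the TrueNAS host domain (jellybean.sihnon.net) differs from the IPA domain
# (ipa.sihnon.net): DNS realm/KDC lookups disabled and explicit [domain_realm] mappings.

# Print the value of KEY in [SECTION] of FILE (empty if absent). Only whole lines starting
# with # or ; are skipped, matching libkrb5, so a trailing "# comment" stays in the value.
krb5_get() {                     # $1 = file, $2 = section, $3 = key
    awk -v sect="$2" -v key="$3" '
        function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { cur = $0; sub(/^[ \t]*\[/, "", cur); sub(/\].*$/, "", cur); next }
        cur == sect && index($0, "=") {
            n = index($0, "=")
            if (trim(substr($0, 1, n - 1)) == key) { print trim(substr($0, n + 1)); exit }
        }' "$1"
}

# Verify FILE maps HOSTDOMAIN and its subdomains to REALM and disables DNS lookups.
# Returns 0 when every check passes, otherwise prints one line per failure and returns 1.
check_krb5_conf() {              # $1 = file, $2 = host domain, $3 = realm
    rc=0
    for k in dns_lookup_realm dns_lookup_kdc; do
        v=$(krb5_get "$1" libdefaults "$k")
        [ "$v" = "false" ] || { echo "FAIL: [libdefaults] $k is '${v:-unset}', expected false"; rc=1; }
    done
    for d in "$2" ".$2"; do
        v=$(krb5_get "$1" domain_realm "$d")
        [ "$v" = "$3" ] || { echo "FAIL: [domain_realm] $d is '${v:-unset}', expected $3"; rc=1; }
    done
    return $rc
}

# Constructed sample: the corrected fragment from this page, written to PATH.
write_sample_conf() {            # $1 = output path
    cat > "$1" <<'EOF'
[libdefaults]
        # both changed from true: DNS cannot map a jellybean.sihnon.net host to IPA.SIHNON.NET
        dns_lookup_realm = false
        dns_lookup_kdc = false

[domain_realm]
        jellybean.sihnon.net = IPA.SIHNON.NET
        .jellybean.sihnon.net = IPA.SIHNON.NET
EOF
}

tmp=$(mktemp); write_sample_conf "$tmp"
check_krb5_conf "$tmp" jellybean.sihnon.net IPA.SIHNON.NET && echo "OK: $tmp has the expected mappings"
rm -f "$tmp"
```

Point the check at the real file with `check_krb5_conf /etc/krb5.conf jellybean.sihnon.net IPA.SIHNON.NET` after editing it; a misspelt section name or a trailing comment shows up as an "unset" or unexpected value.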

When connecting from a Windows machine that is not joined to the domain, Windows will not prompt for credentials and the connection fails. You must explicitly map a drive first, using IPA domain credentials; subsequent connections to the same hostname reuse those credentials, so not every share needs to be mapped.

truenas.txt · Last modified: by ben