How to Fix UNAS' Delegated SMB Authentication when Using a .local Domain
The Problem
Out of the box, syncing users from a domain controller via Active Directory works fine, with or without a .local domain. However, enabling delegated SMB authentication via Active Directory results in a "domain not found" error, and domain credentials are rejected for SMB authentication.
The Cause
The .local suffix is reserved for mDNS (RFC 6762), and using it as a unicast DNS domain has been discouraged for well over a decade at the time of writing. systemd-resolved, which the UNAS Pro uses, therefore treats any multi-label name ending in .local as an mDNS lookup by default, so a query for the domain controller's name is never sent to the unicast DNS server, and the authentication delegation fails with "domain not found". Declaring the domain in the network adapter's .network file makes it a per-link routing domain, which overrides the mDNS special-casing and sends lookups for that domain to the DNS servers configured on the link.
The Fix
SSH into the UNAS-Pro
Edit /etc/systemd/network/enp0s2.network (or the .network file for whichever interface is actually in use) and add the Domains= line shown below:
[Match]
Name=enp0s2
[Network]
# List the domain controller's DNS server first
DNS=domain_dns_server
DNS=9.9.9.9
# ADD THE DOMAIN HERE (search + routing domain; prefix with ~ to make it routing-only)
Domains=mydomain.local
[Address]
Address=unas_ip_range
[Route]
Gateway=gateway_ip_here
Restart the relevant systemd services like so:
systemctl restart systemd-networkd
systemctl restart systemd-resolved
Restarting systemd-networkd is what re-applies the .network file; networkd then pushes the link's DNS servers and domains to systemd-resolved, so the second restart should not be strictly necessary, but it doesn't hurt.
Check that the change took effect with resolvectl status: the section for enp0s2 should now list mydomain.local under DNS Domain, and resolvectl query against the domain controller's hostname should return its address from the DC rather than an mDNS timeout. Once confirmed, disable and re-enable Active Directory SMB authentication in the UNAS web UI, then try SMB authentication with domain credentials again.
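As an added example that is not part of the original guide or of Ubiquiti's software, here is a small POSIX shell script that applies the whole procedure idempotently: it backs up the .network file, inserts the Domains= line under [Network] only if no Domains= line already lists the domain, restarts the two services and verifies with resolvectl. The file path, interface name, domain and the dc01 hostname are assumptions; adjust them for your setup.

```shell
#!/bin/sh
# Added example, not from the original guide: apply the .local fix to a
# systemd-networkd .network file idempotently, then restart and verify.
# NET_FILE, IFACE, AD_DOMAIN and the dc01 hostname are assumptions.
set -eu

NET_FILE="${NET_FILE:-/etc/systemd/network/enp0s2.network}"
IFACE="${IFACE:-enp0s2}"
AD_DOMAIN="${AD_DOMAIN:-mydomain.local}"

# has_domain FILE DOMAIN: true if some Domains= line in FILE already lists
# DOMAIN, either as a search domain or as a ~routing-only domain.
has_domain() {
    esc=$(printf '%s' "$2" | sed 's/\./\\./g')
    grep -Eq "^[[:space:]]*Domains=(.*[[:space:]~])?${esc}([[:space:]]|$)" "$1"
}

# add_domains_line FILE DOMAIN: insert "Domains=DOMAIN" directly under the
# [Network] header (creating the section if it is missing). Safe to run twice.
add_domains_line() {
    file="$1"; domain="$2"
    if has_domain "$file" "$domain"; then
        echo "${file}: Domains= already lists ${domain}, nothing to do"
        return 0
    fi
    if ! grep -Eq '^[[:space:]]*\[Network\]' "$file"; then
        printf '\n[Network]\n' >> "$file"
    fi
    tmp="${file}.tmp.$$"
    awk -v d="$domain" '
        { print }
        /^[ \t]*\[Network\]/ && !inserted {
            print "# Route " d " lookups to the link DNS servers instead of mDNS"
            print "Domains=" d
            inserted = 1
        }
    ' "$file" > "$tmp"
    cat "$tmp" > "$file"      # rewrite in place, keeping mode and ownership
    rm -f "$tmp"
    echo "${file}: added Domains=${domain}"
}

# verify_resolution: show the per-link domain and resolve the DC by name.
# With the fix in place the query goes to unicast DNS instead of mDNS.
verify_resolution() {
    resolvectl domain "$IFACE"               # expect mydomain.local listed for the link
    resolvectl query "dc01.${AD_DOMAIN}"     # dc01 is an assumed DC hostname
}

main() {
    cp -p "$NET_FILE" "${NET_FILE}.bak"
    add_domains_line "$NET_FILE" "$AD_DOMAIN"
    systemctl restart systemd-networkd
    systemctl restart systemd-resolved
    verify_resolution
}

# Only act when invoked as "sh fix-local-domain.sh apply" (as root on the NAS);
# running it without the argument just defines the functions.
if [ "${1:-}" = "apply" ]; then
    main
fi
```

The edit is done through a temporary file and `cat` rather than `mv` so the original file's mode and owner survive, and the `.bak` copy lets you roll back by copying it over the live file and restarting systemd-networkd again.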