TrueNAS not accepting username/password/2FA

IBCMED

Hello everyone, how are you doing?

Something strange is happening when logging into the TrueNAS web interface, for some reason, even though I enter the username/password/2FA correctly, TrueNAS won't let me log in, it keeps showing that the password or 2FA are wrong, but they are not. I've tried like 30 times in a row and nothing. This has been happening for a few months now but every now and then I manage to log in quickly, but it's getting annoying, there are days that I spend minutes and minutes trying to log in :/
 

Constantin

To the inexperienced newb I am, that sounds like a clock offset between your host computer (which is running one clock to generate the 2FA code) and the TrueNAS (which is running potentially a different clock time and hence generates a different 2FA code). I'd consider logging in via SSH or console and compare the system times between the two systems whenever 2FA doesn't work. Until the time issue is resolved, I'd turn off 2FA.

As for causes, you may have a motherboard with a bad clock that then causes a mismatch until the next time your TrueNAS (or home computer) re-syncs with the NTP pool (see system settings). I'd consider coming up with a common clock source for your home systems. Mikrotik routers, for example, offer NTP servers and can advertise themselves as an agreed-to reference for your whole home network. Key here is not that the router is accurate to the last millisecond (this is SOHO use after all) but rather that all local clocks are showing the same time.
 

victort

It does sound like the clock is out of sync. I personally have forced all NTP servers to use my gateway NTP by hijacking NTP queries on a network level. That keeps all my stuff in sync.
 

Constantin

Some devices do not take kindly to that. For example, my more modern Apple devices insist on connecting to time.apple.com, which may be a crude way for them to ensure that 2FA works for iCloud. But I have done similarly re: time requests (port 123).

Ditto port 53 (aka DNS) requests. Those queries are also forced to the Pi holes, though that can now be bypassed with DOH. The arms race continues.
 

IBCMED

It does sound like the clock is out of sync. I personally have forced all NTP servers to use my gateway NTP by hijacking NTP queries on a network level. That keeps all my stuff in sync.
How did you do it? Could you explain it to me?
 

victort

You need a NAT rule for each network segment redirecting all NTP traffic to your gateway (in my case pfSense).
[Attached screenshot: 1672952691090.png]

And a rule for each network segment allowing NTP UDP traffic to your gateway (port 123).
This here is a floating rule, but all three segments are still included.

[Attached screenshot: 1672952593701.png]
 