Plugins dataset permissions with AD

Status
Not open for further replies.

rdybro

Dabbler
Joined
Nov 3, 2015
Messages
32
Hi. I have a question.

I have tried Googling around, as I am sure this is answered somewhere, but I can't seem to find it. Or maybe I am just searching wrong :p

My problem is the following. I have some plugins set up on my FreeNAS. As far as I know these plugins require some special Group ID or User ID to work with the permissions.

Now I have just set up Active Directory authentication. How do I go about giving an AD security group access to a dataset which at the same time has to work with one of the users/groups with the specific ID?

Regards.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,553
If it's a jail you're trying to give AD users / groups access to, it will probably require installing samba / winbind, nss-winbind (or whatever it's called), and pam-winbind. Then properly configure the packages, join the jail to AD, add permissions for AD security group, and you're good to go! Easy-peasy.

Or you can look to see if the plugin has AD integration already baked in. ;)
 

rdybro

Yeah, the plugin is creating its own jail. I never really thought about doing it like you describe there :p

Some of the plugins definitely have the capability baked in, but to me it just seems like I would still try to grant two different permission sets on the same dataset. I may very well be wrong though.

But I thought it would be possible to set an AD group as a member of the FreeNAS local group - but I guess that is not an option?
 

anodos

Give the full details of what you are trying to do. What plugin? What sort of access does your AD group need to the plugin (shell, scp, webgui, etc.)? Is the FreeNAS server already joined to the domain?
 

rdybro

My AD group does not need access to the plugin per se. My question is regarding the following:

I have several plugins and this issue is actually regarding all/most of them, as it is not something with the plugin, but more a FreeBSD/FreeNAS/Jails issue. For the sake of this example though I will use my btsync-plugin.

The btsync-plugin requires read and write on a dataset. To give this I have created a user called btsync with the ID "817". This was, as far as I understand, done to match the ID of the user inside the plugin's jail. So when I give my btsync user full access to a dataset, this will work for the user inside the jail too.

Now I want to make a CIFS share pointing at the btsync dataset, so that I can access this share from my Windows PC. I would like it to use AD authentication on this share. To do this the AD user (or a group the user is a member of) needs rights to this same dataset, but I can't give this AD user/group permissions as this will break the permissions given to the local FreeNAS user (btsync / ID 817).

Right now my btsync dataset has an owner user of btsync and owner group of btsync. I would have hoped that I could just put an AD user/group inside the local btsync group, but this doesn't seem to be the case.

So how do I give access to an AD user/group while still preserving the correct access for my jail's user?
 

anodos

Okay. So what you really need is to give an AD group access to a CIFS share. That is easy. Join your FreeNAS server to your domain, then configure permissions for your CIFS share the way you would for any Windows server. Navigate to \\<ip-or-hostname-of-server>, right-click on share, click on "properties", select the "security" tab, and set permissions as desired.

See here: http://doc.freenas.org/9.3/freenas_directoryservice.html#active-directory
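
Why an AD group entry added from the Security tab leaves the btsync owner's access intact, shown as an added example (not part of the thread and not FreeNAS code): a simplified Python model of ordered NFSv4-style ACL evaluation, assuming the dataset uses Windows-type ACLs. The AD gid, the account names and the ACL entries are constructed for illustration.

```python
# Simplified model of NFSv4-style ACL evaluation, the ACL type ZFS stores.
# Every name, id and ACL entry here is constructed for illustration.
from collections import namedtuple

READ, WRITE, EXECUTE = 1, 2, 4
MODIFY = READ | WRITE | EXECUTE

# tag is "owner@", "group@", "everyone@", "user" or "group"; ident is the
# uid/gid for "user"/"group" entries and ignored for the others.
Ace = namedtuple("Ace", "tag ident mask allow")
Principal = namedtuple("Principal", "name uid gids")

def matches(ace, who, owner_uid, owner_gid):
    """Does this ACE apply to the requesting principal?"""
    return {
        "owner@": who.uid == owner_uid,
        "group@": owner_gid in who.gids,
        "user": who.uid == ace.ident,
        "group": ace.ident in who.gids,
        "everyone@": True,
    }.get(ace.tag, False)

def check_access(acl, who, wanted, owner_uid=817, owner_gid=817):
    """Walk ACEs in order: an allow grants bits, a deny on a pending bit refuses."""
    pending = wanted
    for ace in acl:
        if not matches(ace, who, owner_uid, owner_gid):
            continue
        if ace.allow:
            pending &= ~ace.mask
        elif pending & ace.mask:
            return False
        if pending == 0:
            return True
    return False  # bits that no ACE granted are refused

AD_GROUP_GID = 20513  # hypothetical gid the AD group is mapped to on the NAS
OWNER_ONLY = [Ace("owner@", 0, MODIFY, True), Ace("group@", 0, MODIFY, True)]
# The change made from the Windows "Security" tab: one more allow entry.
WITH_AD_GROUP = OWNER_ONLY + [Ace("group", AD_GROUP_GID, MODIFY, True)]

btsync = Principal("btsync", 817, {817})
ad_member = Principal("EXAMPLE\\alice", 20001, {AD_GROUP_GID})
ad_other = Principal("EXAMPLE\\bob", 20002, {20099})

if __name__ == "__main__":
    for who in (btsync, ad_member, ad_other):
        print(who.name, check_access(WITH_AD_GROUP, who, READ | WRITE))
```

The owner and owning group stay btsync (817); the AD group is one more entry in the list, so domain users outside that group are still refused.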
 

rdybro

Ahh, nice. Never even thought about doing it that way. I was sure I had to do something inside the FreeNAS web gui :)

Thanks for it mate :)
 