Active Directory Groups not available in permission dropdown

Status
Not open for further replies.

someone1

Dabbler
Joined
Jun 17, 2013
Messages
37
Hello All,

I've been researching the myriad of Active Directory issues found in the forum but I don't think anything is quite like what I'm experiencing. I just did a fresh, new installation of FreeNAS (Build: FreeNAS-9.2.1.3-RELEASE-x64 (dc0c46b)) and joined my domain (from what it looks like, successfully). Quick breakdown of my setup:

1. Install FreeNAS on USB stick
2. On First load, setup static IP on NIC, set gateway, DNS, Domain, etc. via CLI menu - reboot
3. Login to web GUI, reset ADMIN password
4. Go to Network >> Global Config >> put in new hostname and verify other settings, save - reboot
5. Setup (under settings) "Directory Service" as "Active Directory"
6. Add configuration to Services >> Directory Service >> Active Directory (basic mode only fields)
7. Verify configuration for CIFS service (only had to change the WORKGROUP)
8. Turn on Active Directory service (CIFS turned on but not Directory Service) - reboot
8a. Verified that computer was in Active Directory Users and Computers snap-in as well as in DNS snap-in - manually added reverse PTR record.
9. Both CIFS and Directory Services not started, try to start (seemed like both failed)
10. Try step 9 again - This time both worked - reboot
11. Verified services started up correctly (yes!)
12. wbinfo -u/wbinfo -g both output correctly. getent users/getent groups both look like they have users/groups from domain. `net ads join` command worked fine
13. Create new ZFS volume (ZFS RAID 10) and create new dataset under new volume
14. Try and set permissions on the dataset: users dropdown has all users listed, groups only has local groups

I hope I wasn't too verbose but I hope that if I messed the setup process then it would be easy for someone to point it out. I'm dumbfounded as to why it's not showing up in the groups drop down when it appears to exist everywhere else.

Now what's really weird (or maybe it's expected and I'm just misinformed) is that if I check (enable) the Active Directory Advanced setting "Use default domain" the groups drop down populates just fine. Oddly enough, I get most things working like this but am running into a very weird permission issue this way and thought that maybe having this setting unchecked would solve my issue, though now I have a new issue to deal with.

I'd appreciate any insight on how to troubleshoot this issue!

Thank you.
 

TheSmoker

Patron
Joined
Sep 19, 2012
Messages
225
Anyone having a solution to the above problem? Same thing happens to me. Successfully joined domain but no visible domain users in GUI.
 

Chris Hoefler

Dabbler
Joined
Dec 18, 2013
Messages
22
Yeah, Active Directory users/groups aren't integrated into the gui. I believe the "Change Permissions" on your zfs datasets will work correctly, and chown will as well, but the Users and Groups gui doesn't enumerate directory users and groups.
 

Chris Hoefler

Dabbler
Joined
Dec 18, 2013
Messages
22
Whoops, sorry, just reread the parent post. Try setting the ACL to Windows in the "Change Permissions". That should get you the AD users/groups.
 

dodoherty

Cadet
Joined
Apr 15, 2014
Messages
1
Same problem for me. Just installed 9.2.1.3 and everything seems to work fine. wbinfo shows AD users and groups. But AD users don't show in the GUI under View Users or View Groups.

Any ideas?
 

TheSmoker

Patron
Joined
Sep 19, 2012
Messages
225
You need to modify /usr/local/etc/nss_ldap.conf and enter user pass for pam updates. You can find a bug report which tells you precisely the format, although once you open that file it is quite straightforward.
 

someone1

Dabbler
Joined
Jun 17, 2013
Messages
37
Just to clarify, Users populate just fine in the permissions drop down and I am using the Windows ACL type. Groups only appear in the permission drop down if I have the advanced setting for "Use Default Domain" checked. If left unchecked, everything appears to be fine via the CLI, however, the drop down for Groups (and only groups, users works fine both ways) is not populated.
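
To tell whether a group is missing below the GUI or only in the dropdown, the winbind group list can be compared against what NSS enumerates. This is an added example, not part of the original thread; the sample output and the EXAMPLE domain are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample data (not taken from the thread): possible output of
# `wbinfo -g` and `getent group` with "Use default domain" unchecked.
SAMPLE_WBINFO='EXAMPLE\domain admins
EXAMPLE\domain users
EXAMPLE\storage-rw'
SAMPLE_GETENT='wheel:*:0:root
operator:*:5:root
EXAMPLE\domain admins:*:20001:
EXAMPLE\domain users:*:20002:'

# Print the group names (field 1) from getent-group-format text.
nss_group_names() {
    printf '%s\n' "$1" | awk -F: 'NF >= 3 { print $1 }'
}

# Print winbind groups ($1) that NSS ($2) does not enumerate.
# Names are compared case-insensitively, as AD names are.
missing_from_nss() {
    names=$(nss_group_names "$2")
    # Pass names through the environment: awk -v would mangle the backslash.
    printf '%s\n' "$1" | NSS_NAMES="$names" awk '
        BEGIN { n = split(ENVIRON["NSS_NAMES"], a, "\n")
                for (i = 1; i <= n; i++) seen[tolower(a[i])] = 1 }
        NF && !(tolower($0) in seen)'
}

# Report whether names carry a DOMAIN\ prefix: prefixed, bare or mixed.
name_form() {
    printf '%s\n' "$1" | awk '
        !NF   { next }
        /\\/  { p++; next }
              { b++ }
        END   { r = "bare"
                if (p && b) r = "mixed"; else if (p) r = "prefixed"
                print r }'
}

# On a live system, pass "$(wbinfo -g)" and "$(getent group)" instead.
echo "name form: $(name_form "$SAMPLE_WBINFO")"
echo "not enumerated by NSS:"
missing_from_nss "$SAMPLE_WBINFO" "$SAMPLE_GETENT"
```

If nothing is listed as not enumerated while the dropdown is still missing groups, NSS is returning everything winbind knows and the gap lies in a layer above it.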
 

TheSmoker

Patron
Joined
Sep 19, 2012
Messages
225
BTW, they fixed the nss_ldap stuff by properly populating nss_ldap.conf and nss_ldap.secret based on AD service definition but the users/groups are not being properly populated in GUI. Damn!
 

dlavigne

Guest
Do you know if there is a bug report on that yet? If so, what is its number?
 

TheSmoker

Patron
Joined
Sep 19, 2012
Messages
225
dlavigne said:
Do you know if there is an active bug report on this one?

Not sure. There are some bugs posted and mine behaves like a combination of 2-3 other bugs.
 
Joined
May 7, 2014
Messages
4
Update 1: Updated from 9.2.1.3 to 9.2.1.5. Confirmed that user and group information could be found using wbinfo -u/-g and getent passwd/group. Went to change permissions, and got all the groups in the drop-down. Not sure what changed, but it seems to be fixed for the moment.

I just started having this exact issue today. It was working normally for a while. However, I was screwing around with (and then eventually completely broke) permissions on one of my CIFS shares, and I ran into this problem during the troubleshooting process. I have no idea if the two are related, and I haven't made any breakthroughs on either front yet.
 