Active Directory integration

baptistejstn

Cadet
Joined
Feb 3, 2021
Messages
2
Hi everybody,

My name's Baptiste and I'm a French 24-year-old newbie in the TrueNAS world ^^.
So I've just installed TrueNAS and I'm encountering a problem with the Active Directory integration.
My NAS has successfully joined my Windows Server 2019 Active Directory, so I can now give access on shares to my AD users.
The problem is that it's the only thing I can do with them... For example, I can't connect AD users to my NAS using FTP, but with local users it works. I looked on the internet and on this forum and I saw people who can do it but not how they did. For a second example, I can't connect to my TrueNAS UI with my AD credentials (but for this case I don't know if it's possible).
For information, I tried to change the IDMAP properties for AD but it didn't work...

Is there someone who can help me please?
 

Samuel Tai

Never underestimate your own stupidity
Moderator
Joined
Apr 24, 2020
Messages
5,399
The TrueNAS GUI only accepts root logins with the local password. If you're interested in AD-based administration, you'll need to run TrueCommand.

As for FTP, its only capability for non-local logins is via RFC 1413 IDENT against an identd somewhere. You'll probably need to run an IDENT-AD gateway like this: http://rndware.info/products/windows-ident-server.html.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
AD auth for FTP should be possible if you:
1) allow local users in the FTP config
2) use username of form "DOMAIN\username"
3) have a proper home directory path for the user
 

RegularJoe

Patron
Joined
Aug 19, 2013
Messages
330
Anodos,

Can we force the use of one FTP folder even for all those AD users? I do not know what users will be connecting and even a skel that points to the one FTP folder would be messy as when users leave the company I would have jibblets left behind that I would have to deal with.

I am looking at the LDAP route for a project.

Thanks,
Joe
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
I'm not particularly familiar with all configuration options for proftp. You can do something like this by setting up an SFTP chroot for a domain group (probably not domain users) through auxiliary parameters for SSH. You could also move the users to be removed to a "former_employees" OU in AD and then write a script to perform an ldapsearch in the "former_employees" OU and remove any homedirs associated with old users.
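
The OU-based homedir cleanup suggested in the reply above, as an added example that is not part of the thread and not anodos's or iXsystems' own script. The server URI, OU DN, bind account, password file and home base path are all assumptions, as is the layout of one directory per sAMAccountName directly under the home base.

```shell
#!/bin/sh
# Added example. Every name below is an assumption, not a value from the thread.
LDAP_URI=${LDAP_URI:-ldaps://dc1.example.test}
BASE_DN=${BASE_DN:-OU=former_employees,DC=example,DC=test}
BIND_DN=${BIND_DN:-svc-cleanup@example.test}
BIND_PW_FILE=${BIND_PW_FILE:-/root/.ldap_cleanup_pw}
HOME_BASE=${HOME_BASE:-/mnt/tank/home}

# Constructed LDIF, shaped like "ldapsearch -LLL" output, for an offline check.
SAMPLE_LDIF='dn: CN=Alice Martin,OU=former_employees,DC=example,DC=test
sAMAccountName: amartin

dn: CN=Odd Name,OU=former_employees,DC=example,DC=test
sAMAccountName: ../../etc

dn: CN=Encoded,OU=former_employees,DC=example,DC=test
sAMAccountName:: YsOpYQ==
'

# LDIF on stdin -> one account name per line. Base64 values ("::") and names
# with characters outside [A-Za-z0-9._-] or a leading dot are dropped, so a
# directory entry can never turn into a path such as "../../etc".
extract_accounts() {
    awk -F': ' 'NF == 2 && $1 == "sAMAccountName" &&
        $2 ~ /^[A-Za-z0-9_-][A-Za-z0-9._-]*$/ { print $2 }'
}

# Account names on stdin -> existing real directories under $1.
# Symlinks are skipped so a planted link cannot redirect the delete.
stale_homedirs() {
    while IFS= read -r acct; do
        if [ -d "$1/$acct" ] && [ ! -L "$1/$acct" ]; then
            printf '%s\n' "$1/$acct"
        fi
    done
}

# Dry run by default; set APPLY=1 to actually delete.
cleanup() {
    ldapsearch -LLL -x -H "$LDAP_URI" -D "$BIND_DN" -y "$BIND_PW_FILE" \
        -b "$BASE_DN" '(&(objectCategory=person)(objectClass=user))' sAMAccountName |
    extract_accounts | stale_homedirs "$HOME_BASE" |
    while IFS= read -r dir; do
        if [ "${APPLY:-0}" = 1 ]; then rm -rf -- "$dir"; else echo "would remove: $dir"; fi
    done
}

if [ "${1:-}" = "--run" ]; then cleanup; else printf '%s' "$SAMPLE_LDIF" | extract_accounts; fi
```

Run it with `--run` to query the directory; without arguments it only parses the constructed sample.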
 