AD Share Permissions in a Jail

Status
Not open for further replies.

Ellimist

Dabbler
Joined
Jun 8, 2014
Messages
32
Hi,

I am trying to figure out how to deal with AD permissions in a Jail. I have reviewed this page, which worked perfectly for my non-AD-joined system; however, once joined to AD, can I still repeat the same process to enable group write for a folder?

https://forums.freenas.org/index.ph...plugins-write-permissions-to-your-data.27273/

I.e., create a group based on the GID of the AD group and then add the user to that in the jail.

If so, does the GID or UID of the AD users and groups ever change, or if the FreeNAS box is ever disconnected, do the values change when reconnected?

Cheers,
 

Ellimist

Dabbler
Joined
Jun 8, 2014
Messages
32
I tried just creating a group (name is irrelevant) and using the same GID in the Jail, then adding the account in the jail to the group. This works fine for creating and downloading files and assigns to the correct users.

What I don't know is how the GID is determined for groups that are imported from AD, and if they will always remain the same even if FreeNAS is built from the ground up.
 

SweetAndLow

Sweet'NASty
Joined
Nov 6, 2013
Messages
6,421
AD group ID will always be the same; that is the purpose of AD.
 

Ellimist

Dabbler
Joined
Jun 8, 2014
Messages
32
Yes, but how is the GID identified by FreeNAS? Is it an AD attribute to start with? If so, which one am I supposed to be looking at? I can't see it through the normal AD Users and Computers interface when looking at the attribute editor tab.
 

SweetAndLow

Sweet'NASty
Joined
Nov 6, 2013
Messages
6,421
No clue, I don't use AD, but I suspect there should be a POSIX uid and gid attribute.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
The GID assigned to your AD groups depends on the idmap backend you set in your CIFS config. The best option for most people is "RID" because it basically requires no additional information - no database, no additional AD config. It is deterministic and so in principle it should remain the same between samba servers if you set the idmap values identically. If you need to have your jail pull the AD users / groups, then you need to install and configure samba / winbind in the jail. Be sure to bind the smbd/winbindd instance to your jail's IP address.

See manpage here: https://www.samba.org/samba/docs/man/manpages/idmap_rid.8.html

Anecdotally, lots of people seem to have problems configuring samba properly even with all the hand-holding the webgui does for you. I would say that the above probably requires a moderately advanced knowledge of FreeBSD / samba. That being said, jails are great for tinkering with things - just don't blow up your AD.
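
The deterministic mapping mentioned above, as an added example that is not part of the original thread: the idmap_rid manpage documents the calculation as ID = RID - BASE_RID + LOW_RANGE_ID. The SID, the idmap ranges and the helper names below are constructed for illustration; the code shows why a GID created by hand in a jail stays correct only while the idmap range is configured identically.

```python
# Added example: the mapping documented in idmap_rid(8):
#   ID  = RID - BASE_RID + LOW_RANGE_ID   (base_rid defaults to 0)
#   RID = ID + BASE_RID - LOW_RANGE_ID
# The SID and range values are constructed, not taken from a real domain.

def sid_rid(sid: str) -> int:
    """Return the RID (last sub-authority) of a textual SID."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError(f"not a valid SID: {sid!r}")
    return int(parts[-1])

def rid_to_unix_id(sid, range_low, range_high, base_rid=0):
    """Map a domain SID to a UID/GID the way the rid backend computes it."""
    rid = sid_rid(sid)
    unix_id = rid - base_rid + range_low
    if rid < base_rid or unix_id > range_high:
        raise ValueError(f"RID {rid} is outside idmap range {range_low}-{range_high}")
    return unix_id

def unix_id_to_rid(unix_id, range_low, range_high, base_rid=0):
    """Reverse mapping: recover the RID from a UID/GID inside the range."""
    if not range_low <= unix_id <= range_high:
        raise ValueError(f"ID {unix_id} is outside idmap range {range_low}-{range_high}")
    return unix_id + base_rid - range_low

def jail_gid_still_valid(sid, jail_gid, idmap_range):
    """True if a GID hard-coded in a jail still matches the host's mapping."""
    return rid_to_unix_id(sid, *idmap_range) == jail_gid

GROUP_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"  # constructed
ORIGINAL_RANGE = (20000, 90000000)  # constructed idmap range on the first install
REBUILT_RANGE = (100000, 999999)    # constructed: a rebuild with a different range

if __name__ == "__main__":
    gid = rid_to_unix_id(GROUP_SID, *ORIGINAL_RANGE)
    print("GID on original host:", gid)
    print("same range after rebuild:", jail_gid_still_valid(GROUP_SID, gid, ORIGINAL_RANGE))
    print("different range after rebuild:", jail_gid_still_valid(GROUP_SID, gid, REBUILT_RANGE))
```

After a rebuild, compare the idmap range on the new host with the old one before trusting a GID that was created manually inside a jail.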
 