AD SMB connection problem

Status
Not open for further replies.

hmeij

Dabbler
Joined
Feb 12, 2018
Messages
18
I am missing a piece. Using v11.1, connecting to AD (Windows Server 2012 R2); clearly the binding is OK:

root@whitetail:~ # wbinfo -ug | grep hmeij
WESLEYAN\hmeij
WESLEYAN\hmeijgroup

I'm unsure where AD users show up in FreeNAS to add them to an SMB share, so I added this to my share config:
create mask = 0660
force create mode = 0660
directory mask = 0770
force directory mode = 0770
force group = WESLEYAN\hmeijgroup
valid users = WESLEYAN\hmeij, WESLEYAN\hmeijgroup

In Windows, mapping \\whitetail\hmeijgroup now launches a password prompt (it should not; I'm logged into the domain on the desktop).
During this contact, and after the password failure, I do not observe the /var/log/samba4/log.IP file that I would expect, with an error message.

I also took the step of Storage > Change Permissions on dataset and changed the owner to 'hmeij' and group to 'hmeijgroup',
clicked Change...Please Wait; no errors on screen or in debug.log, but in messages:

Feb 12 13:21:12 whitetail notifier: winacl: getpwnam() failed

Any ideas/pointers on where to look next?

-Henk
 
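The aux parameters above mix a user and a group in `valid users` with the same syntax. In smb.conf(5), an entry in `valid users` (and `invalid users`, `read list`, `write list`, `admin users`) is a group only when it starts with `@`, `+` or `&`; any other entry is compared against the authenticated user name, so a bare group name can never match. The following linter is an added example for this thread, not FreeNAS or Samba code; the share section is constructed from the parameters posted above (the `path` value is an assumption), and the list of known groups is constructed from the `wbinfo -g` lines the post shows.

```python
"""Lint a Samba share section for access-list entries that cannot match.

Added example, not from the thread or from Samba. Rules follow smb.conf(5):
an entry starting with '@', '+' or '&' is a (net)group; anything else is
matched against the *user name* only.
"""
import re

# Constructed sample: the aux parameters from the post, wrapped in a share
# section. The path is an assumption for the example.
SAMPLE_SHARE = r"""
[hmeijgroup]
path = /mnt/FirstVol/hmeijgroup
create mask = 0660
force create mode = 0660
directory mask = 0770
force directory mode = 0770
force group = WESLEYAN\hmeijgroup
valid users = WESLEYAN\hmeij, WESLEYAN\hmeijgroup
"""

# Constructed sample of 'wbinfo -g' output: the group line the post shows.
SAMPLE_WBINFO_G = r"""
WESLEYAN\hmeijgroup
"""

GROUP_PREFIXES = "@+&"
USER_LIST_PARAMS = ("valid users", "invalid users", "read list", "write list", "admin users")
MASK_PARAMS = ("create mask", "force create mode", "directory mask", "force directory mode")


def parse_share(text):
    """Parse one [share] section into (name, {lower-case param: value})."""
    name, params = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        section = re.fullmatch(r"\[(.+)\]", line)
        if section:
            name = section.group(1)
            continue
        key, sep, value = line.partition("=")
        if sep:
            params[key.strip().lower()] = value.strip()
    return name, params


def split_list(value):
    """smb.conf lists are separated by commas and/or whitespace."""
    return [t for t in re.split(r"[,\s]+", value) if t]


def lint_share(params, known_groups):
    """Return findings as strings; an empty list means nothing was flagged."""
    groups = {g.lower() for g in known_groups}
    findings = []
    for param in USER_LIST_PARAMS:
        if param not in params:
            continue
        for entry in split_list(params[param]):
            if entry[0] in GROUP_PREFIXES:
                continue  # explicitly marked as a group; fine
            if entry.lower() in groups:
                findings.append(
                    f"{param}: '{entry}' is a group but has no @/+/& prefix; "
                    "Samba compares it against the user name, so it never matches"
                )
    # Octal masks: flag anything that hands out 'other' write permission.
    for param in MASK_PARAMS:
        if param in params and int(params[param], 8) & 0o002:
            findings.append(f"{param}: {params[param]} grants world-writable bits")
    return findings


def fix_group_entries(value, known_groups):
    """Rewrite a user-list value so that known groups carry the '@' prefix."""
    groups = {g.lower() for g in known_groups}
    fixed = []
    for entry in split_list(value):
        if entry[0] not in GROUP_PREFIXES and entry.lower() in groups:
            entry = "@" + entry
        fixed.append(entry)
    return ", ".join(fixed)


if __name__ == "__main__":
    share, params = parse_share(SAMPLE_SHARE)
    groups = [l.strip() for l in SAMPLE_WBINFO_G.splitlines() if l.strip()]
    for finding in lint_share(params, groups):
        print(f"[{share}] {finding}")
    print("suggested: valid users =", fix_group_entries(params["valid users"], groups))
```

Run against the posted section it flags the second `valid users` entry and suggests `valid users = WESLEYAN\hmeij, @WESLEYAN\hmeijgroup`. `force group` is not touched: that parameter takes a plain group name (a leading `+` has a different, documented meaning there). A real `wbinfo -g` listing can be fed in place of the constructed sample to lint a whole smb.conf.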

Nick2253

Wizard
Joined
Apr 21, 2014
Messages
1,633
You add users just like you would for any user on an SMB share.

The best way to do this, in my opinion, is create a FreeNAS Admin account in AD, and make all files owned by this FreeNAS admin account and the Domain Admins group. Then, using a DA account, you can configure the shares from within Windows Explorer to allow any other users. Usually, what I do is add my Storage Admins group so that way the storage admins can take it from there, and if they screw up, I can still adjust permissions using a DA account.
 

hmeij

Dabbler
Joined
Feb 12, 2018
Messages
18
Anybody? Still stuck on why I get prompted in my AD-SMB FreeNAS setup. From another Linux server I can do the smbclient call, provide the password, and get a response. (What is that OS= stuff coming back from FreeNAS?)


# smbclient -L whitetail.wesleyan.edu -U WESLEYAN\hmeij
Enter WESLEYANhmeij's password:

Domain=[WESLEYAN] OS=[Windows 6.1] Server=[Samba 4.7.0]
Sharename Type Comment
--------- ---- -------
hmeijgroup Disk

-Henk
 

Nick2253

Wizard
Joined
Apr 21, 2014
Messages
1,633
You didn't really respond at all to my comment. Was that helpful? Did I misunderstand your problem?

Also, I think you're doing a lot of stuff that is unnecessary at best, and may cause problems at worst. You shouldn't need to set any of the extra Samba parameters to accomplish what I think you want. If I am understanding correctly, I'm doing exactly what you want with multiple FreeNAS servers. My users are able to connect to the server no problem, and depending on what share they connect to, they are either prompted for a password if they don't have permission, or are passed straight through if they do.
 

hmeij

Dabbler
Joined
Feb 12, 2018
Messages
18
Just trying things out to get to the bottom of this. I explicitly list myself as having access to my share; assume WESLEYAN\hmeij is that AD FreeNAS admin account... I get prompted when the connection is made on the Windows side; I provide the password, and it then fails with that error. And so long as I can't mount the share I can not use Windows Explorer on the client side to manage permissions. So I need to be able to mount a share via my AD account... if that were working I would then allow access via groups.

I think the problem is like the one a few posts back on this forum, in that "getent fails to provide passwd" post. However, from a plain Unix server the smbclient authentication via FreeNAS to AD works fine when probing FreeNAS for share info.

-Henk
 

Nick2253

Wizard
Joined
Apr 21, 2014
Messages
1,633
And so long as I can't mount the share I can not use windows explorer on client side to manage permissions.

Unless you're using "mount" generally, you do not need to "mount" (as in mounted drive) a share to change the permissions. Simply connecting to the share via explorer is sufficient.

I would strongly suggest starting from scratch here, because it's difficult to determine exactly what you've done, and like I said, it should Just Work™.

My workflow is as follows:
  • Connect FreeNAS to AD domain.
  • Create dataset with "Windows" share type.
  • Create a new SMB share pointing at this dataset. I check the "Apply Default Permissions" box.
  • Going back to the dataset, I Change permissions on this dataset to be owned by <Domain>\freenasadmin, group <Domain>\Domain Admins. I make sure "Windows" permission type is set, check all the boxes to apply and set recursively, and then click "Change".
  • I log in on my Windows server as <Domain>\freenasadmin (or any domain admin), and browse to \\freenas\.
  • I right click on the new share, go to the "Security" tab, and tweak permissions as required.
  • Typically, I first add "Storage Admins" with full control, and then pass management off to them.
With this setup, I am able to access shares without any issues if I'm supposed to have permission to access them, and I get prompted for a username/password if I don't.
 

hmeij

Dabbler
Joined
Feb 12, 2018
Messages
18
SOLVED. Bullet by bullet then...

•Connect FreeNAS to AD domain:
upon reboot the string 'Join is OK' flies by on console
directory services loaded 61 user pages and 16 group pages
root@whitetail:~ # wbinfo -u | wc -l
56661
root@whitetail:~ # wbinfo -g | wc -l
16939
root@whitetail:~ # wbinfo -ug | grep hmeij
WESLEYAN\hmeij
WESLEYAN\hmeijgroup

•Create dataset with "Windows" share type.
dataset testwin with type Windows created

•Create a new SMB share pointing at this dataset. I check the "Apply Default Permissions" box.
testwin share created, default permission checked by default, path /mnt/FirstVol/testwin, no Aux parms

•Going back to the dataset, I Change permissions on this dataset to be owned by <Domain>\freenasadmin, group <Domain>\Domain Admins. I make sure "Windows" permission type is set, check all the boxes to apply and set recursively, and then click "Change".
Storage > Change permissions dataset, applied WESLEYAN\hmeij and WESLEYAN\hmeijgroup
(this is the first time the AD objects appeared, maybe I had to wait...old test hardware), windows type set
(forgot to check recursive, on re-edit AD objects loaded, checked recursive)

•I log in on my Windows server as <Domain>\freenasadmin (or any domain admin), and browse to \\freenas\.

first let's try this, on my Linux desktop
[root@hmeij ~]# mount -t cifs //whitetail/testwin /mnt -o username=WESLEYAN\\\hmeij,domain=wesleyan
Password:
[root@hmeij ~]# mount | grep testwin
//whitetail/testwin on /mnt type cifs (rw)
[root@hmeij ~]# touch /mnt/foo
[root@hmeij ~]# ls -l /mnt/foo
-rwxrwxr-x. 1 14317 178456 0 Feb 15 09:14 /mnt/foo

next, go to the Win7 desktop, map network drive (I am logged into our domain, should not prompt)
\\whitetail\testwin
bingo, created new folder

back to freenas server to look at the file system
root@whitetail:~ # cd /mnt/FirstVol/testwin/
root@whitetail:/mnt/FirstVol/testwin # ls -l
total 2
-rwxrwxr-x+ 1 WESLEYAN\hmeij WESLEYAN\hmeijgroup 0 Feb 15 09:01 .windows
drwxrwxr-x+ 2 WESLEYAN\hmeij WESLEYAN\hmeijgroup 2 Feb 15 09:17 folder1
-rwxrwxr-x+ 1 WESLEYAN\hmeij WESLEYAN\hmeijgroup 0 Feb 15 09:14 foo

Yea. Thank you much, Nick. Onwards with testing.
-Henk

And to maybe help out the "getent does not list passwd info" post, this works in my env
root@whitetail:~ # ls -ldn /mnt/FirstVol/testwin/folder1
drwxrwxr-x+ 2 14317 178456 2 Feb 15 09:17 /mnt/FirstVol/testwin/folder1
root@whitetail:~ # wbinfo --uid-info 14317
WESLEYAN\hmeij:*:14317:178456:Meij, Henk:/home/WESLEYAN/hmeij:/bin/sh
root@whitetail:~ # wbinfo -i WESLEYAN\\\hmeij
WESLEYAN\hmeij:*:14317:178456:Meij, Henk:/home/WESLEYAN/hmeij:/bin/sh




•I right click on the new share, go to the "Security" tab, and tweak permissions as required.
•Typically, I first add "Storage Admins" with full control, and then pass management off to them.
 
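The last part of the post above is the check that was missing when the first post hit `winacl: getpwnam() failed`: the numeric owner that `ls -ln` shows on disk has to resolve, through winbind, back to the `DOMAIN\user` that owns the share. The script below is an added example for this thread, not FreeNAS or Samba code. Its two sample lines are the `ls -ldn` and `wbinfo --uid-info` output quoted in the post; the live functions call the real `wbinfo` binary only when it is installed, and pass `DOMAIN\user` as an argv element rather than through a shell, which is also why the backslash does not get eaten the way it did in the `WESLEYANhmeij` smbclient prompt earlier in the thread.

```python
"""Check that an AD owner on disk resolves consistently through winbind.

Added example for this thread; not FreeNAS or Samba code. Mirrors the manual
check in the post: ls -ln uid -> wbinfo --uid-info -> DOMAIN\\user.
"""
import shutil
import subprocess
from typing import NamedTuple, Optional, Tuple

# Constructed from the post's output (same values, nothing invented).
SAMPLE_LS_LN = "drwxrwxr-x+ 2 14317 178456 2 Feb 15 09:17 /mnt/FirstVol/testwin/folder1"
SAMPLE_PASSWD = r"WESLEYAN\hmeij:*:14317:178456:Meij, Henk:/home/WESLEYAN/hmeij:/bin/sh"


class Account(NamedTuple):
    name: str
    uid: int
    gid: int


def parse_ls_ln(line: str) -> Tuple[int, int]:
    """Numeric (uid, gid) from one 'ls -ln' / 'ls -ldn' line."""
    fields = line.split(None, 8)  # mode links uid gid size month day time path
    return int(fields[2]), int(fields[3])


def parse_passwd(line: str) -> Account:
    """passwd(5) line as printed by 'wbinfo --uid-info', 'wbinfo -i' or 'getent passwd'."""
    fields = line.split(":")
    return Account(fields[0], int(fields[2]), int(fields[3]))


def check_owner(ls_line: str, passwd_line: Optional[str], expected_user: str) -> Tuple[bool, str]:
    """Does the numeric owner resolve to expected_user, with a consistent primary gid?"""
    uid, gid = parse_ls_ln(ls_line)
    if passwd_line is None:
        # The condition behind 'winacl: getpwnam() failed': the uid sits on disk
        # but NSS/winbind cannot turn it into a name.
        return False, f"uid {uid}: getpwnam()-style lookup failed, winbind/NSS is not resolving AD accounts"
    acct = parse_passwd(passwd_line)
    if acct.uid != uid:
        return False, f"uid {uid} resolved to {acct.name} with uid {acct.uid} (inconsistent mapping)"
    if acct.name.lower() != expected_user.lower():
        return False, f"uid {uid} is {acct.name}, expected {expected_user}"
    if acct.gid != gid:
        return True, f"{acct.name} owns the path but group {gid} is not its primary gid {acct.gid}"
    return True, f"{acct.name} ({uid}:{gid}) maps consistently"


def wbinfo_uid_info(uid: int) -> Optional[str]:
    """Live lookup: passwd line for uid, or None when winbind cannot resolve it."""
    if shutil.which("wbinfo") is None:
        return None
    r = subprocess.run(["wbinfo", "--uid-info", str(uid)], capture_output=True, text=True)
    return r.stdout.strip() if r.returncode == 0 and r.stdout.strip() else None


def wbinfo_user_info(domain_user: str) -> Optional[str]:
    """Live lookup by name; an argv list means the backslash reaches wbinfo intact."""
    if shutil.which("wbinfo") is None:
        return None
    r = subprocess.run(["wbinfo", "-i", domain_user], capture_output=True, text=True)
    return r.stdout.strip() if r.returncode == 0 and r.stdout.strip() else None


def check_path_live(path: str, expected_user: str) -> Tuple[bool, str]:
    """Run the whole chain against a real path on a host with winbind."""
    ls = subprocess.run(["ls", "-ldn", path], capture_output=True, text=True, check=True).stdout.strip()
    uid, _ = parse_ls_ln(ls)
    return check_owner(ls, wbinfo_uid_info(uid), expected_user)


if __name__ == "__main__":
    # Offline: the post's own numbers, then the failure mode from the first post.
    print(check_owner(SAMPLE_LS_LN, SAMPLE_PASSWD, r"WESLEYAN\hmeij"))
    print(check_owner(SAMPLE_LS_LN, None, r"WESLEYAN\hmeij"))
    # Live, only where winbind is present (path and user are assumptions).
    if shutil.which("wbinfo"):
        print(wbinfo_user_info(r"WESLEYAN\hmeij"))
        print(check_path_live("/mnt/FirstVol/testwin/folder1", r"WESLEYAN\hmeij"))
```

On the FreeNAS host `check_path_live` reproduces the post's manual steps in one call and distinguishes three outcomes: the uid resolves to the expected account (healthy), it resolves to a different account (idmap inconsistency, worth fixing before data is written), or it does not resolve at all, which is the state the first post was in when the GUI logged `getpwnam() failed`.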

Nick2253

Wizard
Joined
Apr 21, 2014
Messages
1,633
I'm glad we could get it working for you!
 