AD Users home drive and SFTP

Pabs

Explorer
Joined
Jan 18, 2017
Messages
52
Hi,

Is there a way to:

Import a specific AD user into TrueNAS's users section, this would then allow us to set their home directory to a different location than /home/DOMAIN/user

Thanks!
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,553
Hi,

Is there a way to:

Import a specific AD user into TrueNAS's users section, this would then allow us to set their home directory to a different location than /home/DOMAIN/user

Thanks!

If you create a dataset for the AD homes, and then create an SMB share pointing to it with the `homes` configuration checked, then this path will be used as the home directory for AD users. This may require restarting the SMB service.
 

Pabs

Explorer
Joined
Jan 18, 2017
Messages
52
If you create a dataset for the AD homes, and then create an SMB share pointing to it with the `homes` configuration checked, then this path will be used as the home directory for AD users. This may require restarting the SMB service.
Thank you!!
That did the trick, on to document it!!
 

Pabs

Explorer
Joined
Jan 18, 2017
Messages
52
If you create a dataset for the AD homes, and then create an SMB share pointing to it with the `homes` configuration checked, then this path will be used as the home directory for AD users. This may require restarting the SMB service.
The interesting part is that FTP users can see other users' folders; I can't seem to figure out the permissions scheme where they cannot get out of their respective home folders.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,553
The interesting part is that FTP users can see other users' folders; I can't seem to figure out the permissions scheme where they cannot get out of their respective home folders.
FTP or SFTP (via SSH)? The latter can be manually configured to provide an sftp chroot (requires auxiliary parameters).
 

Pabs

Explorer
Joined
Jan 18, 2017
Messages
52
FTP or SFTP (via SSH)? The latter can be manually configured to provide an sftp chroot (requires auxiliary parameters).
Interestingly enough the Friday change worked, which was to strip permissions at the vdev level and let TrueNAS sort it out based on their AD names....

The one thing that I've noticed is that they can browse out to /mnt/Pool1.... other dirs except the ad_homes vdev. Is there a way to state that SFTP can only see their home dir and nothing else?

Also, is there a way to assign a set space quota for their home directories? i.e. 5 GB per user or something like that.

Thanks,
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,553
Interestingly enough the Friday change worked, which was to strip permissions at the vdev level and let TrueNAS sort it out based on their AD names....

The one thing that I've noticed is that they can browse out to /mnt/Pool1.... other dirs except the ad_homes vdev. Is there a way to state that SFTP can only see their home dir and nothing else?

Also, is there a way to assign a set space quota for their home directories? i.e. 5 GB per user or something like that.

Thanks,

You would need to set an SFTP chroot. There are various instructions around the internet regarding how to do this. Cf. https://wiki.archlinux.org/title/SFTP_chroot

I haven't written up anything TrueNAS-specific since it requires using auxiliary parameters. In principle it's the same though (but many of the CLI steps in the Arch example (such as keys and things) can be done via the TrueNAS web UI). I'd recommend figuring out the required configuration changes in a VM and not on your production server, since mistakes in ssh config can be somewhat difficult to undo in some situations (like a server sitting in a remote datacenter without IPMI access).
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,553
It's also important to note that pam_winbind allows quite a variation of user names for AD users when authenticating via SSH.
Code:
root@truenas[~]# id joiner@BILLY.GOAT
uid=100001104(BILLY\joiner) gid=100000514(BILLY\domain users) groups=100000514(BILLY\domain users),100001104(BILLY\joiner),100000573(BILLY\denied rodc password replication group),100000513(BILLY\domain admins),90000002(BUILTIN\users),90000001(BUILTIN\administrators)

root@truenas[~]# id Joiner@BILLY.GOAT
uid=100001104(BILLY\joiner) gid=100000514(BILLY\domain users) groups=100000514(BILLY\domain users),100001104(BILLY\joiner),100000573(BILLY\denied rodc password replication group),100000513(BILLY\domain admins),90000002(BUILTIN\users),90000001(BUILTIN\administrators)

root@truenas[~]# id BILLY\\joiner
uid=100001104(BILLY\joiner) gid=100000514(BILLY\domain users) groups=100000514(BILLY\domain users),100001104(BILLY\joiner),100000573(BILLY\denied rodc password replication group),100000513(BILLY\domain admins),90000002(BUILTIN\users),90000001(BUILTIN\administrators)


So there are two distinct naming conventions and they are case-insensitive. This doesn't mesh particularly well with openssh user directives, and so in AD environments you should exclusively use group names, which do not rely on validating strings passed from users.
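An added example (not from this thread, and not iXsystems' own configuration) of what the SFTP-chroot auxiliary parameters from the earlier post look like when combined with the group-based matching recommended above. It assumes the BILLY domain from the `id` output, an AD group named `sftp-users` created for the upload accounts, and home directories under the ad_homes dataset; the exact domain prefix and separator must match what `id` prints on your system.

```sshdconfig
# Added to sshd_config through the SSH service's Auxiliary Parameters in the TrueNAS UI.
# Assumptions: AD domain BILLY (as in the `id` output above), an AD group
# "sftp-users" created for upload accounts, homes under /mnt/Pool1/ad_homes.
#
# Match on the group, not the user name: pam_winbind accepts joiner@BILLY.GOAT,
# Joiner@BILLY.GOAT and BILLY\joiner for the same account, so a user-name
# pattern is easy to get wrong, while group membership is resolved by winbind.
Match Group BILLY\sftp-users
    # Confine the session to the user's home. sshd refuses the chroot unless
    # %h and every parent directory are owned by root and not writable by
    # group or others, so users write into a subdirectory they own
    # (e.g. upload/), never into the home directory itself.
    ChrootDirectory %h
    # Use the in-process SFTP server; nothing else needs to exist inside the chroot.
    ForceCommand internal-sftp
    # Upload-only accounts get no shell, no port forwarding and no X11.
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no
```

Before restarting the service, confirm the block applies to each spelling of the account with `sshd -T -C user=joiner@BILLY.GOAT,host=test,addr=192.0.2.10 | grep -i chroot` (192.0.2.10 is a documentation address used here as a stand-in for a client IP).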
 

Pabs

Explorer
Joined
Jan 18, 2017
Messages
52
Ultimately the goal is to have users upload files and these files being accessible to other internal tools.

In the last iteration I moved to using local files, but the main issue which I had was related to permissions and newly created files :(
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,553
Ultimately the goal is to have users upload files and these files being accessible to other internal tools.

In the last iteration I moved to using local files, but the main issue which I had was related to permissions and newly created files :(
Add an ACL entry granting the uid/user for internal tools FULL_CONTROL (or READ if that's more appropriate) on the dataset that is being shared out. If an entry has the INHERIT flag set, then it will be automatically included in the ACL of all newly created files.
 

Pabs

Explorer
Joined
Jan 18, 2017
Messages
52
Add an ACL entry granting the uid/user for internal tools FULL_CONTROL (or READ if that's more appropriate) on the dataset that is being shared out. If an entry has the INHERIT flag set, then it will be automatically included in the ACL of all newly created files.
After applying the suggestion, when a new home directory gets created the user doesn't seem to have access to it even though inherit has been applied at the dataset level :s
They do get access to previously existing ones though.

Thx
 

Pabs

Explorer
Joined
Jan 18, 2017
Messages
52
Add an ACL entry granting the uid/user for internal tools FULL_CONTROL (or READ if that's more appropriate) on the dataset that is being shared out. If an entry has the INHERIT flag set, then it will be automatically included in the ACL of all newly created files.
Currently I have the permissions set up as in the below screenshot and nothing :(
Every time a new home folder gets created for FTP it's like the permissions didn't apply to it; this goes for the local user ones as well as for the one at the very top.
No access unless you then reapply permissions and set it to: Apply permissions recursively

thoughts?

[Screenshot: the dataset permission/ACL settings referred to above]
 