SOLVED Another idiot baffled by permissions

[Idiotzoo]

So as far as I can tell I have AD working nicely. I've setup windows ACL and set permissions and just as I thought all was working, most of my users don't have permission to connect.

I've been through the docs but can't find anything that explains how CIFS permissions are set when using AD.

The CIFS shared dataset is owned by Administrator and the group is Domain Admins. I've used a windows client to set permissions on the share contents, which all looks fine, but any user that isn't a member of domain admins can't access the share at all.

So I changed the group to Domain Users and.... no change. I can't find any way of granting access to my users.

I presume I've missed something simple, but the docs are pretty vague on this.

 

[dlavigne]

Did you restart the CIFS and AD services after changing to Domain Users? On the test client, are you logging out in between connection attempts to make sure you're not getting any cached login info? Anything related in /var/log/messages on the FreeNAS system? Can you see the imported users on the FreeNAS system in the permissions of the volume/dataset being shared?

 

[Idiotzoo]

Ok, so after some delay to solve other unrelated problems....

Did you restart the CIFS and AD services after changing to Domain Users?

Yes. I've restarted the freenas box entirely as well.

On the test client, are you logging out in between connection attempts to make sure you're not getting any cached login info?

Yes. I've tried difference clients too.

Anything related in /var/log/messages on the FreeNAS system?

Not that I can see. All I seem to have in there are the powerd errors (it's an AMD system) and info messages about snapshot replication.

Can you see the imported users on the FreeNAS system in the permissions of the volume/dataset being shared?

Yes. I get my AD groups and users in the drop down. Freenas also lets me set AD groups and users from the command line.

Any other ideas how I can go about diagnosing this?

 

[Idiotzoo]

Ok... I think I have this working. As ever, it's a configuration issue. I suspect the problem is a lack of clear information in the freenas docs, coupled with the known bug with setting permissions in the web ui.

I ended up reading some samba docs, which give far more insight into how to set this up than the freenas docs on cifs.

Essentially I did all the permissions setting following the samba docs and setup cifs as per the samba instructions. It seems to work.

What's really weird is I initially had two shares, both with the same permissions. One worked, one didn't.

 

[dlavigne]

Essentially I did all the permissions setting following the samba docs and setup cifs as per the samba instructions.

URL?

 

[Idiotzoo]

http://wiki.samba.org/index.php/Samba_&_Windows_Profiles

I was specifically trying to get windows profiles working, so ended up at this page. Key things I did, not sure which of them helped, were set the cifs permissions defaults to 0700 rather than 0770 and follow the samba 3 instructions in the above link for setting the permissions at the cli.