fredbourdelier
Dabbler
- Joined
- Sep 11, 2022
- Messages
- 27
I've seen some similar questions, but not this exact scenario. Hopefully this one is easy to solve.
To start, let's avoid the 1000 word description and skip to the picture:
View attachment 65422
We're using SMB shares and TrueNAS with AD sync to a domain (all of which work).
More specifically:
We have a sample Domain Admin - someone who's authorized to see the root of the data set and the SMB share we set up at the root (MFGDATA is the data set, SH_MFG_ROOT is the share). Permissions on the root share are set up the way you'd expect:
View attachment 65423
MFG admins and Domain Admins (plus backup/restore functions) can access the root share, and no one else. Works - as expected.
View attachment 65424
We have another share (LDLS_PROCESSDATA_TLS) which is a subfolder a couple of layers down from that root. As expected, the domain admin can see it.
View attachment 65425
/////////////////////////////////
Now: we have a domain user, let's call him Lester.
View attachment 65426
Lester is a domain user, and a member of a couple of security groups - but not an admin.
View attachment 65427
Of particular significance for this issue is the membership in SG_ETI_TLSTEST_RW, because this happens to be the security group with permission to that LDLS_PROCESSDATA_TLS share that's a couple of layers down from the root share:
View attachment 65428
As you can see, Windows reports the group should have R/W permission. Lester is a member of this group. This is reported through Windows security manager (by the admin user, whose permissions work) so we can see that both the AD link and the security permissions for the folder are being seen by Windows as we expect.
Side Comment: You'll also notice that DOMAIN ADMINS group is in there - I tried adding it to see if Domain Users group would make the share work for Lester - didn't change the behavior at all - still fails - so just ignore it.
However, Lester can't access the share:
View attachment 65435
The admin CAN see the contents of the share:
View attachment 65436
This is NOT the expected behavior
In TrueNAS, at the data set level (MFGDATA) and the root share (SH_MFG_ROOT), beyond permissions for admins etc, domain users have traverse permission
View attachment 65429
View attachment 65430
Full Share and file ACL for the LDLS_PROCESSDATA_TLS share that doesn't work for Lester:
View attachment 65431
View attachment 65432
View attachment 65433
View attachment 65434
(Lester is a member of this security group - and should have access because of membership here)
CONFIG:
Fred
To start, let's avoid the 1000 word description and skip to the picture:
View attachment 65422
We're using SMB shares and TrueNAS with AD sync to a domain (all of which work).
More specifically:
We have a sample Domain Admin - someone who's authorized to see the root of the data set and the SMB share we set up at the root (MFGDATA is the data set, SH_MFG_ROOT is the share). Permissions on the root share are set up the way you'd expect:
View attachment 65423
MFG admins and Domain Admins (plus backup/restore functions) can access the root share, and no one else. Works - as expected.
View attachment 65424
We have another share (LDLS_PROCESSDATA_TLS) which is a subfolder a couple of layers down from that root. As expected, the domain admin can see it.
View attachment 65425
/////////////////////////////////
Now: we have a domain user, let's call him Lester.
View attachment 65426
Lester is a domain user, and a member of a couple of security groups - but not an admin.
View attachment 65427
Of particular significance for this issue is the membership in SG_ETI_TLSTEST_RW, because this happens to be the security group with permission to that LDLS_PROCESSDATA_TLS share that's a couple of layers down from the root share:
View attachment 65428
As you can see, Windows reports the group should have R/W permission. Lester is a member of this group. This is reported through Windows security manager (by the admin user, whose permissions work) so we can see that both the AD link and the security permissions for the folder are being seen by Windows as we expect.
Side Comment: You'll also notice that DOMAIN ADMINS group is in there - I tried adding it to see if Domain Users group would make the share work for Lester - didn't change the behavior at all - still fails - so just ignore it.
However, Lester can't access the share:
View attachment 65435
The admin CAN see the contents of the share:
View attachment 65436
This is NOT the expected behavior
In TrueNAS, at the data set level (MFGDATA) and the root share (SH_MFG_ROOT), beyond permissions for admins etc, domain users have traverse permission
View attachment 65429
View attachment 65430
Full Share and file ACL for the LDLS_PROCESSDATA_TLS share that doesn't work for Lester:
View attachment 65431
View attachment 65432
View attachment 65433
View attachment 65434
(Lester is a member of this security group - and should have access because of membership here)
CONFIG:
- Dell R730XD
- 2x Xeon E5-2690 14 core @ 2.6G
- 768 GB ECC DDR4-25600
- 2@Seagate Nytro 960GB SAS SSD 12GB (boot) [HW raid mirror]
- 4@WD200 3.84GB SAS SSD 12GB (MAIN_SSD_POOL) [HBA / TNAS Zdev2)
- 12@Seagate Exos x18 18TB SAS 12GB (MAIN_HDD_POOL) [HBA / TNAS Zdev2]
- DELL PERC H730p mini SAS split bus 8+8 1GB cache
- 2@DELL 1GB copper (builtin)
- 2@DELL 10GB copper (builtin)
- 1@2 port DELL 0xGRFF 10GB SFP+ (add on)
- TrueNAS CORE 13.0-U4 (updated 4/5/23)
Fred