Guest access with Active Directory integration

Status
Not open for further replies.

Timo123

Dabbler
Joined
Feb 26, 2018
Messages
13
Hi,
I have set up Active Directory integration, which is working fine, but now I want to use guest access on the same share so that non-AD users get read-only access.
It sort of works already, which means that when you try to connect to the share with a non-AD account you get a username/password prompt where you can enter a fake username and see the files.
Is there a way to get rid of the logon prompt?

Thanks, Timo
 

Nick2253

Wizard
Joined
Apr 21, 2014
Messages
1,633
What are the permissions on the dataset?

By default, the SMB shares are set up to allow "everyone" access to the share. Then, directory permissions are used to prevent read/write access to the files. Thanks to the ACLs, the permissions can be extremely granular.
 

Timo123

Dabbler
Joined
Feb 26, 2018
Messages
13
I have set the permissions in the following way:
upload_2018-2-26_18-47-38.png


And I can see that everyone has the following rights on the share:
Read & execute
List folder contents
Read
 


Nick2253

Wizard
Joined
Apr 21, 2014
Messages
1,633
What do your share settings look like?

It looks like you are directly sharing your root dataset? Is that correct? If so, you'll want to rework your setup. Sharing your root dataset was allowed by previous versions, but it has never been a supported setup. You'll want to create a child dataset, and share that. This may explain some of the weird behavior.
 

Timo123

Dabbler
Joined
Feb 26, 2018
Messages
13
It looks like this:
upload_2018-2-26_19-26-56.png


Maybe I should have called it something other than data :smile:
 

Nick2253

Wizard
Joined
Apr 21, 2014
Messages
1,633
Ok, so yes, you are sharing the root dataset. What you are seeing there is:

Code:
data (pool)
	data (root dataset)
		jails (child dataset)


What you want is something like:
Code:
data (pool)
	data (root dataset)
		share (child dataset) <-- sharing this dataset via SMB/NFS/Whatever
		jails (child dataset)


Can you please post a screenshot of your share settings?
 

Nick2253

Wizard
Joined
Apr 21, 2014
Messages
1,633
Any advanced settings configured?

If we blew away and reconfigured permissions on this share, would that be a problem?
 

Timo123

Dabbler
Joined
Feb 26, 2018
Messages
13
I have set the domain-level permissions on the share child dataset.
But the result is the same as before.
 

Timo123

Dabbler
Joined
Feb 26, 2018
Messages
13
I have also activated "Allow empty password" for the SMB service, but the behavior is still the same. Non-domain users get a logon prompt.
upload_2018-2-26_20-26-32.png
 

Nick2253

Wizard
Joined
Apr 21, 2014
Messages
1,633

Timo123

Dabbler
Joined
Feb 26, 2018
Messages
13
I followed the steps, and accessing the share with a domain member account works fine, but read-only guest access from machines outside the domain still prompts for a username and password; you can enter a non-existent username and it logs you on.
upload_2018-2-26_21-10-16.png
 

Nick2253

Wizard
Joined
Apr 21, 2014
Messages
1,633
Are you trying to connect directly into a share, or are you connecting to the server? I.e., \\freenas\share vs \\freenas
 

Nick2253

Wizard
Joined
Apr 21, 2014
Messages
1,633
Hmm, that's interesting. And that's actually important diagnostic info, because that tells us that something is wrong with Samba, not just your share.

Can you post a copy of your smb.conf file? I wonder if something got set in there through an upgrade or an errant setting or something.
 

Timo123

Dabbler
Joined
Feb 26, 2018
Messages
13
smb4.conf:

[global]
encrypt passwords = yes
dns proxy = no
strict locking = no
oplocks = yes
deadtime = 15
max log size = 51200
max open files = 234803
logging = file
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
getwd cache = yes
guest account = nobody
map to guest = Bad User
obey pam restrictions = yes
ntlm auth = no
directory name cache size = 0
kernel change notify = no
panic action = /usr/local/libexec/samba/samba-backtrace
nsupdate command = /usr/local/bin/samba-nsupdate -g
server string = FreeNAS Server
ea support = yes
store dos attributes = yes
lm announce = yes
hostname lookups = yes
null passwords = yes
acl allow execute always = true
dos filemode = yes
multicast dns register = yes
domain logons = no
idmap config *: backend = tdb
idmap config *: range = 90000001-100000000
server role = member server
workgroup = <domainname>
realm = <domainname>
security = ADS
client use spnego = yes
local master = no
domain master = no
preferred master = no
ads dns update = yes
winbind cache time = 7200
winbind offline logon = yes
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = yes
winbind use default domain = no
winbind refresh tickets = yes
idmap config <domainname>: backend = rid
idmap config <domainname>: range = 20000-90000000
allow trusted domains = no
client ldap sasl wrapping = plain
template shell = /bin/sh
template homedir = /home/%D/%U
netbios name = FREENAS1
create mask = 0666
directory mask = 0777
client ntlmv2 auth = yes
dos charset = CP437
unix charset = UTF-8
log level = 1


[software]
path = "/mnt/Volume1/share"
printable = no
veto files = /.snapshot/.windows/.mac/.zfs/
writeable = yes
browseable = yes
access based share enum = no
vfs objects = zfs_space zfsacl streams_xattr
hide dot files = yes
guest ok = yes
nfs4:mode = special
nfs4:acedup = merge
nfs4:chown = true
zfsacl:acesort = dontcare
 

Nick2253

Wizard
Joined
Apr 21, 2014
Messages
1,633
Everything looks correct here to me. I'll need to set up this config in my lab hypervisor when I get home to troubleshoot further.

Just to make sure we're all on the same page as to what should be happening (and what is happening instead), the procedure is:
  • Domain User connects to server. Automatically logged in with appropriate credentials.
  • Non-domain user connects to server. Automatically connected with "guest" credentials. <-- Not happening. Non-domain users getting password prompt
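As an added check for the two-way behaviour described above (example code written for this thread, not from the forum posts or FreeNAS), here is a small parser for the smb4.conf format with a report of whether the settings that guest fallback depends on are in place. The embedded config is a constructed excerpt of the posted smb4.conf with the domain name omitted; note that `map to guest = Bad User` maps only logons with an unknown username to the guest account, which is consistent with the fake-username behaviour reported earlier in the thread.

```python
import re
# Constructed excerpt of the smb4.conf posted above (domain name omitted), not a real server's file.
SAMPLE_SMB_CONF = """
[global]
security = ADS
guest account = nobody
map to guest = Bad User

[software]
path = "/mnt/Volume1/share"
writeable = yes
guest ok = yes
"""

# Samba ignores case and whitespace in parameter names; a few names have synonyms.
_ALIASES = {"public": "guest ok", "writable": "writeable"}
_MAP_TO_GUEST_VALUES = {"bad user", "bad password", "bad uid"}

def parse_smb_conf(text):
    """Return {section: {param: value}} with normalized parameter names."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # skip blank lines and comments
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:  # start of a new [section]
            current = m.group(1).strip().lower()
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = " ".join(key.lower().split())
        sections[current][_ALIASES.get(key, key)] = value.strip().strip('"')
    return sections

def guest_access_report(sections, share):
    """Conditions guest fallback needs, as (description, passed) pairs."""
    g, s = sections.get("global", {}), sections.get(share.lower(), {})
    mode = g.get("map to guest", "never").lower()  # Samba's default is Never
    return [
        ("map to guest turns failed logons into guest", mode in _MAP_TO_GUEST_VALUES),
        ("share allows guests (guest ok = yes)", s.get("guest ok", "no").lower() == "yes"),
        # Bad User maps only unknown usernames; a known user with a wrong password is refused.
        ("unknown usernames fall through to guest", mode == "bad user"),
    ]

def guest_ok(sections, share):
    return all(passed for _, passed in guest_access_report(sections, share))
```

Run it against a real smb4.conf by passing the file's contents to `parse_smb_conf` and the share name to `guest_access_report`; any entry that reports False points at the setting to inspect first.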
 