Home Directory ACLs - User listed as Group

Status
Not open for further replies.

Elegant

Explorer
Hi guys,
When creating a Home Directory through AD I've always noticed that the ACE for the end-user is marked as a group, NOT a user, which causes a conflict with programs in Linux. I believe this to be a bug but the question would be whether this is FreeNAS or Samba that the bug lies with. You can see an example of this in the attachment: group:GAIA\elegant is not a group. Anyone have any ideas? I seem to recall this issue being mentioned before somewhere (not necessarily here) but can't find it. Thanks!

This is with FreeNAS 9.10.2.
 

Attachments

  • ACL - Elegant.png

anodos

Sambassador
iXsystems
I believe the more fundamental problem with using AD home directories is that FreeNAS defaults to nfs4:mode=special. Try adding the following auxiliary parameter for the share that's housing your home directories: nfs4:mode=simple.

See discussion here: https://bugs.freenas.org/issues/21603
 

Elegant

Explorer
I actually have nfs4:mode=simple already; this is also the only parameter I have added to that specific share. My screenshot is a bit out of date (extra ACEs) but I attempted this on a new share a couple of days ago and had the same result. Something is finding the entry but is not bothering to determine if it is a user or group and just chooses group by default (?).

Are you able to reproduce this as well? I simply make a fake user in AD, give it a home directory on this 'Test' share and getfacl the user's home directory.
 

anodos

Sambassador
iXsystems
I think this is a side-effect of how the RID idmap backend works / interacts with ZFSACL. For instance, if you type id "DOMAIN\Bob" the output will be uid=21112(DOMAIN\Bob) groups=21112(DOMAIN\Bob).
<speculation>There's probably not a quick & easy way to determine whether a SID is for a user or a group, and so the backend just shotgun-blasts UIDs/GIDs based on the RID component of the SID & the idmap range specified in the idmap configuration lines of the smb.conf file.</speculation>

Perhaps you can try checking the box for "use default domain". Sometimes this can make unix applications happier. Otherwise, you may need to look into switching idmap backends to AD (RFC2307). This will require properly configuring your AD to support NIS extensions. Once you do this, you will be able to set the UIDs / GIDs for your users and groups through active directory.
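An added example (my own; not code from this thread, FreeNAS or Samba) that models the idmap_rid arithmetic anodos describes, runs a small audit over getfacl output for the "user tagged as group" symptom Elegant reports, and contrasts it with the RFC2307 (idmap ad) lookup recommended above. The SIDs, account names, idmap range, uidNumber/gidNumber values and the getfacl text are all constructed; only the ID = RID - BASE_RID + LOW_RANGE_ID formula comes from the idmap_rid(8) man page.

```python
import re

# Added example; not code from the forum thread, FreeNAS or Samba. It models the
# idmap_rid arithmetic anodos describes, audits getfacl output for the
# "user shown as group" symptom, and shows the rfc2307 lookup that fixes the kind
# at the directory. All SIDs, names, numbers and the idmap range are constructed.

SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")

def rid_of(sid):
    """Relative identifier (last sub-authority) of a domain SID."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain SID: {sid}")
    return int(m.group(1))

def rid_to_xid(sid, range_low, range_high, base_rid=0):
    """Mapping documented in idmap_rid(8): ID = RID - BASE_RID + LOW_RANGE_ID.
    One formula serves users and groups alike, so the resulting number carries
    no hint of which kind of object the SID names."""
    xid = rid_of(sid) - base_rid + range_low
    if not range_low <= xid <= range_high:
        raise ValueError(f"{sid} falls outside idmap range {range_low}-{range_high}")
    return xid

# Constructed directory: SID -> (name, objectClass). RID 1112 with a range
# starting at 20000 gives the 21112 quoted in the post.
DIRECTORY = {
    "S-1-5-21-111-222-333-1112": ("DOMAIN\\Bob", "user"),
    "S-1-5-21-111-222-333-1113": ("DOMAIN\\Staff", "group"),
}
IDMAP_RANGE = (20000, 29999)

def id_output(sid):
    """Shape of the `id` output quoted in the post: the same number appears as
    the uid and as a group id, because idmap_rid yields one number per SID."""
    name, _ = DIRECTORY[sid]
    xid = rid_to_xid(sid, *IDMAP_RANGE)
    return f"uid={xid}({name}) groups={xid}({name})"

SPECIAL_TAGS = ("owner@", "group@", "everyone@")

def parse_ace(line):
    """Split one FreeBSD NFSv4 getfacl line into (tag, name, perms, flags, type)."""
    fields = line.strip().split(":")
    tag = fields[0]
    if tag in SPECIAL_TAGS and len(fields) == 4:
        return (tag, None, fields[1], fields[2], fields[3])
    if tag in ("user", "group") and len(fields) == 5:
        return (tag, fields[1], fields[2], fields[3], fields[4])
    raise ValueError(f"unrecognised ACE: {line!r}")

def ace_tag_mismatches(getfacl_text, kind_by_name):
    """Return (name, tag, objectClass) for every named ACE whose user/group tag
    disagrees with what the directory says the principal is."""
    problems = []
    for line in getfacl_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank, or one of getfacl's "# file:" / "# owner:" / "# group:" headers
        tag, name, _perms, _flags, _type = parse_ace(line)
        if name is None:
            continue  # owner@ / group@ / everyone@ carry no principal name
        kind = kind_by_name.get(name)
        if kind is not None and kind != tag:
            problems.append((name, tag, kind))
    return problems

# Constructed getfacl output for a home directory in FreeBSD's NFSv4 format;
# the second ACE shows the symptom from the post (a user tagged as group).
SAMPLE_GETFACL = """\
# file: /mnt/tank/homes/Bob
# owner: DOMAIN\\Bob
# group: DOMAIN\\Domain Users
            owner@:rwxpDdaARWcCos:fd-----:allow
  group:DOMAIN\\Bob:rwxpDdaARWcCos:fd-----:allow
group:DOMAIN\\Staff:r-x---a-R-c---:fd-----:allow
         everyone@:------a-R-c--s:fd-----:allow
"""

def audit_sample():
    kind_by_name = {name: kind for name, kind in DIRECTORY.values()}
    return ace_tag_mismatches(SAMPLE_GETFACL, kind_by_name)

# Under idmap ad with RFC2307 attributes the number comes from the object itself
# (uidNumber on users, gidNumber on groups), so the kind is fixed by the directory.
RFC2307 = {
    "S-1-5-21-111-222-333-1112": {"objectClass": "user", "uidNumber": 10001},
    "S-1-5-21-111-222-333-1113": {"objectClass": "group", "gidNumber": 5001},
}

def rfc2307_xid(sid):
    """Return ("uid", n) for a user object and ("gid", n) for a group object."""
    obj = RFC2307[sid]
    if obj["objectClass"] == "user":
        return ("uid", obj["uidNumber"])
    return ("gid", obj["gidNumber"])

if __name__ == "__main__":
    print(id_output("S-1-5-21-111-222-333-1112"))
    print(audit_sample())
    print(rfc2307_xid("S-1-5-21-111-222-333-1113"))
```

Feeding a real getfacl dump to ace_tag_mismatches only needs a name-to-objectClass table from your own directory in place of the constructed DIRECTORY; an entry such as ("DOMAIN\Bob", "group", "user") is exactly the group:GAIA\elegant case from the first post. The id_output function reproduces the shape of the output anodos quotes, not winbind's full behaviour, and the RFC2307 dictionary stands in for the uidNumber/gidNumber attributes an idmap ad backend would read from AD.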
 