Jail Permissions when using Active Directory

[Caleb Surface]

I am working to get Resilio set up as a plugin, but I can't seem to figure out how to get access to the share permissions working for it. It continues to tell me it's missing write permissions and therefore it won't add the folder. I am using Active Directory, and every share permission is set to "administrator" for the user and "domain users" for the group. Any thoughts on how I could solve this simply? Thanks!

 

[Joshua Parker Ruehlig]

I don't know about windows permission complexities, but to solve unix permission issues I wrote this.
if you show 'ls -l /path/to/files' from the resilio jail we can see what the issue is.

 

[Caleb Surface]

This was my output when running it on one connected share.

Code:

root@resilio_1:/ # ls -l /media/Data/Graphics/

total 405

drwxrwxr-x+ 17 20500  20513	 17 May 28  2016 *Designs for Years*

-rwxrwxr-x+  1 20500  20513  26628 May 27  2016 .DS_Store

drwxrwxr-x+  6 20500  20513	  6 May 28  2016 .TemporaryItems

-rwxrwxr-x+  1 20500  20513	  0 Oct 29 13:19 .windows

drwxrwxr-x+  3 20500  20513	  4 Jan 17  2016 Announcements

drwxrwxr-x+  3 20500  20513	 17 Jan 29  2016 Benn

drwxrwxr-x+ 10 20500  20513	 11 May 28  2016 Caleb

drwxrwxr-x+  3 20500  20513	  4 Dec 31  2013 Children's

drwxrwxr-x+  4 20500  20513	 14 Oct 16  2015 Fonts

drwxrwxr-x+  3 20500  20513	  8 Dec 31  2013 God Cares for Servicemen

drwxrwxr-x+  2 20500  20513	  4 Sep 17  2014 Homeschool Group

drwxrwxr-x+ 26 20500  20513	 31 Oct 29  2013 Icon Sets

drwxrwxr-x+  4 20500  20513	  5 Dec  2  2015 Ideas

drwxrwxr-x+ 10 20500  20513	 11 Sep 23  2015 Identity

drwxrwxr-x+  4 20500  20513	 30 Jun 16  2012 Illustrations

drwxrwxr-x+ 26 20500  20513	 27 May 20  2016 Lindamood

drwxrwxr-x+  3 20500  20513	  3 Aug 28  2015 Mailing

drwxrwxr-x+  2 20500  20513	  6 May 31  2016 Maps

drwxrwxr-x+  3 20500  20513	  6 Mar  3  2016 Postcard

drwxrwxr-x+  7 20500  20513	  8 Feb 29  2016 Publications

drwxrwxr-x+  6 20500  20513	 11 Apr 14  2016 Resource Examples

drwxrwxr-x+  5 20500  20513	  6 Jan  1  2016 Sermon Designs

drwxrwxr-x+  2 20500  20513	 12 Jan  9  2014 Still Church

drwxrwxr-x+  2 20500  20513	170 May 16  2016 Stock Images

drwxrwxr-x+ 14 20500  20513	 26 Aug 13  2014 Tracts

drwxrwxr-x+  2 20500  20513	  5 Aug  1  2015 Videos

drwxrwxr-x+  3 20500  20513	  6 Dec 28  2014 Website Banners

drwxrwxr-x+  2 20500  20513	  9 Jun  3  2015 Welcome

drwxrwxr-x+ 17 20500  20513	 18 Jul 23  2015 ???Designs for Years???

root@resilio_1:/ # 

 

[Joshua Parker Ruehlig]

those files allow owner and group writing. you either need resilio to run as a user with a UID of 20500, or be in a group with GID 20513.
see solution 2 or 3 here...
https://forums.freenas.org/index.ph...-plugins-write-permissions-to-your-data.27273

also you have windows ACLs enabled, so that may add additional complications but I don't have experience with them

 

[Caleb Surface]

those files allow owner and group writing. you either need resilio to run as a user with a UID of 20500, or be in a group with GID 20513.
see solution 2 or 3 here...
https://forums.FreeNAS.org/index.ph...-plugins-write-permissions-to-your-data.27273

also you have windows ACLs enabled, so that may add additional complications but I don't have experience with them

Looks like that solved the issue. I had seen that thread before and tried it, but I wasn't connecting what group or user ID to use. Thanks for the help!

 

[Caleb Surface]

And just kidding. It only partially worked. So it made some of the folders accessible, but not all.

 

[Joshua Parker Ruehlig]

I assume it has to do with windows ACLs then, since all the folders you show have the same permission levels

 

[Caleb Surface]

Okay, so this is what actually shows up when I execute to the path of my attached storage to the jail. As you can see, it's slightly different. I tried creating a user "administrator" in the jail and a "domain users" group that the user is a part of, then I made the plugin run under that user, but still nothing.

Code:

root@resilio_1:/ # ls -l /media/Data/
total 62
drwxrwxr-x+ 19 administrator  domain users  27 Dec  3 13:52 Finances
drwxrwxr-x+ 30 administrator  domain users  32 Dec  3 13:21 Graphics
drwxrwxr-x+ 14 administrator  domain users  18 Nov 24 16:36 Installers
drwxrwxr-x+ 16 administrator  domain users  18 Nov  4 14:06 Office

 

[Joshua Parker Ruehlig]

According to unix permissions resilio user should be able to write to those folders. As I said it is an issue with Windows ACLs. I do not help with those since I don't know anything about Windows.

 

[Caleb Surface]

According to unix permissions resilio user should be able to write to those folders. As I said it is an issue with Windows ACLs. I do not help with those since I don't know anything about Windows.

I know. I was just trying to keep info flowing so if someone who can help sees the thread. Thanks for trying.

 

[Joshua Parker Ruehlig]

no prob, goodluck!

 

[Caleb Surface]

I don't know if it's worth starting a new thread at this point for this, but as I've been doing some digging, I think one of the following two options are my only courses of action:

1. Install Samba in the jail and have an AD user running the plugin.
2. Map the shares via smb and authenticate using an AD account.

Any thoughts on these options or has anyone actually done either successfully?

 

[Incogito]

Hi,

Have you succeeded with setting up Resilio Sync alongside with AD ?
I am looking to implement a similar setup.

 

[Caleb Surface]

Hi,

Have you succeeded with setting up Resilio Sync alongside with AD ?
I am looking to implement a similar setup.

I ended up just running a Windows 7 virtual machine with the drives mapped specifically for syncing Resilio. Kinda frustrating, but oh well. I may try again with this once I get FreeNAS 10 up and running, but till then this works fine.

 

[Incogito]

Thanks for you quick reply. I was also thinking about going that way if things got too complicated.
Why not run directly on the AD controller instead of a separate VM, by the way ?

EDIT: I've been assuming this a Windows AD controller.

 

[Caleb Surface]

Thanks for you quick reply. I was also thinking about going that way if things got too complicated.
Why not run directly on the AD controller instead of a separate VM, by the way ?

EDIT: I've been assuming this a Windows AD controller.

It is a Windows AD controller. The reason I did it on a separate VM is because I just, in general, prefer to keep "applications" for my servers separated out. The only thing my AD server does is AD. The only thing my network controller server does is network controlling. So on and so forth. So basically Windows 7 does an auto-login to my account, maps certain drives on login, and resilio opens and begins syncing. Not the most elegant solution, but it works!