eexodus
I have FreeNAS 11.3 joined to an AD environment with over 50,000 users. At first this was too much for FreeNAS, but after checking "Disable FreeNAS Cache" most users haven't had any issues. However, a few newer users are having inconsistent permission issues. Permissions are managed by groups. Even though the new user gets added to the correct group, and in the FreeNAS command line I can run "id username" and confirm FreeNAS is seeing them in the right group, they get permission errors when mounting the SMB/CIFS shares. The only reliable workaround I've developed is using the web UI facl editor to add that specific user to the share's permissions. This obviously isn't ideal--each share should give a group access and not individual users.
Looking at Samba logs I'm getting a lot of "pam auth crap domain" for all users, but I don't think this is the cause because most users are getting pam auth crap domain errors. I suspect this is because my organization has a split parent-child domain and FreeNAS is first trying the wrong domain and then the second correct domain. FreeNAS and computers are on the child domain--users are on the parent domain.
I'm seeing winbind and check_ntlm_password authentication for the affected users succeeding, so it almost seems like it's a facl issue?