Moving away from AD (lots of issues)

Steiner-SE

Dabbler
Joined
Jul 13, 2020
Messages
37
Not sure what subforum this should go in so I hope admins can move it to the most appropriate place.
I have a big mess on my hands now as I started setting up the NAS under the domain controller but now have decided to move away from it and just run my machines in a workgroup. If I remove the NAS from the domain I lose access to all shares. If I keep it on the domain, both domain and non-domain machines have some access to it.
I've probably made a big mess of permissions and ACLs during this. Folders and files created from a non-domain machine are only workable from said machines and vice versa for domain machines. It seems I cannot change owner or permissions from Windows to remedy this either.
I have created a user and group on the NAS and I can set the user as owner in filesystem permissions (from the NAS), but cannot set the group; it's stuck as "wheel".

What I really want to do here is:
A: Remove the NAS from domain but keep it fully accessible.
B: Remove all machines from domain and be in a workgroup instead, and retain access to NAS and each other.
C: Make all shares/files etc accessible and editable under above conditions.

I'm not quite sure at which end to start or exactly what needs to be done here since Windows won't allow me to add or change permissions/owner for any files and folders (says I need permissions but doesn't allow me to give credentials for said permissions).
Machines on the VM/machine side are Windows 10 Pro/Enterprise, Server 2016 and Server 2019.
I'm setting up local users on all machines with the same name/pass as the account I set up on the NAS (think that is needed?) and making those administrators.

This is all a bit of a jungle to me and I fear I've made a big mess of it all after my move from Xpenology to TrueNAS Core (TrueNAS being a bit more involved than Synology).
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
TrueNAS has an issue with the ACL manager preventing it from operating as expected and somewhat complicating ACL management. This is being fixed in BETA2 which should be released soon-ish.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
That said, have you filed any bug reports about the AD issues or reported them here? Since TrueNAS Core is in BETA, this is an opportunity to help out in fixing issues.
 

Steiner-SE

Dabbler
Joined
Jul 13, 2020
Messages
37
Before I do that I need to understand if I actually have issues or just screwed something up. I can access shares, files and folders and can add/remove etc. Just not the same combinations from different machines or depending on if the share is new or old. Looking at permissions from the Windows side, some have TRUENAS\SecuAdmin (local) set and some have SECUNET\SecuAdmin (domain user). The share that seems to work best has both set and I bet if I remove either (if I even could) I would again have the issues from above.

One question to start somewhere: am I supposed to be able to change the group associated with a dataset? I managed to change the owner (as I had initially set it owned by root) and that worked fine, but the group is stuck as wheel and not the new "Global" group which the owner user is a member of.
 

Steiner-SE

Dabbler
Joined
Jul 13, 2020
Messages
37
Generally speaking, you're better off adding additional entries (Domain and Local) that grant access as you want them (rather than manipulating owner / group).
Yeah, I have a lot to learn, not sure why I thought setting up an MS ADDC was a good idea, been more hassle than it's worth. Think I'm getting there though.

OK, think I know what I need to do. Need to go to every machine, disconnect all shares and reconnect them, making sure I connect as TRUENAS/SecuAdmin and not SECUNET/SecuAdmin. Then by making sure TRUENAS/SecuAdmin has permission on all files it seems to work. Setting both to have permissions recursively should solve all issues (I think, but also think that is just what you said :) ).
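
Added example, not part of the thread and not TrueNAS code: a small audit that reads `getfacl`-style NFSv4 ACL listings and reports which files lack a write-allowing entry for either the local or the domain account, the mixed state described in the posts above. The sample listing, the paths and the way the two accounts are rendered (`user:SecuAdmin` for the local user, `user:SECUNET\SecuAdmin` for the domain user) are assumptions constructed for illustration.

```python
# Constructed sample in the style of FreeBSD `getfacl` output for NFSv4 ACLs.
# Paths and entries are made up; only the account names come from the thread.
SAMPLE = r"""
# file: /mnt/tank/share/old_report.docx
# owner: root
# group: wheel
user:SECUNET\SecuAdmin:rwxpDdaARWcCos:-------:allow
            owner@:rwxpDdaARWcCos:-------:allow
# file: /mnt/tank/share/new_notes.txt
# owner: SecuAdmin
# group: wheel
    user:SecuAdmin:rwxpDdaARWcCos:-------:allow
            group@:r-x---a-R-c---:-------:allow
# file: /mnt/tank/share/shared.xlsx
# owner: SecuAdmin
# group: wheel
user:SECUNET\SecuAdmin:rwxpDdaARWcCos:-------:allow
    user:SecuAdmin:rwxpDdaARWcCos:-------:allow
            owner@:rwxpDdaARWcCos:-------:allow
            group@:r-x---a-R-c---:-------:allow
"""

# Assumed rendering of the local and the domain account in the ACL listing.
REQUIRED = ["user:SecuAdmin", r"user:SECUNET\SecuAdmin"]

def parse_getfacl(text):
    """Return {path: [(who, perms, flags, ace_type), ...]}."""
    acls, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("# file:"):
            current = line.split(":", 1)[1].strip()
            acls[current] = []
        elif line and not line.startswith("#") and current is not None:
            # Split from the right so "owner@" and "user:NAME" both parse.
            parts = line.rsplit(":", 3)
            if len(parts) == 4:
                acls[current].append(tuple(parts))
    return acls

def missing_writers(text, required):
    """Map each path to the required principals lacking an allow+write entry."""
    report = {}
    for path, entries in parse_getfacl(text).items():
        writers = {who for who, perms, _flags, kind in entries
                   if kind == "allow" and "w" in perms}
        gaps = [p for p in required if p not in writers]
        if gaps:
            report[path] = gaps
    return report
```

Files that appear in the report are the ones that will behave differently depending on which account a share was connected with.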
 