Non-Administrator AD Users Cannot Access SMB Shares

bttruman
Hi there,

Recently we migrated from FreeNAS running on a spare computer to a TrueNAS Mini X+. Since then, however, I can't get AD Users that aren't in the Domain Admins group to access any shares.

I searched the Forums and found related topics, but nobody ever posted a resolution to the problem.

Migration was done by uploading the existing system's configuration to the new one, and then using Snapshots and Replication to sync the data between the two. Everything is sorted out with the Active Directory, NetBIOS, and HostNames so they aren't in conflict, and I can see all of my AD Users and Groups when going to modify the Permissions on the various Datasets in the Pool. Running
Code:
getent group
returns me all of the groups on the AD, so I know everything is connected up properly.

I've read the documentation, searched the forums, and tried everything I can think of:
  • Deleting the shares and datasets, and recreating them manually
  • Pulled it off the AD, deleted the Computer from it, and recreated it - both with and without previously creating the computer object in there.
  • Used the Share ACL both instead of, and also in addition to the Filesystem ACL
  • Checked/Set/Changed the permissions to the shares through Windows (Authenticated as a Domain Admin)
  • Set the ACL to Everyone with only Read, Modify, and Full Control
Everything looks correct, but I can't get any access to users that aren't Domain Admins. The only thing I can think is that instead of setting the parent group to Domain Admins that I should set it to Domain Users, but then I would have to go in and explicitly deny people access.

Does anyone have any advice on where I could check next?


Thanks for any and all advice!

-BT

Attachments

  • CleanShot 2021-11-09 at 16.29.57.png
  • CleanShot 2021-11-10 at 12.56.14.png

Samuel Tai (Moderator)

bttruman
Thank you both for your responses!

Maybe also `getfacl /mnt/Storage/Main/TempShare` since you have a non-standard permission set.

For /mnt/Storage:
Code:
root@tei-nas:~ # getfacl /mnt/Storage
# file: /mnt/Storage
# owner: root
# group: wheel
            owner@:rwxp--aARWcCos:-------:allow
            group@:r-x---a-R-c--s:-------:allow
         everyone@:r-x---a-R-c--s:-------:allow


For /mnt/Storage/Main:
Code:
root@tei-nas:~ # getfacl /mnt/Storage/Main
# file: /mnt/Storage/Main
# owner: TECHNOLOGYENGIN\tei-nasadmin
# group: TECHNOLOGYENGIN\domain admins
            owner@:rwxpDdaARWcCos:fd-----:allow
            group@:rwxpDdaARWc--s:fd-----:allow
         everyone@:--------------:fd-----:allow


And for /mnt/Storage/Main/TempShare:
Code:
root@tei-nas:~ # getfacl /mnt/Storage/Main/TempShare
# file: /mnt/Storage/Main/TempShare
# owner: TECHNOLOGYENGIN\tei-nasadmin
# group: TECHNOLOGYENGIN\domain admins
         everyone@:rwxpDdaARWc---:fd-----:allow
            owner@:rwxpDdaARWcCo-:fd-----:allow
            group@:rwxpDdaARWcCo-:fd-----:allow
         everyone@:--------------:fd-----:allow

And just to show a little comparison, here's a different share that shouldn't be accessible to everyone called Admin:
Code:
root@tei-nas:~ # getfacl /mnt/Storage/Main/Admin
# file: /mnt/Storage/Main/Admin
# owner: TECHNOLOGYENGIN\tei-nasadmin
# group: TECHNOLOGYENGIN\domain admins
            owner@:rwxpDdaARWcCos:fd-----:allow
            group@:rwxpDdaARWc--s:fd-----:allow
user:TECHNOLOGYENGIN\mstinson:rwxpDdaARWcCos:fd-----:allow
group:TECHNOLOGYENGIN\accountingadmin:rwxpDdaARWcCos:fd-----:allow
user:TECHNOLOGYENGIN\qbdataserviceuser22:rwxpDdaARWcCos:fd-----:allow
user:TECHNOLOGYENGIN\qbdataserviceuser25:rwxpDdaARWcCos:fd-----:allow
user:TECHNOLOGYENGIN\teamcity:rwxpDdaARWc--s:fd-----:allow
         everyone@:--------------:fd-----:allow

bttruman
Ah, you cut off traverse rights for anyone who isn't a member of "Domain Admins" in "/mnt/Storage/Main"

Code:
setfacl -a 0 everyone@:xaRc::allow /mnt/Storage/Main
By George, that's done it! Thank you so much!!

Just to recap for anyone that's found this post, I had set the parent dataset's permission to not include Traverse rights for Everyone. So that meant that despite the child dataset having the correct permissions, Users weren't able to get past the parent dataset's permissions in order to check to see if they could access the shares within it.

Such a simple mistake. Thanks again, @anodos!
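The recap above is the whole diagnosis: an SMB client has to traverse every directory between the pool root and the share, and a parent ACL that grants everyone@ nothing stops non-members of the owning group before the child's ACL is ever consulted. The script below is an added example (not code from the thread or from TrueNAS) that models that walk offline: it parses the three getfacl outputs posted above (embedded here as constructed input, not read from a live system), evaluates the NFSv4 execute/traverse bit for a principal on each ancestor using the NFSv4 rule that the first matching ACE naming a bit decides it, reports the first directory that blocks, and then applies the thread's fix (`setfacl -a 0 everyone@:xaRc::allow` on Main) to show the chain opening up. The AD user `jdoe`, the `alice` admin and the `domain users` membership are hypothetical; the model ignores root's bypass and any SMB share-level ACL.

```python
"""Added example: walk a share path's ancestors and check NFSv4 traverse (x)
rights for a principal, from FreeBSD/TrueNAS CORE getfacl output.  Models one
permission bit only: first matching ACE that names the bit wins."""
from collections import namedtuple

# getfacl output as posted in the thread, embedded as constructed test input.
# Raw strings keep the DOMAIN\name backslashes literal.
GETFACL_OUTPUT = {
    "/mnt/Storage": r"""# file: /mnt/Storage
# owner: root
# group: wheel
            owner@:rwxp--aARWcCos:-------:allow
            group@:r-x---a-R-c--s:-------:allow
         everyone@:r-x---a-R-c--s:-------:allow""",
    "/mnt/Storage/Main": r"""# file: /mnt/Storage/Main
# owner: TECHNOLOGYENGIN\tei-nasadmin
# group: TECHNOLOGYENGIN\domain admins
            owner@:rwxpDdaARWcCos:fd-----:allow
            group@:rwxpDdaARWc--s:fd-----:allow
         everyone@:--------------:fd-----:allow""",
    "/mnt/Storage/Main/TempShare": r"""# file: /mnt/Storage/Main/TempShare
# owner: TECHNOLOGYENGIN\tei-nasadmin
# group: TECHNOLOGYENGIN\domain admins
         everyone@:rwxpDdaARWc---:fd-----:allow
            owner@:rwxpDdaARWcCo-:fd-----:allow
            group@:rwxpDdaARWcCo-:fd-----:allow
         everyone@:--------------:fd-----:allow""",
}

# who: owner@/group@/everyone@/user:NAME/group:NAME; kind: allow/deny
Ace = namedtuple("Ace", "who perms flags kind")
Acl = namedtuple("Acl", "owner group aces")
Principal = namedtuple("Principal", "name groups")  # DOMAIN\user, set of DOMAIN\group

def parse_ace(spec):
    """Parse one ACE in getfacl/setfacl syntax: who:perms:flags:type."""
    parts = spec.strip().split(":")
    # 'who' may itself contain a colon (user:NAME), so take fields from the end
    return Ace(":".join(parts[:-3]), parts[-3], parts[-2], parts[-1])

def parse_getfacl(text):
    """Parse getfacl output into owner, owning group and the ordered ACE list."""
    meta, aces = {}, []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("#"):
            key, _, value = line[1:].partition(":")
            meta[key.strip()] = value.strip()
        else:
            aces.append(parse_ace(line))
    return Acl(meta.get("owner", ""), meta.get("group", ""), aces)

def ace_matches(ace, acl, p):
    """Does this ACE's 'who' cover principal p on an object owned by acl.owner/group?"""
    tag, _, name = ace.who.partition(":")
    return (ace.who == "everyone@" or (ace.who == "owner@" and p.name == acl.owner)
            or (ace.who == "group@" and acl.group in p.groups)
            or (tag == "user" and name == p.name) or (tag == "group" and name in p.groups))

def has_perm(acl, p, bit):
    """NFSv4 rule for a single bit: the first matching ACE that names it decides."""
    for ace in acl.aces:
        if "i" in ace.flags:      # inherit_only: applies to children, not this dir
            continue
        if bit in ace.perms and ace_matches(ace, acl, p):
            return ace.kind == "allow"
    return False                  # nothing granted it: implicit deny

def ancestors(path):
    parts = path.strip("/").split("/")
    return ["/" + "/".join(parts[:i]) for i in range(1, len(parts) + 1)]

def first_blocked(path, p, acls):
    """First directory on the way to `path` that denies traverse (x) to `p`,
    or None if the whole chain is traversable.  Directories with no entry in
    `acls` (here /mnt itself) are assumed traversable."""
    for d in ancestors(path):
        if d in acls and not has_perm(acls[d], p, "x"):
            return d
    return None

def insert_ace(acl, spec, index=0):
    """Model `setfacl -a INDEX SPEC PATH`: insert a new ACE at that position."""
    acl.aces.insert(index, parse_ace(spec))

def demo():
    acls = {path: parse_getfacl(out) for path, out in GETFACL_OUTPUT.items()}
    # Hypothetical non-admin AD user; account name and group are made up.
    user = Principal(r"TECHNOLOGYENGIN\jdoe", {r"TECHNOLOGYENGIN\domain users"})
    before = first_blocked("/mnt/Storage/Main/TempShare", user, acls)
    # The fix from the thread: prepend a traverse entry for everyone@ on Main
    insert_ace(acls["/mnt/Storage/Main"], "everyone@:xaRc::allow", 0)
    after = first_blocked("/mnt/Storage/Main/TempShare", user, acls)
    return before, after

if __name__ == "__main__":
    blocked, fixed = demo()
    print("blocked at:", blocked, "| after fix:", fixed)
```

On a real box the equivalent check is simply `getfacl` on each component of the share path, top down, looking for an entry that gives the user (directly, via group@, or via everyone@) the `x` bit; `-a 0` matters because an earlier `deny` naming `x` would override a later `allow`, which the `has_perm` ordering reproduces.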