fredbourdelier
Dabbler
- Joined
- Sep 11, 2022
- Messages
- 27
I've seen some similar questions, but not this exact scenario. Hopefully this one is easy to solve.
To start, let's avoid the 1000 word description and skip to the picture:
We're using SMB shares and TrueNAS with AD sync. Behavior is 90% correct as far as users/shares and what they can see, so I have to believe I'm missing something in a permission somewhere.
More specifically:
We have a Domain Admin - someone who's authorized to see the root of the data set and the SMB share we set up at the root (MFGDATA is the data set, SH_MFG_ROOT is the share). Permissions on the root share are set up the way you'd expect:
MFG admins and Domain Admins (plus backup/restore functions) can access the root share, and no one else. Works - as expected.
We have another share (LDLS_PROCESSDATA_TLS) which is a subfolder a couple of layers down from that root. As expected, the domain admin can see it.
/////////////////////////////////
Now: we have a domain user, let's call him Lester.
Lester is a domain user, and a member of a couple of security groups - but not an admin.
Of particular significance for this issue is the membership in SG_ETI_TLSTEST_RW, because this happens to be the security group with permission to that LDLS_PROCESSDATA_TLS share:
As you can see, Windows reports the group (and thus Lester, we hope) should have R/W permission as we expect. This is reported through Windows security manager (by the admin user, whose permissions work) so we can see that both the AD link and the security permissions for the folder are being seen by Windows as we expect.
Side Comment: You'll also notice that DOMAIN ADMINS group is in there - I tried adding it to see if Domain Users group would make the share work for Lester - didn't change the behavior at all - still fails - so just ignore it.
However, Lester can't access the share:
The admin CAN see the contents of the share:
This is NOT the expected behavior
In TrueNAS, at the data set level (MFGDATA) and the root share (SH_MFG_ROOT), beyond permissions for admins etc, domain users have traverse permission
Full Share and file ACL for the LDLS_PROCESSDATA_TLS share that doesn't work for Lester:
(Lester is a member of this security group - and should have access because of membership here)
CONFIG:
Fred
To start, let's avoid the 1000 word description and skip to the picture:
We're using SMB shares and TrueNAS with AD sync. Behavior is 90% correct as far as users/shares and what they can see, so I have to believe I'm missing something in a permission somewhere.
More specifically:
We have a Domain Admin - someone who's authorized to see the root of the data set and the SMB share we set up at the root (MFGDATA is the data set, SH_MFG_ROOT is the share). Permissions on the root share are set up the way you'd expect:
MFG admins and Domain Admins (plus backup/restore functions) can access the root share, and no one else. Works - as expected.
We have another share (LDLS_PROCESSDATA_TLS) which is a subfolder a couple of layers down from that root. As expected, the domain admin can see it.
/////////////////////////////////
Now: we have a domain user, let's call him Lester.
Lester is a domain user, and a member of a couple of security groups - but not an admin.
Of particular significance for this issue is the membership in SG_ETI_TLSTEST_RW, because this happens to be the security group with permission to that LDLS_PROCESSDATA_TLS share:
As you can see, Windows reports the group (and thus Lester, we hope) should have R/W permission as we expect. This is reported through Windows security manager (by the admin user, whose permissions work) so we can see that both the AD link and the security permissions for the folder are being seen by Windows as we expect.
Side Comment: You'll also notice that DOMAIN ADMINS group is in there - I tried adding it to see if Domain Users group would make the share work for Lester - didn't change the behavior at all - still fails - so just ignore it.
However, Lester can't access the share:
The admin CAN see the contents of the share:
This is NOT the expected behavior
In TrueNAS, at the data set level (MFGDATA) and the root share (SH_MFG_ROOT), beyond permissions for admins etc, domain users have traverse permission
Full Share and file ACL for the LDLS_PROCESSDATA_TLS share that doesn't work for Lester:
(Lester is a member of this security group - and should have access because of membership here)
CONFIG:
- Dell R730XD
- 2x Xeon E5-2690 14 core @ 2.6G
- 768 GB ECC DDR4-25600
- 2@Seagate Nytro 960GB SAS SSD 12GB (boot) [HW raid mirror]
- 4@WD200 3.84GB SAS SSD 12GB (MAIN_SSD_POOL) [HBA / TNAS Zdev2)
- 12@Seagate Exos x18 18TB SAS 12GB (MAIN_HDD_POOL) [HBA / TNAS Zdev2]
- DELL PERC H730p mini SAS split bus 8+8 1GB cache
- 2@DELL 1GB copper (builtin)
- 2@DELL 10GB copper (builtin)
- 1@2 port DELL 0xGRFF 10GB SFP+ (add on)
- TrueNAS CORE 13.0-U4 (updated 4/5/23)
Fred