SMB share broken by implementing Active Directory Domain Controller

Do you have unexplained / unresolvable issues with FreeNAS SMB Shares?

  • yes: 4 votes (50.0%)
  • no: 2 votes (25.0%)
  • intermittently: 1 vote (12.5%)
  • used to but someone here helped me figure it out: 1 vote (12.5%)
  • used to but I slammed my head against the keyboard until it started working: 0 votes (0.0%)
  • Total voters: 8
Status
Not open for further replies.

averyfreeman (Contributor; joined Feb 8, 2015; 164 messages)
Hi,

So I have set up Active Directory on my FreeNAS box and now I can't access the share I used to have.

I tried to set up a new dataset from scratch and I can't access that, either.

ZFS dataset permissions have an AD user as the owner and DOMAIN\Domain Users as group.

Nothing I do seems to help. I have followed at least 3 guides, 2 versions of the manual, tried to access the share through the MMC console, etc. I've been at it for the entire day and it's driving me crazy.

I am logged into AD just fine, wbinfo -u -g -t all work great, and I can see the names on the AD server from the ZFS dataset permissions menu.

I've tried EVERYTHING I can think of: Changing the SMB protocol version, binding, not binding, manually allowing different hosts or IP wildcards, different default directory and file masks, etc.

I'm starting to seriously wonder if there isn't some sort of bug that's just going to make this impossible.

Any ideas?

Attachments: dataset_permissions.PNG, smb_share_error.PNG

EDIT: I removed the part of this post where I had dumped my config, the settings had been through so many iterations I had no idea where I started. I'll post my testparm dump in another post from a cleaner FreeNAS install.
 

averyfreeman (Contributor)
The error is reproducible:

I set up another install of FreeNAS 11-u1 on a different VMDK file linking to the same dataset and re-set up everything, following this guide to the word:

https://www.mai-hawaii.com/FreeNAS-AD/FreeNAS_9.3.x_setup

Although this guide is on an outside site, it's essentially the same as the one in the forum, just for a newer version of FreeNAS (9.3 vs 9.1). I followed the two of them together doing as little to change the defaults as possible.

Cannot access SMB share even though I'm logged into the Windows Domain as the user who owns the dataset, and the group is set to my domain user's primary group:

Code:
root@freenas:/mnt/tank # ls -la
drwxrwxr-x+ 22 HAPPY\avery  HAPPY\domain users	32 Jul 18 22:14 Avery
root@freenas:/mnt/tank #



end of /var/log/debug.log:

Code:
Jul 18 22:24:57 freenas uwsgi: [ws4py:360] Closing message received (1000) 'b'''
Jul 18 22:25:22 freenas sshd[16230]: pam_winbind(sshd): valid_user: wbcGetpwnam gave WBC_ERR_DOMAIN_NOT_FOUND


EDIT: Jul 20: Here's my testparm dump:

Code:
Welcome to FreeNAS
root@freenas:~ # testparm
Load smb config files from /usr/local/etc/smb4.conf
Processing section "[Avery]"
Processing section "[TestShare]"
Processing section "[homes]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER

Press enter to see a dump of your service definitions

# Global parameters
[global]
		dos charset = CP437
		multicast dns register = No
		realm = DOMAIN.COM
		server string = FreeNAS Server
		workgroup = DOMAIN
		domain master = No
		lm announce = Yes
		local master = No
		preferred master = No
		nsupdate command = /usr/local/bin/samba-nsupdate -g
		client ldap sasl wrapping = plain
		logging = file
		max log size = 51200
		kernel change notify = No
		panic action = /usr/local/libexec/samba/samba-backtrace
		pid directory = /var/run/samba
		disable spoolss = Yes
		load printers = No
		printcap name = /dev/null
		server min protocol = SMB2
		allow trusted domains = No
		map to guest = Bad User
		obey pam restrictions = Yes
		security = ADS
		server role = member server
		deadtime = 15
		hostname lookups = Yes
		max open files = 234812
		template homedir = /mnt/tank/homes/%D/%U
		template shell = /bin/sh
		winbind cache time = 7200
		winbind enum groups = Yes
		winbind enum users = Yes
		winbind offline logon = Yes
		winbind refresh tickets = Yes
		dns proxy = No
		idmap config happy: range = 20000-90000000
		idmap config happy: backend = rid
		idmap config *: range = 90000001-100000000
		idmap config * : backend = tdb
		store dos attributes = Yes
		strict locking = No
		directory name cache size = 0
		dos filemode = Yes
		acl allow execute always = Yes
		ea support = Yes
		create mask = 0666
		directory mask = 0777


[Avery]
		path = "/mnt/tank/Avery"
		veto files = /.snapshot/.windows/.mac/.zfs/
		read only = No
		vfs objects = zfs_space zfsacl streams_xattr aio_pthread
		zfsacl:acesort = dontcare
		nfs4:chown = true
		nfs4:acedup = merge
		nfs4:mode = special


[TestShare]
		path = "/mnt/tank/TestShare"
		veto files = /.snapshot/.windows/.mac/.zfs/
		read only = No
		vfs objects = zfs_space zfsacl streams_xattr aio_pthread
		zfsacl:acesort = dontcare
		nfs4:chown = true
		nfs4:acedup = merge
		nfs4:mode = special


[homes]
		comment = Home Directories
		path = "/mnt/tank/homes/%D/%U"
		veto files = /.snapshot/.windows/.mac/.zfs/
		read only = No
		valid users = %D\%U
		vfs objects = zfs_space zfsacl streams_xattr aio_pthread
		zfsacl:acesort = dontcare
		nfs4:chown = true
		nfs4:acedup = merge
		nfs4:mode = special
root@freenas:~ #


Now at this point, I can access the share fine from \\freenas.local

'Avery' dataset/share works fine. Homes points back to 'Avery' when logged in as Avery. Tried to log in as another user and it doesn't work.

Things are getting better but I'm still confused.
1) Why does \\freenas.local work but not \\freenas or \\freenas.domain.com ? I have avahi turned off and .local is not the name of the domain.

2) How do I set up homes so it can be accessed by everyone and each person has their own folder inside it?
 

anodos (Sambassador, iXsystems; joined Mar 6, 2014; 9,554 messages)

averyfreeman (Contributor)
I'd like to figure out why this is the case, and what I can do to fix it. If I have to map AD users to UNIX users using this global argument, it means I'd have to link a user for every share I want to create.

I managed to get sharing to work without
# net rpc rights grant 'DOMAIN\(Desired Group)' SeDiskOperatorPrivilege -U'DOMAIN\(Desired User)'

Seems like I just need to go to the FQDN of the FreeNAS box. Still need the username map though.

Any ideas?

EDIT: I had mapped SeDiskOperatorPrivilege to DOMAIN\Domain Users through a username map linked in [Global]. I do not recommend anyone else do that, it was a mistake.
 

anodos (Sambassador, iXsystems)
Quote (averyfreeman):
I'd like to figure out why this is the case, and what I can do to fix it. If I have to map AD users to UNIX users using this global argument, it means I'd have to link a user for every share I want to create.

That's wrong. There's no need to do that.

Run the command net rpc rights list accounts --user=DOMAIN\\<domain admin user>
You will see a breakdown of rights granted to each user. BUILTIN\Administrators will have SeDiskOperatorPrivilege
Now run the command net groupmap list. You'll see that BUILTIN\Administrators is mapped to SID S-1-5-32-544.
Now run the command net usersidlist. You'll see that the user accounts that are members of Domain Admins will have the SID S-1-5-32-544.
Any user that has the SID S-1-5-32-544 automatically has SeDiskOperatorPrivilege.

Quote (averyfreeman):
I managed to get sharing to work without
# net rpc rights grant 'DOMAIN\(Desired Group)' SeDiskOperatorPrivilege -U'DOMAIN\(Desired User)'

That is a bad idea. You don't want your users to have SeDiskOperatorPrivilege.

Quote (averyfreeman):
Any ideas?

It seems like you went through an outdated guide on $randomwebsite and maybe ended up with a broken config. I can't say for sure what is wrong without seeing a debug tarball. I can't view private bugs on the FreeNAS bugtracker.
 

anodos (Sambassador, iXsystems)
Try removing the hosts allow = 0.0.0.0 parameter from your share. Most likely it's what is locking you out of the share.
 

averyfreeman (Contributor)
I ran:

Code:
net rpc rights list accounts --user=DOMAIN\\user


I see the privileges assigned to different groups and accounts. Yes, looks like domain users have SeDiskOperatorPrivilege, so I will have to fix that. This server is not in production so OK for now.

Thanks for the help
 

averyfreeman (Contributor)
OK, back. So here's the results:

Code:
# net groupmap list

user (S-1-5-21-704179525-522738183-1905452507-1001) -> users

Administrators (S-1-5-32-544) -> BUILTIN\administrator

Users (S-1-5-32-545) -> BUILTIN\users


Looks like BUILTIN\Users is S-1-5-32-545 and BUILTIN\Administrators is S-1-5-32-544. These are unique identifiers I take it?

The user I was trying to use to connect to the share is a member of the Administrators group in AD.

How do I PM you a debug.log?
 

anodos (Sambassador, iXsystems)
Your posts are a bit confusing. The smb.conf you posted indicates that you have set hosts allow = 0.0.0.0 on your share, and that your server is an AD member server (not domain controller). Please provide details about your network / plans. Are you joining the FreeNAS server to an existing domain as a member server or are you trying to configure FreeNAS as an AD DC?
 

averyfreeman (Contributor)
More info:

If I try to run net rpc, etc. commands as root I get errors. For instance,

Code:

root@freenas:~ # net rpc rights list
Enter root's password:
Bad SMB2 signature for message
[0000] 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
[0000] CD 6C 68 94 C6 B9 4B 35   93 34 23 D2 81 C8 E1 BE   .lh...K5 .4#.....
Could not connect to server 127.0.0.1
Connection failed: NT_STATUS_ACCESS_DENIED



But if I SSH in using a domain user I can run them fine:

Code:

$ net rpc rights list
Enter DOMAIN\administrator's password:
	 SeMachineAccountPrivilege  Add machines to domain
	  SeTakeOwnershipPrivilege  Take ownership of files or other objects
			 SeBackupPrivilege  Back up files and directories
			SeRestorePrivilege  Restore files and directories
	 SeRemoteShutdownPrivilege  Force shutdown from a remote system
	  SePrintOperatorPrivilege  Manage printers
		   SeAddUsersPrivilege  Add users and groups to the domain
	   SeDiskOperatorPrivilege  Manage disk shares
		   SeSecurityPrivilege  System security

 

averyfreeman (Contributor)
And even more:

So I have taken out username map = from the auxiliary parameters and I can access the share in Windows now, but it has to be from freenas.local. Can't be \\freenas or \\freenas.domain.com - those both stopped working. But \\freenas.local seems to be ok. Strange because I turned avahi off.

Also tried downgrading to SMB2 as per bug mentioned in this thread: https://forums.freenas.org/index.ph...b2-signature-for-message-after-upgrade.18323/

Will turn it back to SMB3 because I am still getting:
Code:
root@freenas:~ # net rpc rights list --user=HAPPY\administrator
Enter HAPPYadministrator's password:
Bad SMB2 signature for message
[0000] 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
[0000] 8B B4 B1 B0 0B 52 9B 87   E3 1C 0E 57 3B EC 7F 12   .....R.. ...W;...
Could not connect to server 127.0.0.1
Connection failed: NT_STATUS_ACCESS_DENIED


Even when trying to execute net commands as a domain user from the local account. Not sure what that's about, any ideas?

Oh, I also changed the root tank directory to windows permissions but I left the owner root:wheel. Do you think that may have been why I couldn't access it initially?
 

averyfreeman (Contributor)
One last thing:

Now that I've gotten rid of the username map in [Global] I also cannot manage the computer in my RSAT MMC (Computer Management - compmgmt.msc) using either \\freenas or \\freenas.happy.hut. A lookup of computers still shows \\freenas and when it tries to connect it renames it the FQDN \\freenas.domain.com. BUT, if I manually connect to \\freenas.local in Computer Management I can manage it (the shares, users, etc.) just like before.

This is very strange.
 

averyfreeman (Contributor)
Oh jesus. It gets weirder.

OK, I put SMB3 back on as max protocol and SMB2 as min. Fileshare still working.

Now I'm finding out that if I use user@domain.com for net commands they work fine from a local user. Trying the old NT style domain credentials (DOMAIN\user) does not work. Example:

Code:
root@freenas:~ # net rpc rights list accounts --user=administrator@domain.com
Enter administrator@domain.com's password:
BUILTIN\Print Operators
No privileges assigned

BUILTIN\Account Operators
No privileges assigned

BUILTIN\Backup Operators
No privileges assigned

S-1-5-21-704179525-522738183-1905452507-3002
SeTakeOwnershipPrivilege
SeBackupPrivilege
SeRestorePrivilege

BUILTIN\Server Operators
No privileges assigned

BUILTIN\Administrators
SeMachineAccountPrivilege
SeTakeOwnershipPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeRemoteShutdownPrivilege
SePrintOperatorPrivilege
SeAddUsersPrivilege
SeDiskOperatorPrivilege
SeSecurityPrivilege
SeSystemtimePrivilege
SeShutdownPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeSystemProfilePrivilege
SeProfileSingleProcessPrivilege
SeIncreaseBasePriorityPrivilege
SeLoadDriverPrivilege
SeCreatePagefilePrivilege
SeIncreaseQuotaPrivilege
SeChangeNotifyPrivilege
SeUndockPrivilege
SeManageVolumePrivilege
SeImpersonatePrivilege
SeCreateGlobalPrivilege
SeEnableDelegationPrivilege

Everyone
No privileges assigned

S-1-5-21-704179525-522738183-1905452507-1000
SeTakeOwnershipPrivilege
SeBackupPrivilege
SeRestorePrivilege

HAPPY\Domain Users
SeDiskOperatorPrivilege
 
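As an added example, not code from the thread or from FreeNAS/Samba, here is a small sh/awk audit of the `net rpc rights list accounts` output format posted above. It lists which accounts hold SeDiskOperatorPrivilege besides BUILTIN\Administrators, the check anodos describes earlier in the thread; the sample block is constructed and its domain SID is a placeholder.

```shell
#!/bin/sh
# Audit which accounts hold a given privilege in the output of
# "net rpc rights list accounts": blank-line-separated blocks, each an
# account name followed by its privileges (or "No privileges assigned").

# Constructed sample in that format (not captured from a live server;
# the domain SID below is a placeholder).
SAMPLE_RIGHTS='BUILTIN\Print Operators
No privileges assigned

BUILTIN\Administrators
SeMachineAccountPrivilege
SeDiskOperatorPrivilege
SeSecurityPrivilege

Everyone
No privileges assigned

S-1-5-21-111-222-333-1000
SeTakeOwnershipPrivilege
SeBackupPrivilege

HAPPY\Domain Users
SeDiskOperatorPrivilege'

# holders_of PRIV: print every account on stdin whose block lists PRIV.
holders_of() {
    awk -v priv="$1" '
        BEGIN { RS = ""; FS = "\n" }   # one record per blank-line block
        {
            for (i = 2; i <= NF; i++)
                if ($i == priv) { print $1; break }
        }'
}

# unexpected_holders PRIV: holders other than BUILTIN\Administrators,
# which is expected to hold it on every Samba member server.
unexpected_holders() {
    holders_of "$1" | grep -v '^BUILTIN\\Administrators$'
}

# Against the sample this prints "HAPPY\Domain Users". On a live server,
# pipe in the output of: net rpc rights list accounts --user=DOMAIN\\admin
printf '%s\n' "$SAMPLE_RIGHTS" | unexpected_holders SeDiskOperatorPrivilege
```

Any account the script prints is one that can create and modify shares on the server, which is exactly the state the thread warns against for Domain Users.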

anodos (Sambassador, iXsystems)
Quote (averyfreeman):
More info:

If I try to run net rpc, etc. commands as root I get errors. For instance,

Code:

root@freenas:~ # net rpc rights list
Enter root's password:
Bad SMB2 signature for message
[0000] 00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
[0000] CD 6C 68 94 C6 B9 4B 35   93 34 23 D2 81 C8 E1 BE   .lh...K5 .4#.....
Could not connect to server 127.0.0.1
Connection failed: NT_STATUS_ACCESS_DENIED



But if I SSH in using a domain user I can run them fine:

Code:

$ net rpc rights list
Enter DOMAIN\administrator's password:
	 SeMachineAccountPrivilege  Add machines to domain
	  SeTakeOwnershipPrivilege  Take ownership of files or other objects
			 SeBackupPrivilege  Back up files and directories
			SeRestorePrivilege  Restore files and directories
	 SeRemoteShutdownPrivilege  Force shutdown from a remote system
	  SePrintOperatorPrivilege  Manage printers
		   SeAddUsersPrivilege  Add users and groups to the domain
	   SeDiskOperatorPrivilege  Manage disk shares
		   SeSecurityPrivilege  System security


That's expected behavior.
 

anodos (Sambassador, iXsystems)
Quote (averyfreeman):
OK, back. So here's the results:

Code:
# net groupmap list

user (S-1-5-21-704179525-522738183-1905452507-1001) -> users

Administrators (S-1-5-32-544) -> BUILTIN\administrator

Users (S-1-5-32-545) -> BUILTIN\users


Looks like BUILTIN\Users is S-1-5-32-545 and BUILTIN\Administrators is S-1-5-32-544. These are unique identifiers I take it?

The user I was trying to use to connect to the share is a member of the Administrators group in AD.

How do I PM you a debug.log?

Those are BUILTIN SIDs on every Windows system.
 

averyfreeman (Contributor)
Quote (anodos):
That's expected behavior.

Oh, OK, good. Yeah, this is the first time I've tried to set up AD so I'm pretty much flying blind. Lots of reading.
 

averyfreeman (Contributor)
Quote (anodos):
Your posts are a bit confusing. The smb.conf you posted indicates that you have set hosts allow = 0.0.0.0 on your share, and that your server is an AD member server (not domain controller). Please provide details about your network / plans. Are you joining the FreeNAS server to an existing domain as a member server or are you trying to configure FreeNAS as an AD DC?

This is what I said in the second post:

Quote (averyfreeman, earlier post):
I set up another install of FreeNAS 11-u1 on a different VMDK file linking to the same dataset and re-set up everything,

The guide I followed is essentially the same as the one in the forum, it's just been updated a bit for 9.3 (newest one I could find).

I'll go back and clean some of this stuff up so it's not confusing to other people.
 

averyfreeman (Contributor)
Quote (anodos):
Perhaps that means the guide is outdated or wrong or that you misconfigured FreeNAS in a way that's not covered in the guide you found.

The guide is definitely outdated (for 9.3) but it was newer than the one in the FreeNAS forums (for 9.1.2.5). I basically followed both of them together (if I remember correctly, the forum post linked to it).
 