SMB shares and AD users

techie211 (Cadet)
Hello all,
New here and new to TrueNAS. Hoping someone can help me. I have a domain running with all the goodies: AD, DNS, DHCP, etc. I synced AD in TrueNAS and can see all users/groups via a shell command, and I created an SMB share which can be seen on a user's Win10 box, but my issue is I can't access the shared folder (getting the "do not have permissions" error), and I also don't see where I can grant permissions for specific users/groups in TrueNAS. Is there a section in TrueNAS where there's a dropdown that lists all the users? I've done a Google search but all the ones I've come across only describe how to share for a local setup. Any help is appreciated.
 

anodos (Sambassador, iXsystems)
The ACL editor should allow you to select AD users, but the local user/group cache may take time to be built up. Try running the command getent group and check the output for the name of the AD group you're interested in, and then type it into the GUI ACL editor as you see it there, typically 'DOMAIN\username'. Best results are typically obtained by choosing to set an explicit entry ("group" rather than "group@").
 

techie211 (Cadet)
Thanks for the reply. I'm not getting any AD group listed:

wheel:*:0
daemon:*:1
kmem:*:2
sys:*:3
tty:*:4
operator:*:5:uucp
mail:*:6
bin:*:7
news:*:8
man:*:9
games:*:13
ftp:*:14
staff:*:20
sshd:*:22
smmsp:*:25
mailnull:*:26
guest:*:31
bind:*:53
proxy:*:62
authpf:*:63
_pflogd:*:64
_dhcp:*:65
uucp:*:66
dialer:*:68
network:*:69
audit:*:77
ladvd:*:78
www:*:80
ntpd:*:123
avahi:*:200
messagebus:*:201
nslcd:*:389
consul:*:469
nomad:*:472
minio:*:473
builtin_administrators:*:544
builtin_users:*:545
builtin_guests:*:546
webdav:*:666
hast:*:845
TEch:*:1000
nogroup:*:65533
nobody:*:65534
media:*:8675309
 

anodos (Sambassador, iXsystems)
Which shell command? wbinfo -u? This indicates that there's an issue with nsswitch.conf or the winbindd idmap configuration. Did you join through the GUI or shell commands? What's the output of cat /etc/nsswitch.conf and testparm -s?
 

techie211 (Cadet)
*** cat /etc/nsswitch.conf output ***
group: files ldap winbind
hosts: files dns
networks: files
passwd: files ldap winbind
shells: files
services: files
protocols: files
rpc: files
sudoers: files

*** testparm -s output ***
Load smb config files from /usr/local/etc/smb4.conf
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER

# Global parameters
[global]
aio max threads = 2
bind interfaces only = Yes
client ldap sasl wrapping = seal
disable spoolss = Yes
dns proxy = No
domain master = No
enable web service discovery = Yes
interfaces = 127.0.0.1 10.x.x.x
kerberos method = secrets and keytab
kernel change notify = No
load printers = No
local master = No
logging = file
max log size = 51200
netbios aliases = truenas01
netbios name = RSD-TRUENAS
nsupdate command = /usr/local/bin/samba-nsupdate -g
preferred master = No
realm = <domain>
registry shares = Yes
restrict anonymous = 2
security = ADS
server role = member server
server string = TrueNAS Server
template shell = /bin/sh
unix extensions = No
winbind cache time = 7200
winbind enum groups = Yes
winbind enum users = Yes
winbind max domain connections = 10
workgroup = <domain>
idmap config *: range = 90000001-100000000
idmap config * : backend = tdb
directory name cache size = 0
dos filemode = Yes


[TEch]
ea support = No
kernel share modes = No
path = /mnt/PE R630 Pool-1/tech
posix locking = No
read only = No
vfs objects = aio_fbsd streams_xattr shadow_copy_zfs ixnas
nfs4:chown = true
 

techie211 (Cadet)
Yes, that command. I joined through the GUI. I've included the outputs from both commands.
 

anodos (Sambassador, iXsystems)
Looks like the LDAP directory service is enabled and interfering with the AD service. Try disabling the LDAP service and then running the following two commands:
midclt call activedirectory.stop followed by midclt call activedirectory.start
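A small diagnostic that encodes the checks made in this thread, added here as an example (not TrueNAS or iXsystems code): it parses nsswitch.conf and getent group output, flags the two conditions seen above (ldap and winbind both listed for passwd/group, and no DOMAIN\group entries from winbind), and verifies that any AD group GIDs fall inside the idmap range from the posted testparm output. The sample inputs are constructed to mimic the posted outputs, the "fixed" nsswitch.conf is an assumed post-fix state, and EXAMPLE is a placeholder domain.

```python
"""Diagnostic for the symptom in this thread (AD groups absent from getent).
Added example, not TrueNAS/iXsystems code; inputs are constructed samples."""
import re
# Constructed: nsswitch.conf as posted (ldap and winbind both listed) and an assumed fixed state
NSSWITCH_BROKEN = "group: files ldap winbind\npasswd: files ldap winbind\n"
NSSWITCH_FIXED = "group: files winbind\npasswd: files winbind\n"
# Constructed: abbreviated 'getent group' output before/after restarting the AD service
GETENT_BEFORE = "wheel:*:0\nbuiltin_users:*:545\nTEch:*:1000\n"
GETENT_AFTER = GETENT_BEFORE + "EXAMPLE\\domain users:*:90000513\nEXAMPLE\\tech:*:90001105\n"
IDMAP_RANGE = (90000001, 100000000)  # from the posted 'idmap config * : range'

def nss_sources(nsswitch_text, database):
    """Ordered sources for one database line, e.g. ['files', 'ldap', 'winbind']."""
    for line in nsswitch_text.splitlines():
        m = re.match(r"^\s*(\w+)\s*:\s*(.*)$", line)
        if m and m.group(1) == database:
            return m.group(2).split()
    return []

def ad_groups(getent_text):
    """(name, gid) for entries carrying a DOMAIN\\ prefix, i.e. supplied by winbind."""
    out = []
    for line in getent_text.splitlines():
        f = line.split(":")
        if len(f) >= 3 and "\\" in f[0] and f[2].isdigit():
            out.append((f[0], int(f[2])))
    return out

def diagnose(nsswitch_text, getent_text, idmap_range=IDMAP_RANGE):
    """Return a list of findings; an empty list means the AD name service looks healthy."""
    findings = []
    for db in ("passwd", "group"):
        srcs = nss_sources(nsswitch_text, db)
        if "winbind" not in srcs:
            findings.append(f"{db}: winbind missing from nsswitch.conf")
        elif "ldap" in srcs:
            findings.append(f"{db}: ldap and winbind both enabled; disable the LDAP service")
    groups = ad_groups(getent_text)
    if not groups:
        findings.append("getent group: no DOMAIN\\group entries, winbind is not resolving AD")
    lo, hi = idmap_range
    for name, gid in groups:  # a gid outside the range points at an idmap backend problem
        if not lo <= gid <= hi:
            findings.append(f"{name}: gid {gid} outside idmap range {lo}-{hi}")
    return findings

if __name__ == "__main__":
    print("before fix:", diagnose(NSSWITCH_BROKEN, GETENT_BEFORE))
    print("after fix:", diagnose(NSSWITCH_FIXED, GETENT_AFTER))
```

On a live system, replace the constructed strings with the output of cat /etc/nsswitch.conf and getent group.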
 

techie211 (Cadet)
OK, after stopping/starting that service I now see <domain>\'group' after running the 'getent group' command.
 