
SMB Trusted Domain Sharing


turboaaa

Member
Joined
Dec 31, 2017
Messages
35
Trying to create an SMB share for Windows clients on different domains. Currently the share permissions are set for domain users on the domain FreeNAS is enrolled in. Normally I use authenticated users to allow users from other domains to connect, but I am unable to add this group in the wizard.

Active Directory settings have "Allow Trusted Domains" checked and "Use Default Domain" unchecked.

FREENAS-MINI-XL
OS Version:
FreeNAS-11.2-U6
(Build Date: Sep 17, 2019 0:16)
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
6,651
> Trying to create an SMB share for Windows clients on different domains. Currently the share permissions are set for domain users on the domain FreeNAS is enrolled in. Normally I use authenticated users to allow users from other domains to connect, but I am unable to add this group in the wizard.
>
> Active Directory settings have "Allow Trusted Domains" checked and "Use Default Domain" unchecked.
>
> FREENAS-MINI-XL
> OS Version:
> FreeNAS-11.2-U6
> (Build Date: Sep 17, 2019 0:16)
If you're configuring trusted domains, you _must_ generate an explicit idmap configuration for the trusted domain and add it as a series of auxiliary parameters under Services->SMB. Although it is possible to use "authenticated users" to grant these permissions, it is better on FreeNAS to add explicit entries granting access to "DOMAIN1\domain users" and "DOMAIN2\domain users" if you want to grant access to domain users from both domains. The reason for this is that the mapping of "AUTHENTICATED_USERS" to a local unix group is stored in /var/db/samba4/winbindd_idmap.tdb, which is not guaranteed to survive boot device failure or system restoration from a backed-up config file.
 

turboaaa

Member
Joined
Dec 31, 2017
Messages
35
Thanks for pointing me in the right direction, looks like I have some reading to do on the auxiliary parameters.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
6,651
> Thanks for pointing me in the right direction, looks like I have some reading to do on the auxiliary groups.

You can type "testparm -s" in the shell to see your current running smb.conf file. There are a series of "idmap" parameters that contain the short-form of the name of the AD domain you've joined. These are the ones you want for your trusted domain. You just need to make sure the low and high ranges don't overlap the ranges for the default domain (*) and your primary domain.

Once you have configured your server for access from the trusted domain, you will need to clear the winbindd resolver cache and the webui cache.
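An added example, not from this thread or from iXsystems, of the range check anodos describes: it pulls every "idmap config <DOMAIN> : range" line out of a Samba config (what `testparm -s` prints) and reports any pair of ranges that overlap. The two smb.conf fragments, the domain names CORP and TRUSTED, and the numbers are constructed for the example; the `*` and primary-domain ranges mirror the layout a FreeNAS 11.2 AD join produces, but check your own `testparm -s` output rather than assuming them.

```shell
#!/bin/sh
# Added example (not from the thread): verify that the idmap ranges for "*",
# the primary domain and any trusted domain do not overlap. Overlapping ranges
# let two different SIDs map to the same unix uid/gid, which breaks the
# per-domain ACL entries anodos recommends.

# Constructed sample: joined to CORP, with a TRUSTED range placed inside CORP's.
SMB_CONF_BAD='[global]
    idmap config * : backend = tdb
    idmap config * : range = 90000001 - 100000000
    idmap config CORP : backend = rid
    idmap config CORP : range = 20000 - 90000000
    idmap config TRUSTED : backend = rid
    idmap config TRUSTED : range = 50000 - 60000'

# Same setup with the TRUSTED range moved above everything else.
SMB_CONF_OK='[global]
    idmap config * : backend = tdb
    idmap config * : range = 90000001 - 100000000
    idmap config CORP : backend = rid
    idmap config CORP : range = 20000 - 90000000
    idmap config TRUSTED : backend = rid
    idmap config TRUSTED : range = 100000001 - 110000000'

# Reads a config on stdin, prints each range, reports overlaps; exit 1 on any problem.
check_idmap_ranges() {
    awk '
    /idmap config[ \t]*[^:]*:[ \t]*range[ \t]*=/ {
        line = $0
        sub(/^[ \t]*idmap config[ \t]*/, "", line)   # "CORP : range = 20000 - 90000000"
        dom = line; sub(/[ \t]*:.*$/, "", dom)       # "CORP"
        rng = line; sub(/^.*=[ \t]*/, "", rng)       # "20000 - 90000000"
        gsub(/[ \t]/, "", rng)
        split(rng, b, "-")
        n++; name[n] = dom; lo[n] = b[1] + 0; hi[n] = b[2] + 0
        printf "range %-8s %d-%d\n", dom, lo[n], hi[n]
        if (lo[n] >= hi[n]) { printf "BAD %s: low must be below high\n", dom; bad = 1 }
    }
    END {
        # Two closed intervals overlap when each one starts before the other ends.
        for (i = 1; i <= n; i++)
            for (j = i + 1; j <= n; j++)
                if (lo[i] <= hi[j] && lo[j] <= hi[i]) {
                    printf "OVERLAP %s (%d-%d) and %s (%d-%d)\n", name[i], lo[i], hi[i], name[j], lo[j], hi[j]
                    bad = 1
                }
        if (n == 0) { print "no idmap ranges found"; bad = 1 }
        exit (bad ? 1 : 0)
    }'
}

# On a live FreeNAS box:  testparm -s 2>/dev/null | check_idmap_ranges
printf '%s\n' "$SMB_CONF_BAD" | check_idmap_ranges || echo "fix the ranges before clearing the winbindd cache"
```

Run it against `testparm -s` after adding the auxiliary parameters and again after the service restart, since the check only sees what Samba actually loaded.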
 

turboaaa

Member
Joined
Dec 31, 2017
Messages
35
One of my mounts already allowed users from more than one domain to connect. When I was comparing the permissions on the datasets I found that the one that worked had the following. Copying it to the other data set granted access and things started working. I was able to use the ACLs within the dataset to further restrict access.

setfacl -m everyone@:r-x---a-R-c---:fd-----:allow

I understand the read and execute, and I think "a" is for reading attributes. Do you know the meaning of "R", "c", and "fd"? What are the implications of doing this that I may be overlooking?
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
6,651
> One of my mounts already allowed users from more than one domain to connect. When I was comparing the permissions on the datasets I found that the one that worked had the following. Copying it to the other data set granted access and things started working. I was able to use the ACLs within the dataset to further restrict access.
>
> setfacl -m everyone@:r-x---a-R-c---:fd-----:allow
>
> I understand the read and execute, and I think "a" is for reading attributes. Do you know the meaning of "R", "c", and "fd"? What are the implications of doing this that I may be overlooking?
R - read extended attributes, c - read permissions, f - file inherit, d - directory inherit. These are covered here: https://www.ixsystems.com/community/threads/methods-for-fine-tuning-samba-permissions.50739/
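An added example, not from the thread, that decodes the compact NFSv4 ACE string used with `setfacl -m` on FreeNAS/FreeBSD into the names anodos gives above, and answers the "what am I overlooking" question with a check that the entry grants read-type bits only. The letter positions follow setfacl(1) on FreeBSD (permissions r w x p d D a A R W c C o s, inheritance flags f d i n S F I); the function names and the full-access sample ACE are my own.

```shell
#!/bin/sh
# Added example (not from the thread): decode a compact NFSv4 ACE of the form
#   <principal>:<14 permission letters>:<7 inheritance flags>:<allow|deny>
# as accepted by FreeBSD/FreeNAS `setfacl -m`.

# Prints "<principal> <allow|deny>: <perms>; inherit: <flags>", exit 1 if malformed.
decode_nfs4_ace() {
    printf '%s\n' "$1" | awk -F: '
    BEGIN {
        # Position i of the permission field means perm[i]; same for the flag field.
        split("read_data write_data execute append_data delete_child delete " \
              "read_attributes write_attributes read_xattr write_xattr read_acl " \
              "write_acl write_owner synchronize", perm, " ")
        split("file_inherit dir_inherit inherit_only no_propagate " \
              "successful_access failed_access inherited", flag, " ")
    }
    NF != 4 || length($2) != 14 || length($3) != 7 || ($4 != "allow" && $4 != "deny") {
        print "invalid ACE: " $0; exit 1
    }
    {
        out = $1 " " $4 ":"
        for (i = 1; i <= 14; i++) if (substr($2, i, 1) != "-") out = out " " perm[i]
        out = out "; inherit:"
        for (i = 1; i <= 7; i++)  if (substr($3, i, 1) != "-") out = out " " flag[i]
        print out
    }'
}

# Exit 0 only if the ACE sets none of the write-type bits
# (w, p, d, D, A, W, C, o = positions 2,4,5,6,8,10,12,13), i.e. it cannot
# change data, delete, alter attributes/xattrs, rewrite the ACL or take ownership.
ace_is_read_only() {
    printf '%s\n' "$1" | awk -F: '{ exit (($2 ~ /^.-.---.-.-.--.$/) ? 0 : 1) }'
}

# The entry from the thread, and a constructed full-access entry for contrast.
ACE_THREAD='everyone@:r-x---a-R-c---:fd-----:allow'
ACE_FULL='everyone@:rwxpdDaARWcCos:fd-----:allow'

for ace in "$ACE_THREAD" "$ACE_FULL"; do
    decode_nfs4_ace "$ace"
    if ace_is_read_only "$ace"; then
        echo "  -> read-only for $(printf '%s' "$ace" | cut -d: -f1)"
    else
        echo "  -> grants write/delete/ACL/ownership bits; review before applying"
    fi
done
```

For the thread's entry the output lists read_data, execute, read_attributes, read_xattr and read_acl with file and directory inheritance, so every authenticated principal (everyone@ in NFSv4 terms) can traverse and read everything below that point; the per-user or per-group entries added afterwards can only tighten that by denying, not by omission.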
 