SMB Trusted Domain Sharing

turboaaa

Dabbler
Joined
Dec 31, 2017
Messages
36
Trying to create an SMB shared for Windows clients on different domains. Currently the share permissions are set for domain users on the domain FreeNAS is enrolled in. Normally I use authenticated users to allow users from other domains to connect, but I am unable to add this group in the wizard.

Active Directory settings have "Allow Trusted Domains" checked and "Use Default Domain" unchecked.

FREENAS-MINI-XL
OS Version:
FreeNAS-11.2-U6
(Build Date: Sep 17, 2019 0:16)
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,543
Trying to create an SMB shared for Windows clients on different domains. Currently the share permissions are set for domain users on the domain FreeNAS is enrolled in. Normally I use authenticated users to allow users from other domains to connect, but I am unable to add this group in the wizard.

Active Directory settings have "Allow Trusted Domains" checked and "Use Default Domain" unchecked.

FREENAS-MINI-XL
OS Version:
FreeNAS-11.2-U6
(Build Date: Sep 17, 2019 0:16)

If you're configuring trusted domains, you _must_ generate an explicit idmap configuration for the trusted domain and add it as a series of auxiliary parameters under Services->SMB. Although it is possible to use "authenticated users" to grant these permissions, it is better on FreeNAS to add explicit entries granting access to "DOMAIN1\domain users" and "DOMAIN2\domain users" if you want to grant access to domain users from both domains. The reason for this is that the mapping of "AUTHENTICATED_USERS" to a local unix group is stored in /var/db/samba4/winbindd_idmap.tdb, which is not guaranteed to survive boot device failure or system restoration from a backed-up config file.
 

turboaaa

Dabbler
Joined
Dec 31, 2017
Messages
36
Thanks for pointing me in the right direction, looks like I have some reading to do on the auxiliary parameters.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,543
Thanks for pointing me in the right direction, looks like I have some reading to do on the auxiliary groups.
You can type "testparm -s" in the shell to see your current running smb.conf file. There are a series of "idmap" parameters that contain the short-form of the name of the AD domain you've joined. These are the ones you want for your trusted domain. You just need to make sure the low and high ranges don't overlap ranges for the default domain (*), and your primary domain.

Once you have configured your server for access from the trusted domain, you will need to clear the winbindd resolver cache and the webui cache.
 

turboaaa

Dabbler
Joined
Dec 31, 2017
Messages
36
One of my mounts already allowed users from more than one domain to connect. When I was comparing the permissions on the datasets I found that the one that worked had the following. Copying it to the other data set granted access and things started working. I was able to use the ACLs within the dataset to further restrict access.

setfacl -m everyone@:r-x---a-R-c---:fd-----:allow

I understand the read and execute, and I think "a" is for reading attributes. Do you know the meaning of "R", "c", and "fd"? What are the implications of doing this that I may be overlooking?
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,543
One of my mounts already allowed users from more than one domain to connect. When I was comparing the permissions on the datasets I found that the one that worked had the following. Copying it to the other data set granted access and things started working. I was able to use the ACLs within the dataset to further restrict access.

setfacl -m everyone@:r-x---a-R-c---:fd-----:allow

I understand the read and execute, and I think "a" is for reading attributes. Do you know the meaning of "R", "c", and "fd"? What are the implications of doing this that I may be overlooking?
R - read extended attributes, c - read permissions, f - file inherit, d - directory inherit. These are covered here: https://www.ixsystems.com/community/threads/methods-for-fine-tuning-samba-permissions.50739/
 

alek_d

Dabbler
Joined
May 30, 2021
Messages
10
Hi guyes. I'm sorry to bring old post for new life. And Im sorry if I bother you. But there is lack of info in Truenas manpage about these.
Can you help with litle much info about this

"If you're configuring trusted domains, you _must_ generate an explicit idmap configuration for the trusted domain and add it as a series of auxiliary parameters under Services->SMB. Although it is possible to use "authenticated users" to grant these permissions"

I have 2 AD domain controler for both organisations . one is .local (is my primary) second is .com. These two domains is in trusted 2 way mode. My goal to use TrueNAS for both organisations. I want to create different datasets one for .com other for .local and third for .local and .com. They will be accessed through trought SMB shares.
So:
Do they both have to be with RID backend (one is 2012R2 and second is 2008R2 MS servers)
These are my settings, but I'm not sure if they are correct.
1.jpg

I understand that RID mapping should not overlap.
Do I have to change the range of the domain controllers themselves and make it the same in these settings?
How is this done?
What should I enter in the auxiliary parameters section

idmap config **** .COM: backend = rid
idmap config **** .COM: range = range from the second domain
Are they entered correctly?

Any info will be priceless. Thanks a lot for helping the newcommer.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,543
Hi guyes. I'm sorry to bring old post for new life. And Im sorry if I bother you. But there is lack of info in Truenas manpage about these.
Can you help with litle much info about this

"If you're configuring trusted domains, you _must_ generate an explicit idmap configuration for the trusted domain and add it as a series of auxiliary parameters under Services->SMB. Although it is possible to use "authenticated users" to grant these permissions"

I have 2 AD domain controler for both organisations . one is .local (is my primary) second is .com. These two domains is in trusted 2 way mode. My goal to use TrueNAS for both organisations. I want to create different datasets one for .com other for .local and third for .local and .com. They will be accessed through trought SMB shares.
So:
Do they both have to be with RID backend (one is 2012R2 and second is 2008R2 MS servers)
These are my settings, but I'm not sure if they are correct.
View attachment 47493
I understand that RID mapping should not overlap.
Do I have to change the range of the domain controllers themselves and make it the same in these settings?
How is this done?
What should I enter in the auxiliary parameters section

idmap config **** .COM: backend = rid
idmap config **** .COM: range = range from the second domain
Are they entered correctly?

Any info will be priceless. Thanks a lot for helping the newcommer.
You need short-forms of names. If you type wbinfo -m with samba started you should see a list of names
 

alek_d

Dabbler
Joined
May 30, 2021
Messages
10
You need short-forms of names. If you type wbinfo -m with samba started you should see a list of names
First thanks a lot for fast response.
When I type wbinfo -m with samba started I have a list of NetBIOS name (in my case NAS), short name of PDC and short name for second DC. What to do next?
 

alek_d

Dabbler
Joined
May 30, 2021
Messages
10
Hello everyone. Sorry for the embarrassment. I managed to deal with my problem and that's why I want to share the solution so that it remains as some kind of knowledge. I especially want to thank @turboaaa for the help he gave me. It turns out that I don't need to set up a second RID for the second domain. I need to strip my ACLs and add the second domain to the Kerberos Realms menu. This solved the problem in general.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,543
Hello everyone. Sorry for the embarrassment. I managed to deal with my problem and that's why I want to share the solution so that it remains as some kind of knowledge. I especially want to thank @turboaaa for the help he gave me. It turns out that I don't need to set up a second RID for the second domain. I need to strip my ACLs and add the second domain to the Kerberos Realms menu. This solved the problem in general.

The problem with doing that is that now your SID<-> ID mapping is non-deterministic for the trusted domain. This means permissions can break potentially at any time on it and cannot be easily reproduced if you rsync or replicate data to another server. The correct domain name to use for trusted domains is the short-form name as returned in wbinfo -m.
 

alek_d

Dabbler
Joined
May 30, 2021
Messages
10
Hm. anodos please give me little more info, about it. I will describe step by step what i did till now.
1. Trusted 2 domains two way. Every user from both domains can auth in other one.
2. Domain "A.local" is primary in TrueNAS. Domain "B.com" is secondary.
3. When I type wbinfo -m i have:
BULTIN
Name of TRUENAS STORAGE (just NAS)
Name of 1-st domain (just A without .local)
Name of 2-nd domain (just B without .com)

When I set samba ACL i set it in this way: A\domain admins or B\domain admins. This is a short name from wbinfo -m
I dont use: A.local\domain admins or B.com\domain admins if you mean that. If you dont have mean that.... may be Im too stupid to understand what you say me :(
p.s.
OK. I set second RID, range is not overlaped. Im using short name without .com when I set it. May be this is the missing part of puzzle?

111.png
 
Last edited:
Top