Time Machine share settings with Active Directory authentication

Status
Not open for further replies.

dauntless101

Cadet
Joined
Mar 21, 2017
Messages
7
I had this working but it stopped and I'm not sure why. What are the correct Dataset and Sharing permissions so that I can authenticate with my Windows Domain user name/password to access my Time Machine share?

For my Dataset permissions, I have:
Apply owner: checked
Owner (user): nobody
Apply Owner (group): checked
Owner (group): domain\time-machine users
Apply Mode: checked

Mode:
  • Read: Owner, Group, Other checked
  • Write: Owner, Group checked
  • Execute: Owner, Group, Other checked
Permission type: Unix


For my AFP Share settings, I have:
Path: /mnt/tank/Time-Machine
Name: Time-Machine
Allow List: @time-machine <--- this is my FreeNAS group for Time Machine users from before I was doing AD auth. Does this need to change?
Read-write Access: @time-machine <--again, does this need to be something AD-related?
Time Machine: checked
AFP3 Unix Privs: unchecked (tried both but read to uncheck this elsewhere)
Hosts allow: 10.1.0.1/24 (my LAN)

Here are some screenshots:
[screenshot: anzngm.png]
[screenshot: ZBOu7GW.png]


Feel like I've tried everything here but apparently not the exact correct combination that I need to get going again :)

Thanks, everyone!
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,545
Is FreeNAS your AD DC or just a member server? In the latter case, perhaps you should try checking the "Use Default Domain" parameter under "Directory Service" -> "Active Directory" -> "Advanced". This will allow you to reference AD users / groups like they are local users / groups. I.e. "time-machine" vs "domain\time-machine". This sometimes makes other unix applications happier.
 

dauntless101

Cadet
Joined
Mar 21, 2017
Messages
7
> Is FreeNAS your AD DC or just a member server? In the latter case, perhaps you should try checking the "Use Default Domain" parameter under "Directory Service" -> "Active Directory" -> "Advanced". This will allow you to reference AD users / groups like they are local users / groups. I.e. "time-machine" vs "domain\time-machine". This sometimes makes other unix applications happier.
It's a member server. Alright, I checked the box for "Use Default Domain" and saved it. So my AD group containing Time Machine Users is "time-machine-users". Do I just enter "@time-machine-users" into the Allow List and Read-write Access boxes on the AFP Share settings page? And they will reference the Active Directory groups?
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,545
> It's a member server. Alright, I checked the box for "Use Default Domain" and saved it. So my AD group containing Time Machine Users is "time-machine-users". Do I just enter "@time-machine-users" into the Allow List and Read-write Access boxes on the AFP Share settings page? And they will reference the Active Directory groups?
I don't mess with AFP. Assuming that's the correct syntax for referencing local groups, then it should be good.
 

dauntless101

Cadet
Joined
Mar 21, 2017
Messages
7
> I don't mess with AFP. Assuming that's the correct syntax for referencing local groups, then it should be good.
Well I need my Macs to pick it up as a Time Machine share so I have to do something with the settings there.
 

dauntless101

Cadet
Joined
Mar 21, 2017
Messages
7
Ok, I figured this out. I re-enabled AFP3 Unix Privs on the AFP share and applied standard permissions. After setting my domain as default, as Anodos suggested, I updated the Dataset permissions on the Time-Machine volume to match.

Another problem was that Time Machine on my Macs was trying to authenticate with an old user account (not my domain user). I noticed while watching the FreeNAS console output that the user name was wrong. On my Macs, I simply repointed Time Machine to my FreeNAS share, which prompted me to reauthenticate with the domain user.
 
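The "Apply Mode" checkboxes from the first post (Read for Owner, Group and Other; Write for Owner and Group; Execute for all three) and the "updated the Dataset permissions to match" step in the last post both come down to one chmod on the dataset. The script below is an added example, not code from the thread or from FreeNAS: it turns those checkboxes into an octal mode, applies it, reads the mode back, and flags the detail a defender would want to notice in the original settings, namely that with "Other: Read" ticked every other account on the NAS can read the backup images. It assumes a POSIX sh with stat(1) (GNU or BSD flavour) and, for the optional group check, getent(1) backed by the AD directory; the path and group name are the ones from the thread, and the chown is left as a comment because it needs root.

```shell
#!/bin/sh
# Added example (not from the thread or FreeNAS). Translates the dataset
# permission checkboxes into an octal mode, applies it and checks the result.

# mode_from_checkboxes OWNER GROUP OTHER -> octal mode, e.g. "rwx" "rwx" "rx" -> 775
# Each argument lists the ticked boxes for that class: r, w and/or x.
mode_from_checkboxes() {
    total=""
    for spec in "$1" "$2" "$3"; do
        n=0
        case "$spec" in *r*) n=$((n + 4));; esac
        case "$spec" in *w*) n=$((n + 2));; esac
        case "$spec" in *x*) n=$((n + 1));; esac
        total="${total}${n}"
    done
    printf '%s\n' "$total"
}

# dir_mode PATH -> permission bits, via GNU stat on Linux or BSD stat on FreeBSD/FreeNAS
dir_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# other_can_read MODE -> succeeds when the "other" digit includes the read bit
other_can_read() {
    last=${1#"${1%?}"}          # last character of the mode string
    [ $(( last & 4 )) -ne 0 ]
}

# group_resolves NAME -> succeeds when the group is known to the system resolver.
# With "Use Default Domain" enabled, an AD group should resolve without the
# "domain\" prefix, e.g. group_resolves time-machine-users
group_resolves() {
    getent group "$1" >/dev/null 2>&1
}

# apply_share_mode PATH OWNER_SPEC GROUP_SPEC OTHER_SPEC
# Applies the mode, prints what stat reports, warns if the share is world-readable.
apply_share_mode() {
    mode=$(mode_from_checkboxes "$2" "$3" "$4")
    chmod "$mode" "$1" || return 1
    actual=$(dir_mode "$1")
    if other_can_read "$actual"; then
        echo "warning: $1 mode $actual lets any other account read the backups" >&2
    fi
    printf '%s\n' "$actual"
}

# Usage: sh share-mode.sh /mnt/tank/Time-Machine
# Ownership (owner "nobody", AD group "time-machine-users") needs root and a
# resolvable group, so it is shown here rather than run:
#   group_resolves time-machine-users && chown nobody:time-machine-users /mnt/tank/Time-Machine
if [ "$#" -gt 0 ]; then
    apply_share_mode "$1" rwx rwx rx    # the thread's original settings -> 775
fi
```

Dropping the Other boxes (`apply_share_mode PATH rwx rwx ""`, i.e. 770) keeps the share usable for the AD group named on the dataset while closing it to everyone else on the NAS; the group name only resolves without the "domain\" prefix once "Use Default Domain" is enabled, which is the setting the thread turned on.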