TrueNAS-12.0-U6 is completely incompatible with Active Directory

vadimax

Cadet
Joined
Aug 4, 2021
Messages
9
First off, to make an AD user group see a shared folder I have to give that group "Full Control" access. If I give them "Modify", users cannot do anything -- not even see the folder. When a user tries to enter the folder, Explorer or whatever app it is just hangs indefinitely.

If I give the group "Full Control" access -- now users see the folder contents, and they can even copy a single file from the folder. But when they try to copy a subfolder with multiple files, the copy process freezes indefinitely. The mounted resource (share) becomes unavailable. I connect to the "frozen" computer and see that the mentioned subfolder copy has managed to copy 2 files only. An attempt to copy the third one ended up in an indefinite deadlock. The deadlock is so severe that I cannot even kill the task with Task Manager.

And at that moment we are going to purchase an M-50 system to use in a Windows environment...

P.S.: If I mount a share as a domain administrator, after a delay of several seconds (10...20) I may access it, but a normal user suffers all the issues I have mentioned above.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Can you PM me a debug please?
 

vadimax

Sadly, no solution, not even an answer as to what is going on so far. Does that mean that absolutely no one uses TrueNAS with Active Directory ACL? Enterprise ready? Really?!

Just to make things clear: we are going to purchase an M-50 system (some 62000€ value), the order is under way right now. I find a severe malfunction that affects the entire sense of the purchase. I ask the support for help -- they readdress me here because I am not eligible to get support yet. Here I am asked to provide debug information, disk pool ACL.

Done.

Deafening silence...
 

c77dk

Patron
Joined
Nov 27, 2019
Messages
468
I think a lot of us are using AD with TrueNAS, but either not seeing any problems, or haven't updated to -U6 yet. I fit both categories.

Guess @anodos is busy at the moment (SCALE RC next week), but when he gets to see the dump I reckon he will be able to spot if it's something in config or something serverside that needs to be fixed.
 

blanchet

Guru
Joined
Apr 17, 2018
Messages
516
Indeed, I have never yet tried to share a directory with Samba, but since I have a TrueNAS-12.0-u6 server with AD integration running in the datacenter, I can give it a try.
My TrueNAS server is already configured as a Time Machine backup server over SMB with AD integration.
smb-setup.png

I create with the web UI
  • a new dataset tank1/testad. I keep the default options for everything except for Share Type = SMB
  • a Windows share with the name testad for the directory /mnt/tank1/testad. I keep the default options.
With the shell, I give the ownership of tank1/testad to the group MYDOMAIN\mygroup
Code:
chgrp "MYDOMAIN\mygroup" /mnt/tank1/testad


Then I connect with my regular AD account (not administrator) to \\timemachine\testad from my Windows 10 Pro.
It works: I can copy directories with many files, etc. The speed is normal.
Then I ask my colleague to connect to the SMB share with his AD account to run some tests: he can also create, view, copy files and directories. The speed is normal.
If I check the permissions under Properties | Security | Advanced, I see that MYDOMAIN\mygroup has the Full Control permission on the directory.

Finally, I would say that your ACL setup is correct, so the issue is somewhere else.

Can you list the AD users in the shell with
Code:
wbinfo -u


Could you post the output of
Code:
testparm -s
 

NugentS

MVP
Joined
Apr 16, 2020
Messages
2,947
Well - I am using Active Directory with TrueNAS 12.0U6 - works just fine
 

vadimax

Finally I have discovered the source of the issue. To be true, the same damn issue (exposing itself a bit differently) does exist in Microsoft Windows as well. This is a classified domain, hence the generic GPO looks this way:

Removable Storage Access.png


As a result of these policy settings Microsoft Windows renders all local drives above C: inaccessible (WHY?! They are NOT removable!). TrueNAS does not cut off access to Datasets entirely, but it mutilates this access (you can remotely copy single files, you hang indefinitely when you try to remotely copy folders with multiple files).

When I put TrueNAS into an OU with the policies in the picture disabled -- everything works fine.
 

NugentS

Wonder if this is a TN issue or a Windows issue.
Might be worth raising this as a possible bug on Jira for them to look at, and possibly raise the same issue with MS.
As you say, they aren't removable and shouldn't be treated as if they are. Presumably a network share from an MS Server is not treated as portable (pointing at TrueNAS being at issue).
 