Hi all:
I have a FreeNAS system that has been in production for many years now (over 7?). Over the course of that time, the network it was in evolved. Initially, the FreeNAS server was the only server, and so we set up Active Directory Server under it (again, years ago). Over time, the network grew and so did our servers, so we added Microsoft AD servers. This past night, I was finally successful in being able to demote the FreeNAS server from active AD server duties. This also allowed me to update to FreeNAS 11.3-U5 (was on the 11.2 train).
So, after demoting, I still needed it to be a member of the domain, so I joined it to the domain using the Active Directory Directory Services function. After a few goes, I got it running, and (aside from a weird dns/ip issue that will be the subject of a future post), it's working.
Unfortunately, all our permissions and ownerships are now also broken. I was expecting that the ACLs would still work, as I thought the SIDs used in them were from AD, but it appears I was mistaken.
Is there any way to "get back" the old ID mapping?
I'm sure this isn't enough detail, but I'm not even sure what would be sufficient...
Here's an example from an ssh session where it shows some internal UID/GID mapping:
Code:
drwxrwx---+ 15 3000253        wheel 15 Aug 26  2019 melody
drwxrwx---+ 15 3000222        wheel 15 Jun 12  2019 nichelle
drwxrwx---+ 15 3000294        wheel 15 Dec 18  2019 nicoleb
drwxrwx---+ 15 3000282        wheel 15 Oct 29  2019 PaytonF
drwxrwx---+ 15 3000284        wheel 15 Nov  4  2019 Robyn
drwxrwx---+ 15 3000311        wheel 15 Feb  3  2020 roxanne
drwxrwx---+ 17 CYS-PUW\scott  wheel 19 Jan  9  2019 scott
drwxrwx---+ 15 CYS-PUW\sharon wheel 15 Jan  7  2019 sharon
The two that show CYS-PUW\ usernames are ones I chown'ed in the console, and they now work (mostly). However, that was replacing the permissions with new ones. In this directory, it's a "user home directories" share, and nobody (not even administrator) can see the list of directories in windows (and they used to be able to...). I haven't found a fix for that, but for the moment it's not breaking things.
What is breaking things is our main data share. It's not user-specific, but different folders do have different permissions, and users do need the ability to write in them. This is full on Windows ACLs land, and all these permissions were set from a windows computer (while the FreeNAS server was an AD controller). Now, critical pieces are showing up just as SIDs (unresolvable), and other pieces have been added/changed. More importantly, no user (not even administrator) can change the permissions (I get a "Failed to enumerate objects in the container. Access is denied." error).
I found the "Administrator Group" option in the smb service settings, but that has not had any effect.
I'm hesitant to try and edit the ACLs through the freenas web gui, as my attempts to use it to fix the user share were only somewhat successful, and this share has a LOT of files (probably in excess of a million -- it's about 60TB of data), and different parts of the tree have different permissions. Then again, making changes to those permissions in windows usually takes about 3-4 hours per subtree (and permissions are usually consistent within a subtree).
So, I desperately need to either recover the old ID Mapping system from when FreeNAS was an AD Controller, or have the means to change them recursively (and not get permission denied), preferably in a much faster, more efficient means than traditional windows permissions change.
Thank you in advance!
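A numeric owner in the listing above (3000253 instead of CYS-PUW\scott) means the host can no longer map that UID to a name: ls asks the name service (pwd/NSS, which on a domain member is fed by winbind) and falls back to the raw number when the lookup fails. Before deciding between recovering the old mapping and a recursive re-chown, it helps to know how many distinct unmapped IDs actually exist across the tree, since a 60TB share has many files but usually only a handful of IDs. The script below is an added example, not code from the post or from the FreeNAS project; it assumes a FreeNAS/FreeBSD host with Python 3 and uses only the standard library. The SAMPLE_RECORDS are constructed from the post's listing, and the numeric UIDs given for scott and sharon, the /mnt/tank/homes paths, and the uid_ok/gid_ok callback names are placeholders chosen for the example.

```python
#!/usr/bin/env python3
"""Inventory of unmapped owners/groups in a share tree (added example).

Walks a tree with lstat (symlinks are not followed), asks the OS whether each
UID and GID still resolves to a name, and reports every distinct unmapped ID
with a count and one example path. Lookups are cached per ID, so the cost is
one stat per entry, not one name-service query per entry.
"""
import grp
import os
import pwd
import sys
from collections import Counter


def uid_resolves(uid):
    """True if the host can map this UID to a user name via pwd/NSS."""
    try:
        pwd.getpwuid(uid)
        return True
    except KeyError:
        return False


def gid_resolves(gid):
    """True if the host can map this GID to a group name via grp/NSS."""
    try:
        grp.getgrgid(gid)
        return True
    except KeyError:
        return False


def walk_records(root):
    """Yield (path, uid, gid) for every entry under root; errors go to stderr."""
    for dirpath, dirnames, filenames in os.walk(
            root, onerror=lambda e: print(e, file=sys.stderr)):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError as e:
                print(e, file=sys.stderr)
                continue
            yield path, st.st_uid, st.st_gid


def summarize(records, uid_ok=uid_resolves, gid_ok=gid_resolves):
    """Count entries whose UID or GID does not resolve.

    records: iterable of (path, uid, gid). uid_ok/gid_ok are resolver
    callbacks (injectable so the logic can be exercised without real
    unmapped IDs). Returns total entries, Counters of unmapped UIDs/GIDs,
    and one example path per unmapped ID.
    """
    uid_cache, gid_cache = {}, {}
    unmapped_uids, unmapped_gids = Counter(), Counter()
    examples = {}
    total = 0
    for path, uid, gid in records:
        total += 1
        if uid not in uid_cache:
            uid_cache[uid] = uid_ok(uid)
        if gid not in gid_cache:
            gid_cache[gid] = gid_ok(gid)
        if not uid_cache[uid]:
            unmapped_uids[uid] += 1
            examples.setdefault(("uid", uid), path)
        if not gid_cache[gid]:
            unmapped_gids[gid] += 1
            examples.setdefault(("gid", gid), path)
    return {"total": total, "unmapped_uids": unmapped_uids,
            "unmapped_gids": unmapped_gids, "examples": examples}


# Constructed sample mirroring the post's listing: six home directories still
# owned by numeric IDs from the old DC-era range, two already chowned to
# domain users (placeholder UIDs 20001/20002); gid 0 is wheel.
SAMPLE_RECORDS = [
    ("/mnt/tank/homes/melody", 3000253, 0),
    ("/mnt/tank/homes/nichelle", 3000222, 0),
    ("/mnt/tank/homes/nicoleb", 3000294, 0),
    ("/mnt/tank/homes/PaytonF", 3000282, 0),
    ("/mnt/tank/homes/Robyn", 3000284, 0),
    ("/mnt/tank/homes/roxanne", 3000311, 0),
    ("/mnt/tank/homes/scott", 20001, 0),
    ("/mnt/tank/homes/sharon", 20002, 0),
]


def main(argv):
    """Report on a real tree if a path is given, else on the sample records."""
    records = walk_records(argv[1]) if len(argv) > 1 else SAMPLE_RECORDS
    r = summarize(records)
    print("entries scanned:", r["total"])
    for kind, counter in (("uid", r["unmapped_uids"]), ("gid", r["unmapped_gids"])):
        for ident, n in counter.most_common():
            print(f"unmapped {kind} {ident}: {n} entries, e.g. {r['examples'][(kind, ident)]}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python3 idmap_inventory.py /mnt/tank/data` on the share; the output is a short list of distinct IDs to map (or chown) rather than a file-by-file walk, and re-running it after each fix shows what remains. Because it only calls lstat and the name service, it makes no changes and can run read-only while the share stays online.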