Register for the iXsystems Community to get an ad-free experience and exclusive discounts in our eBay Store.

Urgent: Lost ID Mapping when demoted DC to Domain Member

Western Digital Drives - The Preferred Drives of FreeNAS and TrueNAS CORE

JimKusz

Junior Member
Joined
Sep 10, 2018
Messages
19
Hi all:

I have a FreeNAS system that has been in production for many years now (over 7?). Over the course of that time, the network it was in evolved. Initially, the FreeNAS server was the only server, and so we set up Active Directory Server under it (again, years ago). Over time, the network grew and so did our servers, so we added Microsoft AD servers. This past night, I was finally successful in being able to demote the FreeNAS server from active AD server duties. This also allowed me to update to FreeNAS 11.3-U5 (was on the 11.2 train).

So, after demoting, I still needed it to be a member of the domain, so I joined it to the domain using the Active Directory Directory Services function. After a few goes, I got it running, and (aside from a wierd dns/ip issue that will be the subject of a future post), its working.

Unfortunately, all our permissions and ownerships are now also broke. I was expecting that the ACLs would still work, as I though the SIDs used in them were from AD, but it appears I was mistaken.

Is there any way to "get back" the old ID mapping?

I'm sure this isn't enough detail, but I'm not even sure what would be sufficient...

Here's an example from an ssh session where it shows some internal UID/GID mapping:
Code:
drwxrwx---+ 15 3000253                wheel  15 Aug 26  2019 melody
drwxrwx---+ 15 3000222                wheel  15 Jun 12  2019 nichelle
drwxrwx---+ 15 3000294                wheel  15 Dec 18  2019 nicoleb
drwxrwx---+ 15 3000282                wheel  15 Oct 29  2019 PaytonF
drwxrwx---+ 15 3000284                wheel  15 Nov  4  2019 Robyn
drwxrwx---+ 15 3000311                wheel  15 Feb  3  2020 roxanne
drwxrwx---+ 17 CYS-PUW\scott          wheel  19 Jan  9  2019 scott
drwxrwx---+ 15 CYS-PUW\sharon         wheel  15 Jan  7  2019 sharon


The two that show CYS-PUW\ usernames are ones I chown'ed in the console, and they now work (mostly). However, that was replacing the permissions with new ones. In this directory, its a "user home directories" share, and nobody (not even administrator) can see the list of directories in windows (and they used to be able to...). I haven't found a fix for that, but for the moment its not breaking things.

What is breaking things is our main data share. Its not user-specfic, but different folders do have different permissions, and users do need the ability to write in them. This is full on Windows ACLs land, and all these permissions were set from a windows computer (while the FreeNAS server was an AD controller). Now, critical pieces are showing up just as SIDs (unresolvable), and other pieces have been added/changed. More importantly, no user (not even administrator) can change the permissions (I get a "Failed to enumerate objects in the container. Access is denied." error).

I found the "Administrator Group" option in the smb service settings, but that has not had any effect.

I'm hesitant to try and edit the ACLs through the freenas web gui, as my attempts to use it to fix the user share was only somewhat successful, and this share has a LOT of files (probably in excess of million -- its about 60TB of data), and different parts of the tree have different permissions. Then again, making changes to those permissions in windows usually takes about 3-4 hours per subtree (and permissions are usually consistent within a subtree).

So, I desperately need to either recover the old ID Mapping system from when FreeNAS was an AD Controller, or have the means to change them recursively (and not get permission denied), preferably in a much faster, more efficient means than traditional windows permissions change.

Thank you in advance!
 

blanchet

Senior Member
Joined
Apr 17, 2018
Messages
329
  • If you have not upgraded the pool, you can revert back to FreeNAS 11.2 by using the menu System | Boot
  • To change the ACL from the command line, you have to use setfacl(1)
 

JimKusz

Junior Member
Joined
Sep 10, 2018
Messages
19
Thanks, but that isn't really going to work. The root problem isn't the version of freenas, its that freenas was demoted from an AD, which is the end goal anyway. Demoting it caused all the user account IDs to remap.

In the end, I found I could bulk replace ACLs from the command line, and ended up replacing / resetting all the permissions for the entire server....
 
Top