SOLVED Windows share active directory can't see users groups

alex87alex

Dabbler
Joined
Jun 28, 2017
Messages
17
Good morning,

I have the latest version of TrueNAS; I joined it to a fully functional Active Directory server. This is my configuration:

[screenshot attachment: 2021-01-04 10_58_30-TrueNAS - nas.coolky.locale.png]

I can see the nas on the list of objects into active directory:

[screenshot attachment: 2021-01-04 11_01_42-192.168.254.10 - Remote Desktop Connection.png]

The problem is that I can't see users and groups of Active Directory when I share a folder:

[screenshot attachment: 2021-01-04 11_04_21-TrueNAS - nas.coolky.locale.png]

Can you help me?

Thank you very much
 

c77dk

Patron
Joined
Nov 27, 2019
Messages
468
Hi,

You can verify whether TrueNAS can see your users/groups using "wbinfo -u" and "wbinfo -g" in the CLI.

When coming to 12.0-RELEASE they wouldn't show in dropdowns for me, but I could just type the names and use them that way. Now on 12.0-U1 I can see the users/groups in dropdowns, so something seems to have changed (or the frontend just took some time to catch up on users/groups).
 

alex87alex

Dabbler
Joined
Jun 28, 2017
Messages
17
Thank you for the reply.

I can see users and groups with the wbinfo command, but not in the GUI, even though I have the latest TrueNAS version.

/etc/os-release
Code:
NAME=FreeBSD
VERSION=12.2-RELEASE-p2
VERSION_ID=12.2
ID=freebsd
ANSI_COLOR="0;31"
PRETTY_NAME="FreeBSD 12.2-RELEASE-p2"
CPE_NAME=cpe:/o:freebsd:freebsd:12.2
HOME_URL=https://FreeBSD.org/
BUG_REPORT_URL=https://bugs.FreeBSD.org/


/etc/version
Code:
TrueNAS-12.0-U1 (401ffb1d98)
 

alex87alex

Dabbler
Joined
Jun 28, 2017
Messages
17
Code:
[global]
        aio max threads = 2
        allow trusted domains = No
        bind interfaces only = Yes
        client ldap sasl wrapping = seal
        disable spoolss = Yes
        dns proxy = No
        domain master = No
        enable web service discovery = Yes
        kerberos method = secrets and keytab
        kernel change notify = No
        load printers = No
        local master = No
        logging = file
        map to guest = Bad User
        max log size = 51200
        nsupdate command = /usr/local/bin/samba-nsupdate -g
        preferred master = No
        realm = COOLKY.LOCALE
        registry shares = Yes
        security = ADS
        server role = member server
        server string = TrueNAS Server
        template shell = /bin/sh
        unix extensions = No
        winbind cache time = 7200
        winbind enum groups = Yes
        winbind enum users = Yes
        winbind max domain connections = 10
        winbind nss info = rfc2307
        workgroup = COOLKY
        idmap config *: range = 90000001-100000000
        idmap config coolky: range = 100000001-200000000
        idmap config coolky: backend = rid
        idmap config * : backend = tdb
        directory name cache size = 0
        dos filemode = Yes

 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
What's the output of cat /etc/nsswitch.conf? Sanity check to make sure we have that generated. Also provide output of midclt call activedirectory.domain_info | jq
 

alex87alex

Dabbler
Joined
Jun 28, 2017
Messages
17
> What's the output of cat /etc/nsswitch.conf? Sanity check to make sure we have that generated. Also provide output of midclt call activedirectory.domain_info | jq
/etc/nsswitch.conf
Code:
#
# nsswitch.conf(5) - name service switch configuration file
# $FreeBSD$
#


group: files
hosts: files dns
networks: files
passwd: files
shells: files
services: files
protocols: files
rpc: files
sudoers: files


midclt call activedirectory.domain_info | jq
Code:
{
  "LDAP server": "192.168.254.10",
  "LDAP server name": "DC.COOLKY.LOCALE",
  "Realm": "COOLKY.LOCALE",
  "Bind Path": "dc=COOLKY,dc=LOCALE",
  "LDAP port": 389,
  "Server time": 1609867598,
  "KDC server": "192.168.254.10",
  "Server time offset": -3,
  "Last machine account password change": 1609692750
}

 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Your nsswitch isn't set up correctly. Did you start via CLI or webui (there are various very faulty or outdated guides online)? `midclt call etc.generate nss` and then `service winbindd restart`.
 

alex87alex

Dabbler
Joined
Jun 28, 2017
Messages
17
> Your nsswitch isn't set up correctly. Did you start via CLI or webui (there are various very faulty or outdated guides online)? `midclt call etc.generate nss` and then `service winbindd restart`.

I joined the domain via the web UI, left the default parameters, and followed the official TrueNAS guide. However, I think the output of the first command is wrong:

Code:
root@nas[/tmp]# midclt call etc.generate nss
null


> The time offset is also not great. You should make sure that time is consistent on your computers.

I think the time is not a problem; with AD we have 5 min of tolerance, and that is not the case here.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
> I joined to domain via webui, I left the default parameters and I followed the official truenas guide. However the output of first command I think is wrong:
>
> Code:
> root@nas[/tmp]# midclt call etc.generate nss
> null

That's expected output. nsswitch should be regenerated. After this you should see `winbind` in file and `getent passwd` should show AD users.

> The time I think is not a problem, with ad we have 5min of tollerance that is not this case
Right. It's within tolerances, but not a great situation.
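The two things this exchange checks, whether nsswitch.conf consults winbind for the passwd and group databases and whether the reported time offset is within the 5-minute Kerberos tolerance, can be scripted. The following is an added example written for this thread; it is not TrueNAS code and was not posted by anyone here. It uses the nsswitch.conf and domain_info output quoted above as constructed sample input; the regenerated-file sample assumes only that `winbind` appears on the passwd and group lines, since the exact layout TrueNAS writes is not shown in the thread.

```python
"""Added example (not TrueNAS code, not from this thread): check that
nsswitch.conf consults winbind for passwd/group, and that the AD time
offset reported by domain_info is within Kerberos' clock-skew tolerance."""
import json

KERBEROS_MAX_SKEW_SECONDS = 300  # the 5 min tolerance mentioned in the thread

# Constructed sample: the nsswitch.conf as posted in the thread (no winbind source)
BROKEN_NSSWITCH = """\
#
# nsswitch.conf(5) - name service switch configuration file
# $FreeBSD$
#
group: files
hosts: files dns
networks: files
passwd: files
shells: files
"""

# Constructed sample of a regenerated file. Assumption: only the presence of
# 'winbind' on the passwd and group lines is known from the thread; the exact
# layout TrueNAS writes is not shown there.
FIXED_NSSWITCH = """\
group: files winbind
hosts: files dns
passwd: files winbind
"""

# Constructed from the domain_info output posted in the thread (subset of keys)
DOMAIN_INFO_JSON = """{
  "LDAP server": "192.168.254.10",
  "Realm": "COOLKY.LOCALE",
  "KDC server": "192.168.254.10",
  "Server time offset": -3
}"""


def parse_nsswitch(text):
    """Map each database name to its list of source tokens, ignoring comments
    and blank lines. Action specs such as [NOTFOUND=return] stay in the token
    list; they never equal 'winbind', so the membership tests are unaffected."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        db, _, sources = line.partition(":")
        table[db.strip()] = sources.split()
    return table


def missing_winbind(text, databases=("passwd", "group")):
    """Return the databases that do not list winbind as a source."""
    table = parse_nsswitch(text)
    return [db for db in databases if "winbind" not in table.get(db, [])]


def check_time_offset(domain_info_json, max_skew=KERBEROS_MAX_SKEW_SECONDS):
    """Return (within_tolerance, offset_seconds) from domain_info JSON output."""
    offset = json.loads(domain_info_json)["Server time offset"]
    return abs(offset) <= max_skew, offset


def diagnose(nsswitch_text, domain_info_json):
    """Collect human-readable findings; an empty list means both checks passed."""
    findings = []
    for db in missing_winbind(nsswitch_text):
        findings.append(
            f"nsswitch.conf: '{db}' does not consult winbind; "
            "run 'midclt call etc.generate nss' then 'service winbindd restart'"
        )
    ok, offset = check_time_offset(domain_info_json)
    if not ok:
        findings.append(
            f"clock skew of {offset}s against the DC exceeds "
            f"{KERBEROS_MAX_SKEW_SECONDS}s; Kerberos authentication will fail"
        )
    return findings


if __name__ == "__main__":
    for name, text in (("as posted", BROKEN_NSSWITCH), ("regenerated", FIXED_NSSWITCH)):
        print(name, diagnose(text, DOMAIN_INFO_JSON) or ["ok"])
```

On a real system you would feed `diagnose()` the contents of `/etc/nsswitch.conf` and the output of `midclt call activedirectory.domain_info`; the posted file produces two findings (passwd and group), while the -3 second offset passes the skew check, matching the conclusion reached in the thread.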
 

alex87alex

Dabbler
Joined
Jun 28, 2017
Messages
17
After last 2 commands now I can view the users and groups. Thank you very much.

I did a debug before regenerating nsswitch; I saved another one now so you can compare the two. I'll send them to you privately.

Thank you
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Summary: during domain join we add the DC with the PDC emulator FSMO role as the preferred NTP server for the TrueNAS (this is to ensure that time stays consistent / predictable). There was some additional validation outside the scope of the AD plugin that resulted in an unhandled exception in some of the last steps of the AD join, which in turn resulted in an unconfigured nsswitch.conf and lack of user / group cache. It would have appeared as a failed join in the task manager with the text of the NTPClient exception in the failure message. That said, this edge-case should be non-fatal during the domain join and so it'll be fixed in the next release.
 

ChicagoJay

Cadet
Joined
Jun 30, 2022
Messages
1
I am having very similar issues (wbinfo shows my AD users & groups, but getent does not). I just installed this fresh - version 13.

Is it preferred to necro an old thread, or start a new one, and reference this one?
 

Samuel Tai

Never underestimate your own stupidity
Moderator
Joined
Apr 24, 2020
Messages
5,399
Don't necro old threads. Start a new one.
 