Auto create home directory for AD users

narandr

Dabbler
Joined
Oct 13, 2022
Messages
24
Hello Community,

The documentation here is not working. Can someone help me?

So I want the following scenario: when AD users connect to the /mnt/Data/private network path, the user's private folder should be created automatically in this directory with the correct permissions, so that only that user has access. But the problem is that when I check the option Use as Home Share, the AD user cannot connect from macOS Ventura using the SMB protocol. I created the share using the SMB share type. To connect to the Samba server, I am using the following: smb://DOMAINNAMEADDRESS/Users (Users is the share name, and I am using the AD username and password).
 

Samuel Tai

Never underestimate your own stupidity
Moderator
Joined
Apr 24, 2020
Messages
5,399
 

narandr

Thank you, Samuel. But at the moment I do not completely understand what I should do. So I have to copy and paste these parameters into the auxiliary parameters?
ixnas:zfs_auto_homedir = True
ixnas:chown_homedir = True

Then turn off "obey pam restrictions" in /etc/local/smb4.conf and restart the service?
 

Samuel Tai

Yes, you've got it.
 

narandr

> Yes, you've got it.

The directory was created automatically when I connected to the normal share. But how do I connect to the newly created home folder? Do I have to create another share without the Use as Home Share parameter so that the users can connect (this worked)? Because I am getting the error in the picture. (macOS Ventura) In the left-side locations, where the full DOMAIN name and the usernames are, I am getting this error.
 

Attachment: Screenshot 2023-03-04 at 01.36.08.png

Samuel Tai

Where did you add these auxiliary parameters? To the SMB service or to the home share? You should've added them to the home share, and then deleted any datasets underneath the home dataset.
 

narandr

> Where did you add these auxiliary parameters? To the SMB service or to the home share? You should've added them to the home share, and then deleted any datasets underneath the home dataset.

I have added them to the home share, and there is no other sub-dataset under the home share dataset.
/mnt/Data/private (Data is the pool, private is the dataset)
 

narandr

I have just manually deleted the folder DOMAINNAME\USER; now it is no longer created when I connect to the Samba server.
 

narandr

I have just disconnected all connections and restarted the SMB service. And it seems to work. I will continue tomorrow. I also want to define different group quotas for different AD groups.
 

Samuel Tai

> I also want to define different group quotas for different AD groups.

I don't believe that's possible with the ixnas plugin. @anodos, is there any way to flow through the AD quota to the auto-created user dataset?
 

narandr

> I don't believe that's possible with the ixnas plugin. @anodos, is there any way to flow through the AD quota to the auto-created user dataset?

I meant that the user has some maximum hard quota across the whole server, for example 250 GB across all datasets.
It is like that on Synology servers. When you set the group quota for a defined group, let's say 250 GB, then all members in that group have a maximum of 250 GB.
 

narandr

Does anyone know how I can enable group quotas for datasets or data pools for Active Directory domain groups?
 

narandr

It only works when I put in datasets and user quotas for each user; otherwise, it is not practicable. Group quotas generally are not working for local users either. I think if there is a way to configure group quotas for local users, then the same way should work for domain users.
 

narandr

I could not find any solutions. The group quotas are not working generally.

> I don't believe that's possible with the ixnas plugin. @anodos, is there any way to flow through the AD quota to the auto-created user dataset?

Another question: is it possible to force the group ownership to change, as it inserts the domain users group by default?
Can someone tell me how it is possible to change this, because "force group=" is not working for the home directory.
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
At home I run all my shares completely without Windows ACLs. And I use "force user" and "force group". Old school so to speak. Because policy in the family network is that everyone who can authenticate has the same privileges. And I want a nice clean "unixy" set of permissions on disk.

But of course that does not work if you go AD integrated and Windows ACLs.

I don't know if this is of any help, I just get the feeling you are trying to combine two approaches that are fundamentally incompatible.

Maybe describe your goal in a more general fashion and our resident SMB guru @anodos can come up with an idea.
 

narandr

> At home I run all my shares completely without Windows ACLs. And I use "force user" and "force group". Old school so to speak. Because policy in the family network is that everyone who can authenticate has the same privileges. And I want a nice clean "unixy" set of permissions on disk.
>
> But of course that does not work if you go AD integrated and Windows ACLs.
>
> I don't know if this is of any help, I just get the feeling you are trying to combine two approaches that are fundamentally incompatible.
>
> Maybe describe your goal in a more general fashion and our resident SMB guru @anodos can come up with an idea.

Thank you, Patrick, for the response. I actually want to create quotas for AD groups. So generally, if I define AD user quotas on the dataset, it works; with the home share dataset it also works. But the group quota is not working generally, neither with AD groups nor with local groups.
Or maybe my understanding of group quotas, which comes from Synology NAS, is not the same for TrueNAS. When you define a group quota in Synology, then it is for each user in that group for the whole server.
 

narandr

> At home I run all my shares completely without Windows ACLs. And I use "force user" and "force group". Old school so to speak. Because policy in the family network is that everyone who can authenticate has the same privileges. And I want a nice clean "unixy" set of permissions on disk.

And what about force group, which actually did not work for AD, or perhaps also generally? Maybe it is because of the parameter ixnas:chown_homedir = True, which automatically takes the AD Domain Users group by default.
 

Patrick M. Hausen

force user and force group refer to Unix users and groups so possibly won't work with ACLs. But you can try or ask someone with more knowledge than I have. It's a way for me to keep things simple, ditch all the Windows ACL stuff, user, group, 750/640, done. Definitely not suitable for a corporate environment.
 

narandr

> force user and force group refer to Unix users and groups so possibly won't work with ACLs. But you can try or ask someone with more knowledge than I have. It's a way for me to keep things simple, ditch all the Windows ACL stuff, user, group, 750/640, done. Definitely not suitable for a corporate environment.

I just tested group quotas with local groups, and it is working. But group quotas with AD groups are not working; I have to create a User Quota entry for each AD user on each dataset. It is a very time-consuming task.
 

narandr

I do not understand: when I set user quotas in the TrueNAS GUI, is it setting user space quotas in the ZFS file system?
And in the GUI it is not possible to select the whole list of AD users to set user quotas for many users at once. How can I actually put quotas on data pools so that they apply to all datasets in that pool?
Is there something that I can do on the command line? Or through scripts?
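
An added example, not part of the thread and not TrueNAS's own code, for the command-line question in the post above: ZFS user quotas are set per dataset with `zfs set userquota@NAME=SIZE`, so this script prints one such command for every member of a group for review before anything is applied. Assumptions: AD accounts resolve through NSS as DOMAIN\name, `getent group` lists the group's members, `Data/private` is the dataset from the thread, and the group and account names are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): dry-run generator for per-user ZFS quotas.
# Real input would come from:  getent group 'DOMAIN\staff'   (hypothetical group)

# members_from_group_line: read a line in `getent group` format
# (name:passwd:gid:member,member,...) on stdin, print one member per line.
members_from_group_line() {
    awk -F: '{ n = split($4, m, ",")
               for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }'
}

# quota_commands DATASET SIZE: read account names on stdin and print one
# `zfs set userquota@...` command per name. Names containing anything outside
# the allow-list are skipped and reported on stderr, so a directory-supplied
# name can never add shell syntax to the generated commands.
quota_commands() {
    dataset=$1
    size=$2
    while IFS= read -r user; do
        case $user in
            '')
                continue ;;
            *[!A-Za-z0-9._\\-]*)
                printf 'skipped unexpected name: %s\n' "$user" >&2
                continue ;;
        esac
        printf "zfs set 'userquota@%s=%s' '%s'\n" "$user" "$size" "$dataset"
    done
}

# Constructed sample line (not real accounts); the last member is malformed
# on purpose to show that it is rejected.
SAMPLE='DOMAIN\staff:x:100512:DOMAIN\alice,DOMAIN\bob,DOMAIN\bad;name'
printf '%s\n' "$SAMPLE" | members_from_group_line | quota_commands Data/private 250G
```

Review the printed commands, then pipe them to `sh` as root to apply them. A ZFS `groupquota@` property limits the combined space of files owned by that group, which is why a per-member limit is expressed here as user quotas.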
 