CIFS and AD User authentication

Status
Not open for further replies.

berrick

Explorer
Joined
Mar 19, 2013
Messages
78
Currently FreeNAS version is 9.1.1 (only 4 GB RAM) and part of an AD environment.

Everything is working and has been for some time, so I don't wish to upgrade until I can get hardware with at least 8 GB of RAM.

I would like to beef up security of the CIFS UFS share using AD user accounts but all ways I have tried thus far have resulted in getting a windows error "You dont have permissions to access ......."

Any pointers would be appreciated.

TYIA
 

berrick

I haven't :( From what I have read it's possible. Need help from "unix" gurus
 
dlavigne

Guest
Well, any unix gurus would need to know exactly how you have it configured and what the errors in /var/log/messages say...
 

berrick

I eventually found time to back up my data and try this again. I have now managed to get this working, in a fashion. I say in a fashion as it works but not the way I thought it would. This is probably due to lack of knowledge on my part so I would be grateful for comments to increase my understanding.
  • I created a fresh zfs volume with a dataset called media
  • on the change permission page of the dataset I changed ACL type to windows and ticked Set recursively
  • created a cifs share with browsable to network, inherit owner and inherit permission set
At this point even though I selected the AD users and groups I wanted to use for Owner (user) and Owner (group), in the gui they didn't seem to be applied. To be sure they were applied I used the following cli (obviously change domain name to yours etc etc)

chown "DOMAIN NAME\administrator":"DOMAIN NAME\security group" "/mnt/zfs volume/dataset"

I still had trouble with stuff like access which turned out to be down to the unix permissions applied to the dataset. When I checked the permissions from the cli the read permissions were missing on owner, groups and others (this is also what the gui showed if memory serves). When I changed these to my needs (0755) it worked.

Well, it works as far as administrator has complete control and members of the AD security group can do all but delete (this is what I need)
but, and this is where my lack of knowledge comes in, in a windows environment how can I add users and set their permissions as I would with any normal windows shares??
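The failure described in this post (read bits missing on the dataset until the mode was set to 0755) can be checked from the shell before touching the share settings. This is an added example, not part of the original post; the function names and the `/mnt/tank/media` path are assumptions.

```shell
#!/bin/sh
# Added example: list directories between a share path and its mount root
# whose Unix mode bits lack read/traverse for owner, group or other.

# Print the octal permission bits of $1 (GNU stat first, then BSD stat).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 if owner, group and other all have r and x on $1 (mask 0555).
has_rx_all() {
    m=$(mode_of "$1") || return 2
    [ $(( 0$m & 0555 )) -eq $(( 0555 )) ]
}

# Walk from $1 up to $2 (default /), printing each directory that fails.
# Returns 0 when every component passes, 1 otherwise.
audit_path() {
    p=$1
    stop=${2:-/}
    bad=0
    while :; do
        if ! has_rx_all "$p"; then
            printf '%s: mode %s lacks r-x for owner, group or other\n' \
                "$p" "$(mode_of "$p")"
            bad=1
        fi
        if [ "$p" = "$stop" ] || [ "$p" = "/" ]; then
            break
        fi
        p=$(dirname "$p")
    done
    return $bad
}

# Example call (hypothetical path): sh audit.sh /mnt/tank/media /mnt
if [ $# -ge 1 ]; then
    audit_path "$1" "${2:-/}"
fi
```

A directory reported here is one where the mode bits alone would deny read or traverse, which is the condition the post fixed with 0755.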
 
dlavigne

Guest
The Windows permissions on the FreeNAS side are meant as a starting point to access the share. All fine-tuning of users/group perms should happen on the windows side.
 

berrick

"All fine-tuning of users/group perms should happen on the windows side."

I understand this but I was having problems when trying to apply them. I left things alone for a day as I had other stuff to do. When I checked which permissions had been applied, the two permissions I set, Owner (user) and Owner (group), had been applied twice to everything. First they were applied to the folder or file only and the second time they were inherited from the root (i.e. the share I had created in windows). It didn't help that the VM I was using to test permissions seemed to be delayed in picking them up.

Since I have tidied this up and ensured consistency, things seem OK and if I make further changes to permissions it works as expected
 