FreeNAS -> Windows Server 2016 AD. User folder redirection and roaming profiles.

Solway

Dabbler
Joined
Aug 14, 2019
Messages
25
Hi guys, new to FreeNAS. I've set up a FreeNAS pool/dataset etc. and have linked this to a new Windows Server 2019 installation acting as DHCP, AD, DNS.

Having major issues regarding permissions when trying to redirect folders and/or roaming profiles of users.

Before I type out the endless configurations I've done...

Does FreeNAS support AD roaming profiles/redirection of folders?

I've basically followed this on the AD:
https://docs.microsoft.com/en-us/windows-server/storage/folder-redirection/deploy-folder-redirection

FreeNAS SMB share is set to:
ACL = windows
user = domain/admin (from AD)
Group = domain/users (from AD)

I'm not sure the Microsoft permissions (in the above link) are working well with the FreeNAS permissions on the share??
Any tutorials around? My endless searching fails to find any.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,543
Hi guys, new to FreeNAS. I've set up a FreeNAS pool/dataset etc. and have linked this to a new Windows Server 2019 installation acting as DHCP, AD, DNS.

Having major issues regarding permissions when trying to redirect folders and/or roaming profiles of users.

Before I type out the endless configurations I've done...

Does FreeNAS support AD roaming profiles/redirection of folders?

I've basically followed this on the AD:
https://docs.microsoft.com/en-us/windows-server/storage/folder-redirection/deploy-folder-redirection

FreeNAS SMB share is set to:
ACL = windows
user = domain/admin (from AD)
Group = domain/users (from AD)

I'm not sure the Microsoft permissions (in the above link) are working well with the FreeNAS permissions on the share??
Any tutorials around? My endless searching fails to find any.

This will work better in 11.3. In 11.2, you need to change the nfs4:mode to "simple" on all of your SMB shares, and then use `setfacl` to set the ACLs per MS guidelines. owner@ is equivalent in this case to CREATOR-OWNER. For well-known SIDs like S-1-5-32-544, you can look up the corresponding GID by running `wbinfo --sid-to-gid S-1-5-32-544` and then using it in setfacl: `setfacl -a 0 g:<gid>:perms:flags:allow`.
 

Solway

Dabbler
This will work better in 11.3. In 11.2, you need to change the nfs4:mode to "simple" on all of your SMB shares, and then use `setfacl` to set the ACLs per MS guidelines. owner@ is equivalent in this case to CREATOR-OWNER. For well-known SIDs like S-1-5-32-544, you can look up the corresponding GID by running `wbinfo --sid-to-gid S-1-5-32-544` and then using it in setfacl: `setfacl -a 0 g:<gid>:perms:flags:allow`.

Thanks for the reply.

That went over my head. Any tutorials I can follow?

Does that mean FreeNAS SMB needs to be set the same as Windows Server shares? Currently I'm using Windows Server to set permissions on the folder/share that FreeNAS provides.
 

Solway

Dabbler
To follow up on the details:


FreeNAS is connected to Windows Server 2019 Active Directory and populates the users/groups etc.

The test domain is called eca.local

I have a pool = "storage"
I have a dataset = "profiles" used for roaming/redirection
I have a dataset = "files" - I will use this as a general storage location

The FreeNAS settings I have are in the following pictures:

FreeNAS AD settings to connect to Server 2019 AD:
AD settings.png

Pool settings:
pool settings.png

Pool permissions:
pool permissions.png

"profiles" Dataset settings:
dataset settings.png

"profiles" Dataset permissions:
dataset permissions.png

"profiles" SMB share settings:
smb share settings.png

On the Windows Server 2016:
I have the following permissions set up as per Microsoft's guide linked above.

This is for the SMB "profiles" share from FreeNAS:
win box share perms.png

FYI - users are in the "Domain Users" group.
AD group users.png

What do I need to change, or what have I done wrong?
Do the group permissions need to match in AD and FreeNAS?

It was somewhat working when I allowed "Everyone" in the permissions, but I couldn't see users' redirected files on the SMB share when logged in as admin on the Server 2019 box.

The Windows guide to permissions said to make a "redirection users" group; that's why it shows in the permissions on Server 2019. Previously it was the "domain users" group, hence why FreeNAS has that in its permissions.
 

Solway

Dabbler
Been reading up on nfs4:mode etc.
https://www.ixsystems.com/community/threads/methods-for-fine-tuning-samba-permissions.50739/
https://www.ixsystems.com/community...redirection-and-creator-owner-problems.50986/

I kinda get what you mean, but I'm lost as to how to do it. :(

I want to control permissions from Windows Server Explorer, not FreeNAS, so I need to set FreeNAS ZFS to be compatible with whatever I do in there.

I want shares for:
  • AD User Profiles (aka roaming profiles and folder redirection)
  • General file share (between all users on the domain)
  • Email files (linking to an email server, prob hMailServer running on the Windows Server box)
If, for example, the permissions on the Windows Server are set as per MS recommendations for folder redirection, as in this link:

on the dataset \\Freenas\Profiles\

Use the following settings for NTFS permissions set within Explorer on Windows Server:
  • CREATOR OWNER - Full Control (Apply onto: Subfolders and Files Only)
  • System - Full Control (Apply onto: This Folder, Subfolders and Files)
  • Domain Admins (group) - Full Control (Apply onto: This Folder, Subfolders and Files)
  • Administrator (user) - Full Control (Apply onto: This Folder, Subfolders and Files)
  • Folder Redirection Users (group) - Special - Create Folder/Append Data + List Folder/Read Data + Read Attributes + Traverse Folder/Execute File (Apply onto: This Folder Only)
What is the nfs4:mode and what commands are needed on FreeNAS for this "profiles" data share?
What are the user/group permissions for this "profiles" dataset?
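As an added worked example (not code from this thread, iXsystems or Microsoft), this sh script turns the MS NTFS table above into the NFSv4 ACEs anodos described earlier (share already set to nfs4:mode = simple, owner@ standing in for CREATOR OWNER, wbinfo to map names and SIDs to Unix ids, setfacl -a <position>) and prints the setfacl commands for review instead of applying them. It assumes the ECA short domain name, the Folder Redirection Users group and the /mnt/Storage/Profiles path from this thread; SYSTEM is skipped because it has no Unix id to map to.

```shell
#!/bin/sh
# Added example: map the MS folder-redirection NTFS ACL table to FreeBSD NFSv4
# ACEs for a FreeNAS 11.2 share that already has "nfs4:mode = simple" set
# (and winbindd HUPed). Domain name, group names and path are assumptions.

# Resolve "DOMAIN\name" to a SID (wbinfo -n), then to a uid/gid
# (wbinfo --sid-to-uid / --sid-to-gid). $RESOLVER lets a test swap in a fake lookup.
RESOLVER=${RESOLVER:-wbinfo_resolve}

wbinfo_resolve() {   # $1 = u|g, $2 = DOMAIN\name; prints the numeric id
    sid=$(wbinfo -n "$2" | cut -d' ' -f1)
    [ -n "$sid" ] || return 1
    case $1 in
        u) wbinfo --sid-to-uid "$sid" ;;
        g) wbinfo --sid-to-gid "$sid" ;;
        *) return 1 ;;
    esac
}

# One NFSv4 ACE per row of the MS table, in table order.
# Perms: full_set = every right; r=read_data, x=traverse/execute,
# p=append_data (create folder), a=read_attributes.
# Flags: f=file_inherit, d=dir_inherit, i=inherit_only; empty = this folder only.
redirection_aces() {   # $1 = domain short name
    dom=$1
    admins=$($RESOLVER g "$dom\\domain admins") || return 1
    admin=$($RESOLVER u "$dom\\Administrator") || return 1
    redir=$($RESOLVER g "$dom\\Folder Redirection Users") || return 1
    echo "owner@:full_set:fdi:allow"      # CREATOR OWNER: subfolders and files only
    # SYSTEM (S-1-5-18) has no Unix id under nfs4:mode simple, so it is skipped.
    echo "g:$admins:full_set:fd:allow"    # Domain Admins: this folder, subfolders, files
    echo "u:$admin:full_set:fd:allow"     # Administrator: this folder, subfolders, files
    echo "g:$redir:rxpa::allow"           # Folder Redirection Users: this folder only
}

# Print the setfacl commands instead of running them. Inserting at increasing
# positions keeps the on-disk order identical to the table above.
setfacl_plan() {   # $1 = domain short name, $2 = share path
    aces=$(redirection_aces "$1") || return 1
    i=0
    printf '%s\n' "$aces" | while IFS= read -r ace; do
        echo "setfacl -a $i '$ace' '$2'"
        i=$((i + 1))
    done
}

# Demo run against the thread's path, only where the winbind tools exist.
if command -v wbinfo >/dev/null 2>&1; then
    setfacl_plan ECA /mnt/Storage/Profiles
fi
```

Review the printed commands and run them as root on the FreeNAS box; getfacl on the share root afterwards should list the four entries in the same order.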
 

anodos

Sambassador
iXsystems
What is the nfs4:mode and what commands are needed on FreeNAS?

Add "nfs4:mode = simple" to _all_ of your SMB shares. Then run "service samba_server status" to get the PID for winbindd, and "kill -HUP <pid>" to force it to rebuild its cache. Make your share so that it's owned by "domain admins" and edit as you normally would.
 

Solway

Dabbler
Add "nfs4:mode = simple" to _all_ of your SMB shares. Then run "service samba_server status" to get the PID for winbindd, and "kill -HUP <pid>" to force it to rebuild its cache. Make your share so that it's owned by "domain admins" and edit as you normally would.

Sorry for being really dumb. I'm new at FreeNAS.

Is the "nfs4:mode = simple" set within the shell, or where do I add it? Ditto for the commands.

If you could list out the steps or commands, this would be great.
 

Solway

Dabbler
I've added the "nfs4:mode = simple" to Auxiliary Parameters on the SMB share.

Dataset is changed to:
user = domain/administrator
Groups = domain/domain admins

When I log into a user account, I see the redirection of My Docs and it points to the FreeNAS dataset profile. I can create files, folders etc.

But when I look at the same location on the server box in the admin account, the directory is empty???
 

anodos

Sambassador
iXsystems
I've added the "nfs4:mode = simple" to Auxiliary Parameters on the SMB share.

Dataset is changed to:
user = domain/administrator
Groups = domain/domain admins

When I log into a user account, I see the redirection of My Docs and it points to the FreeNAS dataset profile. I can create files, folders etc.

But when I look at the same location on the server box in the admin account, the directory is empty???

Right, that's because you haven't properly configured permissions for what you want to do. You need an explicit inheriting ACE for your Admin Group at the root of your share. MS has documentation on how to set this up.
 

Solway

Dabbler
Anodos

I'm not sure what I'm doing wrong. I've even put all permissions down as "Everyone"; it still didn't work.


Sharing>SMB shares

/mnt/Storage/Profiles

Name: Profiles
TICK- Browsable to Network Clients
TICK- Show Hidden Files

VFS = Streams_xattr, zfs_space, zfsacl


Services>SMB
default settings
added "nfs4:mode = Simple" to Auxiliary Parameters (then the shell command "kill -HUP <pid>" with the PID of winbindd)

Pool
permissions for mnt/Storage

ACL windows.
apply user tick = ECA/Administrator
apply group tick = ECA/domain admins

dataset
permissions for mnt/storage/profiles

ACL windows.
apply user tick = ECA/Administrator
apply group tick = ECA/domain admins


For Windows Server permissions on the Profile share etc.
Following MS settings from here (https://docs.microsoft.com/en-us/windows-server/storage/folder-redirection/deploy-folder-redirection),
I got the following:
screen.png


The client PC thinks it's connected to the share, because the profile folder redirects correctly, but no files show up when viewed from the server admin account?
 