Multiple Authentication methods simultaneously (AD and local)


JayG30

Contributor
Joined
Jun 26, 2013
Messages
158
Hello everyone,

I have a question regarding authentication methods. I currently have a freenas box in a production environment where all users and groups are "local" and use unix permissions. We have been just setting the passwords to be the same as the windows logins so that it automatically logs users into the CIFS shares.

We have now set up a more permanent location and an actual network. With this I've begun the implementation of samba4 as our AD environment, which led me to wanting to change freenas to sync with our AD for usernames/passwords, and also to move to ACL based permissions.

So the first question I have is, can I have both AD and local accounts work at the same time to access the CIFS shares? The usernames are going to be the same (first initial, last name) and the password will actually be the same for both types of accounts in most situations. I was thinking if I could run both together perhaps it would allow me time to get the AD authentication working while users could still access the accounts with their local logins.

Second question is would permissions to all the CIFS shares need to be reconfigured because the accounts are now AD instead of local? Like I said, the account names and group names would be the same as the local accounts were. And also, would it be possible to change to ACL permissions at this point?

Thanks for any help
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
You can mix AD and local accounts, but I will warn you it doesn't work "quite right". To be short, unless you are willing to be a guinea pig and experiment at your own pace just stick to AD accounts.

As for permissions, yes, they will have to be reconfigured. You could probably script something to handle the conversion, but it's probably one of those things that "if you have to ask you probably can't do it".

If I were you I'd suck it up, move to AD, and redo the ACLs to properly reflect the AD user accounts. Does it suck? Yes. But that's probably the least painful way of handling the situation.
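As an added illustration of the "script the conversion" idea above (example code, not from the thread or from FreeNAS): a dry-run planner that pairs each local account with the AD account of the same name, reports which local accounts have no AD counterpart (the people who would lose access after the switch), and lists the ownership changes that would be needed. The domain name, UIDs and file list are constructed sample data; the same parser works for group files because the numeric id is the third field in both.

```python
from typing import Dict, List, Tuple

# Constructed sample data: local FreeNAS accounts as in /etc/passwd, and the
# same people as AD accounts the way winbind shows them via `getent passwd`.
# Domain, names and UIDs are assumptions made for this example.
LOCAL_PASSWD = """\
root:*:0:0:Charlie &:/root:/bin/csh
jsmith:*:1001:1001:J Smith:/nonexistent:/usr/sbin/nologin
bjones:*:1002:1001:B Jones:/nonexistent:/usr/sbin/nologin
scanner:*:1003:1003:Copier:/nonexistent:/usr/sbin/nologin
"""
AD_PASSWD = """\
EXAMPLE\\jsmith:*:20001:20000:J Smith:/home/EXAMPLE/jsmith:/bin/sh
EXAMPLE\\bjones:*:20002:20000:B Jones:/home/EXAMPLE/bjones:/bin/sh
"""


def parse_id_file(text: str) -> Dict[str, int]:
    """Map account (or group) name -> numeric id; strips a DOMAIN\\ prefix."""
    ids: Dict[str, int] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        name = fields[0].split("\\")[-1].lower()
        ids[name] = int(fields[2])
    return ids


def build_id_map(local: Dict[str, int], ad: Dict[str, int]) -> Tuple[Dict[int, int], List[str]]:
    """Pair local ids with AD ids by identical name (first initial + last name).

    Returns (local_id -> ad_id, names of local accounts with no AD match).
    Ids below 1000 are system accounts and are left alone.
    """
    mapping: Dict[int, int] = {}
    unmatched: List[str] = []
    for name, local_id in local.items():
        if local_id < 1000:
            continue
        if name in ad:
            mapping[local_id] = ad[name]
        else:
            unmatched.append(name)
    return mapping, unmatched


def plan_chown(id_map: Dict[int, int], files: Dict[str, int]) -> List[Tuple[str, int, int]]:
    """Dry run: (path, old_id, new_id) for every file owned by a migrated local id."""
    return [(path, uid, id_map[uid]) for path, uid in files.items() if uid in id_map]
```

Run the planner on a real `find ... -printf` listing before switching the box to AD; anything in the unmatched list needs an AD account created (or a decision) first.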
 

JayG30

Contributor
Joined
Jun 26, 2013
Messages
158
Thanks. That is along the lines of what I thought.

My only concern is will there be any conflict between the two types of accounts since they will have the same usernames and passwords? Or will it be smart enough to distinguish the two?

I'm still slowly moving users/computers over to the domain. So I'd like people to still be able to login to the shares using the local freenas accounts and work as normal until I get the AD sync working, move everyone to AD, and setup the permissions for the new AD accounts.
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
Yeah, there is no way to migrate over to AD over time. You're going to have to flip the switch to AD and do all the migration at once. :(

I could be mistaken, but once you switch over to AD Samba will basically ignore local users with a UID over 999.
 

JayG30

Contributor
Joined
Jun 26, 2013
Messages
158
Ok. So then I guess my plan of action will have to be, get all computers/users on the AD domain first, then deal with setup and migration of freenas to use AD.
I was sort of hoping I could "test" it out for a bit with a small group of users while the rest continued to do things the same as they do now, then if all went well migrate the rest. But it sounds like this could lead to some problems.

If I was to attempt to set up freenas to use AD during off hours and am unable to get it working 100% in the allotted time, could I just turn the service off and fall back to using local accounts until another off-hour window was available to work on it again? There are only two things that concern me that I'm trying to plan to prevent: people not having access when they need it, and completely destroying the data.


All of it is moot right now because I have to move the freenas server onsite first! At the time of setup I had to place it at a remote location along with a client/server OpenVPN setup. So freenas won't be able to see or resolve my AD right now.

Just getting my plan situated right now so I can get it done as quickly and with as little downtime as possible.
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
> If I was to attempt to set up freenas to use AD during off hours and am unable to get it working 100% in the allotted time, could I just turn the service off and fall back to using local accounts until another off-hour window was available to work on it again? There are only two things that concern me that I'm trying to plan to prevent: people not having access when they need it, and completely destroying the data.

Assuming that the permissions for both the AD users and the local users exist, yes. But that's going to be harder to do than you might think.

To be honest, I still stand by my comment above about going all-in and being done with it. Most things with file servers are "all-in" or "all-out". This is why you test it in a lab first so you don't lose your job when 1/2 the company can't get their work done. :P

Or simply move everyone to AD, make it a free for all and tell people to move their own data. Of course, this may not be legal, practical, or even possible for your company.
 