TrueNAS Scale: issue setting up home NFS share for AD users

eepha0UC
Cadet | Joined: Sep 22, 2022 | Messages: 4
Hi,

I'm trying to set up a home NFS share for AD users. The TrueNAS Scale system has been joined to the Active Directory and it has a "home" dataset where I would like the home folders to be automatically created for all domain users (when they first log in). I've set an ACL on the dataset to allow connections from domain users:

```
root@aspmnas01[/mnt/StoragePool]# getfacl /mnt/StoragePool/home
getfacl: Removing leading '/' from absolute path names
# file: mnt/StoragePool/home
# owner: root
# group: root
user::rwx
group::r-x
group:ALL\cluster\040users:rwx
mask::rwx
other::r-x
```

However, the ACL rules are not preserved when I mount the NFS share on a remote Linux system:

```
[admin@ad-test ~]$ getfacl /mnt/nfs/home
getfacl: Removing leading '/' from absolute path names
# file: mnt/nfs/home
# owner: root
# group: root
user::rwx
group::rwx
other::r-x
```

Also, the domain user IDs seem to differ between the TrueNAS and Linux systems.

Any advice on how to set up this type of configuration would be greatly appreciated. The idea would be to have a home dataset in TrueNAS Scale where user folders can be created (domain users only) and mounted through NFS on different Linux systems. ACLs will be set on that dataset to enforce certain permissions coming from groups defined in the domain server. Also, any hints on how to automatically initialize the user home directories on first login (say from an SSH connection on the Linux machine) would be appreciated.

Many thanks

anodos
Sambassador, iXsystems | Joined: Mar 6, 2014 | Messages: 9,554
The correct tool for reading an NFSv4 ACL from an NFS client is `nfs4_getfacl`. IIRC the NFS client in Linux does not have an xattr handler for POSIX ACLs. If this is an NFSv3 mount then ACLs aren't supported.

anodos

> Also, the domain user IDs seem to differ between the TrueNAS and Linux systems.

This is because as an admin the onus is on you to determine how you're going to map Unix IDs in AD. Are you using LDAP schema extensions (RFC2307, MS-SFU, etc)? Are you just using the algorithmic backend for SSSD? What software are you using to join other Linux systems to AD? We have configurable idmap backends in our product, but in general you should probably read up on such things and plan it out accordingly.

eepha0UC

Thanks @anodos; your response to my post is much appreciated. It was really helpful.

Regarding the differences in the TrueNAS Scale vs our Linux system UID mapping: after enabling SSSD Compat in the idmap configuration in TrueNAS we are now able to match the UIDs on both systems. On TrueNAS we are using the default backend (RID), and on the Linux system we are using realm to join (as described in https://docs.rockylinux.org/guides/security/authentication/active_directory_authentication/).

Regarding the ACL issue: both NFSv4 and `NFSv3 ownership model for NFSv4` are enabled in TrueNAS. On the Linux system, I've installed `nfs4-acl-tools` to run `nfs4_getfacl` but we are still having the same issue.

TrueNAS Scale:
```
root@aspmnas01[~]# getfacl /mnt/StoragePool/home
getfacl: Removing leading '/' from absolute path names
# file: mnt/StoragePool/home
# owner: root
# group: root
user::rwx
user:DOMAIN\user:rwx
group::r-x
mask::rwx
other::r-x
```

Linux (Rocky Linux 8.6):
```
[admin@ad-test nfs]$ nfs4_getfacl /mnt/nfs/home
# file: /mnt/nfs/home
A::OWNER@:rwaDxtTcCy
A::GROUP@:rxtcy
A::EVERYONE@:rxtcy
```
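As an added example (not code from the thread or from TrueNAS), a small Python checker that parses the two listings above: it applies the POSIX mask the way the kernel does, folds NFSv4 ACEs down to rwx with first-match-per-bit semantics, derives the plain mode a client without ACL support would show (group bits are the mask, which is why the first post's client saw `group::rwx`), and lists the named principals that never reach the client. The sample input is constructed from the thread's listings; no real mount is touched.

```python
import re

# Constructed sample input: the POSIX ACL getfacl printed on the TrueNAS dataset
# (the thread's two listings folded together) and the client's nfs4_getfacl output.
SERVER_POSIX_ACL = ("user::rwx\nuser:DOMAIN\\user:rwx\ngroup::r-x\n"
                    "group:ALL\\cluster\\040users:rwx\nmask::rwx\nother::r-x\n")
CLIENT_NFS4_ACL = "A::OWNER@:rwaDxtTcCy\nA::GROUP@:rxtcy\nA::EVERYONE@:rxtcy\n"

def _posix_entries(text):
    """Yield (tag, name, perms) from getfacl output; names escape spaces as \\040."""
    for line in text.splitlines():
        if line and not line.startswith(("#", "default:")):
            tag, name, perms = line.split(":", 2)
            yield tag, re.sub(r"\\([0-7]{3})", lambda m: chr(int(m[1], 8)), name), perms

def parse_posix_acl(text):
    """{principal: effective rwx}; the mask caps every entry except owner and other."""
    acl, ents = {}, list(_posix_entries(text))
    mask = {t: p for t, n, p in ents if not n}.get("mask", "rwx")
    for tag, name, perms in ents:
        if tag == "mask":
            continue
        capped = "".join(a if a == b else "-" for a, b in zip(perms, mask))
        if tag in ("user", "other") and not name:
            acl["OWNER@" if tag == "user" else "EVERYONE@"] = perms
        else:
            acl["GROUP@" if not name else f"{tag}:{name}"] = capped
    return acl

def parse_nfs4_acl(text):
    """{principal: rwx} from nfs4_getfacl; per bit, the first Allow/Deny ACE wins."""
    granted, denied = {}, {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            kind, flags, who, perms = line.split(":", 3)
            if who not in ("OWNER@", "GROUP@", "EVERYONE@"):
                who = ("group:" if "g" in flags else "user:") + who
            bits = {c for c in "rwx" if c in perms}  # read, write data, execute
            g, d = granted.setdefault(who, set()), denied.setdefault(who, set())
            (g if kind == "A" else d).update(bits - (d if kind == "A" else g))
    return {w: "".join(c if c in g else "-" for c in "rwx") for w, g in granted.items()}

def mode_from_posix_acl(text):
    """What a client with no ACL support sees: the group bits of st_mode are the mask."""
    raw = {t: p for t, n, p in _posix_entries(text) if not n}
    return raw["user"] + raw.get("mask", raw["group"]) + raw["other"]

def missing_on_client(server_text, client_text):
    """Server ACL principals that the client-side NFSv4 ACL never names."""
    client = parse_nfs4_acl(client_text)
    return {p: v for p, v in parse_posix_acl(server_text).items() if p not in client}
```

Run `missing_on_client` on the real outputs of both commands to see which AD users and groups the client is actually missing, rather than eyeballing the two listings.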

anodos

How are you mounting the share on the Linux side?

eepha0UC

apologies;

```
[admin@ad-test ~]$ sudo umount /mnt/nfs/home
[admin@ad-test ~]$ sudo mount -av
...
mount.nfs: timeout set for Fri Sep 23 17:14:23 2022
mount.nfs: trying text-based options 'vers=4.2,addr=IP_ADDR,clientaddr=IP_ADDR_CLIENT'
/mnt/nfs/home            : successfully mounted
```