[SOLVED] AD Group Permissions not recognized on NAS4FREE Shares

Authenticating XigmaNAS users using Active Directory or NT PDC

#1

Post by Jdo300 » 22 Oct 2017 22:44

Hello All,

I have set up a SAMBA Active Directory Server and I connected it to my NAS4FREE file server (build 11.0.0.4). I have the Active Directory connection working great. I can mount the shares using the AD server and my users can browse shares on the attached NAS4FREE share drive. BUT I'm having some issues with the NTFS share permissions for Active Directory Security Groups.

To troubleshoot this issue, I created three virtual machines: one for the SAMBA AD server, one for the NAS4FREE file server, and one for a test Windows 10 client to log in to the domain.

After setting everything up, from within the NAS4FREE GUI, I created a share \\NAS4FREE\DATA-ROOT. Inside this share, I added two folders for the experiment. One is "Engineering", and the second is "Management". I then created two more shares: one to map directly to the Engineering folder, and one for the Management folder.

I then logged into my Windows 10 test box under the AD admin account and mapped a new network drive directly to the DATA-ROOT share. I set the Share permissions for the folder to the following:

Everyone - Full Control

I then set the NTFS permissions for the DATA-ROOT Folder to the following:

"Domain Admins" - Full Control - This Folder, Subfolders, and Files
"Domain Users" - Read & Execute - This Folder Only

I then went to the Engineering subfolder and added the following NTFS permission

"Engineering" - Full Control - This Folder, Subfolders, and Files.

Ok, so now my test file structure is set up. In my test Active Directory, I created a user (Jason in this case), and assigned the user to the Engineering Global Security Group. I then logged into the Windows 10 box as the Jason user, and mapped a network drive to the same DATA-ROOT folder. As expected, I could see the Engineering folder and not the Management folder.

Now here is where things get weird. Under my Jason user, I can open the Engineering folder and subfolders, rename files, and delete files. However, if I, let's say, create a new text file, open it, type some text, and then attempt to save it, I get an Access Denied error saying that the file is marked read only. However, I gave all users in the Engineering group Full Control of the folder and all files and folders inside. I'm not sure what is going on.

Now, if I simply add the Jason user directly to the Engineering folder and give it "Full Control - This Folder, Subfolders, and Files", then everything magically works and I can save files that I open to modify.

I'm wondering if there could be any settings in NAS4FREE that could be affecting this behavior? One thing I noticed is that when I go to the Information page on the NAS4FREE GUI and click on "MS Domain", it only lists the Active Directory users, but not any of the groups. Could it be that N4F is not properly recognizing permissions for Active Directory security groups? If not, any other ideas about what could be wrong here?

Thanks,
Jason O
Last edited by Jdo300 on 13 Nov 2017 23:12, edited 1 time in total.


Re: AD Group Permissions not recognized on NAS4FREE Shares

#2

Post by Jdo300 » 13 Nov 2017 23:06

OK. After putzing around with this for several weeks, I finally found the issue. It was not the AD groups themselves that were broken. It was a problem with the ACL and DOS attribute settings, which were not being properly saved when new files were created in the folders. For anyone else out there who runs into this problem, I changed the following settings to fix it:

1. Change the "ACL Inherit" setting (under Disks > ZFS > Datasets > Dataset > Edit Dataset) to "Passthrough - Inherit all entries" to allow the Write and change owner Permission to be inherited for new files. Make sure that you make the changes for all datasets that need Active Directory ACL support.

2. Change the "ACL mode" setting (under Disks > ZFS > Datasets > Dataset > Edit Dataset) to "Passthrough - Do not change ACL" to allow the Write and change owner Permission to be inherited for new files. Again, make sure that you make the changes for all datasets that need Active Directory ACL support.

3. Finally, go to Services > CIFS/SMB > Advanced Settings (bottom section) > Store DOS Attributes = TRUE.

All my users and group permissions are working normally now! NOTE: This applies to NAS4FREE version 11.0.0.4.

- Jason O
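A way to audit the three settings from the post above from the NAS shell, as an added example that is not part of the original post. It assumes the GUI options correspond to the ZFS properties `aclinherit=passthrough` and `aclmode=passthrough` and to the smb.conf parameter `store dos attributes`; the dataset names and sample input are constructed.

```shell
#!/bin/sh
# Assumption: GUI "ACL Inherit"/"ACL mode" map to the ZFS properties
# aclinherit/aclmode; dataset names below are constructed samples.

# stdin: output of `zfs get -H -o name,property,value aclinherit,aclmode`
# (tab-separated). Prints every dataset/property that is not passthrough.
audit_zfs_acl() {
    awk -F '\t' '
        ($2 == "aclinherit" || $2 == "aclmode") && $3 != "passthrough" {
            printf "%s: %s=%s (want passthrough)\n", $1, $2, $3
        }'
}

# stdin: smb.conf text. Prints enabled/disabled/unset for the last
# "store dos attributes" line; names and values are case-insensitive.
smb_store_dos_attributes() {
    awk '
        /^[ \t]*[#;]/ { next }                      # skip comment lines
        {
            line = tolower($0)
            if (line ~ /^[ \t]*store[ \t]+dos[ \t]+attributes[ \t]*=/) {
                sub(/^[^=]*=[ \t]*/, "", line)      # keep the value only
                sub(/[ \t]+$/, "", line)
                val = line
            }
        }
        END {
            if (val == "yes" || val == "true" || val == "1") print "enabled"
            else if (val == "") print "unset"
            else print "disabled"
        }'
}

# Constructed sample inputs so the script runs without a ZFS pool.
sample_zfs() {
    printf 'tank/data\taclinherit\tpassthrough\n'
    printf 'tank/data\taclmode\tdiscard\n'
    printf 'tank/eng\taclinherit\trestricted\n'
    printf 'tank/eng\taclmode\tpassthrough\n'
}
sample_smb() {
    printf '[global]\n; store dos attributes = no\n'
    printf '   Store DOS Attributes = Yes\n'
}

sample_zfs | audit_zfs_acl
echo "store dos attributes: $(sample_smb | smb_store_dos_attributes)"
# On the NAS itself: zfs get -H -o name,property,value aclinherit,aclmode | audit_zfs_acl
```

Each dataset it reports can be corrected with `zfs set aclinherit=passthrough <dataset>` or `zfs set aclmode=passthrough <dataset>`, which should match what the GUI change does under the assumption above.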


Re: [SOLVED] AD Group Permissions not recognized on NAS4FREE Shares

#3

Post by BodgeIT » 16 Dec 2017 10:33

Thanks Jason, v useful. I have a similar setup and was also having issues so I've adjusted my settings accordingly and will test.
I hadn't had the time to work through the issue so #timesaver!
NAS4Free: 11.2.0.4 - Atomics (rev: 6315) amd64-embedded
Mobo: Supermicro X9SCL-F, CPU: Xeon E3-1230v2; RAM: Crucial 32GB ECC
System: IBM M1015it SAS controller(SAS2008 v20); Intel Dual 1Gb Server Nic; Zalman 600W PSU;

Storage: Raidz1(3x WD Red 3TB), Raidz1(3x WD Red 2TB), UFS(1x 0.5TB) Utility disk, 64Gb SSD Transcode disk
