Active Directory Permissions for Use in Windows Problems


Hello helpful forum, I'm using UnRAID version 6.9.2.

 

I have a few questions regarding file and directory permissions for UnRAID shares when using Active Directory that I wanted to ask outwardly, and I've seen similar issues brought up by others here on the forum, but not specifically the issue I'm having. Long story short for my actual questions;

  1. How may you quickly and efficiently change the permissions of the shares that already contain TBs of data for Windows users? This ISN'T the "SMB Security Settings" or "SMB User Access" that are mentioned in the settings of a share, as when you are connected to an Active Directory, it seems to me that you are unable to access the SMB shares as the UnRAID User accounts. I elaborate more below.
  2. Windows seems to manually go through each file when changing permissions for them. Is there a way to do this locally on the server with a tool like CACLS or ICACLS, as shown here? Also, I'm aware of the new permissions tool, though it doesn't suit my needs, as I'm not able to connect with those UnRAID users anyways. Also, the same applies to chmod -R 777.
    1. https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/icacls
    2. https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/cacls

 

User @CallOneTech mentions in his post (see at bottom of my post), which references a similar problem to the one I am having.

  • In the first edit, he mentions how his UNRAID is not listed anywhere on his AD Domain. For me, my UnRAID machine connected up flawlessly to my AD Domain, and was automatically listed as a computer in the domain. You can see this in my attached photo. I figured this was relevant to bring up given circumstances.
  • In his second edit, he mentions how his connection to AD is broken, but that UnRAID doesn't seem to know this. I believe I am having a similar issue, though not all of the time. To elaborate, I've attached a video of me changing file permissions on a folder in one of my shares, and you can clearly see that it WAS working, but then suddenly the domain groups stop appearing correctly, and show as a string of characters, and then the permissions changing stops, without giving me any sort of error. I also checked in the webGUI, and connection to the active directory domain was listed as "joined", which is as it should be. This makes it impossible for me to change permissions on large datasets via windows explorer, as it simply won't finish without stopping partway through. 

 

This brings me to the first question I posed at the top. The goal is to set permissions for my active directory domain groups and users, though I'm incapable of changing them, and I'm incapable of accessing the files using the UnRAID Users. I verified the passwords of my UnRAID users, and then attempted to connect with the credentials set as "domain/user" and its password, in this case, "Sedona/IT", with the appropriate password, though it does not allow me to connect. I tried these things as fixes for that connection problem;

  1. Disconnected my personal computer from all of the shares on Sedona. My reasoning is because of the reference under "Windows 'Gotcha'" at the bottom of the page on the UnRAID manual, here: https://wiki.unraid.net/Manual/Shares#Network_access
  2. Went to Windows "Credential Manager", and deleted the credentials that I had for Sedona, so that I may enter them fresh again when I go to connect.
  3. Connected using the various inputs in the "user" field, such as "Sedona/IT", and "IT". None of them work, and if I don't specify that I'm trying to connect to "Sedona" in that user field, it defaults to trying to use my domain as the login. I'm not sure if I'm missing something, and I haven't been able to find someone who's had the same problem as me, as it's niche.

 

 

Edited by Evenimous
adding more content, and proofreading my rough draft to make it flow better, be more concise, and make more sense.
Update;

 

1.) I have checked over all of the DNS configuration for my UnRAID computer, as I figured that could be a culprit for the weird behavior.

  • The static IP address, the subnet mask, the network protocol settings, the default gateway, and the DNS servers are all set correctly. These are the only things that I have changed from their default values from when I installed the OS, so all is well here.
  • When doing some testing regarding DNS, I found that my UnRAID computer is unable to DNS lookup the *name* of the DNS server, though it is perfectly capable of using the IP address of the server. I will look more into this, as I believe you need both to be functional for Active Directory to work appropriately.

2.) I moved and/or deleted all of the data that was in the problem shares out of the share, and then I tried changing the permissions of the share again. I did this from my domain administrative login, as I previously granted domain admins full control of the share. I was unable to, though not in an authoritarian, "you are not allowed" way, but rather that it *looks* as though it has completed and worked, though when you go to check, it hasn't actually done anything. I recorded a video of this, so that I may show it here. You will also notice that it takes an incredibly long time for the security settings to load, as I'm not able to click "edit" in the file explorer window. I believe this is because of the DNS issue I mention above.

Update 2;

 

1.) After doing some testing, I realized that it's not necessarily that the changes won't propagate, but rather that I don't think UnRAID is capable of setting the "modify" only permission with this user group via the file explorer interface. You can see an example of this with me trying to apply that setting to a brand new share, and a brand new user group. I have attached a video below.

 

2.) I went through and reset the DNS configuration to default, then created it again, and rejoined it to the domain. All seems to be working well now, and I'm able to freely speak through DNS IPv4. You'll notice how it's nearly instant now when I open the security tab for my share in file explorer, rather than having that long loading screen from before.

 

Notes regarding what I learned;

  • UnRAID seems to REALLY dislike secondary domain controllers. With the secondary domain controller listed, it didn't seem to want to work, regardless of whether or not it was set as the first or second DNS server. I have, for the time being, fallen back to using my PDC as the primary DNS server, and my router as the third DNS server. This is a little bit of a bummer since I don't have redundancy now.
  • AD Domains, at least modern ones, seem to primarily want to speak over IPv6. When I do anything domain related from my Windows box, it seems to be speaking over IPv6, though whenever anything domain related is done over the UnRAID box, it only has IPv4 available and set for DNS servers, so it only speaks via IPv4.
  • Solution

I just want to be done with this thread, so I'll say what I'm doing to get around this here, and mark it as my solution. I already know this will work, but I wanted to learn a more proper way to do this, hence the rabbit hole I went down. If anybody ever finds a solution to this problem, please leave a reply on this thread for others to see.

 

I'm genuinely disappointed with the Active Directory implementation in UnRAID. I love the operating system for what it is, and everything aside from these permissions has been a breeze. Setup was easy, configuring plugins was easy, the forum is very helpful, and everything is documented in a way that makes it easy to understand. I didn't really have a better alternative that wouldn't have been some ungodly expensive Microsoft product, so it was worth a shot. Regardless, here's what I'm going to do;

  1. I'm unable to access my files when the "root" user creates them with any commands like rsync, and I'm not aware of a way to log in as an active directory user in the terminal, since I can't log in as my UnRAID users, so I'll be doing the sinful method of transfer with file explorer one transfer at a time to make sure ownership is from my active directory account. I have approx 6.8TB of data, though a lot of it is in computer images, which tend to be larger in size, so almost half of the data will write sequentially, so it shouldn't be too awful in practice, just tedious.
  2.  Create new shares and start fresh for those, to ensure that permissions aren't borked from my previous activity on them. I'm probably not going to copy all of my old data, as this is a great opportunity to organize and get rid of what I don't need.
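
Added example, not part of the original posts: it assumes the "string of characters" shown in the Security tab is a raw SID, which is what Windows displays when a principal cannot be translated to a name. The Python below sorts ACL principals into domain accounts whose name was not resolved and Samba's S-1-22 entries for local POSIX ids, such as files written by root; the domain SID and sample entries are constructed placeholders.

```python
import re

# Constructed placeholder: substitute the domain SID of your own AD domain.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)+)$")

def classify_sid(entry, domain_sid=DOMAIN_SID):
    """Return (kind, detail) for one principal string from an ACL listing."""
    m = SID_RE.match(entry.strip().upper())
    if not m:
        return ("resolved-name", entry)          # already shown as a name
    authority = int(m.group(1))
    subs = [int(s) for s in m.group(2).lstrip("-").split("-")]
    # Samba reports POSIX ids that have no Windows identity under S-1-22:
    # S-1-22-1-<uid> is a Unix user, S-1-22-2-<gid> is a Unix group.
    if authority == 22 and len(subs) == 2 and subs[0] in (1, 2):
        if subs[0] == 1:
            return ("unix-user", f"uid={subs[1]}")
        return ("unix-group", f"gid={subs[1]}")
    # Account SIDs are S-1-5-21-<three sub-authorities>-<RID>.
    if authority == 5 and len(subs) == 5 and subs[0] == 21:
        base = "S-1-5-21-" + "-".join(str(s) for s in subs[1:4])
        kind = "domain-account" if base == domain_sid.upper() else "other-account"
        return (kind, f"rid={subs[4]}")
    return ("well-known-or-other", entry)

def triage(entries, domain_sid=DOMAIN_SID):
    """Group ACL principals by kind so the cause of raw SIDs is visible."""
    report = {}
    for entry in entries:
        kind, detail = classify_sid(entry, domain_sid)
        report.setdefault(kind, []).append(detail)
    return report

# Constructed sample of principals as an ACL editor might list them.
SAMPLE = [
    "EXAMPLE\\Domain Admins",                           # name resolved
    "S-1-5-21-1111111111-2222222222-3333333333-1105",   # domain SID, no name
    "S-1-22-1-0",                                       # POSIX uid 0 (root)
    "S-1-22-2-100",                                     # POSIX gid 100
    "S-1-5-32-544",                                     # BUILTIN\Administrators
]

if __name__ == "__main__":
    for kind, details in triage(SAMPLE).items():
        print(f"{kind:20} {details}")
```

A `domain-account` entry points at SID-to-name lookup against the domain failing, while `unix-user` or `unix-group` entries point at ownership by a local POSIX id that has no domain mapping.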
  • 1 month later...
On 9/1/2022 at 4:19 PM, Evenimous said:

I just want to be done with this thread, so I'll say what I'm doing to get around this here, and mark it as my solution. I already know this will work, but I wanted to learn a more proper way to do this, hence the rabbit hole I went down. If anybody ever finds a solution to this problem, please leave a reply on this thread for others to see.

 

I'm genuinely disappointed with the Active Directory implementation in UnRAID. I love the operating system for what it is, and everything aside from these permissions has been a breeze. Setup was easy, configuring plugins was easy, the forum is very helpful, and everything is documented in a way that makes it easy to understand. I didn't really have a better alternative that wouldn't have been some ungodly expensive Microsoft product, so it was worth a shot. Regardless, here's what I'm going to do;

  1. I'm unable to access my files when the "root" user creates them with any commands like rsync, and I'm not aware of a way to log in as an active directory user in the terminal, since I can't log in as my UnRAID users, so I'll be doing the sinful method of transfer with file explorer one transfer at a time to make sure ownership is from my active directory account. I have approx 6.8TB of data, though a lot of it is in computer images, which tend to be larger in size, so almost half of the data will write sequentially, so it shouldn't be too awful in practice, just tedious.
  2.  Create new shares and start fresh for those, to ensure that permissions aren't borked from my previous activity on them. I'm probably not going to copy all of my old data, as this is a great opportunity to organize and get rid of what I don't need.

I have very little additional advice - I just wanted to throw you my support behind your frustration with AD integration. It seems to work great when you initially configure it but if anything goes wrong fixing it seems near impossible. I'm seriously thinking I made a big mistake going with unraid for my fileserver; may be moving to FreeNAS in the near future.

Good luck!
