Set SMB share permissions correctly for Active Directory connection



Hello,

 

I have the following setup:

An Unraid server is joined to a domain as a member.

 

"Administrator" is specified as the "AD initial user".

"Domain-admins" is specified as the "AD initial group".

 

When this setting is applied, all shares under /mnt/user are given the owner "administrator", the group "domain-admins" and the permissions "rwxrwxrwx".

 

In addition to the Unraid default shares, I have created a "Lehrer" share and a "Schueler" share.

Only teachers should have write access to the "Lehrer" share. However, a service user "Scan" should be able to store files in its subfolder "Scan".

Teachers should have write access to the "Schueler" share. Pupils should only see a subfolder "General", to which they should have read rights, and a folder for their own class, to which they should have write rights.

 

At the same time, the shares are integrated as external shares in a Nextcloud docker.

 

From Windows, I can then access the shares with the user "Administrator" and assign further permissions via "Properties" -> "Security".

In the standard configuration, everyone has access everywhere.

To restrict this, I change the group for the share "Lehrer" in Unraid to the AD group "Lehrer", and for the share "Schueler" to the AD group "Schueler". The rights are set recursively to "rwxrwx---".

I then assign more granular permissions from Windows.

With the SMB extras

hide unreadable = yes
access based share enum = yes

I was able to activate the access-based enumeration and thus only display the folders for the users who have the corresponding permissions.

 

Otherwise, however, the configuration only works to a limited extent.

With this variant, the members of the AD group "Lehrer" do not have access to the share "Schueler".

In addition, the shares can no longer be accessed in Nextcloud.

 

If I change the group to "users", the shares can be accessed in Nextcloud again.

With this variant, however, students and teachers can no longer access the shares.

 

If I remove the default users and groups from the security properties of the share in Windows, these permission entries always remain:

[screenshot: grafik.png, the remaining permission entries]

If, for example, the AD group "Lehrer" is given the "Change" permission on the "Lehrer" share, "Full access" appears instead of "Change" after "Apply". The teachers still have no access to the share, however.

 

I have already made the request in the German-speaking part of the forum.
You can find more information there:

 

What do I have to configure so that the shares and the respective subfolders can be accessed from the defined AD groups as well as from Nextcloud Docker?

 

Edited by psychofaktory
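Both failures described in the post follow from how Linux evaluates a directory's mode bits: a directory has exactly one owning group, and a user who is not the owner and not in that group is judged as "other" (no fall-through from a non-matching group). POSIX ACLs are the filesystem-level way to give a second group or a service account its own entry. The following is an added example, not code from the post, Unraid or Samba: it models that evaluation, first with plain mode bits as the post set them, then with ACL entries per folder, and emits the matching setfacl commands. The account names, the class group "klasse-5a" and the uid the Nextcloud container runs as ("www-data") are assumptions.

```python
"""
Added example (not from the post or from Unraid/Samba): a model of how Linux
evaluates access, with plain mode bits and then with POSIX ACL entries, run
over the share layout the post describes. Accounts, the class group and the
Nextcloud container uid (www-data) are constructed/assumed.
"""
from dataclasses import dataclass, field


def perms(s):
    """'rwx' / 'r-x' -> set of granted letters."""
    return {c for c in s if c in "rwx"}


@dataclass
class Node:
    """One directory: classic owner/group/mode plus optional ACL entries."""
    owner: str
    group: str
    mode: str                       # nine chars, e.g. "rwxrwx---"
    acl_users: dict = field(default_factory=dict)   # name -> "rwx"
    acl_groups: dict = field(default_factory=dict)  # name -> "r-x"
    mask: str = "rwx"               # ACL mask, applied when extended entries exist

    def has_acl(self):
        return bool(self.acl_users or self.acl_groups)


def check(node, user, groups, want):
    """True if `user` (member of `groups`) is granted every letter in `want`."""
    want = perms(want)
    owner_p, group_p, other_p = (perms(node.mode[i:i + 3]) for i in (0, 3, 6))
    mask = perms(node.mask) if node.has_acl() else perms("rwx")
    if user == node.owner:                      # 1. owner class
        return want <= owner_p
    if user in node.acl_users:                  # 2. named user entry
        return want <= (perms(node.acl_users[user]) & mask)
    matched = []                                # 3. owning group + named groups
    if node.group in groups:
        matched.append(group_p & mask)
    matched += [perms(p) & mask for g, p in node.acl_groups.items() if g in groups]
    if matched:
        # Any one matching group entry that grants `want` suffices; if none
        # does, access is denied. It never falls through to "other".
        return any(want <= p for p in matched)
    return want <= other_p                      # 4. other class


# Constructed accounts: the AD groups the post names, plus one class group.
USERS = {
    "frau.mueller": {"lehrer"},
    "max": {"schueler", "klasse-5a"},
    "scan": set(),
    "www-data": set(),      # assumed: uid of the Nextcloud container, no AD groups
}


def scenario_chmod_only():
    """The post's variants: group set to an AD group (or 'users'), mode rwxrwx---."""
    lehrer = Node("administrator", "lehrer", "rwxrwx---")
    schueler = Node("administrator", "schueler", "rwxrwx---")
    schueler_users = Node("administrator", "users", "rwxrwx---")
    t_g = USERS["frau.mueller"]
    return {
        "teacher writes Lehrer": check(lehrer, "frau.mueller", t_g, "rwx"),
        "scan writes Lehrer/Scan": check(lehrer, "scan", USERS["scan"], "wx"),
        "teacher writes Schueler": check(schueler, "frau.mueller", t_g, "rwx"),
        "nextcloud reads Schueler": check(schueler, "www-data", USERS["www-data"], "rx"),
        "teacher writes Schueler (group users)": check(schueler_users, "frau.mueller", t_g, "rwx"),
    }


def scenario_acl():
    """Same tree with one owning group and extra ACL entries per directory."""
    scan = Node("administrator", "lehrer", "rwxrwx---", acl_users={"scan": "rwx"})
    schueler = Node("administrator", "lehrer", "rwxrwx---",
                    acl_users={"www-data": "rwx"}, acl_groups={"schueler": "r-x"})
    general = Node("administrator", "lehrer", "rwxrwx---", acl_groups={"schueler": "r-x"})
    klasse_5a = Node("administrator", "lehrer", "rwxrwx---", acl_groups={"klasse-5a": "rwx"})
    klasse_5b = Node("administrator", "lehrer", "rwxrwx---", acl_groups={"klasse-5b": "rwx"})
    max_g, t_g = USERS["max"], USERS["frau.mueller"]
    return {
        "scan writes Lehrer/Scan": check(scan, "scan", USERS["scan"], "wx"),
        "teacher writes Schueler": check(schueler, "frau.mueller", t_g, "rwx"),
        "nextcloud writes Schueler": check(schueler, "www-data", USERS["www-data"], "rwx"),
        "pupil reads General": check(general, "max", max_g, "rx"),
        "pupil writes General": check(general, "max", max_g, "wx"),
        "pupil writes own class": check(klasse_5a, "max", max_g, "rwx"),
        "pupil reads other class": check(klasse_5b, "max", max_g, "rx"),  # ABE then hides it
    }


def setfacl_commands(path, node):
    """setfacl syntax for a Node's extra entries; -d adds matching default entries
    so new subfolders inherit them. Whether /mnt/user (Unraid's FUSE user-share
    mount) honours ACLs is not established here: verify with getfacl first."""
    entries = [f"u:{u}:{p}" for u, p in node.acl_users.items()]
    entries += [f"g:{g}:{p}" for g, p in node.acl_groups.items()]
    if not entries:
        return []
    spec = ",".join(entries)
    return [f"setfacl -m {spec} {path}", f"setfacl -d -m {spec} {path}"]


if __name__ == "__main__":
    for name, fn in (("chmod only", scenario_chmod_only), ("with ACLs", scenario_acl)):
        print(f"== {name} ==")
        for k, v in fn().items():
            print(f"  {k:40s} {'allowed' if v else 'DENIED'}")
```

The chmod-only scenario reproduces the post exactly: with group "Schueler" the teacher and the container uid land in "other" (---) and are denied, and with group "users" the AD accounts are denied for the same reason. Access-based enumeration only hides what the filesystem already denies; it cannot grant anything, which is why the folders disappeared without the access problem going away.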

Many thanks for the tip about the bug report.

The solution explained there sounded promising.
I have applied it accordingly.

Unfortunately, however, this resulted in some unattractive changes:

  • the UNIX permissions of all directories were changed to owner:administrator and group:domain-admins, including those of the appdata directory.
  • before, despite the domain join, I could create local Unraid users and give them permissions on the shares. After the adjustment, however, the locally created users no longer had access to the shares.
  • when I then wanted to remove a locally created user and add it again, I unfortunately found that the user could no longer be added.
  • I then wanted to leave the domain in order to be able to rejoin it. However, I discovered that I could no longer leave the domain because the "Leave" button had no function.

 

What a terrible mess with the SMB permissions once you have joined an AD!
A real nightmare!

 

 

Edit:

I then reset the permissions as recommended by @mgutt.
Now I was horrified to discover that the permissions of the share folders under /mnt/user (without inheritance to the subfolders) had been reset to owner:administrator and group:domain-admins without my intervention.

Edited by psychofaktory