Active Directory Extras Plugin - Allows Tweaking some AD Settings in Samba


This is a plugin that adds a page to SMB Settings so we can experiment with some Active Directory settings.  There are settings to adjust the backend database and some cache settings.  The plugin adds a tab 'Active Directory Extras' to the SMB Settings to permit making several AD changes.  The changes are saved and re-applied when the server is started so they don't have to be re-applied.

 

What I am hoping to accomplish is to give users a tool where they can make some Samba adjustments to try to get the AD feature more robust and reliable.  I've done some research and have found several SMB settings that might help.  In particular the 'idmap cache time' and 'winbind cache time'.  I think these might address the issues with losing share access over time.

 

I do not have a Windows Server, so I can't do any testing.  I have to get all my information from the Unraid Forum.  I have very limited experience with AD, so I'll need some users to test and help troubleshoot.

 

This plugin will be treated as Beta for the time being and will have to be manually installed.  Being Beta, you understand that there are risks associated with the plugin.

 

The final outcome of these efforts will determine if anything needs to be adjusted in Unraid.  It may be that this turns into a plugin published on CA, or some of these settings may be part of the Active Directory Settings page.

 

The Active Directory Extras plugin is available on CA.

 

Manually install the plugin by going to the Plugins tab and entering the following line to install the plugin:

https://raw.githubusercontent.com/dlandon/active.directory/master/active.directory.plg

 

I would suggest you apply the default settings and let's start there.  Be aware that if you change the backend database, you'll lose all your settings and will have to re-enter them.

 

The plugin default for "idmap cache time" is 3.5 days.  The Samba default is 7 days.

 

The plugin default for "winbind cache time" is 15 seconds.  The Samba default is 5 minutes.

  • Author

I've updated the plugin.  You can update by entering this into the install plugin:

https://raw.githubusercontent.com/dlandon/active.directory/master/active.directory.plg

 

Thanks Dan, 

 

I can confirm that I was able to install the plugin on 6.11.5. (Plugin version: released about 30 minutes ago, I think that was the second version)  My test environment is running with a hash backend and plan to change that when I have a plan to address some other challenges. 

 

I haven't run into the "timeout" issues that some others have but I tested the plugin changing my lab backend from hash to tdb. Using testparm I am able to confirm the [global] configuration has changed from: 

 

        idmap config * : range = 10000-4000000000
        idmap config * : backend = hash

 

to 

        idmap config * : range = 3000-7999
        idmap config * : backend = tdb

 

Some thoughts: 

  • Could the script be made to run on 6.9.2 too? (I will be addressing the idmap config in 6.9.2 before I move over to 6.10.3+ and have fixed my private share issues). 
  • Would there be a way to increase the logging level in samba? (pre-empting troubleshooting on my private share issue)

Thanks for all of your time creating this plugin. 

 

Before.png

After.png

Edited by unraidster
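
The testparm check described in the post above, as an added example that is not part of the original post or the plugin's code: it compares the [global] idmap and cache settings in testparm-style output against intended values. The function name, the cache times expressed in seconds, and the sample input are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not plugin code). Expected values: backend/range are the
# "after" values quoted in the post; cache times are the plugin defaults
# from the first post converted to seconds (3.5 days = 302400, 15 s).
EXPECTED='idmap config * : backend=tdb;idmap config * : range=3000-7999;idmap cache time=302400;winbind cache time=15'

# check_ad_globals (hypothetical name): reads testparm-style output on stdin,
# prints one line per expected [global] key that is missing or different,
# and returns 0 only when every expected key matches.
check_ad_globals() {
    awk -v expected="$EXPECTED" '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        BEGIN {
            n = split(expected, pairs, ";")
            for (i = 1; i <= n; i++) {
                p = index(pairs[i], "=")
                want[substr(pairs[i], 1, p - 1)] = substr(pairs[i], p + 1)
            }
        }
        /^[ \t]*\[/ { in_global = (tolower(trim($0)) == "[global]"); next }
        in_global && (p = index($0, "=")) {
            have[trim(substr($0, 1, p - 1))] = trim(substr($0, p + 1))
        }
        END {
            for (k in want) {
                if (!(k in have)) { print "MISSING  " k " (want " want[k] ")"; bad = 1 }
                else if (have[k] != want[k]) { print "MISMATCH " k " = " have[k] " (want " want[k] ")"; bad = 1 }
            }
            exit bad + 0
        }'
}

# Constructed sample: the "before" state from the post plus an assumed cache line.
SAMPLE='[global]
        idmap config * : range = 10000-4000000000
        idmap config * : backend = hash
        winbind cache time = 15
[Media]
        path = /mnt/user/Media'

printf '%s\n' "$SAMPLE" | check_ad_globals || true
```

On a live server, pipe `testparm -sv 2>/dev/null` into `check_ad_globals`; the `-v` flag makes testparm print settings that are still at their defaults.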

  • Author

The values on the right side are the current settings read from testparm.

 

18 minutes ago, unraidster said:

Could the script be made to run on 6.9.2 too? (I will be addressing the idmap config in 6.9.2 before I move over to 6.10.3+ and have fixed my private share issues). 

I'll set the min version to 6.9.0 on the next release.

 

19 minutes ago, unraidster said:

Would there be a way to increase the logging level in samba? (pre-empting troubleshooting on my private share issue)

What level of debugging would you want?

  • Author
On 4/6/2023 at 2:57 PM, dlandon said:

I'll set the min version to 6.9.0 on the next release.

The latest version will install on Unraid 6.9 and higher.

I found that sometimes my "towername" is gone from the net in Total Commander and Windows Explorer, but if I enter it manually I can access it; not sure if it belongs to this problem?

 

But it is very rare.

  • 3 weeks later...

@dlandon can you please say if the plugin also helps when the tower name sometimes disappears from my local net? If I enter it manually I can get in.

Or is it only for shares?

  • 2 months later...

Good morning,

I would like to ask a question. I have Unraid as a file server, and an Active Directory (SAMBA) for user and policy management. Will your application work as a user access synchronizer? For example, when creating, editing or removing in AD, will Unraid synchronize and update the user?

  • 4 months later...
  • Author

This is not an AD app.  It is an extra page in SMB settings that permits making a few adjustments to Unraid's AD.

  • 10 months later...
  • Author

I am working on an upgrade to this plugin:

  • Additional settings for Samba related to AD permissions.
  • Backup and restoration of the database so permissions will remain persistent on a reboot.
  • Set initial share and disk permissions specifically for AD.
  • Only 'tdb' will be available as a backend database.

The idea here is to get AD working properly and then incorporate these changes into Unraid.  Keep in mind this is beta/test software so be prepared to deal with issues and provide feedback so we can get any kinks worked out.

 

The one thing that can't be done right now is keeping the vfs object acl_xattr on shares when a share change is made.  You can fix that by clicking on the 'Clear Cache' or 'Default' buttons or make a change on the page and click 'Apply' on the AD Extras page.  That will re-apply the 'vfs object = acl_xattr' back to all the shares.  When the changes are made in Unraid, this will no longer be an issue.

 

I do not have a Windows Server and can only do limited testing.  I rely on AI to give me direction.  I will need feedback from the community to verify the changes.
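
A way to spot shares that have lost acl_xattr after a share change, as described in the post above (added example, not part of the original post or the plugin's own code). The function name and the sample shares are assumptions; the input is testparm-style output.

```shell
#!/bin/sh
# Added example (not plugin code). shares_missing_acl_xattr is a hypothetical
# name. Reads testparm-style output on stdin and prints each share that would
# not load acl_xattr. A share without its own "vfs objects" line inherits the
# [global] one, so [global] is assumed to appear first, as testparm prints it.
shares_missing_acl_xattr() {
    awk '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        function report() {
            if (name == "") return
            if (tolower(name) == "global") { global_ok = ok; return }
            if (seen ? !ok : !global_ok) print name
        }
        /^[ \t]*\[.*\][ \t]*$/ {
            report()
            name = trim($0); name = substr(name, 2, length(name) - 2)
            seen = 0; ok = 0; next
        }
        (p = index($0, "=")) {
            key = tolower(trim(substr($0, 1, p - 1)))
            # "vfs object" is an smb.conf synonym for "vfs objects"
            if (key != "vfs objects" && key != "vfs object") next
            seen = 1; ok = 0
            n = split(substr($0, p + 1), mods, /[ \t,]+/)
            for (i = 1; i <= n; i++) if (mods[i] == "acl_xattr") ok = 1
        }
        END { report() }'
}

# Constructed sample input; share names and module lists are made up.
SAMPLE='[global]
        idmap config * : backend = tdb
[Media]
        path = /mnt/user/Media
        vfs objects = catia fruit streams_xattr acl_xattr
[Backups]
        path = /mnt/user/Backups
        vfs objects = catia fruit streams_xattr
[isos]
        path = /mnt/user/isos'

printf '%s\n' "$SAMPLE" | shares_missing_acl_xattr
```

Running it from a scheduled job after share edits shows which shares need the AD Extras page re-applied; on a live server the input would come from `testparm -s 2>/dev/null`.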

  • Author

The plugin has been extensively rewritten and hopefully the issues are addressed so AD will work properly:

  • Access permissions.
  • Backup and restore of database so AD permission settings will be persistent after a reboot.
  • Minimum Unraid version is now 6.11 so it is using the later Samba releases.

Please provide feedback so we can incorporate the fixes directly into Unraid.

6 hours ago, dlandon said:

The plugin has been extensively rewritten and hopefully the issues are addressed so AD will work properly:

  • Access permissions.
  • Backup and restore of database so AD permission settings will be persistent after a reboot.
  • Minimum Unraid version is now 6.11 so it is using the later Samba releases.

Please provide feedback so we can incorporate the fixes directly into Unraid.

 

The permission caused chaos in my server and I had to wipe all my docker system and rebuild all over, took me some time to figure it out. Once I reinstalled my PostgreSQL docker & reinstalled the plugin, all went down again due to the cache permission.

 

Edited by PSYCHOPATHiO

  • Author
3 minutes ago, PSYCHOPATHiO said:

 

The permission caused chaos in my server and I had to wipe all my docker system and rebuild all over, took me some time to figure it out. Once I reinstalled my PostgreSQL docker & reinstalled the plugin, all went down again due to the cache permission.

 

Ok.  I know what that is and will update the plugin.  For the moment do a Tools->New Permissions and be sure to exclude appdata.

I have a separate SSD drive for my Nextcloud where permission is annoying to deal with, that's why I kept the data folder on its own drive, but that can be fixed.

But I think users should be warned about the permission that is going to be applied, every user has their own way of organizing and storing files.

 

I normally do permission on all my drives except the cache & the Nextcloud data storage SSD, perhaps the permission should be kept to the main array to avoid data loss or corruption.

  • Author
2 minutes ago, PSYCHOPATHiO said:

I have a separate SSD drive for my Nextcloud where permission is annoying to deal with, that's why I kept the data folder on its own drive, but that can be fixed.

But I think users should be warned about the permission that is going to be applied, every user has their own way of organizing and storing files.

 

I normally do permission on all my drives except the cache & the Nextcloud data storage SSD, perhaps the permission should be kept to the main array to avoid data loss or corruption.

Understood.  I thought I had a good idea about setting permissions, and it is a fail.  I am removing it so nothing will be changed in the next release.  Posting fix now.

  • Author
6 minutes ago, PSYCHOPATHiO said:

I have a separate SSD drive for my Nextcloud where permission is annoying to deal with, that's why I kept the data folder on its own drive, but that can be fixed.

But I think users should be warned about the permission that is going to be applied, every user has their own way of organizing and storing files.

 

I normally do permission on all my drives except the cache & the Nextcloud data storage SSD, perhaps the permission should be kept to the main array to avoid data loss or corruption.

Update and give it a try.  I know setting permissions on shares like appdata is a problem.  I guess there was a mental lapse for a moment thinking I had a better idea.

After I saw half my dockers were down & checked their logs trying to redownload them & failing, then I had to check my firewall(s) 3 of them for port or rule changes I made in the last two hours while configuring the exchange server, then rebooted my server a couple of times & then researched some of the errors & suddenly something FLASHED in my head "a memory of a plugin with permissions" lol

 

Problem solved :)

4 minutes ago, dlandon said:

Update and give it a try.  I know setting permissions on shares like appdata is a problem.  I guess there was a mental lapse for a moment thinking I had a better idea.

Updated with no permission changes 👍

 

Thanks for the great plugin

Edited by PSYCHOPATHiO

  • Author
Just now, PSYCHOPATHiO said:

Updated with no permission changes 👍

Let me know how it goes now.

3 hours ago, dlandon said:

Let me know how it goes now.

Took me a couple of hours to restore some of the dockers but all restored, updated plugin & it works as intended or I think. 👍

  • Author
1 minute ago, PSYCHOPATHiO said:

Took me a couple of hours to restore some of the dockers but all restored, updated plugin & it works as intended or I think. 👍

Did you have any issues with private permissions?
