Call for help from those with functional AD Integrated Private Shares

Hi Everyone,

 

Some of us are experiencing issues with Samba AD integration for file shares in Unraid. It seems to only impact setups with a specific file share configuration (I have a separate thread on the issue here: link).

 

I would like to know if there are any Unraid users out there using a working configuration similar to the config described below. If you are, would you be able to provide a rough overview of how you have configured your file shares please? I hope this will help identify a configuration setting that may be causing our configuration to break after upgrading from 6.9.2.

 

Unraid File Share Configuration

  • Unraid 6.10.3 +
  • AD Joined Unraid server
  • Private File share where only members of a specific AD group can access the share.
  • Those that are not members of the group are denied access to the share.
  • Docker containers can access the share (read/write etc.). Any content created/modified by the Docker container can be read/written/deleted by AD users that are members of the file share’s access group.

 

Any additional information you are able to provide about your setup will be useful for context, such as:

  • Unraid Version
  • IDMAP configuration (hash, tdb, rid, etc.), or the output from testparm
  • Type of account used for initial AD User and Initial AD Group

 

Thank you in advance for any input you are able to provide.

 

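A reference Samba share definition matching the configuration described above, added here as an illustration and not taken from any poster's setup. It assumes Unraid reads custom settings from /boot/config/smb-extra.conf, a domain EXAMPLE with realm EXAMPLE.LOCAL, an AD group photo-users, and a container that writes to the share as the local nobody account; the rid idmap backend and the ranges shown are one common choice, not the only valid one.

```ini
# Added example (assumed location: Unraid's /boot/config/smb-extra.conf).
# Domain, realm, group and path are placeholders; substitute your own.
[global]
    security = ADS
    realm = EXAMPLE.LOCAL
    workgroup = EXAMPLE
    winbind use default domain = yes
    # Local/builtin SIDs go to tdb; domain users and groups map by RID, so
    # the same AD account always gets the same uid/gid on this server.
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config EXAMPLE : backend = rid
    idmap config EXAMPLE : range = 10000-999999

# Private share: only members of the AD group may connect at all;
# everyone else is refused at session setup, not by per-file ACLs.
[family-photos]
    path = /mnt/user/family-photos
    browseable = yes
    read only = no
    valid users = @"EXAMPLE\photo-users"
    # Files created over SMB are owned by the share's group with group
    # read/write bits, so other group members can modify and delete them.
    force group = "EXAMPLE\photo-users"
    create mask = 0660
    directory mask = 0770
    inherit acls = yes
```

A container writing directly to /mnt/user/family-photos bypasses Samba, so these masks do not apply to its files; the directory itself also needs the mapped group as owner and the setgid bit (chgrp plus chmod 2770) for container-created content to be group-writable.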

I recently hopped on the Unraid wagon and, in passing, seeing the Active Directory support in the SMB settings, I thought it was more mature than it is...

 

I'm not very hopeful that AD permissions currently work on Unraid from my configuration and the various threads in this subforum. 

I tried following this guide, How To: Active Directory on unRAID 6, but it just resulted in removing access entirely. 

I come from an enterprise IT background with much experience on the Windows Server side and am probably only at a hobbyist level of expertise with Linux and Samba. I don't want to have to dig into config files and potentially cause issues with updates and overriding the GUI. I'm currently stumped and considering just reverting back to regular non-AD SMB.


I struggled getting AD permissions to work for over a day and finally just gave up. Like you, I followed that guide but just ended up with broken access. If I restored the permissions from the Unraid side then it would completely ignore the AD permissions (users with read-only access could modify files). I could get it somewhat working by granting ownership of the files to an AD account then recursively enabling inheritance to all folders & files. That fixed read-only, but now other read-write users got denied access by the ownership even though they had the proper permissions. I also come from an enterprise IT background, and setting up a basic SMB share on Windows servers or other NAS devices like Synology, QNAP, or even Isilon has never been this frustrating. I ended up changing the SMB settings back to Workgroup and used the Credential Manager on all the clients to map to local Unraid accounts. It appears to be working, but I would have preferred using AD accounts and groups to control access.

Overall I have been very happy with Unraid, but I would love to see a focus on improving more security-focused items. Reading through the forums while troubleshooting the AD permissions, I found very little information on configuring AD and would constantly see replies for general SMB issues about how it's meant to be a home product, or about disabling security features to get it to work. Improvements like adding an MFA option are often met with resistance and comments like "just don't connect it to the internet." Yes, most users of the product are going to be fine with the out-of-the-box setup, but I'm sure there are plenty of us who would like the simplicity of the array setup but would also like things like better AD integration or MFA.


You've very much echoed my sentiments. 

 

For me, a frustrating security aspect, which I thought granular AD permissions could solve, is that with Unraid local user access, access is granted at a share level, and there is no way to share a subfolder separately, so I need to grant users full read or read/write access to the whole share when I only want to provide access to part of it.

 

I guess that thinking leans to creating lots of individual Unraid shares, but then you're at a loss when moving files between shares, being forced to "copy+delete" rather than being able to "move", as well as the overhead of managing multiple shares and not being able to logically group them.

 

Coming from a mentality of least-privilege access makes me internally scream trying to figure out a way to securely store and separate my family's photo libraries with individual user accounts while avoiding granting too much access. Understanding these are running on "regular users'" computers, where they may be exposed to malware or ransomware from less-educated users, feels like I'm opening up security holes I shouldn't have to :(


Hi,

 

I am still trying to find a solution. I sent a message to the Samba mailing list and have received some help and feedback, but I am still unable to get an Unraid version newer than 6.9.2 working. My plan was/is to update this thread with a method/process if I find a way to get AD integration working again. Unfortunately, I have had to stay on 6.9.2 as updating breaks my configuration.

 

@fredskis - are you using AD principals to secure access to your shares (even if it was a more limited configuration than you wanted), or did you stick to non-AD user access? If you are using AD principals, are you able to feed back any info about how you have configured that?

 

I’ll post an update in my post with all of the issue’s technical details when I get some time.

 

Thank You


Interesting that it seems to work with 6.9.2? Definitely sounds like it's simply a regression. 

I only started using Unraid recently so it hasn't "worked" for me in any acceptable manner. 

 

When I joined the Unraid server to the domain, I was able to use any AD principal to access the shares; however, there was no way to limit what they could do. By default the EVERYONE principal has full control, which defeats the purpose of security. Attempting to remove that (after adding suitable AD users or groups) would just completely kill access, and I needed to restore permissions using the built-in tool, which then reverted to nobody/users and removed AD access.

 

I'm sure there's a way to get it working by dealing with the ACLs directly but by that point, what is the value of the Unraid licence I've purchased?

I previously had minimal Debian servers, joined to the domain, allowing me to authenticate with domain accounts and control their access, but I am trying to avoid manual configuration in Unraid as I worry it may be overridden in upgrades or simply reboots.

 

Reminds me of another annoyance which I hadn't bothered digging into yet... when the Unraid server is joined to the domain, it doesn't register its IP addresses in DNS, whereas my other Debian boxes do (ensuring correct config in /etc/resolv.conf and DCs in /etc/hosts)... sorry, more digressions.


Same experience here. I don't get Unraid and AD running together. If there is someone out there who has this combination going, it's still not something you can rely on.
Last weekend I evaluated TrueNAS Scale because of these problems, and it works without any problems.
Unfortunately TrueNAS can't pass a TPM through to Windows VMs, so reliable operation of Windows 11 is not possible. I would need AD integration and Windows 11, but now I'm stuck.
