Active Directory integration #2 - Permissions


  • 1 year later...

Hey Tom,

 

I know this is an old thread, but I have unRAID joined to my domain and want to start playing with permissions.  I know you guys just are releasing unRAID 6 today.. but anywhere you can point me for how to manage permissions thru AD?

As expected... no reply.  I asked a question back in April on AD and its status on v6 and got no response.  I've spent many hours trying to find support, but didn't find any so I'm guessing it's dead at this time.  :(

The way I've done this (no idea if it is the best way or not).

 

Ensure that your default permissions are set up correctly and that you have administrative rights.

 

Couple of things to check from your UNRAID server - these should all work.

List all AD users: wbinfo -u

List all AD groups: wbinfo -g

Fun: net rpc rights list accounts -U'bob.jones'

 

Then I played around for ages with chgrp, chmod using g+x . to make stuff stick, and then got deeper using setfacl and getfacl to look at what was going on. For whatever reason I couldn't get things working the way I wanted, so I cheated.

 

From Windows, I browsed to the share and set up the permissions I wanted using Explorer. All GUI based and worked a treat. The resulting FACL entries for me were this (which should give you a guide if you want to use setfacl instead):

# file: .
# owner: bob.jones
# group: domain\040users
# flags: -s-
user::rwx
user:bob.jones:rwx
group::r-x
group:domain\040admins:rwx
group:domain\040users:r-x
group:media\040users:r-x
mask::rwx
other::---
default:user::rwx
default:user:bob.jones:rwx
default:group::---
default:group:domain\040admins:rwx
default:group:domain\040users:r-x
default:group:media\040users:r-x
default:mask::rwx
default:other::---

 

 

Which equates to the following in the Windows Explorer dialogue:

  • EVERYONE having nothing
  • CREATOR OWNER having special (cannot seem to ditch this)
  • CREATOR GROUP having nothing
  • Me having full control (again think this is because I created the share, and loath to remove this ;)
  • Domain Admins having full control
  • Domain Users having read only (don't ask; and I won't tell)
  • Media Users having read only (this is a domain group I use for my media server and extenders)
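
Added example (not part of the original post): one way to turn the getfacl dump above into the setfacl call the poster mentions, decoding the \040 escapes to spaces and printing the commands instead of running them. The share path /mnt/user/media is an assumption, and setfacl --set replaces the directory's existing ACL rather than merging into it.

```shell
#!/bin/sh
# Constructed input: the getfacl dump from the post above (header comments
# and ACL entries), kept verbatim including the \040 escapes for spaces.
ACL_DUMP='# file: .
# owner: bob.jones
# group: domain\040users
# flags: -s-
user::rwx
user:bob.jones:rwx
group::r-x
group:domain\040admins:rwx
group:domain\040users:r-x
group:media\040users:r-x
mask::rwx
other::---
default:user::rwx
default:user:bob.jones:rwx
default:group::---
default:group:domain\040admins:rwx
default:group:domain\040users:r-x
default:group:media\040users:r-x
default:mask::rwx
default:other::---'

# acl_spec DUMP: drop comment and blank lines, decode getfacl's \040 escape
# to a space, and join the entries with commas into one setfacl acl_spec.
acl_spec() {
    printf '%s\n' "$1" |
        sed -e '/^#/d' -e '/^[[:space:]]*$/d' -e 's/\\040/ /g' | paste -sd, -
}

# has_setgid DUMP: succeeds when the "# flags:" comment marks the setgid bit
# (the second of the three setuid/setgid/sticky positions).
has_setgid() {
    printf '%s\n' "$1" | grep -q '^# flags: .s'
}

# acl_commands DUMP DIR: print (do not run) the commands that rebuild the ACL.
# The spec is single-quoted because the AD group names contain spaces.
acl_commands() {
    if has_setgid "$1"; then printf "chmod g+s '%s'\n" "$2"; fi
    printf "setfacl --set '%s' '%s'\n" "$(acl_spec "$1")" "$2"
}

# /mnt/user/media is a hypothetical share path used for the dry run.
acl_commands "$ACL_DUMP" /mnt/user/media
```

Review the printed commands, run them on the server, then compare getfacl on the directory against the dump; the default: entries are what new files and folders inherit.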

 

 

 

  • 4 weeks later...

I hate to be that guy again... but any chance we can get official documentation on Permissions?

  • 2 weeks later...

I'd be curious too - especially if there is a better way of doing mine.

 

One thing I have run into is plugins / docker apps tend to run as unix users. This means any files created end up (so far anyhow) being owned by nobody or a user that isn't in the AD groups - so I cannot access the files. Similarly I really struggled to get access to network resources from plugins; although I understand that with docker apps I need to mount the remote SMB shares against the base machine and configure access.

 

Media meta-data (from Emby) is a good example of this.

 

I guess what I'm really saying is: would love to see some official guide, and considerations for dockers and virtualisation when running in AD mode.


The nice thing about LinuxServer.io's dockers is you can set the user/group that it runs as: http://lime-technology.com/forum/index.php?topic=41243.0

 

I'd like an official one as well still :)  It took me WAY too long to figure out how to get it working, and was happy to make an unofficial one.

So you have "run as" working for the standard UNRAID containers or a variation?

 

Sounds interesting...


You set an environment variable to the User ID and Group ID before you install it in the docker webgui.  unRAID is 99/100, but you can change it to whatever you want.  Any docker released by linuxserver.io has this and they are in the community apps plugin.  I'm slowly converting my fleet over to this method.

 

 

Edit:

 

I'm also trying to convince tom to add AD credential login for WebGUI and SSH - http://lime-technology.com/forum/index.php?topic=41614.0

Superb, I have added a vote to that thread too, and some comments ;)

 

At the risk of cluttering this thread - are you able to point me in the right direction for setting the environment variables and any considerations? Can this be modified post installation or does it need to be baked in when things are installed?

 

Thanks!

 

 


It can be modified post install.  Head over here for support on that one: http://lime-technology.com/forum/index.php?topic=41243.0

  • 2 years later...

Hi all, I am new to UnRAID and have finally set up my server.

 

I have successfully joined to my DC and modified the permissions on the share following both the guides below:

 

https://www.linuxserver.io/2015/07/20/how-to-active-directory-on-unraid-6/

http://www.techyv.com/questions/how-keep-unraid-server-active-directory/

 

In Windows AD, I see the nobody user and also root user and root group.

 

When I have tried to delete these from the windows permissions screen I have lost access to the share and I have had to reset the permissions through UNRAID diagnostics.

 

My assumption is that these permissions need to be there for unraid to manage the share? Is that right?

 

Thanks! 

On 7/25/2015 at 2:37 AM, smdion said:

 

You set an environment variable to the User ID and Group ID before you install it in the docker webgui.  unRAID is 99/100, but you can change it to whatever you want.  Any docker released by linuxserver.io has this and they are in the community apps plugin.  I'm slowly converting my fleet over to this method.

 

 

Edit:

 

I'm also trying to convince tom to add AD credential login for WebGUI and SSH - http://lime-technology.com/forum/index.php?topic=41614.0

 

Smdion, how do you find out the user ID or group ID as part of the AD credentials? Is this the actual username / group? Or is there a command to obtain an ID from Unraid? 

 

Slowly learning... :)

Worked this out by simply using the id command in CLI :)



Archived

This topic is now archived and is closed to further replies.
