Re: 4.5-beta2 Simple Security no access



OK, so I'm not able to get my Unraid servers to join my domain.  Here's what shows in the log:

 

Mar 10 00:44:48 media-four emhttp: shcmd (58): /usr/bin/net ads join -Uphil%MYDOMAINADMINPASSWORDINPLAINTEXT 2>&1 | logger

Mar 10 00:44:48 media-four logger: Failed to join domain: Invalid configuration("realm" set to 'LAFORNARA', should be 'lafornara.com') and configuration modification was not requested

Mar 10 00:44:49 media-four emhttp: shcmd (59): /usr/bin/net ads testjoin -P >/dev/null 2>&1

Mar 10 00:44:49 media-four emhttp: shcmd: shcmd (59): exit status: -1

 

Two things here:

1) Logging my domain admin password in plaintext is evil evil evil.  Really totally unacceptable in every way.

2) I don't know what the invalid configuration is talking about.  This was trying with AD Domain field set to LAFORNARA, setting it to lafornara.com produces the same result.  The domain is fully functional for all the windows machines in my domain and passes all the dcdiag tests.

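The syslog line above shows the join command being logged with the `-Uuser%password` argument intact. As an added example (not unRAID's or Samba's code), here is a small log filter that detects that credential form in a line and redacts the password before the line is written anywhere; the sample log lines are constructed to match the format of the ones posted above.

```python
import re

# Credential form used by Samba's net(8): -U user%password (or --user=user%password).
# The password group refuses to match our own marker so a redacted line is not
# reported again as a leak.
_NET_CRED = re.compile(
    r"(?P<flag>(?:-U\s*|--user[=\s]))"   # the option itself
    r"(?P<user>[^%\s]+)"                  # user name, up to the '%'
    r"%(?P<pass>(?!<redacted>)\S+)"       # the password, up to whitespace
)


def redact_net_credentials(line: str) -> str:
    """Replace the password part of -Uuser%password with a fixed marker.

    The user name is kept so the line stays useful when troubleshooting a
    failed join; only the secret is dropped.
    """
    return _NET_CRED.sub(lambda m: f"{m.group('flag')}{m.group('user')}%<redacted>", line)


def has_plaintext_credential(line: str) -> bool:
    """Detection side: True if the line still carries a user%password pair."""
    return _NET_CRED.search(line) is not None


# Constructed sample lines, modelled on the syslog excerpt in the thread.
SAMPLE_LOG = [
    "Mar 10 00:44:48 media-four emhttp: shcmd (58): /usr/bin/net ads join -Uphil%Sup3rSecret! 2>&1 | logger",
    "Mar 10 00:44:48 media-four logger: Failed to join domain: Invalid configuration(...)",
    "Mar 10 00:44:49 media-four emhttp: shcmd (59): /usr/bin/net ads testjoin -P >/dev/null 2>&1",
]


def scan(lines):
    """Return (number of lines that leaked a credential, sanitized lines)."""
    leaks = 0
    cleaned = []
    for line in lines:
        if has_plaintext_credential(line):
            leaks += 1
        cleaned.append(redact_net_credentials(line))
    return leaks, cleaned


if __name__ == "__main__":
    count, cleaned = scan(SAMPLE_LOG)
    print(f"{count} line(s) carried a plaintext credential")
    for line in cleaned:
        print(line)
```

Note that the same `user%password` argument is also visible to anyone on the box who can run `ps` while the join runs, so redacting the log is a mitigation for the syslog copy only.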

Seeing a couple of errors on the console on startup:

mkdir: invalid option -- o

fuse: bad mount point '/mnt/user0': No such file or directory

 

I'm presuming these correspond to these entries in my syslog:

 

Mar 9 21:20:45 mediaserver emhttp: shcmd (13): mkdir -m 700 /mnt/user0 -o allow_other,attr_timeout=0,entry_timeout=0,negative_timeout=0

Mar 9 21:20:45 mediaserver emhttp: shcmd: shcmd (13): exit status: 1

Mar 9 21:20:45 mediaserver emhttp: shcmd (14): /usr/local/sbin/shfs -cache 0 /mnt/user0

Mar 9 21:20:45 mediaserver emhttp: shcmd: shcmd (14): exit status: 1

 

Not sure if this is impacting functionality.

 

A couple of simple AD related bugs:

1. I couldn't initially join the domain because my normal Windows login account name contains a space and presumably this threw off the parsing of the command. 

2. So I set up a temporary domain admin account with a complex password, and that didn't work either, because I used a special character (in this case, a closing parenthesis).  Once I changed the password to something simple (alphanumeric only), I was able to join the domain.

 

After this, I was able to see \\mediaserver from a Windows workstation and all the shares.  However, trying to browse any shares, I was denied access, even when logged in as the temporary domain admin. 

 

I changed the Shares AD initial owner from "Administrator" (an account which is disabled on my domain) to the temporary domain admin account; still no go (and not sure what would have happened had I set the initial owner to my normal account login, which contains a space). 

 

A quick reboot of the unRAID server and then user shares worked from AD.  Despite the hiccups, I think this is a great feature.

 


Upon further testing, I'm finding inconsistencies in AD-based access between XP, Windows Server 2003, Server 2008, Vista, and Windows 7 which I'm trying to narrow down.

 

In general, XP and both Windows Server versions (2003, 2008) have no trouble accessing shares at any level, whether via User Shares or the disk shares.

 

Vista and Windows 7, however, can only read shares where the directory permissions are 755; looking around the directories I find there are a wide variety of permissions. Some are 711.  All are at least 700.  If I take a directory and make it 700, I get permission denied from Vista & Win7 but can still access the directory from XP & Windows Server 2003/2008.  Nothing shows in the syslog when permission is denied.

 

This is logged in as the same user, my normal domain admin account, in all cases.  Basically it seems as if XP & Windows Server clients get to connect with root access, and Vista & Win7 get user access to the unRAID server.

 

I'm no Samba expert.  Is this expected behavior?

 


OK, so I'm not able to get my Unraid servers to join my domain.  Here's what shows in the log:

 

Mar 10 00:44:48 media-four emhttp: shcmd (58): /usr/bin/net ads join -Uphil%MYDOMAINADMINPASSWORDINPLAINTEXT 2>&1 | logger

Mar 10 00:44:48 media-four logger: Failed to join domain: Invalid configuration("realm" set to 'LAFORNARA', should be 'lafornara.com') and configuration modification was not requested

Mar 10 00:44:49 media-four emhttp: shcmd (59): /usr/bin/net ads testjoin -P >/dev/null 2>&1

Mar 10 00:44:49 media-four emhttp: shcmd: shcmd (59): exit status: -1

 

Please take a look at the 'Basic usage' post & make sure everything is set up correctly.

 

Two things here:

1) Logging my domain admin password in plaintext is evil evil evil.  Really totally unacceptable in every way.

 

Yes, sorry about that  :o  This was put in during testing so I didn't have to enter a password thousands of times during testing :)  Probably will pull it out in next beta.

 

2) I don't know what the invalid configuration is talking about.  This was trying with AD Domain field set to LAFORNARA, setting it to lafornara.com produces the same result.  The domain is fully functional for all the windows machines in my domain and passes all the dcdiag tests.

 

As with above, please verify everything is set up correctly.


Upon further testing, I'm finding inconsistencies in AD-based access between XP, Windows Server 2003, Server 2008, Vista, and Windows 7 which I'm trying to narrow down.

 

In general, XP and both Windows Server versions (2003, 2008) have no trouble accessing shares at any level, whether via User Shares or the disk shares.

 

Vista and Windows 7, however, can only read shares where the directory permissions are 755; looking around the directories I find there are a wide variety of permissions. Some are 711.  All are at least 700.  If I take a directory and make it 700, I get permission denied from Vista & Win7 but can still access the directory from XP & Windows Server 2003/2008.  Nothing shows in the syslog when permission is denied.

 

This is logged in as the same user, my normal domain admin account, in all cases.  Basically it seems as if XP & Windows Server clients get to connect with root access, and Vista & Win7 get user access to the unRAID server.

 

I'm no Samba expert.  Is this expected behavior?

 

 

I will take a look at this soon using Vista.  I don't have access to Windows 2008 or Win7 at the present time.


I will take a look at this soon using Vista.  I don't have access to Windows 2008 or Win7 at the present time.

 

Thanks.  In the interim, my workaround was to change the permissions on directories only (not files), recursively from /mnt:

find . -type d -print0 | xargs -0 chmod 755

 

At 755 I can't write to the folders under Vista/Win7, but at least I can see them.  Since I use a cache drive, I could theoretically set everything in /mnt/cache to 777 but really I'd just like to understand the reason for the difference.

 

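Before running a blanket `chmod 755` like the workaround above, it helps to know which directories actually lack the bits a non-owner needs. The following is an added example (not unRAID's code, and not the poster's command) that walks a tree and reports only the directories whose mode would deny listing or traversal; the `needed` mask defaults to r-x for group and other (the 755 case) and can be set to `0o050` to audit the group-based 750 scheme used later in the thread. The sample tree is constructed in a temporary directory.

```python
import os
import stat
import tempfile

# r-x for group AND other: the minimum a directory needs so that a client
# connecting as a non-owner can list it and descend into it (the 755 case).
NEEDED_FOR_OTHERS = 0o055
# r-x for group only: what the 750 scheme relies on.
NEEDED_FOR_GROUP = 0o050


def find_restrictive_dirs(root, needed=NEEDED_FOR_OTHERS):
    """Return (path, mode) for every directory under root missing any bit in `needed`.

    Only directories are inspected, like `find . -type d`, but nothing is changed;
    this is a dry run to look at before deciding on a chmod.
    """
    hits = []
    for dirpath, _, _ in os.walk(root):
        mode = stat.S_IMODE(os.lstat(dirpath).st_mode)
        if mode & needed != needed:
            hits.append((dirpath, mode))
    return hits


def build_sample_tree():
    """Constructed fixture reproducing the mix of modes described in the thread."""
    base = tempfile.mkdtemp(prefix="unraid-perm-audit-")
    os.chmod(base, 0o755)  # mkdtemp creates 0700; make the root itself open
    for name, mode in (("Movies", 0o755), ("Shared", 0o750),
                       ("Music", 0o711), ("Private", 0o700)):
        path = os.path.join(base, name)
        os.mkdir(path)
        os.chmod(path, mode)  # explicit chmod so the umask does not interfere
    return base


def audit_sample(needed=NEEDED_FOR_OTHERS):
    """Build the fixture and return the relative names of directories that fail."""
    base = build_sample_tree()
    return sorted(os.path.relpath(p, base) for p, _ in find_restrictive_dirs(base, needed))


if __name__ == "__main__":
    print("would deny group/other (755 scheme):", audit_sample())
    print("would deny the group (750 scheme):  ", audit_sample(NEEDED_FOR_GROUP))
```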

I have also been researching the permission issues.  More to come but I have access to Win2003 Server, Vista, XP and Win7 beta and hope to report also on my findings soon.  I am trying to get up to speed on Samba/WinBindd configuration embedded within unRaid. 

 

But I am finding some setup issues that unRaid will need to work on with Share Creation.

    It appears that if you move from a Simple Security/User Level Security to AD integration the parent directory permission prevents the Share from being mounted from any windows machine.  The directory share mount point has the correct permission and initial AD Owner/Group but the parent (/mnt/user) is not set properly.  Haven't figured out the permissions required.  Will report back my findings.

 

Doesn't look like many contributors are running or care about AD?  Is that a true statement?

 

 


 

Doesn't look like many contributors are running or care about AD?   Is that a true statement?

 

 

It does seem that way.

 

As for me, I can say this... I am running beta4 and for whatever reason things do seem a little better now than in beta3.

 

What I've done is to create an AD group called "unRAID Users" and added whom I'd like to be able to access the files into that group.

 

For my disk shares (/mnt/disk1, /mnt/disk2, etc), I recursively changed the owner to my admin "domain\login", and changed the group to "domain\unRAID Users".  I set permissions on everything to 775.  (Considered 770, actually.)  This same login and group are also what I use for the initial owner and initial group on the Shares page.

 

Access wise, this seems to work as I'd expect.  I need to do some more testing with regards to file creation and the effect of the cache drive, but haven't had the spare time.

 


For my disk shares (/mnt/disk1, /mnt/disk2, etc), I recursively changed the owner to my admin "domain\login", and changed the group to "domain\unRAID Users".  I set permissions on everything to 775.  (Considered 770, actually.)  This same login and group are also what I use for the initial owner and initial group on the Shares page.

I'm also running beta4 and have done basically the same thing. I'm only using User-shares so standing in the /mnt-directory I've executed

chown -R "domain\user":"domain\group" user

chmod -R 750 user

with my preferred NAS-admin as user and my NAS-user group as group. Since I don't want my kids or any application on my HTPC to be able to fiddle with the files on the NAS I used 750 as the mask. This also propagates to all my diskX-folders.

 

Everything works as expected with one exception, the users in the NAS-group still can create folders and files. They cannot rename, change or delete them but can create them... I don't call myself a UNIX guru, far from, but that's not the behaviour I expected even though I can live with it.

 


OK, so I'm not able to get my Unraid servers to join my domain.  Here's what shows in the log:

 

Mar 10 00:44:48 media-four emhttp: shcmd (58): /usr/bin/net ads join -Uphil%MYDOMAINADMINPASSWORDINPLAINTEXT 2>&1 | logger

Mar 10 00:44:48 media-four logger: Failed to join domain: Invalid configuration("realm" set to 'LAFORNARA', should be 'lafornara.com') and configuration modification was not requested

Mar 10 00:44:49 media-four emhttp: shcmd (59): /usr/bin/net ads testjoin -P >/dev/null 2>&1

Mar 10 00:44:49 media-four emhttp: shcmd: shcmd (59): exit status: -1

 

Two things here:

1) Logging my domain admin password in plaintext is evil evil evil.  Really totally unacceptable in every way.

2) I don't know what the invalid configuration is talking about.  This was trying with AD Domain field set to LAFORNARA, setting it to lafornara.com produces the same result.  The domain is fully functional for all the windows machines in my domain and passes all the dcdiag tests.

 

I finally got around to fiddling with this again - I was able to get past the Invalid Configuration error by adding a file called /boot/config/smb-extra.conf that contains the single line:

realm=lafornara.com

 

Now I'm getting access denied errors, so I need to read the rest of this thread.


Very strange.  I have five servers, joined them all to the domain, and only _some_ of them display the access denied problem.  Disconcerting.  The chown and chmod tricks appear to fix the problem in all cases, but I'm wondering why I didn't need to do those tricks on some of the boxes.


Just wanted to log that I have this issue too.

 

I tried the CHOWN stuff. I have a high level of networking/domain and even programming experience. But not any linux/unix, experience. So I'm just running this blind, hoping that it'll work without learning how/why.  I thought I'd fixed it, but doesn't work everywhere yet. It did take forever to run.

 

I'm not sure if I need to be using DOMAIN.local\user or just DOMAIN\user.

 

I tried it with Beta 4. I see Beta 6 is out. Maybe it's better with that, when I have time I'll try again. I sooo much want this to work!  :)
