Unraid Access Problems With New Windows Domain

[Geoff Bland]

We've had a bit of a disaster here (long story) and for various reasons lost our Windows Domain and Active Directory. We have restored from backup into a new Windows Domain and all of that has gone OK. 

 

We have UNRAID set up with SMB on Active Directory and permission set by Windows AD - on the old domain.

 

Our UNRAID server was removed from our old domain and added to the new domain and that seemed to work OK. 

 

But now most of the shares are not accessible from Windows, I assume they have security settings left from the old domain. I get the following error:

 

   Windows cannot access \\UNRAIDSERVER\ShareName

   You do not have permissions to access \\UNRAIDSERVER\ShareName. Contact your network administrator to request access.

 

How do I reset the access rights on these shares so I can access them? Then I can reset the access rights to the users on the new domain.

[Geoff Bland]

I have run Fix Common Problems plugin and it is finding issues for nearly every file on the UNRAID server

The following files / folders may not be accessible to the users allowed via each Share's SMB settings.  This is often caused by wrong permissions being used on new downloads / copies by CouchPotato, Sonarr, and the like:

/mnt/user/Backups   / (776996452/776995329)  0770
/mnt/user/Backups/Jira/backup.sh   / (776995919/776995329)  0670
/mnt/user/Backups/Jira/data   / (776996446/776995329)  0770
/mnt/user/Backups/Jira/data/attachments   / (776996446/776995329)  0770
/mnt/user/Backups/Jira/data/attachments/TODO   / (776996446/776995329)  0770
/mnt/user/Backups/Jira/data/attachments/TODO/10000   / (776996446/776995329)  0770
/mnt/user/Backups/Jira/data/attachments/TODO/10000/TODO-10   / (776996446/776995329)  0770
/mnt/user/Backups/Jira/data/attachments/TODO/10000/TODO-10/10400   / (776996446/776995329)  0770
/mnt/user/Backups/Jira/data/attachments/TODO/10000/TODO-101   / (776996446/776995329)  0770
/mnt/user/Backups/Jira/data/attachments/TODO/10000/TODO-101/10702   / (776996446/776995329)  0770

etc for 100,000 of files.

 

Edited February 29, 2020 by Geoff Bland

[Geoff Bland]

Posting the solution to my own issue here.

 

To reset the permissions on Shares so they can be reapplied by Windows Domain with SMB do the following.

 

For this example we assume a share named Music needs the permissions resetting. 

 

All this will be done from the UNRAID web console, the UNRAID Terminal (accessed from the >_ icon on the UNRAID web console) and the File Explorer on the Windows Domain Server.

 

1. Backup the old Music share by renaming it Music_OLD
2. Create a new share called Music
3. For now set the SMB security settings on the new Music share to "Public".
4. From the UNRAID terminal, copy the files from the Music_OLD to the new Music with the following cp command, this make take some time depending on the number of files. Also ensure you have enough disk space for the copied share.

cp -R /mnt/user/Music_OLD/* /mnt/user/Music

5. Once all the files are copied over check the ownership of the new Music folder as follows, the directory is shown as the ./ entry and here the user is bob and the group is domain users. We know this new share is accessible to the domain so we can now just copy this.

root@UNRAID01:~# ls -la /mnt/user/Music
total 24
drwxrwx---+ 1 bob     domain users  69 Mar  1 13:12 ./

6. Reset the ownership of all the files in the Music share as follows (note the \ to escape code a space):

chown -R bob:domain\ users /mnt/user/Music

7. {Optional step} Now with the UNRAID web console set the SMB security settings on Music to "Private" or whatever is required. 

8. {Optional step} Select the Music share in File Explorer on the Windows Domain Server right click & select Properties. On the Security tab set the required access rights.

 

There is probably a shorter, better way of doing this but I didn't find one (chown on the original directory did not seem to work). 
 

Edited March 1, 2020 by Geoff Bland