
Re: Unable to add trusted domain user/groups to CIFS share p

giox069
Aspirant

Unable to add trusted domain user/groups to CIFS share perms

I joined my ReadyNAS NV+ (RAIDiator 4.1.7 1.00a043) to an Active Directory domain "MYDOMAIN". This domain is in a trust relationship with another domain "TRDOMAIN". During the join phase, in the Security->Security Mode page, I checked the box "Display users from trusted domains....".
Under "User & Group Accounts" I can now see all users and groups of both domains. Users and groups of MYDOMAIN are not prefixed by the domain name. Users and groups of the trusted domain are correctly prefixed with TRDOMAIN\
Also the samba command "wbinfo -g" correctly displays all groups of both domains.

When I try to set up share permissions in the web interface (Shares->ShareListing-> CIFS) I enter "TRDOMAIN\mygroup name" in "Read-only groups". The system accepts it, although autocompletion is not working correctly, but after I click "apply", the domain name is stripped, and the field just shows "mygroup name".

And in /etc/frontview/samba/Shares.conf I can see the wrong domain name:

read list = "@MYDOMAIN\mygroup name"
write list = "@MYDOMAIN\video","admin","MYDOMAIN\Administrator"
valid users = "@MYDOMAIN\mygroup name","@MYDOMAIN\video","admin","MYDOMAIN\Administrator","nobody"

There is no TRDOMAIN here !!! 😞 😞 And the share access is not working for members of TRDOMAIN\mygroup name.

I can edit Shares.conf, change MYDOMAIN with TRDOMAIN before mygroup name, restart samba and share access works fine.


Is it a bug of the web interface ?
Any workaround ?
Message 1 of 11
Chevelle
Aspirant

Re: Unable to add trusted domain user/groups to CIFS share p

I am having the same issue. I have joined my ReadyNAS 2100 (RAIDiator 4.2.15) to my Active Directory domain "DOMAIN-A". I also have trust relationships with two other domains in my forest, "DOMAIN-B", "DOMAIN-C".

When I try to add "Write-enabled groups:" via "frontview" to my share from the other domains it strips off the domain name. For example, if I add "DOMAIN-A\IT" to the share then add "DOMAIN-B\IT" it will show "IT,IT" when it should show "DOMAIN-A\IT,DOMAIN-B\IT", correct? And to confirm my suspicion, I checked the /etc/frontview/samba/Share.conf file, and it shows:


[IT$]
path = /c/IT$
comment = "IT Dept Share"
oplocks = 1
admin users = "admin","DOMAIN-A\dave"
write list = "@DOMAIN-A\IT","@DOMAIN-A\IT","admin"
valid users = "@DOMAIN-A\IT","@DOMAIN-A\IT","admin","nobody"


So when I try browsing to the share in DOMAIN-B, it will not allow me to access it. But DOMAIN-A has access to it.
Now if I go in and edit the "Shares.conf" file to reflect this:


[IT$]
path = /c/IT$
comment = "IT Dept Share"
oplocks = 1
admin users = "admin","DOMAIN-A\dave"
write list = "@DOMAIN-A\IT","@DOMAIN-B\IT","admin"
valid users = "@DOMAIN-A\IT","@DOMAIN-B\IT","admin","nobody"


Users in "DOMAIN-A\IT" and "DOMAIN-B\IT" are able to access the share just fine.
So there must be some sort of bug in the "frontview" interface when adding users that are from a different domain in the same forest.
Message 2 of 11
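
An added example (not part of the thread, and not NETGEAR code): a small audit that parses the Shares.conf access lists quoted in the posts above and reports principals repeated within one list or expected principals that are absent, the two symptoms visible after the web interface rewrote the domain prefix. The EXPECTED policy and the function names are assumptions made for illustration.

```python
import csv

ACL_KEYS = ("admin users", "read list", "write list", "valid users")

# Constructed sample: the [IT$] section as quoted above, after the web UI rewrote it.
SAMPLE = r'''[IT$]
path = /c/IT$
comment = "IT Dept Share"
admin users = "admin","DOMAIN-A\dave"
write list = "@DOMAIN-A\IT","@DOMAIN-A\IT","admin"
valid users = "@DOMAIN-A\IT","@DOMAIN-A\IT","admin","nobody"
'''
# Assumption: the groups the administrator intended to grant (hypothetical policy).
EXPECTED = {"IT$": {"write list": {r"@DOMAIN-A\IT", r"@DOMAIN-B\IT"},
                    "valid users": {r"@DOMAIN-A\IT", r"@DOMAIN-B\IT"}}}

def parse_shares(text):
    """Return {share: {acl_key: [principals]}} from Shares.conf text."""
    shares, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = shares.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() in ACL_KEYS:
                # Comma-separated, double-quoted names; the backslash stays literal.
                row = next(csv.reader([value.strip()]), [])
                current[key.strip().lower()] = [p for p in row if p]
    return shares

def audit(shares, expected):
    """Return sorted (share, key, problem, principal) findings."""
    findings = []
    for share in set(shares) | set(expected):
        got, want = shares.get(share, {}), expected.get(share, {})
        for key in set(got) | set(want):
            seen = set()  # Windows account names compare case-insensitively
            for p in got.get(key, []):
                if p.lower() in seen:  # same name twice: a prefix was rewritten
                    findings.append((share, key, "duplicate", p))
                seen.add(p.lower())
            for p in want.get(key, ()):
                if p.lower() not in seen:
                    findings.append((share, key, "missing", p))
    return sorted(findings)

if __name__ == "__main__":
    print(*audit(parse_shares(SAMPLE), EXPECTED), sep="\n")
```

Running the same check after any change made through the web interface shows whether a trusted-domain entry was silently replaced before users report being denied access.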
Grievous
Aspirant

Re: Unable to add trusted domain user/groups to CIFS share p

Chevelle, please update to 4.2.17.

giox069, I apologize for not noticing this post until now. Are you still running into this on 4.1.7? Also, what versions of Windows Server are those domain controllers using?
Message 3 of 11
giox069
Aspirant

Re: Unable to add trusted domain user/groups to CIFS share p

I'm still running 4.1.7 and I can't find any newer version of RAIDiator for my ReadyNAS.
MYDOMAIN has a single domain controller with Windows 2003R2, TRDOMAIN has two domain controllers: one with 2008R2 and one with 2003R2. TRDOMAIN is also in a trust relationship with 5 other domains.
Message 4 of 11
Grievous
Aspirant

Re: Unable to add trusted domain user/groups to CIFS share p

giox069, I was afraid you were going to say that the trusted domain was running 2008 R2. Unfortunately when Microsoft released 2008 R2 there were a number of undocumented changes made and we've been trying to keep up with them on the sparc platform (NV+, 1100, duo). At this time 4.1.7 is the most recent firmware for you as the 4.1.x firmware is for sparc, and 4.2.x as I mentioned to Chevelle is for the x86 systems (pro, ultra, 2100, 3200, etc.).

I can look into the matter (set up the same type of environment, 2003 DC, trusted 2008 R2 DC, etc.) and try to reproduce it here and see if there is anything on the Windows side of things that might be configurable to resolve this, but I cannot make any promises that it's possible to do that.
Message 5 of 11
Chevelle
Aspirant

Re: Unable to add trusted domain user/groups to CIFS share p

Grievous wrote:
Chevelle, please update to 4.2.17.

I will update and report back.
Message 6 of 11
Chevelle
Aspirant

Re: Unable to add trusted domain user/groups to CIFS share p

Ok, updated to 4.2.17
And again, cannot add users or groups from the trusted domains to the shares. Have to go in and manually edit "/etc/frontview/samba/Shares.conf" for the others to have access.

EDIT. Nope, now only the main domain can access the share even if I get the "Shares.conf" file. Grrr....
Message 7 of 11
Grievous
Aspirant

Re: Unable to add trusted domain user/groups to CIFS share p

Why are you editing shares.conf? You don't need SSH access to do any of this. Just change the permission via Frontview.
Message 8 of 11
Chevelle
Aspirant

Re: Unable to add trusted domain user/groups to CIFS share p

I tried changing the permissions via "frontview", but it still only allows the "main" domain. Either of the trusted domains is denied access.

EDIT:
Just looking through the logs and found this:

Trailing \\ in regex m/OCR\\/ at /frontview/lib/list_handler.pm line 77.\n, referer: https://nas1/admin/
Undefined subroutine &list_handler::read_file called at /frontview/lib/list_handler.pm line 103.\n, referer: https://nas1/admin/

It looks like it has something to do with the domain names. Because "OCR" above is one of my domain names.
Message 9 of 11
Grievous
Aspirant

Re: Unable to add trusted domain user/groups to CIFS share p

Can you open the domains and trusts page and verify exactly what type of trust it is that's been configured between the domains?
Message 10 of 11
Chevelle
Aspirant

Re: Unable to add trusted domain user/groups to CIFS share p

Grievous wrote:
Can you open the domains and trusts page and verify exactly what type of trust it is that's been configured between the domains?

It is a "tree root" from the trusted domains to the NAS joined domain, "transitive = yes".
Message 11 of 11