Bug #15166

Permission User and Group list is not populated correctly when running as member DC (active directory)

Added by Alexander Bauer over 4 years ago. Updated about 3 years ago.

Status: Closed: Not To Be Fixed
Priority: Important
Assignee: Erin Clark
Category: OS
Target version:
Severity: New
Reason for Closing:
Reason for Blocked:
Needs QA: Yes
Needs Doc: Yes
Needs Merging: Yes
Needs Automation: No
Support Suite Ticket: n/a
Hardware Configuration:
ChangeLog Required: No

Description

The user and group list for the permissions of a volume are not populated correctly.

I joined my FreeNAS with an Active Directory. On the shell, wbinfo -u and wbinfo -g show all users and groups correctly.

When I try to assign the user and group in the permission dialog of volumes, the users are not populated, and of the groups only one group from the Active Directory is populated.

Alexander


Related issues

Related to FreeNAS - Bug #15207: Permissions dialog in webgui truncating user and group list to 50 members - debug files per request in Bug #15166 (Closed: Behaves correctly, 2016-05-06)
Related to FreeNAS - Bug #15209: Permission User and Group list is not populated correctly when running as member DC (active directory) (Closed: Insufficient Info, 2016-05-06)

History

#1 Updated by Vaibhav Chauhan over 4 years ago

  • Category changed from 2 to 36
  • Assignee set to Erin Clark
  • Priority changed from No priority to Important

Please attach a debug and set the correct "Seen in".

#2 Updated by Erin Clark over 4 years ago

  • Status changed from Unscreened to Screened

#3 Updated by Jordan Hubbard over 4 years ago

BRB: Are there more than 500 users / groups in your AD server? The GUI truncates the list to 500.

Please also see request for save debug output above.

#4 Updated by an odos over 4 years ago

Jordan Hubbard wrote:

BRB: Are there more than 500 users / groups in your AD server? The GUI truncates the list to 500.

Please also see request for save debug output above.

I just checked on a FreeNAS server (FreeNAS-9.10-STABLE-201604261518) and a TrueNAS server (TrueNAS-9.3-STABLE-201604202233). The Group list is truncated to 50, not 500. Most of my AD users are missing from the GUI as well.

#5 Updated by Erin Clark over 4 years ago

How many users do you have? The GUI is set to hide all of them if the number is greater than 500. You should be able to type in the <domain>\<username> into the field to set permissions when they are not displayed in this case.

#6 Updated by Alexander Bauer over 4 years ago

I have less than 10 Users and around 25 Groups ....

root is the only listed user ....
groups screenshot attached ...

Some output:

wbinfo -u
administrator
alexander
nfsnobody
nasadmin
johanna
susanne
dns-dc
krbtgt
nobody
guest
arne
dhcp
...

wbinfo -g
allowed rodc password replication group
enterprise read-only domain controllers
denied rodc password replication group
read-only domain controllers
group policy creator owners
ras and ias servers
domain controllers
enterprise admins
domain computers
cert publishers
dnsupdateproxy
domain admins
domain guests
schema admins
domain users
grpalexander
grpnfsnobody
grpjohanna
grplibvirt
grpsusanne
dnsadmins
grpnobody
grpusers
grpwheel
grparne
grpqemu

/usr/local/etc/smb4.conf relevant part:
[global]
server max protocol = SMB3_11
encrypt passwords = yes
dns proxy = no
strict locking = no
oplocks = yes
deadtime = 15
max log size = 51200
max open files = 936884
logging = file
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
getwd cache = yes
guest account = nobody
map to guest = Bad User
obey pam restrictions = yes
directory name cache size = 0
kernel change notify = no
panic action = /usr/local/libexec/samba/samba-backtrace
nsupdate command = /usr/local/bin/samba-nsupdate -g
server string = FreeNAS Server
ea support = yes
store dos attributes = yes
lm announce = yes
hostname lookups = yes
time server = yes
acl allow execute always = true
dos filemode = yes
multicast dns register = yes
domain logons = no
idmap config *: backend = tdb
idmap config *: range = 10000-99999
server role = member server
workgroup = BAUERS
realm = BAUERS.DAHEIM
security = ADS
client use spnego = yes
cache directory = /var/tmp/.cache/.samba
local master = no
domain master = no
preferred master = no
ads dns update = yes
winbind cache time = 7200
winbind offline logon = yes
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = yes
winbind use default domain = yes
winbind refresh tickets = yes
winbind nss info = rfc2307
idmap config BAUERS: backend = ad
idmap config BAUERS: range = 10000-99999
idmap config BAUERS: schema mode = rfc2307
allow trusted domains = no
client ldap sasl wrapping = seal
template shell = /bin/sh
template homedir = /home/%U
netbios name = SATURN
pid directory = /var/run/samba
create mask = 0666
directory mask = 0777
client ntlmv2 auth = yes
dos charset = CP437
unix charset = UTF-8
log level = 3

#7 Updated by Alexander Bauer over 4 years ago

Erin Clark wrote:

How many users do you have? The GUI is set to hide all of them if the number is greater than 500. You should be able to type in the <domain>\<username> into the field to set permissions when they are not displayed in this case.

I checked that ... but it does not work ... (checked with the group) see attached screen shot .... and my wbinfo -g output

#8 Updated by Erin Clark over 4 years ago

Could you attach a debug file, go to System > Advanced and click Save Debug that way I can see your logs and maybe get a better idea of what is going on?

#9 Updated by an odos over 4 years ago

Erin Clark wrote:

Could you attach a debug file, go to System > Advanced and click Save Debug that way I can see your logs and maybe get a better idea of what is going on?

Erin, I attached two debug files as a separate private bug here: https://bugs.freenas.org/issues/15207
Sorry if that makes things a bit more janky for you.

The debug file (ixdiagnose/fndebug/ActiveDirectory and ixdiagnose/fndebug/DirectoryCache) contains all AD users and groups.

#10 Updated by Alexander Bauer over 4 years ago

I sent you the requested debug output as a private bug: https://bugs.freenas.org/issues/15209

Erin Clark wrote:

Could you attach a debug file, go to System > Advanced and click Save Debug that way I can see your logs and maybe get a better idea of what is going on?

#11 Updated by Erin Clark over 4 years ago

  • Related to Bug #15207: Permissions dialog in webgui truncating user and group list to 50 members - debug files per request in Bug #15166 added

#12 Updated by an odos over 4 years ago

Response from William Grzybowski in Bug 15207 is "This is by design. When number of users is higher than 50, you have to use autocomplete for the user to show up."

Honestly after years of using FreeNAS, I never realized that the drop-down menu was also a text field that I could type in. This feature is also not documented. See here: http://doc.freenas.org/9.10/freenas_storage.html#change-permissions

50 users / groups is kinda low if a person is using AD. I assume this is for performance reasons. Perhaps it would be better to exclude users / groups from directory services in the dropdown. Then update documentation / tooltip to reflect the proper method of accessing users / groups from directory services (typing in and letting it autocomplete).

As it now stands, it just appears broken to the end-user.

P.S. - Really looking forward to a UI overhaul in FreeNAS 10.

#13 Updated by an odos over 4 years ago

A side-note regarding auto-complete. The autocomplete behavior partially depends on samba configuration. If we have the user "joebob" in domain "foo", and "Use Default Domain" is checked, then joebob will appear in the dropdown as "joebob". If "Use Default Domain" is unchecked then he will appear as "foo\joebob". In the latter case, users will need to begin searching for AD users and groups by prepending the domain name to the user name (just typing "joebob" won't work).

It would be nice to be able to just select whether we want to search through local accounts or domain accounts, but I can understand if no one really wants to hack at the FreeNAS 9 gui at this point.
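Added example, not part of the ticket and not FreeNAS code: a small model of the behaviour described in comments #12 and #13, showing how `winbind use default domain` changes the listed name and therefore what has to be typed to find an account that the truncated list no longer shows. The sort order, the prefix-matching rule and all function names are assumptions made for illustration.

```python
import re

# Constructed excerpt; the two values match the smb4.conf posted in comment #6.
SAMPLE_CONF = """[global]
workgroup = BAUERS
winbind use default domain = yes
"""
DROPDOWN_LIMIT = 50  # figure quoted from Bug 15207 in comment #12


def parse_global(conf_text):
    """Return [global] parameters; names lowercased with spaces collapsed."""
    params, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params


def listed_name(domain, account, params):
    """Name as listed: bare for the default domain when the option is on."""
    flag = params.get("winbind use default domain", "no").lower()
    own = domain.upper() == params.get("workgroup", "").upper()
    if flag in ("yes", "true", "1", "on") and own:
        return account
    return domain + "\\" + account


def dropdown(names):
    """Pre-populated entries (assumed: sorted, cut at DROPDOWN_LIMIT)."""
    return sorted(names)[:DROPDOWN_LIMIT]


def autocomplete(names, typed):
    """Assumed matching rule: case-insensitive prefix of the listed name."""
    return [n for n in names if n.lower().startswith(typed.lower())]


if __name__ == "__main__":
    on = parse_global(SAMPLE_CONF)
    off = dict(on, **{"winbind use default domain": "no"})
    for params in (on, off):
        names = [listed_name("BAUERS", "user%02d" % i, params) for i in range(60)]
        print(len(dropdown(names)), autocomplete(names, "user59"),
              autocomplete(names, "bauers\\user59"))
```
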

#14 Updated by Jordan Hubbard over 4 years ago

  • Related to Bug #15209: Permission User and Group list is not populated correctly when running as member DC (active directory) added

#15 Updated by Erin Clark over 4 years ago

So you are running the FreeNAS box as a Domain Controller on the domain, is that correct?

#16 Updated by an odos over 4 years ago

Erin Clark wrote:

So you are running the FreeNAS box as a Domain Controller on the domain, is that correct?

My servers are configured as AD member servers. Not domain controllers.

#17 Updated by Erin Clark over 4 years ago

Alright well can we do a teamviewer sometime tomorrow or next week so I can see what is going on with your system?

#18 Updated by Alexander Bauer over 4 years ago

Hi Erin,

my Domain Controller (samba) is running in a jail on the FreeNAS Server.
The FreeNAS server itself is member of that domain ...

Erin Clark wrote:

So you are running the FreeNAS box as a Domain Controller on the domain, is that correct?

#19 Updated by Jordan Hubbard over 4 years ago

That must lead to some fascinating race conditions, for obvious reasons.

#20 Updated by Alexander Bauer over 4 years ago

would I recommend this setup => No
will I do it again => No

and yes, there are manual tasks needed regarding rebooting .... (disabling directory services, disabling CIFS sharing, fixed ips (no dhcp) for server and jails ...)

Jordan Hubbard wrote:

That must lead to some fascinating race conditions, for obvious reasons.

#21 Updated by Erin Clark over 4 years ago

Well out of curiosity I could do a teamviewer and take a peek just to see if there really is a bug with this but it is an unusual configuration so I can't guarantee a fix. Let me know when you would like to do that, preferably sometime after 1:00 PST someday next week.

#22 Updated by Alexander Bauer over 4 years ago

  • Private changed from No to Yes

Hi Erin,

today or next week would be fine (I was on vacation last week)

Alexander

Erin Clark wrote:

Well out of curiosity I could do a teamviewer and take a peek just to see if there really is a bug with this but it is an unusual configuration so I can't guarantee a fix. Let me know when you would like to do that, preferably sometime after 1:00 PST someday next week.

#23 Updated by Erin Clark over 4 years ago

Could you email me erin 'at' ixsystems.com about some time next week we could maybe do a teamviewer, perhaps sometime tuesday or wednesday morning?

#24 Updated by Kris Moore about 4 years ago

  • Status changed from Screened to Closed: Not To Be Fixed

Timing out

#25 Updated by Dru Lavigne about 3 years ago

  • Target version set to N/A
  • Private changed from Yes to No
