Access to shared folder driven by AD ACL DOES NOT WORK!

Questions about using Windows AD service.
keson
New here
Posts: 4
Joined: Thu Sep 21, 2017 2:03 pm

Access to shared folder driven by AD ACL DOES NOT WORK!

Post by keson »

Dear NAS users,
I have installed a whole new network environment consisting of Windows 2012 R2 STD server, AD, Domain, DNS...
Then I set up QNAP TS-451+ (4.3.3.0299 build 20170901) and joined the AD. SMB 2.1
Enabled Advanced Folder Permissions and Windows ACL Support
I was able to set Windows users Home folders redirected to the NAS. Perfect.
I was able to set GPO to redirect documents, videos, music and photos to the Home folder on NAS. Perfect.

And then I created in AD several global security groups which were expected to follow a structure of shared folders on the NAS.
I have created a new volume, shared folder (documents) and set basic access using the above mentioned AD groups (each folder has 2 groups - one for RW, one for RO).
All seemed perfect until I wanted to test the permissions (didn't expect this to be an issue as I have used a similar setup for the last 20 years in MS AD setups).

And suddenly it did not work as expected. In a nutshell, even if a user is a member of an AD group, which grants the user FULL ACCESS permissions, the user can't create any content (no new folders nor files).

I have tested this for a WHOLE DAY, did use all possible ways, read dozens of forums... NOTHING seems to help.

I came across some articles, where the author explained that there are actually two "levels" of access - one on SMB share and one through ACL (NTFS permissions).
The truth is that I am able to see the permissions from "both" ends
- once in Qnap GUI - Control Panel - Shared Folders - Edit Shared folder permissions, where I can see all AD groups allowed RW (all green).
- second in Qnap GUI - File Station - Folder Properties - Permissions - where I see exact same permissions

As a check I can go to the File explorer in Windows:
- third check in File explorer, where I see under folder properties - security the same groups as in the first - control panel.

P.S: I was also told, that the SMB and ACL permissions are unrelated, but this does not seem to be true as when I remove / add AD group in the Edit shared permissions window, the same change is visible in Windows security settings and in file station folder properties... so I really doubt it is not related, they repeatedly proved to be one and the same thing.


Conclusion: I am unable to use the QNAP NAS as a central file storage connected to AD using the AD driven group permissions. Even when I do a user audit from Windows for a particular user and it says the user has full control over a folder, I am unable to create any file or folder in such shared folder.

For me it is the biggest disappointment since I started using QNAP NAS and what is worse, I will have to explain it to a customer now...

I really, really hope someone from QNAP can read this and either clarify this and / or fix it in the next firmware release. There are so many great functions in QNAP NAS, but this fundamental functionality simply fails....
tom_22
New here
Posts: 8
Joined: Sun Jun 12, 2011 8:04 am

Re: Access to shared folder driven by AD ACL DOES NOT WORK!

Post by tom_22 »

... bump! same observation/problem here!
LTMV-Z8
New here
Posts: 3
Joined: Mon Dec 21, 2015 4:52 pm

Re: Access to shared folder driven by AD ACL DOES NOT WORK!

Post by LTMV-Z8 »

Same problem here!

TS-EC879U-RP (20171101 - 4.3.3.0361) NTFS and ACLs are correct, but can not access shares with domain users and/or domain groups
Don
Guru
Posts: 12289
Joined: Thu Jan 03, 2008 4:56 am
Location: Long Island, New York

Re: Access to shared folder driven by AD ACL DOES NOT WORK!

Post by Don »

Did any of you open a ticket with QNAP to report the issue?
Use the forum search feature before posting.

Use RAID and external backups. RAID will protect you from disk failure, keep your system running, and data accessible while the disk is replaced, and the RAID rebuilt. Backups will allow you to recover data that is lost or corrupted, or from system failure. One does not replace the other.

NAS: TVS-882BR | F/W: 5.0.1.2346 | 40GB | 2 x 1TB M.2 SATA RAID 1 (System/VMs) | 3 x 1TB M.2 NVMe QM2-4P-384A RAID 5 (cache) | 5 x 14TB Exos HDD RAID 6 (Data) | 1 x Blu-ray
NAS: TVS-h674 | F/W: 5.0.1.2376 | 16GB | 3 x 18TB RAID 5
Apps: DNSMasq, PLEX, iDrive, QVPN, QLMS, MP3fs, HBS3, Entware, DLstation, VS, +
bluecollarbiker
New here
Posts: 4
Joined: Mon Dec 11, 2017 6:49 am

Re: Access to shared folder driven by AD ACL DOES NOT WORK!

Post by bluecollarbiker »

This thread is almost a month old but I stumbled onto it while researching something else.
I could be off here, but it sounds like you guys have used the ACLs on the NAS itself to limit read/write, and then are wondering why AD permissions don't work. If you're going to use A.D. permissions, you need to set the NAS's ACL to FULL ACCESS.

I have made this particular mistake myself. It is frustrating. If that's not the issue, then, hopefully y'all find a resolution soon.
rwurttem
New here
Posts: 9
Joined: Wed Jul 08, 2015 3:03 am

Re: Access to shared folder driven by AD ACL DOES NOT WORK!

Post by rwurttem »

I think I might be experiencing the same issue. I just joined our TVS-871 (fw: 4.3.4.0435) to the domain. I added the necessary groups to the folder permissions and now I cannot access any of the file shares on the QNAP. If I remove the server from the domain, I can access all of the file shares again.

Very frustrating...

/RajW
rwurttem
New here
Posts: 9
Joined: Wed Jul 08, 2015 3:03 am

Re: Access to shared folder driven by AD ACL DOES NOT WORK!

Post by rwurttem »

OK... I saw another post with the same issue which clued me into QNAP not passing the domain information from the login so this time I added the domain information in my login. When it prompted me for my credentials, I typed:

Users name: myusername@mydomain.com
Password: mysupers33kretpassword

and it worked! I think that this is a bug in the QNAP.

/RajW
rwurttem
New here
Posts: 9
Joined: Wed Jul 08, 2015 3:03 am

Re: Access to shared folder driven by AD ACL DOES NOT WORK!

Post by rwurttem »

I think I fixed it... QNAP should validate. I ssh'd into the QNAP and adjusted a few things:

1) Edit the /etc/config/krb5.conf file

Code:

[libdefaults]
 default_realm = MYDOMAIN.COM

[realms]
 MYDOMAIN.COM = {
  kdc = SERVER01.MYDOMAIN.COM
  kdc = SERVER02.MYDOMAIN.COM
  # I added this
  default_domain = MYDOMAIN.COM
 }

# Took off the 's'... They had "[domain_realms]"
[domain_realm]
 # Adjusted these two lines
 .MYDOMAIN.COM = MYDOMAIN.COM
 MYDOMAIN.COM = MYDOMAIN.COM

2) Edit the /etc/config/smb.conf file. Added this line under [global]

Code:

winbind use default domain = yes

Now my QNAP is behaving as expected.

/RajW
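
An added example, not part of rwurttem's post and not QNAP tooling: a shell check for the two changes described in the post above, the `[domain_realm]` section name in krb5.conf and `winbind use default domain` under `[global]` in smb.conf. The function names and the "before"/"after" file copies are constructed for illustration; on the NAS the post's paths are /etc/config/krb5.conf and /etc/config/smb.conf.

```shell
#!/bin/sh
# Added example, not from the thread. Sample file contents are constructed.

sections() {   # list the [section] names of an INI-style file
    sed -n 's/^[[:space:]]*\[\([^]]*\)\].*/\1/p' "$1"
}

# Last value of a [global] parameter. Samba ignores case and whitespace in
# parameter names, so $2 is the name lowercased with spaces removed.
smb_global() {
    awk -v want="$2" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { sect = tolower($0); gsub(/[ \t]/, "", sect); next }
        sect == "[global]" && (eq = index($0, "=")) {
            k = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", k)
            v = tolower(substr($0, eq + 1)); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == want) last = v
        }
        END { print last }' "$1"
}

# Print one finding per line; no output means both settings are in place.
check_ad_config() {
    if sections "$1" | grep -qx 'domain_realm'; then
        :
    elif sections "$1" | grep -qx 'domain_realms'; then
        echo "krb5.conf: [domain_realms] should be [domain_realm]"
    else
        echo "krb5.conf: no [domain_realm] section"
    fi
    case "$(smb_global "$2" winbindusedefaultdomain)" in
        yes|true|1) ;;
        *) echo "smb.conf: winbind use default domain is not enabled in [global]" ;;
    esac
}

# Constructed "before" and "after" copies, using the post's placeholder realm.
d=$(mktemp -d)
printf '[libdefaults]\n default_realm = MYDOMAIN.COM\n[domain_realms]\n mydomain.com = MYDOMAIN.COM\n' > "$d/krb5.before"
printf '[libdefaults]\n default_realm = MYDOMAIN.COM\n[domain_realm]\n .MYDOMAIN.COM = MYDOMAIN.COM\n' > "$d/krb5.after"
printf '[global]\n security = ADS\n[documents]\n path = /share/documents\n' > "$d/smb.before"
printf '[global]\n security = ADS\n Winbind Use Default Domain = Yes\n' > "$d/smb.after"

echo "before:"; check_ad_config "$d/krb5.before" "$d/smb.before"
echo "after:";  check_ad_config "$d/krb5.after"  "$d/smb.after"
```

With `winbind use default domain = yes`, winbind treats a user name without a domain component as belonging to its own domain, so domain accounts also appear under unqualified names. Check for local accounts on the NAS that share a name with a domain account before enabling it.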