Dear NAS users,
I have installed a whole new network environment consisting of Windows 2012 R2 STD server, AD, Domain, DNS...
Then I set up QNAP TS-451+ (4.3.3.0299 build 20170901) and joined the AD. SMB 2.1
Enabled Advanced Folder Permissions and Windows ACL Support
I was able to set Windows users Home folders redirected to the NAS. Perfect.
I was able to set GPO to redirect documents, videos, music and photos to the Home folder on NAS. Perfect.
And then I created in AD several global security groups which were expected to follow a structure of shared folders on the NAS.
I have created a new volume, shared folder (documents) and set basic access using the above mentioned AD groups (each folder has 2 groups - one for RW, one for RO).
All seemed perfect until I wanted to test the permissions (didn't expect this to be an issue as I have used a similar setup for the last 20 years in MS AD setups).
And suddenly it did not work as expected. In a nutshell, even if a user is a member of an AD group, which grants the user FULL ACCESS permissions, the user can't create any content (no new folders nor files).
I have tested this for a WHOLE DAY, used all possible ways, read dozens of forums... NOTHING seems to help.
I came across some articles where the author explained that there are actually two "levels" of access - one on SMB share and one through ACL (NTFS permissions).
The truth is that I am able to see the permissions from "both" ends
- once in Qnap GUI - Control Panel - Shared Folders - Edit Shared folder permissions, where I can see all AD groups allowed RW (all green).
- second in Qnap GUI - File Station - Folder Properties - Permissions - where I see exact same permissions
As a check I can go to the File explorer in Windows:
- third check in File explorer, where I see under folder properties - security the same groups as in the first - control panel.
P.S.: I was also told that the SMB and ACL permissions are unrelated, but this does not seem to be true, as when I remove / add an AD group in the Edit shared permissions window, the same change is visible in Windows security settings and in File Station folder properties... so I really doubt it is not related, they repeatedly proved to be one and the same thing.
Conclusion: I am unable to use the QNAP NAS as a central file storage connected to AD using the AD driven group permissions. Even when I do a user audit from Windows for a particular user and it says the user has full control over a folder, I am unable to create any file or folder in such shared folder.
For me it is the biggest disappointment since I started using QNAP NAS and, what is worse, I will have to explain it to a customer now...
I really, really hope someone from QNAP can read this and either clarify this and / or fix it in the next firmware release. There are so many great functions in QNAP NAS, but this fundamental functionality simply fails....
Access to shared folder driven by AD ACL DOES NOT WORK!
-
- New here
- Posts: 4
- Joined: Thu Sep 21, 2017 2:03 pm
-
- New here
- Posts: 8
- Joined: Sun Jun 12, 2011 8:04 am
Re: Access to shared folder driven by AD ACL DOES NOT WORK!
... bump! same observation/problem here!
-
- New here
- Posts: 3
- Joined: Mon Dec 21, 2015 4:52 pm
Re: Access to shared folder driven by AD ACL DOES NOT WORK!
Same problem here!
TS-EC879U-RP (20171101 - 4.3.3.0361) NTFS and ACLs are correct, but can not access shares with domain users and/or domain groups
- Don
- Guru
- Posts: 12289
- Joined: Thu Jan 03, 2008 4:56 am
- Location: Long Island, New York
Re: Access to shared folder driven by AD ACL DOES NOT WORK!
Did any of you open a ticket with QNAP to report the issue?
Use the forum search feature before posting.
Use RAID and external backups. RAID will protect you from disk failure, keep your system running, and data accessible while the disk is replaced, and the RAID rebuilt. Backups will allow you to recover data that is lost or corrupted, or from system failure. One does not replace the other.
NAS: TVS-882BR | F/W: 5.0.1.2346 | 40GB | 2 x 1TB M.2 SATA RAID 1 (System/VMs) | 3 x 1TB M.2 NVMe QM2-4P-384A RAID 5 (cache) | 5 x 14TB Exos HDD RAID 6 (Data) | 1 x Blu-ray
NAS: TVS-h674 | F/W: 5.0.1.2376 | 16GB | 3 x 18TB RAID 5
Apps: DNSMasq, PLEX, iDrive, QVPN, QLMS, MP3fs, HBS3, Entware, DLstation, VS, +
-
- New here
- Posts: 4
- Joined: Mon Dec 11, 2017 6:49 am
Re: Access to shared folder driven by AD ACL DOES NOT WORK!
This thread is almost a month old but I stumbled onto it while researching something else.
I could be off here, but it sounds like you guys have used the ACLs on the NAS itself to limit read/write, and then are wondering why AD permissions don't work. If you're going to use A.D. permissions, you need to set the NAS's ACL to FULL ACCESS.
I have made this particular mistake myself. It is frustrating. If that's not the issue, then, hopefully y'all find a resolution soon.
-
- New here
- Posts: 9
- Joined: Wed Jul 08, 2015 3:03 am
Re: Access to shared folder driven by AD ACL DOES NOT WORK!
I think I might be experiencing the same issue. I just joined our TVS-871 (fw: 4.3.4.0435) to the domain. I added the necessary groups to the folder permissions and now I cannot access any of the file shares on the QNAP. If I remove the server from the domain, I can access all of the file shares again.
Very frustrating...
/RajW
-
- New here
- Posts: 9
- Joined: Wed Jul 08, 2015 3:03 am
Re: Access to shared folder driven by AD ACL DOES NOT WORK!
OK... I saw another post with the same issue which clued me into QNAP not passing the domain information from the login so this time I added the domain information in my login. When it prompted me for my credentials, I typed:
Users name: myusername@mydomain.com
Password: mysupers33kretpassword
and it worked! I think that this is a bug in the QNAP.
/RajW
-
- New here
- Posts: 9
- Joined: Wed Jul 08, 2015 3:03 am
Re: Access to shared folder driven by AD ACL DOES NOT WORK!
I think I fixed it... QNAP should validate. I ssh'd into the QNAP and adjusted a few things:
1) Edit the /etc/config/krb5.conf file
Code:
[libdefaults]
    default_realm = MYDOMAIN.COM
[realms]
    MYDOMAIN.COM = {
        kdc = SERVER01.MYDOMAIN.COM
        kdc = SERVER02.MYDOMAIN.COM
        # I Added this
        default_domain = MYDOMAIN.COM
    }
# Took off the 's'... They had "[domain_realms]"
[domain_realm]
    # Adjusted these two lines
    .MYDOMAIN.COM = MYDOMAIN.COM
    MYDOMAIN.COM = MYDOMAIN.COM
2) Edit the /etc/config/smb.conf file. Added this line under [global]
Code:
winbind use default domain = yes
Now my QNAP is behaving as expected.
/RajW
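A small check for the two edits described in the post above, added here as an example and not part of the thread or of QNAP's firmware: it flags a misnamed section header such as `[domain_realms]` in krb5.conf and reads back `winbind use default domain` from the `[global]` section of smb.conf. The function names and the sample files are constructed for illustration; on a NAS you would pass the real paths named in the post.

```shell
#!/bin/sh
# Added example: lint the two files edited in the post above.
# Section names commonly valid in an MIT-style krb5.conf.
KNOWN_SECTIONS="libdefaults realms domain_realm capaths appdefaults plugins logging"

# Print each [section] header that is not a known name; return 1 if any.
unknown_krb5_sections() {
    found=0
    for name in $(sed -n 's/^[[:space:]]*\[\([^]]*\)\].*$/\1/p' "$1"); do
        case " $KNOWN_SECTIONS " in
            *" $name "*) ;;
            *) echo "$name"; found=1 ;;
        esac
    done
    return $found
}

# Print the value of parameter $2 inside [global] of smb.conf $1.
# Samba ignores case and spaces in parameter names, so compare normalized.
smb_global_param() {
    awk -v want="$2" '
        function norm(s) { gsub(/[ \t]/, "", s); return tolower(s) }
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { insec = (tolower($0) ~ /^[ \t]*\[global\]/); next }
        insec && index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
            if (norm(key) == norm(want)) print val
        }
    ' "$1"
}

# Constructed sample files (not from a real NAS).
tmp=$(mktemp -d)
printf '%s\n' '[libdefaults]' 'default_realm = MYDOMAIN.COM' \
    '[domain_realms]' '.MYDOMAIN.COM = MYDOMAIN.COM' > "$tmp/krb5.conf"
printf '%s\n' '[global]' 'workgroup = MYDOMAIN' \
    'Winbind Use Default Domain = yes' '[documents]' > "$tmp/smb.conf"
unknown_krb5_sections "$tmp/krb5.conf" || echo "^ unknown krb5.conf section"
echo "winbind use default domain: $(smb_global_param "$tmp/smb.conf" 'winbind use default domain')"
rm -rf "$tmp"
```

An empty result from `smb_global_param` means the parameter is not set in `[global]`, so Samba's default applies.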