ACL editor won't access AD users/groups

I have just installed TrueNAS Core 13.0-U6.2, and I am trying to get Active Directory and SMB working.

I have connected to AD fine, and when I run ‘wbinfo -g’ and ‘wbinfo -u’ from a shell I correctly get a list of all my AD groups and users.

I have created a pool, and have created a dataset under that pool (setting the Share Type to ‘SMB’). I then created an SMB share, choosing ‘No presets’ for the Purpose, ticking ‘Enable ACL’, ‘Browsable to Network Clients’, and ‘Enable Alternate Data Streams’ as my options.

Tested the share by browsing to \\nas\asdfg on a Windows 10 machine (where ‘nas’ is the hostname of the TrueNAS box, and ‘asdfg’ is the SMB share) and this resolved fine (i.e. when I typed '\\nas' Windows automatically presented ‘\\nas\asdfg’ so it was clearly advertising the share correctly), but when I tried to browse it I got the usual ‘Windows cannot access…’ error. This was to be expected as I hadn’t set any ACLs yet.

From the TrueNAS ‘Windows Shares (SMB)’ screen I then selected ‘Edit Filesystem ACL’ on the share I created, and saw that it had created 4 default ACLs, for ‘everyone@’, ‘owner@’, ‘group@’, and ‘Group’ builtin_users.

For the purposes of testing, I wanted to set this share to be accessible for all users on my domain. I went to the ‘Group’ ACL and deleted ‘builtin_users’, and clicked the little down-arrow expecting to see a list of my AD groups. Unfortunately this was not the case, it showed a list of what I assume are built-in groups (wheel, daemon, kmem, sys, tty, etc. down to nslcd, ntpd, and 3 builtin_ groups).

So I entered ‘wbinfo -g’ to a shell, and from the results I copied ‘BOBBY\domain users’ (where BOBBY is my domain name), then pasted this into the Group field in the ACL GUI. I then clicked ‘Save’, but got the following error:

Error: [dacl] Item#3 is not valid per list types: [id] Not an integer.

From googling this error and reading the old forums, it seems that this may be a GUI error whereby the web form is passing the text value entered rather than parsing it as an ID value - but none of those threads offer a solution!

I have tried clearing my browser cache, and have tried in a private window, but the error persists.

I have attached screenshots showing the error, and the output of the command ‘midclt call core.get_jobs | jq’ in case this is helpful.

Thank you.


In this example have you tried adding the group domain users?

Yes, I used ‘wbinfo -g’ in a shell which listed my AD groups, and from that list I copied:

BOBBY\domain users

…and pasted this into Group. When I got the error, I tried again by just typing the above in (in case copy paste had picked up any hidden characters) but the error was the same. I also tried:

BOBBY\administrators
BOBBY\domain admins

…but the error persists.

Forget the BOBBY bit just try typing domain users

I have just tried that, and get the same error.

The error message suggests that it is not a match error, but that the data type being submitted is wrong (i.e. it is expecting an integer).

There are a few threads about this on the old forums (this one for example) which suggest it is a UI bug, whereby a text value is being submitted to the backend when it should parse it as an ID - but none of the threads seem to offer a solution!
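Added example (not from this thread, and not iXsystems code) showing what the middleware is complaining about and the step the GUI is skipping: resolve the AD group name to a numeric GID through winbind first, then submit an ACL entry whose `id` is that integer. The `wbinfo --name-to-sid` / `--sid-to-gid` calls are real winbind options; the `{"tag", "id", "type", "perms", "flags"}` entry shape and the `filesystem.setacl` payload are assumptions about the TrueNAS API and should be checked against your version before scripting against `midclt`. The four-entry default ACL and the GID value in the test are constructed to mirror the thread.

```python
"""Resolve an AD group to a GID and build a dacl the validator will accept.

Added example, not code from the thread or from TrueNAS.
Assumptions: winbind is running and `wbinfo` is on PATH; a dacl entry is
{"tag", "id", "type", "perms", "flags"} and filesystem.setacl takes
{"path", "dacl"} (verify against your CORE release's API docs).
"""
import subprocess
from typing import Callable, Dict, List, Optional

# NFSv4 special principals carry no numeric id, so they are not validated.
NFS4_SPECIAL_TAGS = ("owner@", "group@", "everyone@")


def wbinfo_gid(name: str) -> Optional[int]:
    """Map 'DOMAIN\\group' -> GID via winbind: name -> SID -> GID. None if unknown."""
    try:
        sid = subprocess.run(["wbinfo", "--name-to-sid", name],
                             capture_output=True, text=True)
        if sid.returncode != 0 or not sid.stdout.strip():
            return None
        sid_str = sid.stdout.split()[0]  # line looks like "S-1-5-21-... SID_DOM_GROUP (2)"
        gid = subprocess.run(["wbinfo", "--sid-to-gid", sid_str],
                             capture_output=True, text=True)
        if gid.returncode != 0:
            return None
        return int(gid.stdout.strip())
    except (OSError, ValueError):
        return None


def group_ace(gid: int, perms: str = "MODIFY") -> Dict:
    """One ALLOW entry for a GROUP principal, with an integer id (assumed shape)."""
    return {"tag": "GROUP", "id": gid, "type": "ALLOW",
            "perms": {"BASIC": perms}, "flags": {"BASIC": "INHERIT"}}


def default_dacl() -> List[Dict]:
    """Constructed stand-in for the three special entries the SMB preset creates."""
    return [
        {"tag": "everyone@", "id": None, "type": "ALLOW",
         "perms": {"BASIC": "READ"}, "flags": {"BASIC": "INHERIT"}},
        {"tag": "owner@", "id": None, "type": "ALLOW",
         "perms": {"BASIC": "FULL_CONTROL"}, "flags": {"BASIC": "INHERIT"}},
        {"tag": "group@", "id": None, "type": "ALLOW",
         "perms": {"BASIC": "MODIFY"}, "flags": {"BASIC": "INHERIT"}},
    ]


def validate_dacl(dacl: List[Dict]) -> List[str]:
    """Client-side copy of the check behind the thread's error: every
    USER/GROUP entry must carry an int id, not the name the GUI sent."""
    errors = []
    for i, ace in enumerate(dacl):
        if ace.get("tag") in NFS4_SPECIAL_TAGS:
            continue
        ace_id = ace.get("id")
        if isinstance(ace_id, bool) or not isinstance(ace_id, int):
            errors.append(
                f"[dacl] Item#{i} is not valid per list types: [id] Not an integer.")
    return errors


def build_dacl(group_name: str,
               resolver: Callable[[str], Optional[int]] = wbinfo_gid) -> List[Dict]:
    """Resolve the name first, then append a GROUP entry; refuse to emit a bad dacl."""
    gid = resolver(group_name)
    if gid is None:
        raise ValueError(
            f"could not resolve {group_name!r} to a GID; check winbind with 'wbinfo -g'")
    dacl = default_dacl() + [group_ace(gid)]
    problems = validate_dacl(dacl)
    if problems:
        raise ValueError("; ".join(problems))
    return dacl


def setacl_payload(path: str, dacl: List[Dict]) -> Dict:
    """Argument object for `midclt call filesystem.setacl` (assumed signature)."""
    return {"path": path, "dacl": dacl}


if __name__ == "__main__":
    import json
    # On a joined box this would print a JSON payload with a numeric id in Item#3.
    print(json.dumps(setacl_payload("/mnt/tank/asdfg",
                                    build_dacl("BOBBY\\domain users")), indent=2))
```

Running `validate_dacl` on the four-entry ACL with the name left in the fourth slot reproduces the exact `Item#3` message from the thread (entries are counted from zero, so the ‘Group’ row is item 3), which is a quick way to confirm it is a type problem rather than a lookup failure.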

Can you share a screenshot of your AD join details in TN?

I’m on the same version with AD join and all good so trying to see the difference.

Sorry, I’m not ignoring this thread, I’m just busy trying various things! My NAS is on an offline LAN (i.e. it has no internet connection) so taking screenshots means moving them over via bitlockered USB sticks - so I’ll take some screenshots of everything I can think applies and upload them!

It looks like UI was passing user / group name instead of UID/GID. Clear browser cache and try again. If it recurs, please file a bug report.

Clear the browser cache? Or a cache within TrueNAS? If the latter, can you let me know where, so I’m definitely looking in the right place?

Many thanks.

Browser cache.

No change, I’m afraid. I just installed a different browser (Chrome) to try that as well, in case it was some weird cache issue, but that gives exactly the same error.

I’ll raise a bug report, thanks for your help.

Well, this is disappointing:

Bug clerk on NAS-130614:
“Thank you for reporting this issue! This bug has been resolved in TrueNAS SCALE and is not planned to be back-ported to CORE. If this is a critical workflow issue for you, we would strongly advise promptly upgrading to TrueNAS SCALE.”

I don’t think this issue is as simple as AD does not work with CORE on 13.0-U6.2. I have about 10 systems running this version perfectly fine with AD integration. Happy to sanity check and compare configs if you share some screenshots.

Yeah I realise it’s not a widely experienced bug, otherwise no-one in Enterprise would be able to use it!

AD works fine, it’s to do with the GUI - it’s not parsing the text entered (e.g. group names) to UID/GID values. I’ve worked round it by just setting the root folder of my dataset as an open share, then using Windows Security to set permissions, so all permissioning is done via Windows and I don’t need that functionality in TrueNAS.

Just a shame that it’s not going to be addressed, feels like more evidence that Core is unofficially deprecated and only Scale is being developed.

Ah well, thanks for everyone’s help here 🙂