I almost have my TrueNAS setup perfect. I have configured Active Directory and all the users and groups pulled in, but the group memberships did not. I cannot add the AD users to a group either.
Users can access SMB with an AD account; I just can't figure out why the groups don't populate members.
I guess this fell on deaf ears, not a single comment!
This was a deliberate design decision early on to limit the amount of information we're querying from AD when building up basic caches for UI / API. Once you get into details of trusted domains and trust relationship types, presenting an authoritative list of group memberships on the TrueNAS side is basically impossible. If you need this information, you can write a feature request explaining why.
Thanks for the comment. I want to grant access to an SMB share by security group; I guess that is too much to ask?
No. You can set permissions based on groups. Look at the group dropdowns in the permissions editors.
Except the groups don't populate with any members in them. I can't manually create a group and add AD users to it either.
TrueNAS is not an AD management interface, and is not a domain controller. It would be a gaping security hole in your domain if a random domain member had sufficient privileges to edit AD group membership.
There is a difference between having a convenience feature to show a list of AD users and groups in the UI / API and how AD membership works on a functional level.
When for instance an AD user authenticates to an SMB share, the DC provides us with a list of groups basically as a part of the kerberos ticket. This is used to construct the group membership / unix token for the smbd process associated with the SMB client connection. The unix token is then used for access validation to filesystem paths.
@Chris_Twombley just enter your group name when configuring the ACL for the dataset and it will populate just fine and honour all AD members in that group. It's just a case that they are not listed in the view, but you can use them in the way you want.
I have a security group in AD of users that are authorized to access a share. TrueNAS is not pulling that group membership over.
How are you determining this? One important thing to note about the account I gave above of how the unix token is constructed: it only happens once. If you're making changes to group memberships while the client is already authenticated to a share, it will have to remount to see the change in access rights.
As I said at the beginning of this post: "All the users and groups pulled in, but the group memberships did not". As seen in the image, the groups are there but the memberships did not populate. The groups do not have any members and do not reflect the groups in AD.
In the shell, type the command `id DOMAIN\\username`. Do you see your groups?
If you don't have "Use Default Domain" checked in the AD join config, then you will need to add them using domain\nameofgroup; otherwise it's just nameofgroup.
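The `id` check suggested above, worked through as an added example (this is not code from the thread or from TrueNAS). It parses the `groups=` field of `id` output and tests whether a given group is present in the user's unix token, which is the membership that actually matters for SMB access validation as described earlier in the thread. The sample `id` output is constructed, not captured from a real system, and the function names (`token_groups`, `id_has_group`, `check_share_access`) are this example's own. It assumes winbind prints group names either as `DOMAIN\group` ("Use Default Domain" unchecked) or as the bare group name (checked); the form `id` prints is the form to type into the ACL editor.

```shell
#!/bin/sh
# Added example: check an AD user's unix token (as printed by `id`) for a group.
# Assumes `id` output of the form
#   uid=N(name) gid=N(name) groups=N(name),N(name),...
# with groups= as the last field (true on TrueNAS), and that winbind prints
# groups as DOMAIN\group or bare group depending on "Use Default Domain".

# Constructed sample of `id DOMAIN\\jdoe` output; not from a real system.
SAMPLE_ID_OUTPUT='uid=20001(DOMAIN\jdoe) gid=20000(DOMAIN\domain users) groups=20000(DOMAIN\domain users),20005(DOMAIN\share-users),545(builtin_users)'

# token_groups ID_OUTPUT: print each group name in the token, one per line.
token_groups() {
    printf '%s\n' "${1##*groups=}" | tr ',' '\n' | sed -n 's/^[0-9]*(\(.*\))$/\1/p'
}

# id_has_group ID_OUTPUT GROUP: succeed if GROUP is in the token.
# Case-insensitive (AD names are), but the DOMAIN\ prefix must match what
# winbind prints; that exact spelling is what the ACL editor expects.
id_has_group() {
    wanted=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    token_groups "$1" | tr '[:upper:]' '[:lower:]' | grep -Fxq -- "$wanted"
}

# check_share_access USER GROUP: live check against the local winbind via `id`.
# Returns 0 if the user is in the group, 1 if not, 2 if the user cannot be resolved.
check_share_access() {
    if ! out=$(id "$1" 2>/dev/null); then
        printf 'id could not resolve %s (is the AD join healthy?)\n' "$1" >&2
        return 2
    fi
    if id_has_group "$out" "$2"; then
        printf '%s is in %s\n' "$1" "$2"
    else
        printf '%s is NOT in %s; groups in token:\n' "$1" "$2"
        token_groups "$out"
        return 1
    fi
}

# Demo on the constructed sample:
token_groups "$SAMPLE_ID_OUTPUT"
if id_has_group "$SAMPLE_ID_OUTPUT" 'DOMAIN\share-users'; then
    printf '%s\n' 'sample: DOMAIN\share-users is present in the token'
fi

# Live use on a TrueNAS shell, e.g.:
#   sh check_token.sh 'DOMAIN\jdoe' 'DOMAIN\share-users'
if [ $# -ge 2 ]; then
    check_share_access "$1" "$2"
fi
```

Remember the point made earlier in the thread: the token is built once at SMB authentication, so after changing AD group membership the client has to reconnect before a live `id` check and the share's behaviour line up.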