Hi all,
I am running TrueNAS Scale Dragonfish-24.04.2.3, which is connected to my Active Directory to sync the users. As a private directory per user I am using “Private SMB Datasets and Shares”, which automatically creates a new folder if a user from the AD accesses the SMB share and doesn't already have one.
I thought this worked fine; however, when signing in from a Windows device which is not registered in the domain, or from macOS, it creates a different user with the domain suffix (for example: gphoto for a user from a device registered in the domain, and gphoto_domainname.local for the other devices).
The folder structure:
- private (Dataset / SMB Share)
- gphoto (automatically created Dataset)
- gphoto_domainname.local (automatically created Dataset)
What I tried:
To fix this I've tried to set up a username mapping “smb-username.map” with the content `gphoto = gphoto_domainname.local`. Adding this file to the SMB config wasn't possible through the UI, since the Additional Parameter String in the Advanced Settings of the SMB share isn't editable (I can't edit the string). So I added it to the config in `/etc/smb4.conf`. The additional parameter is now also shown when I run `testparm -s`. This hasn't changed anything as far as I can tell.
From the logs I can see that the SID is the same for both usernames:
{
"logonId": "0",
"logonType": 3,
"localAddress": "ipv4:192.168.1.73:445",
"remoteAddress": "ipv4:192.168.1.25:39364",
"serviceDescription": "SMB2",
"authDescription": null,
"clientDomain": "",
"clientAccount": "GPhoto@DOMAINNAME.local",
"workstation": "GPhotos-Sync",
"becameAccount": "gphoto",
"becameDomain": "DOMAINNAME",
"becameSid": "S-1-5-21-3665826183-2270032137-1159354907-1113",
"mappedAccount": "GPhoto@DOMAINNAME.local",
"mappedDomain": "",
"netlogonComputer": null,
"netlogonTrustAccount": null,
"netlogonNegotiateFlags": "0x00000000",
"netlogonSecureChannelType": 0,
"netlogonTrustAccountSid": null,
"passwordType": "NTLMv2",
"clientPolicyAccessCheck": null,
"serverPolicyAccessCheck": null,
"vers": {
"major": 0,
"minor": 1
},
"result": {
"type": "NTSTATUS",
"value_raw": 0,
"value_parsed": "SUCCESS"
}
}
{
"logonId": "0",
"logonType": 3,
"localAddress": "ipv4:192.168.1.73:445",
"remoteAddress": "ipv4:192.168.1.36:58352",
"serviceDescription": "SMB2",
"authDescription": null,
"clientDomain": "DOMAINNAME",
"clientAccount": "GPhoto",
"workstation": "WIN-SERVER",
"becameAccount": "gphoto",
"becameDomain": "DOMAINNAME",
"becameSid": "S-1-5-21-3665826183-2270032137-1159354907-1113",
"mappedAccount": "GPhoto",
"mappedDomain": "DOMAINNAME",
"netlogonComputer": null,
"netlogonTrustAccount": null,
"netlogonNegotiateFlags": "0x00000000",
"netlogonSecureChannelType": 0,
"netlogonTrustAccountSid": null,
"passwordType": "NTLMv2",
"clientPolicyAccessCheck": null,
"serverPolicyAccessCheck": null,
"vers": {
"major": 0,
"minor": 1
},
"result": {
"type": "NTSTATUS",
"value_raw": 0,
"value_parsed": "SUCCESS"
}
}
Any help is appreciated. Thanks
Testparm:
admin@truenas[~]$ sudo testparm -s
[sudo] password for admin:
Load smb config files from /etc/smb4.conf
lpcfg_do_global_parameter: WARNING: The "syslog only" option is deprecated
Loaded services file OK.
Weak crypto is allowed by GnuTLS (e.g. NTLM as a compatibility fallback)
Server role: ROLE_DOMAIN_MEMBER
# Global parameters
[global]
allow trusted domains = No
bind interfaces only = Yes
disable spoolss = Yes
dns proxy = No
domain master = No
kerberos method = secrets and keytab
load printers = No
logging = file
max log size = 5120
passdb backend = tdbsam:/var/run/samba-cache/private/passdb.tdb
preferred master = No
printcap name = /dev/null
realm = DOMAINNAME.local
registry shares = Yes
restrict anonymous = 2
security = ADS
server multi channel support = No
server role = member server
server string = TrueNAS Server
template homedir = /mnt/General/users/%D/%U
template shell = /bin/sh
username map = /etc/smb-username.map
winbind cache time = 7200
winbind enum groups = Yes
winbind enum users = Yes
winbind max domain connections = 10
workgroup = DOMAINNAME
idmap config marchtrenk : sssd_compat = false
idmap config marchtrenk : backend = rid
idmap config marchtrenk : range = 100000001 - 200000000
idmap config * : range = 90000001 - 100000000
fruit:zero_file_id = false
fruit:nfs_aces = false
rpc_server:mdssvc = disabled
rpc_daemon:mdssd = disabled
idmap config * : backend = tdb
create mask = 0775
directory mask = 0775
[private]
ea support = No
path = /mnt/General/private/%U
posix locking = No
read only = No
smbd max xattr size = 2097152
vfs objects = fruit streams_xattr shadow_copy_zfs ixnas zfs_core io_uring
fruit:metadata = stream
fruit:resource = stream
tn:purpose = PRIVATE_DATASETS
tn:path_suffix = %U
zfs_core:zfs_auto_create = true
tn:vuid = fc02267d-d041-4d76-b5dd-3cf52517969f
nfs4:chown = True
fruit:time machine max size = 0
fruit:time machine = False
tn:home = False
Mapping file:
admin@truenas[~]$ cat /etc/smb-username.map
gphotos = gphotos_marchtrenk.local