IDMAP Question: Mix of AD and AutoRID?

We are working to merge our NFS and SMB NetApp file shares into singular SMB shares on TrueNAS. The existing domain users, who are primarily Linux users, have all had explicit UID/GIDs assigned to them over the years, so using AD for idmap works fine for them; however, we do have quite a few users and groups that do not have UID/GIDs configured in AD, and this is posing a problem for giving them access to the new shares.

Is there a configuration possible where AD mapping could be used as the first lookup and, in the event the user or group does not have one in AD, TrueNAS could fall back to autoRID? Or better yet, could it not rely on UID/GID at all and just use Kerberos tickets with their groups? Then we could purely use AD without any UID/GID references?

I acknowledge that we could go through and assign UID/GID to all the currently unconfigured users/groups, but this would also be a long term problem since any new users and groups will also need them assigned.

Thanks for any inputs or guidance!

No. It’s impossible to do that because you have to resolve Kerberos principals to accounts for evaluating filesystem access.

We currently have no plans for having a fallback mechanism for resolving IDs. This would present a huge security challenge because it introduces unexpected variability to how accounts get mapped and would most likely lead to security incidents.


Thank you for the reply! I guess my final question is: Is this even the best way to do it? I’m just trying to migrate a ton of data (600+ TB, 400+ million files) while preserving as much file and folder permission attributes as possible.

An alternative I considered was just to use “TrueNAS Server IDMAP Defaults” and just manually recreate top level ACLs for primary shares (with inheritance) and then create a permissions fix script for stuff like user profiles folders and home directories. This isn’t ideal, but it was either this or create a script to generate UID/GIDs for all AD user and group objects that are missing them (that could be scheduled to run nightly to pick up newly created users and groups).

I’m open to any ideas I may be missing.

Thanks again!
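The nightly UID/GID generation script sketched in the post above, as an added example that is not from the thread or from TrueNAS: it derives each missing RFC2307 number deterministically from the object's RID (so re-runs are idempotent), keeps every explicit value that already exists, flags collisions with legacy numbers instead of overwriting them, and emits LDIF for review. The `BASE` range, the `example.com` domain, and the `ad_object`/`SAMPLE` records standing in for a real LDAP search are all assumptions.

```python
import re

BASE = 1_000_000  # assumed start of the derived range; must not overlap legacy explicit IDs or local accounts
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")

def rid_of(sid):
    """Return the RID (last sub-authority) of a domain account SID."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain account SID: {sid}")
    return int(m.group(1))

def plan_ids(objects, base=BASE):
    """Users get uidNumber, groups gidNumber, as base + RID: deterministic, so a
    nightly re-run is idempotent. Explicit values are kept; a derived number
    already owned by another object is reported as a collision, never overwritten."""
    taken = {"uidNumber": {}, "gidNumber": {}}
    for o in objects:  # index every explicit value first
        for attr in taken:
            if o.get(attr) is not None:
                taken[attr][int(o[attr])] = o["dn"]
    assignments, collisions = [], []
    for o in objects:
        attr = "uidNumber" if o["objectClass"] == "user" else "gidNumber"
        if o.get(attr) is not None:
            continue  # explicit value present in AD: leave it alone
        num = base + rid_of(o["objectSid"])
        owner = taken[attr].get(num)
        if owner:
            collisions.append((o["dn"], num, owner))  # needs a human decision
            continue
        taken[attr][num] = o["dn"]
        assignments.append((o["dn"], attr, num))
    return assignments, collisions

def to_ldif(assignments):
    """Render assignments as LDIF modify records to review, then feed to ldapmodify."""
    return "".join(f"dn: {dn}\nchangetype: modify\nadd: {attr}\n{attr}: {num}\n-\n\n"
                   for dn, attr, num in assignments)

def ad_object(cn, cls, rid, **attrs):
    """Constructed stand-in for one LDAP search result (no real directory involved)."""
    return {"dn": f"CN={cn},DC=example,DC=com", "objectClass": cls,
            "objectSid": f"S-1-5-21-1-2-3-{rid}", **attrs}

SAMPLE = [  # constructed sample directory
    ad_object("alice", "user", 1103, uidNumber=1500),    # explicit UID, kept as-is
    ad_object("bob", "user", 1104),                      # derived uidNumber 1001104
    ad_object("storage", "group", 1105),                 # derived gidNumber 1001105
    ad_object("carol", "user", 1200, uidNumber=1001106), # legacy value inside the derived range
    ad_object("dave", "user", 1106),                     # would get 1001106: flagged, not assigned
]
```

Run `plan_ids(SAMPLE)` and print `to_ldif(...)` for the assignments; once the LDIF has been applied, a second run yields no new assignments and only the unresolved collisions.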

That’s rather more help than I give out in the forums since this is more of an enterprise support question than a homelab question. You’ll need to look carefully at your environment and make a decision about what is the least risky path forward.

If you have TrueNAS enterprise support contact our support team to discuss migrations and strategies, otherwise contact your other vendors with support contracts to get feedback on your best path forward.

We were interested in purchasing an enterprise support contract, but since we didn’t purchase ixSystems hardware we were told that was not an option, which is unfortunate since this would have been a perfect scenario we would have happily paid for.

If things have changed I’d be happy to discuss any new options via my work email below:

Thanks,

Eric Moomjean
Sr. Cyber Solutions Engineer
[email address removed - mod]