limetech Posted October 10, 2013
Use this thread for discussion of file permissions issues.
smdion Posted June 16, 2015
Hey Tom, I know this is an old thread, but I have unRAID joined to my domain and want to start playing with permissions. I know you guys are just releasing unRAID 6 today... but anywhere you can point me for how to manage permissions thru AD?
Cliffy Posted June 18, 2015
As expected... no reply. I asked a question back in April on AD and its status on v6 and got no response. I've spent many hours trying to find support, but didn't find any so I'm guessing it's dead at this time.
Schar Posted June 18, 2015
The way I've done this (no idea if it is the best way or not). Ensure that your default permissions are set up correctly and that you have administrative rights. Couple of things to check from your UNRAID server - these should all work.

List all AD users:
    wbinfo -u
List all AD groups:
    wbinfo -g
Fun:
    net rpc rights list accounts -U'bob.jones'

Then I played around for ages with chgrp, chmod using g+x . to make stuff stick, and then got deeper using setfacl and getfacl to look at what was going on. For whatever reason I couldn't get things working the way I wanted, so I cheated. From Windows, I browsed to the share, and set up the permissions I wanted using Explorer. All GUI based and worked a treat.

The resulting FACL entries for me were this (which should give you a guide if you want to use setfacl instead):

    # file: .
    # owner: bob.jones
    # group: domain\040users
    # flags: -s-
    user::rwx
    user:bob.jones:rwx
    group::r-x
    group:domain\040admins:rwx
    group:domain\040users:r-x
    group:media\040users:r-x
    mask::rwx
    other::---
    default:user::rwx
    default:user:bob.jones:rwx
    default:group::---
    default:group:domain\040admins:rwx
    default:group:domain\040users:r-x
    default:group:media\040users:r-x
    default:mask::rwx
    default:other::---

Which equates to the following in the Windows Explorer dialogue:

- EVERYONE having nothing
- CREATOR OWNER having special (cannot seem to ditch this)
- CREATOR GROUP having nothing
- Me having full control (again think this is because I created the share, and loath to remove this)
- Domain Admins having full control
- Domain Users having read only (don't ask; and I won't tell)
- Media Users having read only (this is a domain group I use for my media server and extenders)
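Added example (not part of the original posts): a small shell helper that reads `getfacl` output such as the listing above, reports where the directory's access ACL and its default (inherited) ACL disagree, and turns the listing into a spec string for `setfacl -m`. The function names `acl_drift` and `acl_spec` are hypothetical, and the sample input is the listing from the post, embedded inline.

```shell
#!/bin/sh
# Constructed sample: the getfacl listing quoted in the post above.
SAMPLE_ACL='# file: .
# owner: bob.jones
# group: domain\040users
# flags: -s-
user::rwx
user:bob.jones:rwx
group::r-x
group:domain\040admins:rwx
group:domain\040users:r-x
group:media\040users:r-x
mask::rwx
other::---
default:user::rwx
default:user:bob.jones:rwx
default:group::---
default:group:domain\040admins:rwx
default:group:domain\040users:r-x
default:group:media\040users:r-x
default:mask::rwx
default:other::---'

# acl_drift (hypothetical helper): read getfacl output on stdin and print every
# entry whose access permissions differ from the matching default: entry.
acl_drift() {
  awk -F: '
    /^#/ || NF == 0 { next }
    $1 == "default" { def[$2 ":" $3] = $4; next }
    { acc[$1 ":" $2] = $3 }
    END {
      for (k in acc) {
        if (!(k in def)) { print k ": access=" acc[k] " default=(none)" }
        else if (acc[k] != def[k]) { print k ": access=" acc[k] " default=" def[k] }
      }
      for (k in def) {
        if (!(k in acc)) { print k ": access=(none) default=" def[k] }
      }
    }' | sort
}

# acl_spec (hypothetical helper): drop the header comments, decode getfacl's
# \040 escape back to a space, and join the entries with commas for setfacl -m.
acl_spec() {
  grep -v -e '^#' -e '^$' | sed 's/\\040/ /g' | paste -sd, -
}

printf '%s\n' "$SAMPLE_ACL" | acl_drift
printf '%s\n' "$SAMPLE_ACL" | acl_spec
```

For the listing above the only difference reported is the owning-group entry: the directory itself has `group::r-x`, while `default:group::---` is what new files and folders created inside it will inherit.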
smdion Posted July 14, 2015
I hate to be that guy again... but any chance we can get official documentation on Permissions?
Schar Posted July 22, 2015
I'd be curious too - especially if there is a better way of doing mine. One thing I have run into is plugins / docker apps tend to run as unix users. This means any files created end up (so far anyhow) being owned by nobody or a user that isn't in the AD groups - so I cannot access the files. Similarly I really struggled to get access to network resources from plugins; although I understand that with docker apps I need to mount the remote SMB shares against the base machine and configure access. Media meta-data (from Emby) is a good example of this.
I guess what I'm really saying is: would love to see some official guide, and considerations for dockers and virtualisation when running in AD mode.
smdion Posted July 22, 2015
> I'd be curious too - especially if there is a better way of doing mine. One thing I have run into is plugins / docker apps tend to run as unix users. This means any files created end up (so far anyhow) being owned by nobody or a user that isn't in the AD groups - so I cannot access the files. Similarly I really struggled to get access to network resources from plugins; although I understand that with docker apps I need to mount the remote SMB shares against the base machine and configure access. Media meta-data (from Emby) is a good example of this.
> I guess what I'm really saying is: would love to see some official guide, and considerations for dockers and virtualisation when running in AD mode.
The nice thing about LinuxServer.io's dockers is you can set the user/group that it runs as: http://lime-technology.com/forum/index.php?topic=41243.0
I'd like an official one as well still. It took me WAY too long to figure out how to get it working, and was happy to make an unofficial one.
Schar Posted July 24, 2015
So you have "run as" working for the standard UNRAID containers or a variation? Sounds interesting...
smdion Posted July 24, 2015
> So you have "run as" working for the standard UNRAID containers or a variation? Sounds interesting...
You set an environment variable to the User ID and Group ID before you install it in the docker webgui. unRAID is 99/100, but you can change it to whatever you want. Any docker released by linuxserver.io has this and they are in the community apps plugin. I'm slowly converting my fleet over to this method.
Edit: I'm also trying to convince tom to add AD credential login for WebGUI and SSH - http://lime-technology.com/forum/index.php?topic=41614.0
Schar Posted July 25, 2015
Superb, I have added a vote to that thread too, and some comments.
At the risk of cluttering this thread - are you able to point me in the right direction for setting the environment variables and any considerations? Can this be modified post installation or does it need to be baked in when things are installed? Thanks!
smdion Posted July 25, 2015
> Superb, I have added a vote to that thread too, and some comments.
> At the risk of cluttering this thread - are you able to point me in the right direction for setting the environment variables and any considerations? Can this be modified post installation or does it need to be baked in when things are installed? Thanks!
It can be modified post install. Head over here for support on that one: http://lime-technology.com/forum/index.php?topic=41243.0
Frostyfruit Posted December 30, 2017
Hi all, I am new to UnRAID and have finally set up my server. I have successfully joined to my DC and modified the permissions on the share following both the guides below:
https://www.linuxserver.io/2015/07/20/how-to-active-directory-on-unraid-6/
http://www.techyv.com/questions/how-keep-unraid-server-active-directory/
In Windows AD, I see the nobody user and also root user and root group. When I have tried to delete these from the Windows permissions screen I have lost access to the share and I have had to reset the permissions through UNRAID diagnostics. My assumption is that these permissions need to be there for unraid to manage the share? Is that right? Thanks!
Frostyfruit Posted December 30, 2017
On 7/25/2015 at 2:37 AM, smdion said:
> You set an environment variable to the User ID and Group ID before you install it in the docker webgui. unRAID is 99/100, but you can change it to whatever you want. Any docker released by linuxserver.io has this and they are in the community apps plugin. I'm slowly converting my fleet over to this method.
> Edit: I'm also trying to convince tom to add AD credential login for WebGUI and SSH - http://lime-technology.com/forum/index.php?topic=41614.0
Smdion, how do you find out the user ID or group ID as part of the AD credentials? Is this the actual username / group? Or is there a command to obtain an ID from Unraid? Slowly learning...
Frostyfruit Posted December 31, 2017
Worked this out by simply using the id command in the CLI.