Linux based NAS with a Windows domain controller: Permissions


Recommended Posts

Hello

I seem to have trouble with a Linux based NAS that I have made part of a Windows (SBS 2003) Active Directory domain. When I made it part of the domain, all the domain users have passed to it.

I cant write to the "root" of the NAS so I make a folder. Inside this folder, I copy all of my old data to it. The problem is that the permissions dont seem to pass or pass only sometimes....

To copy I use this: http://ipmsg.org/tools/fastcopy.html.en because it supports ACL.

The domain clients are Windows 7 and Windows XP. The NAS is a QNAP TS469U-RP.

Thank you for all the help

And what are the permissions? Just set them! And don't copy ACLs -- when you copy files they should use the permissions of the folder / drive you copy them too.

Set the permissions you want on the drive/folders of your nas! Sounds like you want to be able to copy to root? if so then correct the permissions..

What are you having trouble with about understanding permissions?

  On 16/07/2013 at 11:14, BudMan said:

And what are the permissions? Just set them! And don't copy ACLs -- when you copy files they should use the permissions of the folder / drive you copy them too.

Set the permissions you want on the drive/folders of your nas! Sounds like you want to be able to copy to root? if so then correct the permissions..

What are you having trouble with about understanding permissions?

The problem is that it is suppose to be automatic: When I copy from the server to the NAS, the permissions go with it. The permissions I am talking about are:

FolderA : User1 can write, User2 is owner, All of group Users can write, etc.....

That is what is not being passed.

And I do not want to do it manually because there are a lot files/folders and one of the features is that it supports passing ACLs....

Lets see the permissions please!

Screen shots works, lets see the effective permissions tab as well with a couple different user names put in.

example - this is from a client just right clicking on the share

post-14624-0-60632500-1373995178.png

If you NAS is linux based, make and model like sc302 suggested would be helpful.

ls -la listing from linux console for your files and directories would be helpful in seeing permissions set via linux.

for linux to use windows permissions you have to map them to a linux user normally.

Also you can copy ACLs with /0 in the builtin xcopy command

 /O           Copies file ownership and ACL information.
Or robocopy as well, another built in tool can copy permissions

/COPY:copyflag[s] :: what to COPY for files (default is /COPY:DAT).
                     (copyflags : D=Data, A=Attributes, T=Timestamps).
                     (S=Security=NTFS ACLs, O=Owner info, U=aUditing info).

      

             /SEC :: copy files with SECurity (equivalent to /COPY:DATS).
Keep in mind where you making a copy from - if any local permissions have been set its unlikely those would work, match up to domain accounts via SID, etc.

As setting permissions on your NAS, I would assume your wanting to remove the old files after you copy them.. So its just easier and cleaner to create the permissions you want to use on the device doing the shares vs trying to copy them.. Only reason to take the permissions along would be if you had complex permissions on each file, etc.

You can run into problems if inherit flags are being used on source or dest and they conflict or don't line up, accounts to map correctly, etc.

  On 16/07/2013 at 23:19, sc302 said:

what I would suggest is to use iscs vs nfs.  it will be much better for you if your ad permissions aren't being applied.  It would be best if you could dedicate a nic for it, but it is not needed.

I actually was intrested in iSCSI the problem with it is that Im not completely sure how it works and we were already using a "shared folder" type structure so the transition would be "transperent", we just decided to go with this.

If you could share some document with iSCSI and AD permissions, Ill consider trying it out :)

Another kicker: On the server there are groups I can add permissions for and on the NAS I cant!

On the left side, you see users/groups I can add for setting their different permission settings. This is the AD server.

But on the right hand side, you see the users/groups I can add for the NAS server. Shouldnt it, since I am accessing from the AD server, be the same?

Scratch all that: Just read it is by design. God, this is going to make my life a bitch :(

Not sure how in-depth you want to get into Linux but I managed to set this up using Software RAID6 on Linux with mdadm, 4TB  and got results of about 300MB/s read and 300MB/s write (That's MegaBytes not bits).  Wired that up through my place over a 1Gig/s network for around 120MB/s R/W to from that.  About 6 steps. 1 step to do the RAID.  So around $800 for 4TB and those speeds.

 

Here's the page about all that and it actually works as posted:  

 

All shared with CIFS and secured by selinux (Having said selinux, maybe that's where the issue is with yours?  Not sure.  Ran into the same thing with my custom one):

HTPC / NAS Backup

 

Sharing with Samba / CIFS

 

But like I said, not sure how in depth you want to get into Linux though having an entire OS behind the setup will give you lot's of tools in case of issues and not a closed down box.

 

HF!

  • 3 weeks later...
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Posts

    • It has the same switch to allow whitelisting or not as the regular AdBlock extension.
    • These 20 crypto phishing applications are scamming Play Store users by Hamid Ganji Google Play Store is the main venue for Android users to download applications. While Google has strict rules and policies for verifying apps, some malicious apps somehow slip through anyway. Meanwhile, when it comes to crypto wallet apps, both Google app auditors and Play Store users need to be even more cautious. Cyble Research and Intelligence Labs has identified at least 20 crypto phishing applications on the Google Play Store that impersonate legitimate and popular crypto wallet apps and try to steal users' crypto credentials. By impersonation, these malicious apps trick users into downloading them and then start to capture the user's actual login data. "What makes this campaign particularly dangerous is the use of seemingly legitimate applications, hosted under previously benign or compromised developer accounts, combined with a large-scale phishing infrastructure linked to over 50 domains. This extends the campaign's reach and lowers the likelihood of immediate detection by traditional defenses." Cyble writes. Some of these malicious apps have the same name but come with a different package name. After removing duplicate names, here's the list of 9 newly discovered crypto phishing applications on the Play Store: Pancake Swap Suite Wallet Hyperliquid Raydium BullX Crypto OpenOcean Exchange Meteora Exchange SushiSwap Harvest Finance Blog According to Cyble, these apps prompt users to enter their 12-word mnemonic phrase to access the fake crypto wallet. Also, scammers use accounts that were previously used to distribute legitimate apps to minimize the risk of getting caught by Google. These accounts are more likely to be compromised and then taken over by scammers. If you've downloaded any of these fake crypto wallet apps from the Play Store, make sure to delete them as soon as possible. In 2024, revenue from crypto scams was estimated to be around $9.9 billion. This billion-dollar crypto scam business is expected to grow massively in 2025 thanks to AI.
    • Again...just because Microsoft never managed to be as successful as Google in that business that doesn't mean they are not exactly what Google is. An online advertising company. Edge's built in ad block in case you don't know whitelists their own advertising platform. According to Microsoft... Google ads and tracking bad, Microsoft ads and tracking good:)
  • Recent Achievements

    • Reacting Well
      viraltui earned a badge
      Reacting Well
    • Week One Done
      LunaFerret earned a badge
      Week One Done
    • Week One Done
      Ricky Chan earned a badge
      Week One Done
    • Week One Done
      maimutza earned a badge
      Week One Done
    • Week One Done
      abortretryfail earned a badge
      Week One Done
  • Popular Contributors

    1. 1
      +primortal
      483
    2. 2
      +FloatingFatMan
      264
    3. 3
      snowy owl
      239
    4. 4
      ATLien_0
      229
    5. 5
      Edouard
      179
  • Tell a friend

    Love Neowin? Tell a friend!