The DL is joined to the domain. The issue is with the shares.
Maybe I am still too damaged from a week at CeBIT. Did I miss something here?
I just got my DL2100 today. Joined it to the domain, worked perfectly. Upgraded the firmware to the latest version and crash and burn, AD connectivity stopped.
I went in and I changed the SMB version to SMB3 and this let me join to the AD domain.
However, I am not having any luck getting share permissions working, but I hope this helps you all out.
Do you mean the share permission within the folder and/or user management? Can you see the AD users appearing in the user management?
Both, and yes, I can see the users. I went in and made my user have full permission to the share. The only way I can access it is if I \\wdmyclouddl2100 and then enter the type wdmyclouddl2100\admin and the admin password to get in. My domain credentials will not work.
I believe I figured out this issue. The underlying Samba configuration file, smb.conf, is using the “invalid users” statement for each share created. From a security perspective, including this statement is a good idea. However, from an operational perspective, using both “invalid users” and “valid users” statements in the same share doesn’t work as we would like. If a user is a member of any group specified in the “invalid users” statement, they are denied access even if they are listed in the “valid users” statement.
This excerpt from Chapter 9 of the Samba docs confirms this: “The important rule to remember with these options is that any name or group in the invalid users list will always be denied access, even if it is included (in any form) in the valid users list.”
The workaround for this is to either allow all groups that the user is a member of to access the share or SSH into the NAS and comment out (#) the invalid users statement. Unfortunately, if you decide to comment out the invalid users statement, it doesn’t persist after a reboot.
Hopefully, WD will figure out a more permanent solution than either one of these workarounds.
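The precedence rule quoted above, as an added example that is not part of the original posts or of WD's firmware: a small Python model that parses an smb.conf excerpt and reports which “invalid users” entry blocks a given user. The sample config and all names are constructed, and the caller is assumed to supply the user's flattened group memberships (real Samba resolves these itself).

```python
import re
# Constructed smb.conf excerpt; share, user and group names are made up.
SAMPLE_CONF = r'''
[Finance]
   valid users = "EXAMPLE\alice", @"EXAMPLE\Finance RW"
   invalid users = @"EXAMPLE\Domain Users", "EXAMPLE\bob"
[Public]
'''

def parse_shares(text):
    """Return {section: {normalised key: value}} for an smb.conf-style file."""
    shares, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = shares.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return shares

def parse_list(value):
    """Split a user list on spaces/commas, keeping quoted names together."""
    return [t.replace('"', "") for t in re.findall(r'[@+&]*"[^"]*"|[^\s,]+', value)]

def first_match(entries, user, groups):
    """Return the first list entry naming the user or one of their groups."""
    for entry in entries:
        name = entry.lstrip("@+&").lower()
        is_group = entry[0] in "@+&"             # all group prefixes treated alike
        if name in groups if is_group else name == user.lower():
            return entry
    return None

def check_access(share, user, groups):
    """Apply the documented order: invalid users first, then valid users."""
    groups = {g.lower() for g in groups}
    hit = first_match(parse_list(share.get("invalid users", "")), user, groups)
    if hit:
        return False, "invalid users: " + hit
    valid = parse_list(share.get("valid users", ""))
    if valid and not first_match(valid, user, groups):
        return False, "not in valid users"
    return True, "allowed"

if __name__ == "__main__":
    print(check_access(parse_shares(SAMPLE_CONF)["Finance"], r"EXAMPLE\alice", [r"EXAMPLE\Domain Users"]))
```

Run against a copy of the real smb.conf with a user's group list, the returned reason names the specific entry to review, which is narrower than commenting out the whole “invalid users” line.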
This is just ridiculous. I added every group I am a part of and my user and I still can’t get in unless I use the admin user/pass from the NAS itself. If they can’t make this work correctly with my domain credentials, we may have to send it back.
Did you try commenting out the invalid users line to see if that works? It is located in the /etc/samba/smb.conf file. After you change it, you’ll need to reload samba with the smbd reload command.
If that works, there is still a group causing the problem…perhaps a group as a member of another group listed in the invalid users?
Thanks, that worked for me.
This is great Tim_L – I’ve got to ask the question from WD though, why if so many people are complaining about this, is there not yet a fix? Or now that you’ve shown them how to fix it, when will WD issue a fix for it? Thanks for your efforts Tim.
This is driving me nuts. I have given access to all groups and users I needed and none of the shares work. The only way to make it work is to log in with the Admin credentials, and I can’t do that on users’ machines in the Company…
I can’t seem to work out how to do that workaround, any help please?
After installing the latest firmware I had to downgrade to firmware version 1.06.118 in order to join the domain. On Monday July 11 2016 I will set up some shares and grant access to AD users and report whether I was successful. I got the firmware from softpedia.com.
I was able to access the shares I created after removing the “invalid users” setting in smb.conf.
Just in case anyone in the future reads this and isn’t 100% sure where to go, here is a how-to (turn on SSH and set user/pass in settings, network on the My Cloud first)
How to fix WD MyCloud NAS share access issues
SSH into MyCloud NAS using PuTTY (using the username and password you set in the config settings)
Navigate to /etc/samba
Type: vi smb.conf
Scroll down until you see the line starting with “invalid users”
Type :1 to begin editing
Type # !! at the beginning of the line (so it should look like # !!invalid user…)
Type :wq to save and quit the VI editor
You should now be able to access the share.
Changes in smb.conf are overwritten after reboot!?
Is there any startup script to stop them being overwritten after reboot?
It’s now confirmed that the design of the AD Join and the way permissions are added by WD is fundamentally flawed and therefore broken.
In typical Windows environment, you would create a share and give permissions to that share based on either a user or group membership. Only those users or groups specifically defined would have access to that share. You could also select to add a user or group and DENY access if you wanted to. The DENY would always override the allow permissions.
WD have chosen by design that when you join a DL unit to a Windows AD environment, it immediately adds ALL users and groups with DENY permissions to each share. This is the fundamental flaw in their design. Other NAS devices such as QNAP etc DO NOT DO THIS.
The “fix” as per WD support is to look at the memberships a user is in and give ALL groups that the user is in RW permissions to the share and THEN give the specific user RW permissions to the share. This is an administrative nightmare to be honest.
I’ve asked the support tech when they might resolve this clear design flaw and was told “we’ll take the feedback on board”. When I asked if that really meant that nothing was likely to happen - I was told “we’d need more feedback to make a change like this.”
I’m attempting to reach out to some of my old contacts, but no idea if they are still with WD. Time will tell.
I’m having trouble logging in to the Windows Server 2016 network folders after I put the WD DL 4100 in the domain.
I continue to get access denied.
They told me he was not compatible with the assistance, but I do not want to ask, then help me.
lol I was hoping this would have been resolved, and I too have had the same discussion with support, to which they seemed to believe that their permission structure was legit. It is a nightmare administratively as it gives anyone rights to shares. I digress in saying that in complying with this mess. Then you would think they would try to stay current with the AD 2016. But to no avail, they persist in keeping its customers in the dark ages. If I’d known this I would have selected a different brand. Then I have nothing but problems with Plex. That’s all I have to say about that. Support tries.
Well, it seems this is still an issue. I have set up 6 different shares as I can’t apply security to folders within a share. I then want group A to have read only access to share 1 but not to any of the other shares. Group B to have read only access to Share 2 etc. I have approximately 80 users all up who could be part of 6 different groups. Having to give all the groups access to the shares then add the individuals as well is an administrative nightmare. I will ditch this product and buy one that is actually designed for Windows. It might work fine in a home environment but to call it a Pro Series and say it connects with AD is stretching it. All that needs to be done is that members of group A (regardless of what other groups they are a member of) have read access to Share 1 and no rights to any of the other shares. Kinda like how AD security works.