PR2100 Permissions Issues

We bought 3 PR2100 devices last week.
I’m setting up the first one, and I’m running into a lot of issues already.

I’ve got it on our network with a static IP and I’ve joined it to our domain.
I’ve updated the firmware to version 2.30.193.
I’ve created some test shares.

I created one share prior to joining the device to our domain (as it will be using a local account, not a domain account). I can access this share from the local (non-domain) account as well as domain accounts.


I cannot access any shares that are created after joining the domain.

If I create a share named “Test” and leave it public, I can access it.
If I turn off “Public”, then turn on full access for a domain user account (“DOMAIN\TestAccount”), that account cannot access the share, even if I reboot the PR2100 after setting the permissions.

This happens even when I grant full access to ALL of the domain groups that the user account is in (Domain Admins, Domain Users, etc.).

What’s going on? Is there any logging or debug information available to explain why I’m being denied access to the shares?

Edit: The logs show many entries of "SAMBA CIFS: Authentication for user [DOMAIN\User] has FAILED. " (with the actual domain name and user name in there).


Why is the PR2100 set up such that DENY entries for every single user and group it can find via AD are added to shares? Why can’t these entries be removed from the config? The result is that even if permissions are working as described, people in multiple groups will cause situations where you have to grant access to a group that should NOT have access in order to grant access to a group that should.

For example, if a user account named “Manager” was in the groups “Financial” and “Reporting”, then both the “Financial” group AND the “Reporting” group need access to ALL SHARES the “Manager” user needs access to. This is completely out of sync with industry standards.


Is there any way to add permissions for a domain account that isn’t a USER account? I need to add permissions for a COMPUTER account, which is of the form of “NAME$”. For example, for a web server named WEB.DOMAIN.COM, the computer account would be named WEB$ (or WEB$.DOMAIN.COM).

I need to be able to grant permission to a specific share for a certain COMPUTER account. Is this possible? If so, how would I do this? I’ve been trying to work around this limitation by adding the computer account to a group, and then granting that group permission to the share, but I can’t even tell if this works or not because of the general permissions problem described above.


Is there any way to add multiple VLANs to the device? I was able to do this in the past with the old WD Sentinel devices, but I can’t seem to do it here. This isn’t strictly necessary, but I would like to do it in order to get our UPS setup working as each of the three devices will be on separate VLANs.


We used to rely on WD Sentinels years ago, and we replaced them in favor of custom built boxes 2.5 years ago because WD didn’t have a replacement for the Sentinels available.

We’re in the process of replacing our custom built boxes, and I was happy to see WD had refreshed the My Cloud line. Unfortunately, from the very beginning with a brand new product, it seems it doesn’t have basic functionality working.

If I can’t get the share permissions working soon and figure out how to add permissions for a computer account (or find a workaround), I’ll have to return these 3 devices for a refund.

Thanks
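A small model of the precedence problem described in the post above, as an added example that is not part of the original thread and is not WD or Samba code. It assumes, as the post describes, that the device writes a DENY entry for every directory group not granted access and that a matching DENY overrides any ALLOW; group and user names are constructed, and only group entries are modelled.

```python
# Added example: a toy model of the share ACL behaviour the post describes.
# All group and user names below are constructed.

GROUPS = {"Financial", "Reporting", "Sales"}   # groups found via AD
MEMBER_OF = {                                  # user -> group memberships
    "Manager": {"Financial", "Reporting"},
    "Clerk": {"Financial"},
    "Analyst": {"Reporting"},
}


def build_acl(granted, auto_deny=True):
    """Return (allow, deny) for a share.

    auto_deny=True models the post's description: every directory group
    that was not granted access gets an explicit DENY entry.
    """
    allow = set(granted)
    deny = GROUPS - allow if auto_deny else set()
    return allow, deny


def blocking_groups(user, acl):
    """DENY entries that match one of the user's groups."""
    _allow, deny = acl
    return sorted(MEMBER_OF[user] & deny)


def can_access(user, acl):
    """Deny-overrides: one matching DENY beats any number of ALLOWs."""
    allow, _deny = acl
    if blocking_groups(user, acl):
        return False
    return bool(MEMBER_OF[user] & allow)


def who_can_access(acl):
    """Sorted list of modelled users that pass the access check."""
    return sorted(u for u in MEMBER_OF if can_access(u, acl))


if __name__ == "__main__":
    intended = build_acl({"Financial"})                 # what the admin wants
    workaround = build_acl({"Financial", "Reporting"})  # what the post says is needed
    allow_only = build_acl({"Financial"}, auto_deny=False)
    print("intended  :", who_can_access(intended), blocking_groups("Manager", intended))
    print("workaround:", who_can_access(workaround))
    print("allow-only:", who_can_access(allow_only))
```

In the model, granting only "Financial" locks "Manager" out through the "Reporting" DENY, and the workaround that lets "Manager" in also admits every other "Reporting" member; with no automatic DENY entries the single grant is enough.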

I was able to get the share permissions somewhat working. I ended up having to create a DNS entry on the domain controller manually, and I then ended up having to reboot some SMB clients for them to see that they had access to some of the shares.

I am still getting many instances of "SAMBA CIFS: Authentication for user [DOMAIN\User] has FAILED. " and "SAMBA CIFS: Authentication for user [nobody] has FAILED. " in the logs.

It appears that adding a computer account (NAME$) to a group in Active Directory and then granting that group access does work to grant access to a share for that computer account. I’ll need to do more testing to confirm this is working as expected.


I’ve run into another issue where a local account (“admin” or “test”) cannot actually access anything over SMB after I’ve joined something to the domain. Using a domain account (“DOMAIN\user”) works as expected, but using “admin” or “\admin” or “test” local user accounts (created on the My Cloud) does not work.

Is there some trick to get a local account working after the My Cloud has been joined to a domain? The client I’m accessing from isn’t joined to the domain. I can specify domain credentials and they work, but I’d rather use a local account on the My Cloud itself and keep it completely separate.


As for multiple VLANs, I found that if I disable the network aggregation I can then specify settings for both interfaces separately. I haven’t tried doing this yet, but I’ll look into it later if I can get around the other issues.

It looks like setting the user name on the SMB client to “device-name\username” works for a local user account on a domain-joined My Cloud.

For example, if your My Cloud is named “mycloud” and your local user account is named “user”, then “mycloud\user” is what you want to enter on the SMB client.

Note that I tried doing “\user”, but it looks like that doesn’t work. I’m not sure if this is an issue with the client or the PR2100.


I haven’t tried multiple VLANs yet, since I can’t seem to get a USB hub working. I’d only need to use multiple VLANs if I wanted to get the UPS configured on all 3 My Clouds, but without a USB hub I don’t think it will be a possibility.

Unfortunately support for many USB devices was stripped from the kernel.
With SSH enabled, check the output of dmesg after plugging in the USB hub.