Active Directory Issues

ocelot11 · March 31, 2023, 1:54pm

After messing with my new Rockstor install and re-installing a few times I have decided to reach out to see if anyone knows how to help; A little bit of background: my old Rockstor install was offline for a while because the machine was in storage while I was re-arranging things. I found that 3.9 was no longer supported and there were SSL certificate issues, so I installed 4.5.8 and imported my pools into that. So after all is said and done I wanted to rejoin it to my home lab domain so that I could access shares without having to worry about user management and this is where I started having problems.

I configured the NTP and Samba service just fine, configured the network connection to point to my DNS servers (the domain controllers) and to have a static ip. Then I used the Active Directory service to join the domain. I get an error that the NAS is already a member of the domain (even though it’s not) and the service immediately disables itself. I’ve checked the domain controllers and they do not have an active directory object for the NAS anywhere in active directory. I tried ‘sudo realm join --membership-software=samba --client-software=winbind SANDOM(dot)COM -U Administrator’ on the command line and experience the same issue, claiming the domain was already joined. If I join the domain with only ‘sudo realm join SANDOM(dot)COM -U Administrator’ the join works and an object is created in Active Directory. I can then turn on the Active Directory service, however no users or groups are ever enumerated into rockstor and other communication issues seem to occur.

Leaving the realm with ‘sudo realm leave SANDOM(dot)COM -remove’ does remove the machine from active directory however samba and winbind seem to still think they are joined to the domain, as joining with with the --membership-software and --client-software arguments does not work, claiming once more that they are already domain joined. Rejoining the domain without the arguments works fine, but again no groups or users are ever enumerated.

I have a ubuntu docker server joined to the domain by hand with SSSD with no issues. I’m not familiar with OpenSUSE or that familiar with Rockstor even, but I checked the configuration files in SSSD and Samba between the two different systems and everything seems correct.

I really want to continue to use Rockstor instead of switching NAS solutions, especially since it’s hardware requirements are more reasonable than anything that uses ZFS. Does anyone know the best way to proceed to resolve this issue?

Edit: I had to replace the dot in dot com on this post because it thinks I was trying to add URLS, and as a new user I can’t add more than two; so ignore that. In the actual config files everything is normal.

Hooverdan · March 31, 2023, 7:10pm

@ocelot11 welcome to the rockstor community.
I don’t have much Active Directory experience (other than a frustrated business user when it doesn’t work on my domain machine).

My understanding is that there are 2 options to run with the Active Directory, either via sssd or via winbind, but not both (based on this):

From the Rockstor documentation, we are relying on sssd for AD:
https://rockstor.com/docs/interface/system/services.html#active-directory-ad

so your “simulation” via the command line is probably more closely related to the second realm join command you posted. Did you then manually also maintain the sssd.conf file to contain the explicit enumeration option?

[domain/<domainname>]
enumerate = true

following the FAQs here:
https://docs.pagure.org/sssd.sssd/users/faq.html#when-should-i-enable-enumeration-in-sssd-or-why-is-enumeration-disabled-by-default

I assume, aside from the messages you’re not seeing anything in the logs that’s related to the service attempting to start, discover, etc.?

Sorry, not of very much help but wanted to see whether there is even more info you can possibly tease out and post for others with AD experience to follow-up on.

ocelot11 · March 31, 2023, 9:20pm

Actually you were a big help. Adding “enumerate = true” to /etc/sssd/sssd.conf fixed the problem! I didn’t even think to check because I had the option ticked in the web gui! Thanks!

ocelot11 · March 31, 2023, 9:24pm

Oh I spoke too soon. Users appear now but whenever I try and assign them to a share I receive this error:
Traceback (most recent call last):
File “/opt/rockstor/src/rockstor/rest_framework_custom/generic_view.py”, line 41, in _handle_exception
yield
File “/opt/rockstor/src/rockstor/storageadmin/views/samba.py”, line 239, in put
self._set_admin_users(admin_users, smbo)
File “/opt/rockstor/src/rockstor/storageadmin/views/samba.py”, line 141, in _set_admin_users
auo.smb_shares.add(smb_share)
UnboundLocalError: local variable ‘auo’ referenced before assignment

Hooverdan · March 31, 2023, 9:40pm

Interesting. Seems that something goes wrong in this method here:

github.com

rockstor/rockstor-core/blob/0249f5283203461d71093447611c762901f6f378/src/rockstor/storageadmin/views/samba.py#L117-L143


@staticmethod
def _set_admin_users(admin_users, smb_share):
    for au in admin_users:
        try:
            auo = User.objects.get(username=au)
        except User.DoesNotExist:
            # check if the user is a system user, then create a temp user
            # object.
            try:
                system_user = pwd.getpwnam(au)
                auo = User(
                    username=au,
                    uid=system_user.pw_uid,
                    gid=system_user.pw_gid,
                    admin=False,
                )
                auo.save()
            except KeyError:
                # raise the outer exception as it's more meaningful to the
                # user.

This file has been truncated. show original

in the last line (line 141) when it tries to add the smb share

@phillxnet, @Flox I’m out of my depth here, since I would have expected that a failure to create the auo object earlier in the method would be caught by the except construct … Is it that the finally block is run regardless, so since the save is in there, it will try execute that line and hence run into the above error message?

Of course, the underlying question is why there are issues assigning the auo …

Flox · April 1, 2023, 12:39am

Thanks a lot @Hooverdan for taking the time to get us that far… It seems we do have some issue with fetching an SSSD user there.

@ocelot11, I’ll have to have a better look at that but I’m unfortunately too short on time for tonight. I’ll try to refresh myself on that area of Rockstor tomorrow if I can get some free time; I’m under quite a workload at work for the moment but I’ll do my best to have at least a better look at how we are fetching admin users in samba.

In the meantime, you seem to have encountered a few issues that shouldn’t have appeared so I’ll try to look at those too. Thus, to make sure I understood correctly:

you did check the enumerate checkbox in the UI but when visiting the users page you couldn’t see any domain users? Same with groups?
the domain users do show as options when exporting a Samba share; it just gives you the error you pasted when submitting the form… Is that correct?

Don’t hesitate to ping this thread again if you don’t hear back from me tomorrow (US eastern time). As mentioned, I should be rather swamped at work but I’m hoping to be able to get some time to spend on this.

ocelot11 · April 1, 2023, 12:46pm

Thanks @Flox and @Hooverdan too. I’m afraid I’m a bit out of my depth here too. Yes thats correct. They only appeared after manually changing the sssd config, the enumeration checkbox did not work. They appear in both users/groups and when exporting a samba share, however the export fails with the error above.

Flox · April 2, 2023, 12:26pm

Hi @ocelot11,

I think I have an inkling as to what is happening here. To confirm, you can edit that samba export without problem if you do not add an admin user, or if you choose a “local” (non AD) user as admin user, is that correct?

ocelot11 · April 2, 2023, 4:20pm

Yes, that’s correct.

ocelot11 · April 4, 2023, 10:48am

Hey @Flox, was just wondering if you had any updates on figuring out what the issue was. No problem if your busy! I appricaited the support!

Flox · April 10, 2023, 1:30pm

Hi @ocelot11 ,

My apologies on the delay here, but thank you for your understanding. It has been really busy at work for me lately so I didn’t have time to get my AD test server back in shape until yesterday.
That being said, it means I finally have all I need to try and reproduce your issue here so I’ll get on that as soon as I can.

Sorry again for the delay, and thank you for your patience, I appreciate it.

Flox · April 11, 2023, 9:44pm

Hi @ocelot11 ,

I finally could take the time to try joining an AD and it worked for me without the errors you described.
As a result, my best guess so far is that there must be some conflict that appeared after the different attempts you had to make. We could try to troubleshoot that part for you, but I think the most important thing is that I can reproduce the error you have above when creating a new Samba export:

[11/Apr/2023 17:40:47] ERROR [storageadmin.util:45] Exception: local variable 'auo' referenced before assignment
Traceback (most recent call last):
  File "/opt/rockstor/src/rockstor/rest_framework_custom/generic_view.py", line 41, in _handle_exception
    yield
  File "/opt/rockstor/src/rockstor/storageadmin/views/samba.py", line 191, in create_samba_share
    self._set_admin_users(admin_users, smb_share)
  File "/opt/rockstor/src/rockstor/storageadmin/views/samba.py", line 141, in _set_admin_users
    auo.smb_shares.add(smb_share)
UnboundLocalError: local variable 'auo' referenced before assignment
[11/Apr/2023 17:40:47] DEBUG [storageadmin.util:46] Current Rockstor version: 4.5.8-0

Now that I have that, I can try to see what is going on here.

Sorry for not yet having a fix, but at least I’m now setup to try to figure it out.

Flox · April 12, 2023, 6:48pm

@ocelot11:

I’ve now narrowed it down to an issue similar to what surfaced shortly after we implemented SSSD for this and was fixed then:

github.com/rockstor/rockstor-core

AD enable in 4.0.5-0 (RC6) requires reboot or rockstor service restart

opened 03:15PM - 03 Jan 21 UTC

closed 08:37AM - 08 Mar 21 UTC

phillxnet

Thanks to @FroggyFlox for helping to diagnose this issue. As of 4.0.5-0 (Release… Candidate 6) enabling the newly added sssd backed AD service for the first time leads to the following error: KeyError: u"Got KeyError when attempting to get a value for field `groupname` on serializer `SUserSerializer`.\nThe serializer field might be named incorrectly and not match any attribute or key on the `User` instance.\nOriginal exception text was: 'getgrgid(): gid not found: ... Where the gid is that of the AD users. Linking to the relevant pull request where this issue was discovered: "Implement SSSD-based enrollment into Active Directory or LDAP domains." #2235 A subsequent reboot or rockstor service restart resolves the apparent caching issue and functionality looks to be as expected there after.

Similar to what is described in that resolved issue, a first workaround is to either restart the rockstor service (systemctl restart rockstor) or reboot the Rockstor machine and then you should be able to create a Samba export using an AD user as admin user. Can you confirm that this workaround work for you?

I’ll get on to getting a proper fix in the meantime.

Flox · April 12, 2023, 10:08pm

I have now created an issue on our Github repository:

github.com/rockstor/rockstor-core

[Active Directory] Failure to set an AD user as Samba admin_user until Rockstor service restart

opened 10:06PM - 12 Apr 23 UTC

FroggyFlox

Thanks to forum user **ocelot11** for reporting this issue: [https://forum.rocks…tor.com/t/active-directory-issues/8728/4](https://forum.rockstor.com/t/active-directory-issues/8728/4?u=flox) # Description As described in that forum post, when clicking on Submit during the creation of a Samba export using an AD user as the *admin_user*, Rockstor throws the following Exception: ``` Traceback (most recent call last): File “/opt/rockstor/src/rockstor/rest_framework_custom/generic_view.py”, line 41, in _handle_exception yield File “/opt/rockstor/src/rockstor/storageadmin/views/samba.py”, line 239, in put self._set_admin_users(admin_users, smbo) File “/opt/rockstor/src/rockstor/storageadmin/views/samba.py”, line 141, in _set_admin_users auo.smb_shares.add(smb_share) UnboundLocalError: local variable ‘auo’ referenced before assignment ``` As detailed by @Hooverdan96 in that forum thread, the section throwing that exception is the following: https://github.com/rockstor/rockstor-core/blob/e490c32c3308d0d18b468b902750aa9663784a5f/src/rockstor/storageadmin/views/samba.py#L118-L141 # Reproducer 1. Setup, configure, and turn ON the Active Directory service. 2. Go to Storage > Samba, and click on "Add Samba export". 3. Use an AD user as admin_user. 4. Click submit, and the error above is returned. **Note** that if the Rockstor service is restarted or the machine rebooted, everything works as intended without error. To reproduce this error again after a Rockstor service restart, one has to turn OFF the AD service, manually remove the AD user from the storageadmin.user table, manually remove the group from the storageadmin.group table, and then restart the Rockstor service. Without this "cleanup/reset" steps, the AD user remains "in cache" and thus no error will be returned upon creation of the Samba export as detailed in the reproducer steps above. # Explanation The `_set_admin_users()` method aims at adding the User <-> smb_share relationship in the database. Its logic can be summarized as follows: 1. Try to get the `storageadmin.user` object corresponding to the user set as admin_user in the Samba export form. 2. If no entry is found in `storageadmin.user`, fetch that info from system users using the `pwd` library. 3. Create corresponding `storageadmin.user` entry, save it, and then add the User <-> smb_share relationship. In our case, the user is an AD user and thus does not have an entry in the `storageadmin.user` table. We thus try step 2 above. This one fails for a similar reason as investigated and solved in #2240. This is also why a Rockstor service restart works (as it did in #2240). # Resolution We may follow the same approach to fix this as we did to fix #2240: use InfoPipe as a failover mechanism if `pwd` cannot retrieve the required information. This will need further investigation to verify it is the best option, though.

We already fixed a very similar issue so we can follow the same approach to fix this one but it’ll need a bit more verification before committing. I’ll update that Github issue accordingly.

Flox · April 17, 2023, 7:21pm

@ocelot11,
A corresponding PR to fix that issue has now been submitted:

github.com/rockstor/rockstor-core

Use InfoPipe as fallback mechanism to fetch user/group information #2526

rockstor:testing ← FroggyFlox:2526_Failure_to_set_an_AD_user_as_Samba_admin_user_until_Rockstor_service_restart

opened 07:08PM - 17 Apr 23 UTC

FroggyFlox

+157 -51

Fixes #2526 @phillxnet, ready for review We currently use the built-ins `pw…d` or `grp` to fetch user/group information throughout the project. Unfortunately, this can sometimes fail in systems that have freshly been joined to an Active Directory domain. See #2526 for details on the conditions required for such failures. # Proposed fix To fix this issue, this pull request (PR) proposes to increase the robustness of users/groups fetching by adding InfoPipe as a fallback mechanism during the creation of a Samba export; we already use such fallback to retrieve the groupname information for a domain user (see #2279). Briefly, we add this InfoPipe-based fallback mechanism in two places and to retrieve: - user information when setting Samba admin users - group name for a given user when listing system users To simplify and harmonize our user retrieval mechanisms, switch to using the already established `combined_users()` method during `_set_admin_users()` to retrieve all users seen by `getent passwd`, complemented by InfoPipe as fallback. See https://github.com/rockstor/rockstor-core/issues/2526#issuecomment-1510424000 for details. This PR also fixes a related bug in retrieving groupname from an AD user: see https://github.com/rockstor/rockstor-core/issues/2526#issuecomment-1510492500 for details. It also includes the following minor improvements: - a refactoring of the now-replaced `ifp_get_groupname()` function to make it more flexible: able to retrieve any given property or several properties of either a user or a group - simplify our current check for the active status of SSSD with a simple boolean wrapper using init_service_op to return True when the given systemd service is active. - small docstring formatting according to PEP257 and Sphinx's Python signatures (https://www.sphinx-doc.org/en/master/usage/restructuredtext/domains.html#python-signatures) - return ifp-fetched groupname in User model property only if SSSD is active - Black formatting and update copyright # Demonstration 1. Configure and turn ON the AD service 2. Go to Storage > Samba and create a new Samba export using an AD user as Samba admin user 3. The Samba share is successfully created # Testing No new unit test was added. ``` rockdev:/opt/rockstor # cd src/rockstor/ && poetry run django-admin test (...) System check identified no issues (0 silenced). ............................................................................................................................................................................................................................................................. ---------------------------------------------------------------------- Ran 253 tests in 13.295s OK ``` # Final note I noticed the following behavior. When we create a Samba export, the user selected as Samba admin user (if any) is added to the Django User table along with its link to the SambaShare table. We thus now have an AD user in the User table. When this Samba export is deleted, however, we do NOT clean this up. This means that if the machine leaves the AD domain, we will still have that AD user listed as user. This is beyond the scope of this PR, but we may need to think about that as cleaning this up may prove tricky.

We’ll update this post accordingly.

I also wanted to thank again that report as it has not only highlighted a couple bits such as these that could be made more robust, but it also led us to uncover two others small upstream issues. One of them has already been fixed by upstream SSSD in their more recent releases. The other relates to the specific packaging of realmd in openSUSE, and we have now submitted a bug and a fix upstream. A good example of how a bug report has the potential to benefit not only other Rockstor users, but also our upstream packages . So thanks again, @ocelot11!

ocelot11 · April 19, 2023, 7:35pm

Not at all, I should be thanking you, the community, and especially the folks who are patching this! Sorry for the late reply, life got hectic for a bit, but I will be keeping my eye out for the fix! If I experience any other issues I’ll be sure to report it. Thank you!

ocelot11 · April 19, 2023, 11:47pm

I’ve updated the system and since I can add users to shares, however now whenever I try and access the shares on the boxes I get the error “There are currently no logon servers available to service the logon request”. In the samba log file I can see that it fails to contact the domain controller due to some kind password issue with the machine account, if I’m understanding this correctly.

  Connecting to 172.16.0.20 at port 389
[2023/04/19 19:42:42.724167,  3] ../../source3/libads/ldap.c:762(ads_connect)
  Connected to LDAP server Ocelot11-Ark.O11LAN.NET
[2023/04/19 19:42:42.726008,  3] ../../source3/libads/sasl.c:543(ads_sasl_spnego_bind)
  ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.30
[2023/04/19 19:42:42.726063,  3] ../../source3/libads/sasl.c:543(ads_sasl_spnego_bind)
  ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
[2023/04/19 19:42:42.726076,  3] ../../source3/libads/sasl.c:543(ads_sasl_spnego_bind)
  ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
[2023/04/19 19:42:42.726088,  3] ../../source3/libads/sasl.c:543(ads_sasl_spnego_bind)
  ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2.3
[2023/04/19 19:42:42.726100,  3] ../../source3/libads/sasl.c:543(ads_sasl_spnego_bind)
  ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
[2023/04/19 19:42:42.727950,  3] ../../auth/gensec/gensec_start.c:1083(gensec_register)
  GENSEC backend 'gssapi_spnego' registered
[2023/04/19 19:42:42.728062,  3] ../../auth/gensec/gensec_start.c:1083(gensec_register)
  GENSEC backend 'gssapi_krb5' registered
[2023/04/19 19:42:42.728077,  3] ../../auth/gensec/gensec_start.c:1083(gensec_register)
  GENSEC backend 'gssapi_krb5_sasl' registered
[2023/04/19 19:42:42.728090,  3] ../../auth/gensec/gensec_start.c:1083(gensec_register)
  GENSEC backend 'spnego' registered
[2023/04/19 19:42:42.728104,  3] ../../auth/gensec/gensec_start.c:1083(gensec_register)
  GENSEC backend 'schannel' registered
[2023/04/19 19:42:42.728117,  3] ../../auth/gensec/gensec_start.c:1083(gensec_register)
  GENSEC backend 'naclrpc_as_system' registered
[2023/04/19 19:42:42.728131,  3] ../../auth/gensec/gensec_start.c:1083(gensec_register)
  GENSEC backend 'sasl-EXTERNAL' registered
[2023/04/19 19:42:42.728144,  3] ../../auth/gensec/gensec_start.c:1083(gensec_register)
  GENSEC backend 'ntlmssp' registered
[2023/04/19 19:42:42.728157,  3] ../../auth/gensec/gensec_start.c:1083(gensec_register)
  GENSEC backend 'ntlmssp_resume_ccache' registered
[2023/04/19 19:42:42.728170,  3] ../../auth/gensec/gensec_start.c:1083(gensec_register)
  GENSEC backend 'http_basic' registered
[2023/04/19 19:42:42.728183,  3] ../../auth/gensec/gensec_start.c:1083(gensec_register)
  GENSEC backend 'http_ntlm' registered
[2023/04/19 19:42:42.728200,  3] ../../auth/gensec/gensec_start.c:1083(gensec_register)
  GENSEC backend 'http_negotiate' registered
[2023/04/19 19:42:42.728213,  3] ../../auth/gensec/gensec_start.c:1083(gensec_register)
  GENSEC backend 'krb5' registered
[2023/04/19 19:42:42.728226,  3] ../../auth/gensec/gensec_start.c:1083(gensec_register)
  GENSEC backend 'fake_gssapi_krb5' registered
[2023/04/19 19:42:42.729236,  1] ../../auth/gensec/spnego.c:418(gensec_spnego_create_negTokenInit_step)
  gensec_spnego_create_negTokenInit_step: Failed to setup SPNEGO negTokenInit request
[2023/04/19 19:42:42.729311,  1] ../../source3/libads/sasl.c:644(ads_sasl_spnego_bind)
  ads_sasl_spnego_gensec_bind(KRB5) failed for ldap/ocelot11-ark.o11lan.net with user[OCELOT11-NAS$] realm=[O11LAN.NET]: Cannot read password
[2023/04/19 19:42:42.729335,  3] ../../source3/printing/nt_printing_ads.c:756(check_published_printers)
  ads_connect failed: Cannot read password
[2023/04/19 19:42:42.729644,  0] ../../source3/printing/nt_printing.c:233(nt_printing_init)
  nt_printing_init: error checking published printers: WERR_ACCESS_DENIED
[2023/04/19 19:42:42.729733,  3] ../../source3/printing/queue_process.c:359(start_background_queue)
  start_background_queue: Starting background LPQ thread
[2023/04/19 19:42:42.859684,  1] ../../source3/printing/printer_list.c:255(printer_list_get_last_refresh)
  Failed to fetch record!
[2023/04/19 19:42:42.859773,  2] ../../source3/smbd/server.c:1364(smbd_parent_loop)
  waiting for connections
[2023/04/19 19:42:48.250431,  2] ../../source3/lib/tallocmsg.c:84(register_msg_pool_usage)

ocelot11 · April 19, 2023, 11:53pm

Using sssctl i can see the domain info is set correctly and it shows the connection as online. I’m not savvy in the lower-level workings of these packages or the OS, but I did read the github issues you raised and shared and I’m wondering if this is related to those issues. Either way, if you need any logs or config files or anything I can send them over. Just let me know. Thanks!

Flox · April 20, 2023, 1:27am

Mmm… There is one thing about which I was wondering but I have not yet seen its consequences. I this wonder if that is it.
Would you mind sharing your /etc/sssd/sssd.conf file? As I know you initially had issues with turning the AD service on and had to do some things manually, I would like to verify a few things.
A paste of your smb.conf file as well could prove useful. You can of course anonymize anything you’d like.

ocelot11 · April 21, 2023, 4:37am

Hi @Flox, sorry for the wait.

This is my SSSD (interestingly, I was able to use smbclient to dump these onto the AD server with little issue. I don’t know if that info helps.):

[sssd]
config_file_version = 2
services = nss, pam
domains = O11LAN.NET
# SSSD will not start if you do not configure any domains.
# Add new domain configurations as [domain/<NAME>] sections, and
# then add the list of domains (in the order you want them to be
# queried) to the "domains" attribute below and uncomment it.
; domains = LDAP

[nss]

[pam]

# Example LDAP domain
; [domain/LDAP]
; id_provider = ldap
; auth_provider = ldap
# ldap_schema can be set to "rfc2307", which stores group member names in the
# "memberuid" attribute, or to "rfc2307bis", which stores group member DNs in
# the "member" attribute. If you do not know this value, ask your LDAP
# administrator.
; ldap_schema = rfc2307
; ldap_uri = ldap://ldap.mydomain.org
; ldap_search_base = dc=mydomain,dc=org
# Note that enabling enumeration will have a moderate performance impact.
# Consequently, the default value for enumeration is FALSE.
# Refer to the sssd.conf man page for full details.
; enumerate = false
# Allow offline logins by locally storing password hashes (default: false).
; cache_credentials = true

# An example Active Directory domain. Please note that this configuration
# works for AD 2003R2 and AD 2008, because they use pretty much RFC2307bis
# compliant attribute names. To support UNIX clients with AD 2003 or older,
# you must install Microsoft Services For UNIX and map LDAP attributes onto
# msSFU30* attribute names.
; [domain/AD]
; id_provider = ldap
; auth_provider = krb5
; chpass_provider = krb5
;
; ldap_uri = ldap://your.ad.example.com
; ldap_search_base = dc=example,dc=com
; ldap_schema = rfc2307bis
; ldap_sasl_mech = GSSAPI
; ldap_user_object_class = user
; ldap_group_object_class = group
; ldap_user_home_directory = unixHomeDirectory
; ldap_user_principal = userPrincipalName
; ldap_account_expire_policy = ad
; ldap_force_upper_case_realm = true
;
; krb5_server = your.ad.example.com
; krb5_realm = EXAMPLE.COM

[domain/O11LAN.NET]
default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = O11LAN.NET
realmd_tags = manages-system joined-with-adcli 
id_provider = ad
fallback_homedir = /home/%u@%d
ad_domain = O11LAN.NET
use_fully_qualified_names = True
ldap_id_mapping = True
access_provider = simple
enumerate = True
simple_allow_groups = %domain admins@O11LAN.NET %domain users@O11LAN.NET

And here is my smb.conf (Note I blocked out users and names for privacy, but I left my domain name so there is no confusion when trying to debunk the problem.)

[global]
    log level = 3
    map to guest = Bad User
    cups options = raw
    log file = /var/log/samba/log.%m
    printcap name = /dev/null
    load printers = no

####BEGIN: Rockstor SAMBA GLOBAL CUSTOM####
    workgroup = O11LAN
####END: Rockstor SAMBA GLOBAL CUSTOM####

####BEGIN: Rockstor ACTIVE DIRECTORY CONFIG####
    security = ads
    realm = O11LAN.NET
    kerberos method = secrets and keytab
    client signing = yes
    client use spnego = yes
####END: Rockstor ACTIVE DIRECTORY CONFIG####

####BEGIN: Rockstor SAMBA CONFIG####
[------.Share]
    root preexec = "/opt/rockstor/.venv/bin/mnt-share ------.Share"
    root preexec close = yes
    comment = Person's NAS Share
    path = /mnt2/------.Share
    browseable = no
    read only = no
    guest ok = no
    admin users = --------------@O11LAN.NET -------- --------------@O11LAN.NET 
    shadow:format = .BAG__%Y%m%d%H%M
    shadow:basedir = /mnt2/------.Share
    shadow:snapdir = ./
    shadow:sort = desc
    shadow:localtime = yes
    vfs objects = shadow_copy2
    veto files = /.BAG_*/
[Video.Share]
    root preexec = "/opt/rockstor/.venv/bin/mnt-share Video.Share"
    root preexec close = yes
    comment = Movies and Shows
    path = /mnt2/Video.Share
    browseable = yes
    read only = no
    guest ok = yes
    admin users = ------ ----------------@O11LAN.NET ------------@O11LAN.NET -----------------@O11LAN.NET -----------------@O11LAN.NET ------------------@O11LAN.NET -------------@O11LAN.NET -------------------@O11LAN.NET -----------------@O11LAN.NET 
    shadow:format = .VID__%Y%m%d%H%M
    shadow:basedir = /mnt2/Video.Share
    shadow:snapdir = ./
    shadow:sort = desc
    shadow:localtime = yes
    vfs objects = shadow_copy2
    veto files = /.VID_*/
[Recording.Share]
    root preexec = "/opt/rockstor/.venv/bin/mnt-share Recording.Share"
    root preexec close = yes
    comment = OBS and Recordings
    path = /mnt2/Recording.Share
    browseable = no
    read only = no
    guest ok = no
    admin users = ----------------@O11LAN.NET -----------------@O11LAN.NET --------- --------------@O11LAN.NET 
    shadow:format = .REC__%Y%m%d%H%M
    shadow:basedir = /mnt2/Recording.Share
    shadow:snapdir = ./
    shadow:sort = desc
    shadow:localtime = yes
    vfs objects = shadow_copy2
    veto files = /.REC_*/
[Public.Share]
    root preexec = "/opt/rockstor/.venv/bin/mnt-share Public.Share"
    root preexec close = yes
    comment = Public Files and Documents
    path = /mnt2/Public.Share
    browseable = yes
    read only = no
    guest ok = yes
    admin users = ------ ---------------@O11LAN.NET -----------------@O11LAN.NET -------------------@O11LAN.NET ---------------------@O11LAN.NET -----------------@O11LAN.NET -------------@O11LAN.NET ------------------@O11LAN.NET ------------------@O11LAN.NET 
    shadow:format = .PUB__%Y%m%d%H%M
    shadow:basedir = /mnt2/Public.Share
    shadow:snapdir = ./
    shadow:sort = desc
    shadow:localtime = yes
    vfs objects = shadow_copy2
    veto files = /.PUB_*/
[Music.Share]
    root preexec = "/opt/rockstor/.venv/bin/mnt-share Music.Share"
    root preexec close = yes
    comment = Songs and Music Videos
    path = /mnt2/Music.Share
    browseable = yes
    read only = no
    guest ok = yes
    admin users = ------ ---------------@O11LAN.NET -----------------@O11LAN.NET -------------------@O11LAN.NET ---------------------@O11LAN.NET -----------------@O11LAN.NET -------------@O11LAN.NET ------------------@O11LAN.NET ------------------@O11LAN.NET 
    shadow:format = .MUS__%Y%m%d%H%M
    shadow:basedir = /mnt2/Music.Share
    shadow:snapdir = ./
    shadow:sort = desc
    shadow:localtime = yes
    vfs objects = shadow_copy2
    veto files = /.MUS_*/
[Game.Share]
    root preexec = "/opt/rockstor/.venv/bin/mnt-share Game.Share"
    root preexec close = yes
    comment = Game Files and Saves
    path = /mnt2/Game.Share
    browseable = yes
    read only = no
    guest ok = yes
    admin users = ------ ---------------@O11LAN.NET -----------------@O11LAN.NET -------------------@O11LAN.NET ---------------------@O11LAN.NET -----------------@O11LAN.NET -------------@O11LAN.NET ------------------@O11LAN.NET ------------------@O11LAN.NET 
    shadow:format = .GME__%Y%m%d%H%M
    shadow:basedir = /mnt2/Game.Share
    shadow:snapdir = ./
    shadow:sort = desc
    shadow:localtime = yes
    vfs objects = shadow_copy2
    veto files = /.GME_*/
[------.Share]
    root preexec = "/opt/rockstor/.venv/bin/mnt-share -------.Share"
    root preexec close = yes
    comment = Person's NAS Share
    path = /mnt2/------.Share
    browseable = no
    read only = no
    guest ok = no
    admin users = -----------------@O11LAN.NET -----------------@O11LAN.NET ------ ------------@O11LAN.NET 
    shadow:format = .AMS__%Y%m%d%H%M
    shadow:basedir = /mnt2/------.Share
    shadow:snapdir = ./
    shadow:sort = desc
    shadow:localtime = yes
    vfs objects = shadow_copy2
    veto files = /.AMS_*/
####END: Rockstor SAMBA CONFIG####