Ok so here is my issue:
I have a Synology NAS and a Nextcloud installation.
Both are linked to my AD, and when I add the NAS as external storage it doesn’t read the permissions given by my AD to the folders on the NAS.
Nextcloud just over-rules those rights and allows everything based on permissions given in Nextcloud.
Is there a way I can get this to work?
I basically want the detailed rights that I can give with my NAS to get picked up by Nextcloud and not have them overwritten if that makes any sense?
I want my AD to dictate the rights on the NAS instead of Nextcloud.
But I do want Nextcloud to fully function when it comes to sharing etc.
I don’t think this is possible. Not only as part of your requirement Nextcloud and your Storage need to use AD as user back-end (and completely replicate all the users and groups) which may be hard enough but Windows access rights don’t really fit into Nextcloud’s access rights design (e.g. deny access doesn’t exist in NC).
Yeah I know the rights don’t fit, I was hoping when I linked it to my Active Directory that Nextcloud would be able to at least read them and know what to do from there. Or at least not completely overrule rights given by the other platform.
If so, it looks like some kind of windoze trash. Good luck integrating that with ANYTHING that makes sense. And at the same time, thanks so much for giving money to an organization known for funding the development of covid-19 in a lab in wuhan.
No… any application accessing your Windows share acts as a user from the share’s point of view. Access rights assigned to NC apply. NC in turn has no knowledge about user rights applied on the storage box (otherwise it would need to have some admin access to the box, read the rights, interpret and adapt to its own rights model). It cannot overrule access rights of the storage, it just acts within its own assigned rights and may further restrict it. But it can’t provide more access than it has on the storage.
If you need rights separation you may choose to connect external storage not on system level but every user connects using own credentials - this way every user is subject to his own storage access rights. You need to advise the users how it works, but it is possible. It may still be not the best solution but if it works for you - why not?
Yeah I have been thinking about this as well, would have preferred to make it all very easy and set-up beforehand for my users but I don’t think there is any other way to get what I want out of both sides.
I’m going to build a test and see what’s what!
Thx for the advice!
“Active Directory”, “AD” ™ is the marketing term for a closed-source, proprietary Microsoft obfuscation (some call it “version”) of an LDAP-infrastructure that can be used exclusively in a heavily license-encumbered way by a limited subset of some of Microsoft’s products. It was pushed on the market around the year 2000.
With a lot of fiddling you can sometimes get some standard-compliant LDAP-products to interact with it.
@Syvas - Could you update how this is going? I would love to accomplish the same thing. I have a NAS with existing network shares connected as external storage on Nextcloud. As you noted, everyone gets access to the shares based on the credentials used to connect the external storage instead of their own.
The comment about mapping the external storage as their own is intriguing. If that works the next step would be to script/automate connecting the storage to each user’s account.
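The access model discussed in this thread, as an added example that is not part of any post: a simplified Python model of why a mount using one shared account ignores each user's AD rights, while per-user credentials enforce them. All account, group and folder names are constructed, and the ACL evaluation is a deliberate simplification of Windows semantics (explicit deny beats allow).

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Ace:
    principal: str      # user or group name (constructed)
    allow: bool         # False = explicit deny entry, which Nextcloud has no equivalent for
    rights: frozenset

def storage_rights(acl, user, groups):
    """Rights the NAS grants an authenticated account; deny entries win over allow."""
    who = {user} | set(groups)
    allowed, denied = set(), set()
    for ace in acl:
        if ace.principal in who:
            (allowed if ace.allow else denied).update(ace.rights)
    return allowed - denied

def effective(nc_perms, acl, mount_identity, groups_of):
    """Nextcloud can only narrow what the connecting account may do, never widen it."""
    on_storage = storage_rights(acl, mount_identity, groups_of.get(mount_identity, ()))
    return set(nc_perms) & on_storage

# Constructed sample data: a share where interns are explicitly denied.
GROUPS = {
    "alice": ["staff"],
    "bob": ["staff", "interns"],
    "svc_nextcloud": ["storage-admins"],   # hypothetical shared mount account
}
FINANCE_ACL = [
    Ace("staff", True, frozenset({"read", "write"})),
    Ace("interns", False, frozenset({"read", "write"})),
    Ace("storage-admins", True, frozenset({"read", "write"})),
]
NC_PERMS = {"read", "write"}               # permissions set on the Nextcloud side

def access_for(user, mode):
    """mode 'global': mount authenticates as the shared account; 'per_user': as the user."""
    identity = "svc_nextcloud" if mode == "global" else user
    return effective(NC_PERMS, FINANCE_ACL, identity, GROUPS)

if __name__ == "__main__":
    for user in ("alice", "bob"):
        for mode in ("global", "per_user"):
            print(user, mode, sorted(access_for(user, mode)))
```

With the shared account, bob's deny entry is never evaluated because the NAS only ever sees `svc_nextcloud`; with per-user credentials the NAS evaluates bob's own ACL and the deny applies.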