Combination Nextcloud - File server rights

Ok so here is my issue:
I have a Synology NAS and a Nextcloud installation.
Both are linked to my AD, and when I add the NAS as external storage it doesn’t read the permissions given by my AD to the folders on the NAS.
Nextcloud just over-rules those rights and allows everything based on permissions given in Nextcloud.

Is there a way I can get this to work?
I basically want the detailed rights that I can give with my NAS to get picked up by Nextcloud and not have them overwritten, if that makes any sense?

To clarify:
I want my AD to dictate the rights on the NAS instead of Nextcloud.
But I do want Nextcloud to fully function when it comes to sharing etc.

The first step is probably for you to define just what the hell an “AD” is.

I don’t think this is possible. Not only as part of your requirement Nextcloud and your storage need to use AD as user back-end (and completely replicate all the users and groups), which may be hard enough, but Windows access rights don’t really fit into Nextcloud’s access rights design (e.g. deny access doesn’t exist in NC).

This is a common abbreviation for “Active Directory”.

Which means WHAT? A common term for something uncommon doesn’t help anything.

Yeah I know the rights don’t fit, I was hoping when I linked it to my Active Directory that Nextcloud would be able to at least read them and know what to do from there. Or at least not completely overrule rights given by the other platform.

An Active Directory isn’t all that uncommon to be fair.
I’d say it’s standard practice for most/all companies to have one :)

Is this what you’re talking about?

If so, it looks like some kind of windoze trash. Good luck integrating that with ANYTHING that makes sense. And at the same time, thanks so much for giving money to an organization known for funding the development of covid-19 in a lab in wuhan.

No… any application accessing your Windows share acts as a user from the share’s point of view. Access rights assigned to NC apply. NC in turn has no knowledge about user rights applied on the storage box (otherwise it would need to have some admin access to the box, read the rights, interpret and adapt to its own rights model). It cannot overrule access rights of the storage, it just acts within its own assigned rights and may further restrict them. But it can’t provide more access than it has on the storage.

If you need rights separation you may choose to connect external storage not on system level but have every user connect using their own credentials - this way every user is subject to their own storage access rights. You need to advise the users how it works, but it is possible. It may still not be the best solution, but if it works for you - why not?

Yeah I have been thinking about this as well, would have preferred to make it all very easy and set up beforehand for my users, but I don’t think there is any other way to get what I want out of both sides.
I’m going to build a test and see what’s what!
Thx for the advice!

“Active Directory”, “AD” ™ is the marketing term for a closed-source, proprietary Microsoft obfuscation (some call it “version”) of an LDAP-infrastructure that can be used exclusively in a heavily license-encumbered way by a limited subset of some of Microsoft’s products. It was pushed on the market around the year 2000.
With a lot of fiddling you can sometimes get some standard-compliant LDAP-products to interact with it.

That’s BS…
Every half-decent Linux-based application designed with collaboration in mind can talk AD.
Nextcloud, ownCloud, privacyIDEA, WordPress, Keycloak, OnlyOffice, etc. to name a few…

You need each user to map the external storage as their own account. Then permissions will be handled on the remote system as normal.

Thx! Trying this as we speak!
Edit: Seems I’m running into a different issue which I also made a post about.

@Syvas - Could you update how this is going? I would love to accomplish the same thing. I have a NAS with existing network shares connected as external storage on Nextcloud. As you noted, everyone gets access to the shares based on the credentials used to connect the external storage instead of their own.

The comment about mapping the external storage as their own is intriguing. If that works the next step would be to script/automate connecting the storage to each user’s account.
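
An added example, not written by any poster in this thread: a small audit that classifies admin-defined external storage mounts by whether Nextcloud reaches the NAS with one stored account (so everyone gets that account's rights) or with each user's own credentials (so the NAS enforces its AD permissions per user). The sample data is constructed, and the JSON field names are assumed to match the output of `occ files_external:list --output=json`.

```python
import json

# Auth backends where Nextcloud connects with one stored account for everybody,
# so the NAS evaluates that account's ACLs, not the individual user's.
SHARED_AUTH = {"password::password", "password::global"}
# Auth backends where each user connects with their own credentials.
PER_USER_AUTH = {"password::sessioncredentials", "password::logincredentials",
                 "password::userprovided"}

# Constructed sample, trimmed to the fields used below. Field names are assumed
# to match `occ files_external:list --output=json`; verify against your output.
SAMPLE_MOUNTS = json.dumps([
    {"mount_point": "/Finance", "authentication_type": "password::password",
     "applicable_users": [], "applicable_groups": ["finance"]},
    {"mount_point": "/Projects", "authentication_type": "password::sessioncredentials",
     "applicable_users": [], "applicable_groups": []},
    {"mount_point": "/Scans", "authentication_type": "password::password",
     "applicable_users": ["alice"], "applicable_groups": []},
    {"mount_point": "/Public", "authentication_type": "password::global",
     "applicable_users": [], "applicable_groups": []},
])


def audit_mounts(raw_json):
    """Return (mount_point, verdict, audience) for every admin-defined mount."""
    findings = []
    for mount in json.loads(raw_json):
        auth = mount.get("authentication_type", "")
        users = mount.get("applicable_users") or []
        groups = mount.get("applicable_groups") or []
        # An empty applicable list means the mount is offered to every user.
        audience = ", ".join(groups + users) or "all users"
        if auth in PER_USER_AUTH:
            verdict = "PER_USER"        # NAS ACLs apply to each user
        elif auth in SHARED_AUTH and not groups and len(users) == 1:
            verdict = "SINGLE_USER"     # stored account serves one person only
        elif auth in SHARED_AUTH:
            verdict = "SHARED"          # audience shares the stored account's rights
        else:
            verdict = "REVIEW"          # unknown backend, inspect by hand
        findings.append((mount["mount_point"], verdict, audience))
    return findings


if __name__ == "__main__":
    for mount_point, verdict, audience in audit_mounts(SAMPLE_MOUNTS):
        print(f"{verdict:<12}{mount_point:<12}{audience}")
```

Mounts reported as `SHARED` are the ones where folder permissions set on the NAS are not applied per Nextcloud user.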