QNAP Systems Ts 253 User Guide
Windows ACL | Samba | 13 (NTFS permissions) | Windows File Explorer
Both | FTP, AFP, File Station, Samba | Please see the application note (https://www.qnap.com/i/en/trade_teach/con_show.php?op=showone&cid=6) for more details. | Windows File Explorer

Advanced Folder Permissions

Use Advanced Folder Permissions to directly configure subfolder permissions on the NAS. There is no depth limitation for subfolder permissions, but it is highly recommended to only change permissions on the first or second subfolder level. When Advanced Folder Permissions is enabled, click Folder Permissions under the Shared Folders tab to configure subfolder permission settings. See "Shared Folders" > "Folder Permission" for more information.

Windows ACL

Use Windows ACL to configure the subfolder and file level permissions from Windows File Explorer. All Windows Permissions are supported. For detailed Windows ACL behavior, please refer to standard NTFS permissions: http://www.ntfs.com/ntfs-permissions.htm

To assign subfolder and file permissions to a user or a user group, full control share-level permissions must be granted to the user or user group.

When Windows ACL is enabled and Advanced Folder Permissions is disabled, subfolder and file permissions will only take effect when accessing the NAS from Windows File Explorer. Users connecting to the NAS via FTP, AFP, or File Station will only have share-level permissions.

When Windows ACL and Advanced Folder Permissions are both enabled, users cannot configure Advanced Folder Permissions from the NAS. Permissions (Read only, Read/Write, and Deny) of Advanced Folder Permissions for AFP, File Station, and FTP will automatically follow the Windows ACL configuration.

Note: Only the List Folders / Read Data and Create Files / Write Data permissions will be available when you use other file protocols (such as AFP, NFS, FTP, WebDAV, etc.).
Quota

To efficiently allocate storage space, you can specify a quota value (in megabytes or gigabytes) that applies to all users and disk volumes. QTS prevents users from uploading data to the NAS when the feature is enabled and the quota is reached.

After the quota is specified and applied, the screen displays a list of all local and domain users and the corresponding storage details (quota size, used space, and available space).

You can perform the following actions:
o Modify quota settings: Click “Edit” and then specify a new quota value or select “No limit”.
o Export quota settings to a CSV file: Click “Generate”.
o Download generated CSV files: Click “Download” and then save the file to a preferred location.
Domain Security

The NAS supports user authentication by local access right management, Microsoft Active Directory (Windows Server 2008/2012), and Lightweight Directory Access Protocol (LDAP) directory. By joining the NAS to an Active Directory or an LDAP directory, the AD or LDAP users can access the NAS using their own accounts without extra user account setup on the NAS.

No domain security: Only the local users can access the NAS.

Active Directory authentication (domain members): Join the NAS to an Active Directory. The domain users can be authenticated by the NAS. After joining the NAS to an AD domain, both the local NAS users and AD users can access the NAS via the following protocols/services:
  o Samba (Microsoft Networking)
  o AFP
  o FTP
  o File Station

LDAP authentication: Connect the NAS to an LDAP directory. The LDAP users can be authenticated by the NAS. After connecting the NAS to an LDAP directory, either the local NAS users or the LDAP users can be authenticated to access the NAS via Samba (Microsoft Networking). Both the local NAS users and LDAP users can access the NAS via the following protocols/services:
  o AFP
  o FTP
  o File Station
Joining NAS to Active Directory (Windows Server 2003/2008/2012)

Active Directory is a directory used in Windows environments to centrally store, share, and manage a network's information and resources. It is a hierarchical data center which centrally holds information for users, user groups, and the computers for secure access management. The NAS supports Active Directory (AD). By joining the NAS to the Active Directory, all the user accounts of the AD server will be automatically imported to the NAS. AD users can use their same login details to access the NAS.

If you are using Active Directory with Windows Server 2008 R2, you must update the NAS firmware to at least 3.2.0 to join the NAS to the AD.

Joining the NAS to Active Directory (AD) by Quick Configuration Wizard (Recommended)

To join the NAS to an AD domain by the Quick Configuration Wizard, follow these steps:
1. Log in to the NAS as an administrator. Go to Privilege Settings > Domain Security. Select Active Directory authentication (domain member) and click Quick Configuration Wizard.
2. Read the wizard introduction. Click Next.
3. Enter the full domain name of the AD domain (DNS). The NetBIOS name will be automatically generated from the domain name but can be changed manually if the name is different from the generated one. Specify the DNS server IP for domain resolution. The IP must be the same as the DNS server of your Active Directory. Click Next.
4. Select the domain controller from the multiple selection window. For domain controller redundancy, select multiple domain controllers and set the order of priority for the controllers. The domain controller is responsible for time synchronization between the NAS and the domain server and user authentication. Enter the domain administrator name and password. Click Join.
5. Upon successful login to the domain server, the NAS has joined the domain. Click Finish to exit the wizard.
6. Go to Privilege Settings > Users or User Groups to load the domain users or user groups to the NAS.

Joining the NAS to Active Directory (AD) by Quick Configuration Manually

Follow the steps below to join the QNAP NAS to the Windows Active Directory.
1. Log in to the NAS as an administrator. Go to “Control Panel” > “System” > “General Settings” > “Time”. Set the date and time of the NAS to synchronize with your domain controller time as it must be consistent with the time of the AD server. The maximum time disparity tolerated is 5 minutes.
2. Go to “Control Panel” > “Network & File Services”. Click “Network & Virtual Switch” and go to “Interfaces”. Click “DNS Server” and set the IP of the primary DNS server as the IP of the Active Directory server that contains the DNS service. The primary DNS server field must be the IP of the DNS server that is used for your Active Directory. If you use an external DNS server, you will not be able to join the domain.
3. Go to “Control Panel” > “Privilege” > “Domain Security”. Select “Active Directory authentication (domain member)” and click “Manual Configuration”.
4. Enter the AD domain information and click “Join”.

Note:
o Enter a fully qualified AD domain name, for example, qnap-test.com
o The AD user entered here must have administrator access rights to the AD domain.
o WINS Support: If you are using a WINS server on the network and the workstation is configured to use that WINS server for name resolution, you must set up the WINS server IP on the NAS (use the specified WINS server).

Windows Server 2008

Check the AD server name and domain name in Control Panel > System in Windows. In the system dialog window, the AD server name will appear as the computer name and the domain name can be found in the domain field.

Note:
o After joining the NAS to the Active Directory, the local NAS users who have access rights to the AD server should use NASname\username to log in. AD users should use their own usernames to log in to the AD server.
o For TS-x09 series NAS, if the AD domain is based on Windows 2008 Server, the NAS firmware must be at least version 2.1.2.

Windows 7

If you are using a Windows 7 PC that is not a member of an Active Directory, while your NAS is an AD domain member and its firmware version is earlier than v3.2.0, change your PC settings as shown below to allow your PC to connect to the NAS:
1. Go to Control Panel > Administrative Tools.
2. Click Local Security Policy.
3. Go to Local Policies > Security Options. Select Network security: LAN Manager authentication level.
4. In Local Security Setting select Send LM & NTLMv2 – use NTLMv2 session security if negotiated from the list. Then click OK.

Verifying the settings

To verify that the NAS has successfully joined the Active Directory, go to Privilege Settings > Users and User Groups. A list of users and user groups will be shown on the Domain Users and Domain Groups lists respectively. If you have created new users or user groups in the domain, you can click the Refresh button to add users and user group lists from the Active Directory to the NAS. The user permission settings will be synchronized in real time with the domain controller.
Connecting NAS to an LDAP Directory

LDAP (Lightweight Directory Access Protocol) is a directory that can store the information of every user and group in a centralized server. Administrators can use LDAP to manage users in the LDAP directory and allow them to connect to multiple NAS with the same login details. This feature is intended for use by administrators and users who have knowledge of Linux servers, LDAP servers, and Samba. A running LDAP server is required when using this feature.

Requirements

Required information/settings:
o The LDAP server connection and authentication information
o The LDAP structure, where the users and groups are stored
o The LDAP server security settings

Connecting QNAP Turbo NAS to LDAP Directory

Follow the steps below to connect the QNAP NAS to an LDAP directory:
1. Log in to the NAS as an administrator.
2. Go to Privilege Settings > Domain Security. By default, No domain security is enabled. This means only local NAS users can connect to the NAS.
3. Select LDAP authentication and complete the settings.
  o LDAP Server Host: The host name or IP address of the LDAP server.
  o LDAP Security: Specify how the NAS will communicate with the LDAP server:
      ldap:// = Use a standard LDAP connection (default port: 389).
      ldap:// (ldap + SSL) = Use an encrypted connection with SSL (default port: 686). This is normally used by older versions of LDAP servers.
      ldap:// (ldap + TLS) = Use an encrypted connection with TLS (default port: 389). This is normally used by newer versions of LDAP servers.
  o BASE DN: The LDAP domain. For example: dc=mydomain,dc=local
  o Root DN: The LDAP root user. For example: cn=admin,dc=mydomain,dc=local
  o Password: The root user password.
  o Users Base DN: The organization unit (OU) where users are stored. For example: ou=people,dc=mydomain,dc=local
  o Groups Base DN: The organization unit (OU) where groups are stored. For example: ou=group,dc=mydomain,dc=local
4. Click Apply to save the settings. Upon successful configuration, the NAS will be able to connect to the LDAP server.
5. Configure LDAP authentication options.
  o If Microsoft Networking has been enabled (Network Services > Win/Mac/NFS > Microsoft Networking) when applying the LDAP settings, specify the users who can access the NAS via Microsoft Networking (Samba).
      Local users only: Only local NAS users can access the NAS via Microsoft Networking.
      LDAP users only: Only LDAP users can access the NAS via Microsoft Networking.
  o If Microsoft Networking is enabled after the NAS has already been connected to the LDAP server, select the authentication type for Microsoft Networking.
      Standalone Server: Only local NAS users can access the NAS via Microsoft Networking.
      LDAP Domain Authentication: Only LDAP users can access the NAS via Microsoft Networking.
6. When the NAS is connected to an LDAP server, the administrator can:
  o Go to Privilege Settings > Users and select Domain Users from the drop-down menu. The LDAP users list will be shown.
  o Go to Privilege Settings > User Groups and select Domain Groups from the drop-down menu. The LDAP groups will be shown.
  o Specify the folder permissions of LDAP domain users or groups in Privilege Settings > Shared Folders > click the Access Permissions button next to the folder to be configured.

Note: Both LDAP users and local NAS users can access the NAS via File Station, FTP, and AFP.

LDAP Authentication Technical Requirements with Microsoft Networking

Required items to authenticate the LDAP users on Microsoft Networking (Samba):
1. Third-party software to synchronize the password between LDAP and Samba in the LDAP server.
2. Importing the Samba schema to the LDAP directory.

A. Third-party software

Some software applications are available and allow management of LDAP users, including the Samba password. For example:
o LDAP Account Manager (LAM), with a web-based interface, available from: http://www.ldap-account-manager.org/
o smbldap-tools (command line tool)
o webmin-ldap-useradmin - LDAP user administration module for Webmin.

B. Samba schema

To import a Samba schema to the LDAP server, please refer to the documentation or FAQ of the LDAP server. A samba.schema file is required and can be found in the directory examples/LDAP in the Samba source distribution.

Example for open-ldap in the Linux server where the LDAP server is running (it can be different depending on the Linux distribution):

Copy the samba schema:

    zcat /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz > /etc/ldap/schema/samba.schema

Edit /etc/ldap/slapd.conf (openldap server configuration file) and make sure the following lines are present in the file:

    include /etc/ldap/schema/samba.schema
    include /etc/ldap/schema/cosine.schema
    include /etc/ldap/schema/inetorgperson.schema
    include /etc/ldap/schema/nis.schema

Configuration examples

The following are some configuration examples. They are not mandatory and need to be adapted to match the LDAP server configuration:
1. Linux OpenLDAP Server
  o Base DN: dc=qnap,dc=com
  o Root DN: cn=admin,dc=qnap,dc=com
  o Users Base DN: ou=people,dc=qnap,dc=com
  o Groups Base DN: ou=group,dc=qnap,dc=com
2. Mac Open Directory Server
  o Base DN: dc=macserver,dc=qnap,dc=com
  o Root DN: uid=root,cn=users,dc=macserver,dc=qnap,dc=com
  o Users Base DN: cn=users,dc=macserver,dc=qnap,dc=com
  o Groups Base DN: cn=groups,dc=macserver,dc=qnap,dc=com
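
The slapd.conf requirement from section B above, as an added check that is not part of the QNAP guide: it reports which of the four listed schema includes are missing, and whether samba.schema is included before the cosine, inetorgperson and nis schemas that its own file header names as prerequisites (slapd processes include lines in order). The function names and the sample file are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the QNAP guide): audit slapd.conf schema includes.
REQUIRED="cosine.schema inetorgperson.schema nis.schema samba.schema"

# Print the file name of every active include line, in file order.
# Commented-out lines are skipped because their first field is not "include".
list_includes() {
    awk '$1 == "include" && NF >= 2 { n = split($2, p, "/"); print p[n] }' "$1"
}

# Print each schema the guide lists that has no active include line.
missing_schemas() {
    incs=$(list_includes "$1")
    for s in $REQUIRED; do
        printf '%s\n' "$incs" | grep -qxF "$s" || printf '%s\n' "$s"
    done
}

# Print prerequisites that appear after samba.schema. slapd reads includes in
# order, and samba.schema uses attributes defined in these three files.
misordered_prereqs() {
    list_includes "$1" | awk '
        $0 == "samba.schema" { seen = 1; next }
        seen && /^(cosine|inetorgperson|nis)\.schema$/ { print }'
}

# Report both findings; exit status 0 only when the file passes both checks.
audit_slapd_conf() {
    miss=$(missing_schemas "$1"); late=$(misordered_prereqs "$1")
    [ -z "$miss" ] || echo "missing include:" $miss
    [ -z "$late" ] || echo "included after samba.schema:" $late
    [ -z "$miss$late" ]
}

# Constructed sample: the guide's lines in printed order, nis.schema disabled.
write_sample() {
    cat > "$1" <<'EOF'
include /etc/ldap/schema/samba.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/inetorgperson.schema
# include /etc/ldap/schema/nis.schema
EOF
}

# Audit the file given as $1, or the constructed sample when run without one.
conf=${1:-}
if [ -z "$conf" ]; then conf=$(mktemp); write_sample "$conf"; fi
audit_slapd_conf "$conf" || echo "result: slapd.conf needs fixing"
```

Run it on the LDAP server with the path to slapd.conf as the only argument; a file that passes prints nothing and exits 0.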
Domain Controller

The Turbo NAS can now act as a domain controller for Windows. IT administrators can easily configure the Turbo NAS as the centerpiece of domain directory services for their organization to store user account information, manage user authentication and enforce security for a Windows domain.

Note: This function is only applicable to some models.

Domain Controller

Three domain controller modes are available for the Turbo NAS:

Domain Controller: Only a domain controller can create a domain and the first NAS that creates the domain must be a domain controller. In this mode, the NAS can create and authenticate users.

Additional Domain Controller: In case more than one domain controller is needed, you can choose this mode to add additional domain controllers. The NAS set as an additional domain controller will then act as a domain controller and can create and authenticate users.

Read-Only Domain Controller: To accelerate the user authentication process on specific sites, it is possible to enable a Read-Only domain controller. Users can be authenticated by this NAS, but it will not be able to create a domain user.