Sharing drives does not work for Azure AD user accounts #132

Closed
jayfresh opened this Issue Oct 6, 2016 · 27 comments

jayfresh commented Oct 6, 2016

Hi,

I'm attempting to share my C: drive as per the instructions here - https://docs.docker.com/docker-for-windows/#/shared-drives.

However, it doesn't seem possible to use my login details in the Shared Drives username/password dialog - none of the usernames of the form AzureAD\username, or email@domain or AzureAD\email@domain get through the login.

I've tried setting up a local admin user, "admin", and I can successfully share the drive using that account, but according to the troubleshooting, https://docs.docker.com/docker-for-windows/troubleshoot/#verify-domain-user-has-permissions-for-shared-drives-volumes, you have to run the docker commands using the same user as you have used to share the drive.

The same troubleshooting mentions that the solution is to login with a domain user, which in my case I assume is the AzureAD user, but as I mentioned, Docker is not accepting the credentials.

Information

Diagnostic ID: B84C9FF9-58D6-4C1D-8BBA-D94E145DE072/2016-10-06_10-14-53

This is on Windows 10, version 1607, OS Build 14393.222.

Steps to reproduce the behavior

  1. Login using Azure AD user account
  2. Install Docker as normal
  3. Try to share a drive using the Azure AD user account
  4. Credentials popup reappears, not accepting credentials

simonferquel Oct 6, 2016

When the popup appears, what is the value prefilled for user name?
Can you try not to change it and give your Azure AD password?

jayfresh Oct 6, 2016

Hi Simon, there isn't any value prefilled for user name. And if I fill in a user name and password, the popup reappears without any value prefilled - see screenshot.

I'm using the latest stable build, v1.12.1 I think (from docker --version)

jayfresh Oct 6, 2016

I've downloaded the beta version and it's a bit different - there is a prefilled user name, but when I put my password in, the popup disappears and the C drive checkbox goes back to being unchecked. I'm just checking the log...

simonferquel Oct 6, 2016

Ok, we might have to set up a lab to further test AzureAD related scenarios.
I'll track the issue in our internal repo; in the meantime, having a local account with correct NTFS rights is a perfectly suitable workaround.

jayfresh Oct 6, 2016

The problem with using a local account to share the drive is that you hit the problem mentioned in the troubleshooting - you can't be logged in as your AzureAD account and run docker commands, as that's not the same user account as you used to share the C drive...

jayfresh Oct 6, 2016

Here's the diagnostic ID running this on the beta version: B84C9FF9-58D6-4C1D-8BBA-D94E145DE072/2016-10-06_12-23-37

jayfresh Oct 6, 2016

In the log, got the error System error 1332 has occurred. No mapping between account names and security IDs was done.

simonferquel Oct 6, 2016

With the beta you should be able to:

  • Log on with the AzureAD account
  • Create a local account (without logging in)
  • Put correct NTFS rights for the local account
  • Launch Docker For Windows from the Azure AD account session, and when sharing the drive, specify the local account and password

What you can't do is switch from different user account sessions and run docker commands (all docker commands must be done from the same session, but the account used for drive sharing can be different).

jayfresh Oct 6, 2016

Thanks! Two queries though - the popup credentials won't let me change the username to use the local admin account, it just says it's an invalid login/password when I submit it. Secondly, I don't know what you mean about the correct ntfs rights for the local account, could you explain? Thanks again.

simonferquel Oct 6, 2016

As a username, just put your username without the AzureAD prefix (and make sure the account password is not expired).

The thing about NTFS rights is that you have to make sure the local user has the rights to read and/or write in the folder you want to mount as a volume in a container

jayfresh Oct 11, 2016

OK, that works! Great, thanks for the support. I'll look out for updates where it stops being necessary to use a local admin account

jayfresh Oct 11, 2016

Sadly, I spoke too soon. Whilst I can run a command like docker run --rm -v c:/Users:/data <image> ls /data, I can't run a command like docker run --rm -v c:/Users/<Azure account>:/data <image> ls /data - I get a Permission denied error. However, I can run docker run --rm -v c:/Users/<admin account>:/data <image> ls /data.

I verified I can't access other account folders in c:/Users. I've checked the folder permissions for the Azure account folder and it says that the Administrators group has full control, so I don't understand why docker can't access the folder.

simonferquel Oct 17, 2016

Try to add read access directly to your local user on the folder you want to mount. I think that for security reasons, rights on the administrators group are ignored if you are not in an elevated context (which is not possible remotely)

rn Oct 30, 2016

Contributor

Closing this issue due to inactivity. Please re-open if the suggested solution does not work or if there is another update.

@rn rn closed this Oct 30, 2016

jayfresh Oct 31, 2016

Sorry, yes I can confirm adding admin rights to the folder you want to mount, and authenticating as the admin user account in Docker works. Thanks!

uday31in Jul 5, 2017

This issue is back again - docker for windows version up to date.

Diagnostic ID: 06C36E21-8FEF-43AA-86E2-79C81B2558BE/2017-07-05_14-42-09

After clicking on C drive it asks for credential but nothing happens. Check box gets unchecked automatically.

dsschnau Jul 24, 2017

I'm experiencing the same issue as @uday31in . My log id is E87073EA-E0FA-422F-8846-291E2006D435/2017-07-24_15-59-00

I can share the drive with a non-AzureAD admin account on my pc, but then I am unable to do work with Docker running as my AzureAD account.

dopry Aug 3, 2017

I can confirm I am seeing the same behavior with my AzureAD account.
When I share a drive I provide my credentials, but the box goes back to being unchecked after providing correct credentials.

murdockcrc Oct 22, 2017

I can confirm the issue on Docker for Windows 17.09.0-ce, build afdb6d4

michaelsrichter Nov 10, 2017

any update on this?

techbunny Nov 28, 2017

I had a similar experience with Docker for Windows 17.09.0-ce-win33 (13620) Stable - 8c56a3b. My local admin account is using the format of DOMAIN\username, but the machine is not traditionally domain joined, that account is reflected in Azure AD. The Shared Drive checkbox just clears after entering the credentials. I switched to using a non-admin account that is also on my computer, which happens to be a MSA account (in email format) and that worked fine.

Franklin89 Dec 6, 2017

Have the same issue. Using a company laptop that is being authenticated by AzureAD.
What is the best solution to get Docker up and running shared folders?

youfoundkris Dec 14, 2017

17.09.1-ce-win42 (14687) same issue

xeranic Dec 20, 2017

The problem still exists in Version 17.12.0-ce-rc3-win43 (14802).

However, the following is how to work around it (maybe it's not a workaround but a solution):

  1. Create a new Local User. It's a little bit tricky to do this in Windows 10, basically: Tap "Add someone else to this PC." Select "I don't have this person's sign-in information." Select "Add a user without a Microsoft account."
  2. Change the User Account Type to Administrator
  3. In Docker Settings, Select the Share Drive, Check the box, Click Apply.
  4. Input your Local User's Username (without "AzureAD/" prefix) and Password.
  5. When you build / run a docker container you may have a permission issue; if that happens, just grant the permission of the folder for the Local User.

This works for me.

Sumanta1985 Dec 21, 2017

Thank you xeranic. It worked.

guitarrapc Dec 26, 2017

Thank you xeranic. It worked. This solution makes sense when you find the "no mapping between security id" message in the docker log. Creating the same user without the AzureAD\ prefix will map the Security Id for the net share and the user name for AzureAD. I hope Microsoft is checking this thread and will fix Windows 10 x AzureAD security id issues.

zheming1026 Jan 11, 2018

Actually, creating a new local account without admin access works for me as well. You just need to grant permission on your workspace to your local account.
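
The workaround this thread converges on (a local account used only for drive sharing, with its own NTFS rights on the mounted folder), as an added PowerShell example that is not part of the original thread or of Docker's tooling. The account name dockershare and the workspace path are assumptions; the script creates a standard user rather than an administrator, as in the last comment, and checks the name-to-SID mapping that system error 1332 reports as missing.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread. $AccountName and $Workspace are assumed values.
param(
    [string]$AccountName = 'dockershare',        # hypothetical local account name
    [string]$Workspace   = 'C:\work\myproject',  # hypothetical folder to mount
    [ValidateSet('ReadAndExecute', 'Modify')]
    [string]$Rights      = 'ReadAndExecute'      # use Modify if containers must write
)
$ErrorActionPreference = 'Stop'

# Returns the SID string for an account name, or $null when Windows cannot map
# the name to a SID (the condition the thread reports as system error 1332).
function Resolve-AccountSid {
    param([string]$Name)
    try {
        $account = [System.Security.Principal.NTAccount]::new($Name)
        $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch [System.Security.Principal.IdentityNotMappedException] {
        $null
    }
}

$qualified = "$env:COMPUTERNAME\$AccountName"

# Create a standard (non-administrator) local user if it does not exist yet.
if (-not (Get-LocalUser -Name $AccountName -ErrorAction SilentlyContinue)) {
    $password = Read-Host -AsSecureString "Password for $qualified"
    New-LocalUser -Name $AccountName -Password $password `
        -Description 'Docker shared-drive account' | Out-Null
    # S-1-5-32-545 is the built-in Users group; the SID avoids localized names.
    Add-LocalGroupMember -SID 'S-1-5-32-545' -Member $AccountName
}

# Stop early if the name still does not resolve; sharing would fail the same way.
$sid = Resolve-AccountSid -Name $qualified
if (-not $sid) { throw "No SID mapping found for $qualified." }

# Grant the account its own inheritable entry on the workspace only. The thread
# notes that rights held through the Administrators group are not honoured for
# the non-elevated remote access used by the share, so the entry names the user.
$acl  = Get-Acl -Path $Workspace
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $qualified, $Rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $Workspace -AclObject $acl

# Show the resulting entries for review.
(Get-Acl -Path $Workspace).Access |
    Where-Object { $_.IdentityReference.Value -eq $qualified } |
    Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
```

In the Shared Drives credentials dialog, enter the account name without any prefix, as described in the thread.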
