FreeNAS® supports users, groups, and permissions, allowing great flexibility in configuring which users have access to the data stored on FreeNAS®. In order to assign permissions which will be used by shares, you will need to do one of the following:
1. Create a guest account that all users will use.
2. Create a user account for every user in the network where the name of each account is the same as a logon name used on a computer. For example, if a Windows system has a login name of bobsmith, you should create a user account with the name bobsmith on FreeNAS®. If your intent is to assign groups of users different permissions to shares, you will need to also create groups and assign users to the groups.
3. If your network uses Active Directory to manage user accounts and permissions, enable the Active Directory service.
4. If your network uses an OpenLDAP server to manage user accounts and permissions, enable the LDAP service.
User accounts can be given permissions to volumes or datasets. If you wish to use groups to manage permissions, you should create the user accounts first, then assign the accounts as members of the groups. This section demonstrates how to create a user account.
NOTE: if Active Directory or OpenLDAP is running on your network, you do not need to recreate the network's users or groups. Instead, import the existing account information into FreeNAS® using Services → Active Directory or Services → LDAP.
Account → Users → View Users provides a listing of all of the system accounts that were installed with the FreeNAS® operating system, as shown in Figure 3.2d.
Figure 3.2d: Managing User Accounts
Each account entry indicates the user ID, username, primary group ID, home directory, default shell, full name, whether or not it is a built-in user that came with the FreeNAS® installation, the email address, whether or not logins are disabled, whether or not the user account is locked, and whether or not the user is allowed to use sudo. To reorder the list, click the desired column.
If you click a user account, the following buttons will appear for that account:
- Change Password: provides fields to enter and confirm the new password.
- Modify User: used to modify the account's settings, as listed in Table 3.2b.
- Auxiliary Groups: used to add the account as a member of additional groups.
- Change E-mail: used to change the email address associated with the account.
NOTE: set the email address for the built-in root user account, as important system messages are sent to the root user. For security reasons, password logins are disabled for the root account and changing this setting is highly discouraged.
Every account that came with the FreeNAS® operating system, except for the root user, is a system account. Each system account is used by a service and should not be available for use as a login account. For this reason, the default shell is nologin(8). For security reasons, and to prevent breakage of system services, you should not modify the system accounts.
To create a user account, click the Add New User button to open the screen shown in Figure 3.2e. Some settings are only available in Advanced Mode. To see these settings, either click the Advanced Mode button or configure the system to always display these settings by checking the box “Show advanced fields by default” in System → Settings → Advanced. Table 3.2b summarizes the options which are available when you create or modify a user account.
Figure 3.2e: Adding or Editing a User Account
Table 3.2b: User Account Configuration
| Setting | Value | Description |
|---|---|---|
| User ID | integer | greyed out if user already created; when creating an account, the next numeric ID will be suggested; by convention, user accounts have an ID greater than 1000 and system accounts have an ID equal to the default port number used by the service |
| Username | string | greyed out if user already created; maximum 32 characters to allow for longer AD names, though a maximum of 8 is recommended for interoperability; can include numerals but cannot include a space |
| Create a new primary group | checkbox | by default, a primary group with the same name as the user will be created; uncheck this box to select a different primary group name (NOTE: in Unix, a primary group is not the same as a secondary/auxiliary group) |
| Primary Group | drop-down menu | must uncheck "Create a new primary group" in order to access this menu; for security reasons, FreeBSD will not give a user su permissions if wheel is their primary group; if your intent is to give a user su access, add them to the wheel group in the Auxiliary groups section instead |
| Home Directory | browse button | leave as /nonexistent for system accounts; otherwise browse to the name of an existing volume or dataset that the user will be assigned permission to access |
| Home Directory Mode | checkboxes | only available in Advanced Mode and read-only for built-in users; sets the default permissions of the user's home directory |
| Shell | drop-down menu | if creating a system account, choose nologin; if creating a user account, select the shell of choice |
| Full Name | string | mandatory, may contain spaces |
| E-mail | string | email address associated with the account |
| Password | string | mandatory, unless the "Disable password login" box is checked |
| Password confirmation | string | must match Password |
| Disable password login | checkbox | when checked, the user cannot log into the FreeNAS® system or authenticate to a CIFS share; to undo this setting, set a password for the user using the "Change Password" button for the user in "View Users"; checking this box greys out Lock user, as the two settings are mutually exclusive |
| Lock user | checkbox | a checked box prevents the user from logging in until the account is unlocked (box is unchecked); checking this box greys out Disable password login, as the two settings are mutually exclusive |
| SSH Public Key | string | paste the user's public key to be used for SSH key authentication (do not paste the private key!) |
| Permit Sudo | checkbox | if checked, the user is permitted to use sudo |
| Auxiliary groups | mouse selection | highlight the group(s) you wish to add the user to and use the >> button to add the user to the highlighted groups |
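As an added example (not part of the FreeNAS® documentation or code), the script below parses constructed passwd(5)- and group(5)-style lines and reports the account states Table 3.2b describes: system accounts that lack a nologin shell, locked versus password-disabled users, and users whose only wheel membership is their primary group, which FreeBSD su does not honour. The mapping of "*" and "*LOCKED*" password fields to the two checkboxes is an assumption stated in the comments.

```python
# Added audit example, not FreeNAS code: parse passwd(5)/group(5)-style lines and
# flag the account states Table 3.2b describes. All sample lines are constructed.
# Assumption: password field "*" means "Disable password login"; a hash prefixed
# "*LOCKED*" (what pw(8) lock writes on FreeBSD) means "Lock user".
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin"}
SAMPLE_PASSWD = """\
root:*:0:0:Charlie Root:/root:/bin/csh
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
ftp:*:21:21:FTP daemon:/nonexistent:/bin/sh
bobsmith:$6$constructed$hash1:1001:1001:Bob Smith:/mnt/tank/home/bobsmith:/bin/sh
alice:*LOCKED*$6$constructed$hash2:1002:1002:Alice:/mnt/tank/home/alice:/bin/sh
carol:*:1003:1003:Carol:/mnt/tank/home/carol:/bin/sh
dave:$6$constructed$hash3:1004:0:Dave:/mnt/tank/home/dave:/bin/sh
"""
SAMPLE_GROUP = """\
wheel:*:0:root,bobsmith
www:*:80:
"""

def parse_passwd(text):
    # name:hash:uid:gid:gecos:home:shell
    users = {}
    for line in text.splitlines():
        name, pw, uid, gid, _gecos, _home, shell = line.split(":")
        users[name] = {"password": pw, "uid": int(uid), "gid": int(gid), "shell": shell}
    return users

def parse_group(text):
    # name:hash:gid:member,member,...
    groups = {}
    for line in text.splitlines():
        name, _pw, gid, members = line.split(":")
        groups[name] = {"gid": int(gid), "members": set(filter(None, members.split(",")))}
    return groups

def audit(passwd_text, group_text):
    """Return {username: [findings]}; accounts with nothing to report are omitted."""
    users, groups = parse_passwd(passwd_text), parse_group(group_text)
    wheel, findings = groups["wheel"], {}
    for name, u in users.items():
        notes = []
        if u["uid"] < 1000 and name != "root":  # system account (see User ID row)
            if u["shell"] not in NOLOGIN_SHELLS:
                notes.append("system account without nologin shell")
        else:
            if u["password"].startswith("*LOCKED*"):
                notes.append("locked")
            elif u["password"] == "*":
                notes.append("password login disabled")
            # su only honours wheel as an auxiliary group, never as the primary group
            if u["gid"] == wheel["gid"] and name not in wheel["members"]:
                notes.append("wheel is primary group only; su will be refused")
        if notes:
            findings[name] = notes
    return findings
```

Run `audit` against the real files exported from a FreeNAS® host to confirm the GUI settings landed as intended; the per-user notes map directly onto the Shell, Lock user, Disable password login and Primary Group rows above.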