Create additional Admin users? Password Reset option?

Status
Not open for further replies.

zstar69

Dabbler
Joined
Aug 20, 2014
Messages
15
Hi, I have two questions.

Is there any way to give other users access to the admin console besides for the root user?

2nd question: Since we cannot use LDAP (since it requires samba schemas which we do not want to install) we have to make a slew of local users.

How would they reset their password? I am sure there has gotta be a better way than logging into the web console as root and telling people to walk over to my computer desk and punch in their password while I look in the other direction. Is there a way for these regular users to login and have basic account privileges?

Thanks a lot.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
> Hi, I have two questions.
>
> Is there any way to give other users access to the admin console besides for the root user?

No.

> 2nd question: Since we cannot use LDAP (since it requires samba schemas which we do not want to install) we have to make a slew of local users.
>
> How would they reset their password? I am sure there has gotta be a better way than logging into the web console as root and telling people to walk over to my computer desk and punch in their password while I look in the other direction. Is there a way for these regular users to login and have basic account privileges?

As far as I know changing a samba password requires root privileges. How many users do you have? It sounds like you want an AD domain. You can do this through Samba4. See here: http://doc.freenas.org/index.php/Directory_Services#Domain_Controller

Note that this is complicated. You should probably figure it out in a test environment before rolling it out in production.
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
I don't see an easy way around your problem. Unfortunately the answer to these questions is to use some kind of directory service, but you've excluded it, so I don't know what else to say. Literally, the answer if someone asked how to handle this would be to use a directory service of some kind. That's what it's designed for.
 

zstar69

Dabbler
Joined
Aug 20, 2014
Messages
15
It's just unfortunate that you have bundled Samba and LDAP together. In order to use LDAP, I need to put those Samba schemas. When you restart the Directory Service it also restarts the Samba service and without those schemas, it crashes. Samba and LDAP fail to start.

We don't like to install things we don't necessarily need. We like to keep things as minimal as possible.

If you had the option for local samba users with LDAP authentication (Like QNAP does), then I could get by without having to install these schemas. LDAP would start fine, and Samba would start fine too. It's just that with FreeNAS, you absolutely need to install those Samba schemas for LDAP to work. Even if you don't want the Samba service at all.

Anyway thanks for the info..
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
> It's just unfortunate that you have bundled Samba and LDAP together. In order to use LDAP, I need to put those Samba schemas. When you restart the Directory Service it also restarts the Samba service and without those schemas, it crashes. Samba and LDAP fail to start.
>
> We don't like to install things we don't necessarily need. We like to keep things as minimal as possible.

From my "outsiders" point of view it sounds like you "need" it... am I wrong? I can understand and appreciate the minimalist viewpoint (I agree with it), but as soon as you start arguing against stuff that's affecting getting work done then it's more than just a philosophy. And that.. is bad for business. ;)
 

zstar69

Dabbler
Joined
Aug 20, 2014
Messages
15
The only reason we "need" it is because of the way FreeNAS is written.

I'm not arguing anything but I feel like there is an issue here and I am pointing out a problem.

Anyway thanks for the replies.
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
I'm not sure why the setup is how it is. If there is a way to do what you are wanting without LDAP requiring samba schemas you can put in a feature request at bugs.freenas.org and if you explain how to accomplish it a developer will probably make it happen.
 

JR Gonzalez

Explorer
Joined
Aug 29, 2014
Messages
64
Not really sure because I have never done it but couldn't what you're asking for be accomplished with NIS? The local users are just *nix users aren't they? I know FreeNAS allows configuring NIS. You would think this would work remotely with passwd as well. I'd think the bigger problem would be talking to samba about passwd changes because I'm not really sure how well FreeNAS would do it since you have to maintain the smb passwords too. Maybe you can set up a script or something to change them?
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
The users are just unix users. But the problem is that any password change *must* be done from either the WebGUI, the API (if it supports this) or through a directory service. Notice that I didn't mention CLI. The reason is that the user passwords are stored in the FreeNAS config file so you could do passwd all day long and everything would be great. Then on next reboot all the passwords would revert.

So the problem the OP has starts with the question "what is going to manage the user accounts and passwords?" and it sounds like the OP is not wanting to do the WebGUI, the API or a directory service. Well, unfortunately the options available are the options excluded.... so you have no options. ;)
 

JR Gonzalez

Explorer
Joined
Aug 29, 2014
Messages
64
Well, if it is just for CIFS support there is always the option of mounting the dirs he wishes to share into a jail and making a secondary CIFS server. He is correct though. It is a bit unfortunate there is no simple way of changing user passwords, as it seems a bit difficult to configure samba in a manner that you can use it manually.

I would probably use a jail, turn off CIFS, and use the jail as a CIFS server after mounting the directories I needed. Maybe even use NIS on both sides to keep id/gid consistent. Samba itself has a few different ways for updating passwords but the user database method FreeNAS uses seems a bit inflexible.
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
It is a bit inflexible, but the number of people that want what you are asking is in the significant minority. For the vast number of users they *want* a directory service to handle the problems. And *poof*, this whole problem instantly goes away.

It's really about applying the right tech for the job. If you happen to have some configuration that is far outside the realm of what would generally be considered "good practices" for the situation then you'll often find FreeNAS isn't all you want it to be. FreeNAS is designed to work around the typical scenario that people will want to use it for, ranging from small home and small office scaled up to enterprise-size. It's not for everyone and because there are so many ways to "skin the cat" it's easy to skin it in a way that wasn't efficient (or maybe doesn't really make sense) and then you are left in the cold.

Quite a few times I've seen people have discussions that are somewhat around this topic and the reality is that they've actually made serious errors on their part and opened themselves up to major security risks before even trying to use FreeNAS just because of their unique setup. So you'll often find me not even responding to posts in threads where people start doing very bizarre things because I often get a hunch that they don't even know what they are doing. Quite often later the truth does come out and they didn't know what they were doing. ;)
 