FreeNAS 8.2 Permissions Set-Up Example for Dummies

Status
Not open for further replies.

riporto

Dabbler
Joined
Mar 7, 2013
Messages
14
Hi NASA and thanks for your very useful guide.
I'm a newbie with FreeNAS and got it almost to work thanks to your guide!
Only one little strangeness occurs:
In the "storage" and "accounts" tabs, I set the permissions like you explain, click the "change" button, do all the rest, but when I go back to "storage" or "account" for a check, the permission boxes are no longer as I've set them! Maybe I've checked, like you say, the boxes "read, write, and execute" for "user" and "group" and not the boxes for "other", as soon as I go back I find it checked in another way, usually the "other" boxes for "read" and "execute" are checked and NOT the one for "group" "write".
What am I doing wrong there?
 

NASA

Explorer
Joined
Sep 2, 2012
Messages
66
Which browser are you using (some won't display the settings correctly, even though they are set correctly)? Did you try rebooting the server after you set and saved these settings?
 

riporto

Dabbler
Joined
Mar 7, 2013
Messages
14
It looks like this problem occurs with IE and Chrome.
Yes, I've rebooted.
I can survive anyway, but I would have liked to solve this matter...
 

NASA

Explorer
Joined
Sep 2, 2012
Messages
66
Yup, I had to install Firefox to access all of the setup settings for FreeNAS.
 

zoey

Cadet
Joined
Jul 4, 2013
Messages
2
Good day everyone.
I was able to follow the instructions written in this post but I have a scenario.
For a, b, c, d, and e, I named them departments.
If I need to add one more user to e, I am not able to assign that new user as owner user for the dataset since the first user already owns the group.
Is there a way to have 1 group with multiple users under that group?
 

NASA

Explorer
Joined
Sep 2, 2012
Messages
66
Zoey: Yes there is a way to have one group with multiple users--just create the group first and then add members to it under the "view groups" settings.
 

NASA

Explorer
Joined
Sep 2, 2012
Messages
66
Revised: More FreeNAS 8.2 Permissions Set-Up Examples for Dummies

(This build is a more-elegant design of a build that I posted earlier in this thread.)

I have set up a second FreeNAS server in my home to store family photographs while providing its access to five family members. With the success of my prior post, “FreeNAS 8.2 Permissions Set-Up Example for Dummies,” I thought it would be helpful to other newbies struggling with how to configure permissions if I shared a second example of a successful configuration. I created a single volume for a 1-TB mirrored disk array with no datasets. The users, for the purpose of this post, I shall call A, B, C, D, and E. What I did was to allow users B, C, D, and E to have only read permission to the volume, while providing user A (administrator) full write, read, and delete permissions to the volume. Users B, C, D, and E can, thus, view and copy photos to their client computers, but only user A can add or delete them to or from the server. Allow me to describe to you how I did it.

I will not cover installation of the FreeNAS software, as this forum addresses that issue, more than adequately, elsewhere; I will only suggest that the reader install the latest, stable version of the software (as of the date of my writing this post), version 8.2. One, also, should be sure to access the FreeNAS GUI with a compatible browser. I wasted three days with my prior configuration repeatedly installing, removing, and reinstalling the software before I realized that I could not configure version 8.2 using IE8 (the user manual even suggests that problems might manifest themselves using IE9). I downloaded Firefox (v. 14) and thereafter was able to configure the GUI without further delay.

I installed two 1-GB Samsung enterprise-grade hard drives in the hardware with which I intended to run FreeNAS. I first edited my server’s BIOS to enable ACPI (ver. 3). I logged into the GUI and configured the basic password and network settings (covered elsewhere in this forum). I also made sure that the Host and Netbios names in this second server were different than those of my first server. I clicked on “Storage”—“View Disks” to verify that FreeNAS saw my drives. (At this point, the reader might want to use the “Wipe” utility on each disk they install if they previously used their disks in other hardware.) I then clicked on “Volume Manager,” selected member disks (using the ctrl key and mouse) and selected a file system type and encryption. I used ZFS (recommended--but only if you have at least 8 GB of RAM in your FreeNAS hardware), however, with no encryption, as I knew I would have more than ample space on the drives to store high-resolution photographs for later Photoshopping. I named the volume and configured my disks into a mirrored (RAID 1) array. I clicked “Add Volume” to finish the process. I set compression to “off” and “Enable atime” to off (the latter, per my preference, for faster performance) in the volume tools. I, thus, created a single volume for our family photographs. I ultimately added a dataset to this build, due to the fact that, upon installing Windows 8 in my computer, for some strange reason, I was seeing my FreeNAS configuration files in my share folder--I just clicked on "add dataset" in the volume display and configured it in a similar manner that I configured my volume, then made slight changes to where user A's directory points and permissions (see below).

I then clicked on “Account” (in the left-hand window pane)—“Users”—“Add User” and created five users, A, B, C, D, and E (again, using family members’ first names as usernames). For all users I set the home directory to “/nonexistent” and I checked the boxes “read, write, and execute” for “owner,” “read and execute” for “group,” and “read and execute” for “other” and I left the two remaining configuration boxes unchecked. I did not change the shell settings or add e-mail addresses, but I inputted passwords for each user. (Note that the FreeNAS manual warns the reader to use the Windows logon name and its associated password for each [Windows] user as their user name and password when setting up these "Users" configurations, but see my comment about this matter below.) I clicked the “O.K.” button after I configured each user and double-checked my configuration work after I created my users. I then created a group which I named "View-Only" and clicked on the "Members" button of the group under "View Groups" to populate the groups with users B, C, D, and E.

I next went back to the “Storage” tab to configure my permissions. I clicked the “Change Permissions” tab for my dataset and selected the A’s (administrator’s) user name for Owner (user) and “View-Only” for Owner (group). For the volume I clicked the "Change Permissions" tab and selected "noowner" and "nogroup." I then checked the boxes in the volume and the dataset “read, write, and execute” for “owner,” “read and execute” for “group,” and “read and execute” for “other.” I left the remaining configuration boxes unchecked and selected “Windows” for the ACL setting (as all users would be accessing the FreeNAS server via Windows computers). I left the “Set Permissions Recursively” box unchecked (I implemented this feature in another way in my Windows Sharing setting--see next paragraph) and clicked the “Change” button. I double-checked my configuration work after I set permissions.

Lastly, I clicked the “Sharing” button in order to create a single share. I clicked the “Windows (CIFS)” option (since all users would be accessing the FreeNAS server with Windows computers) and added my share by clicking the “Add Windows (CIFS) Share” button. I named my share “Pictures.” I browsed to the path of the volume, clicked the “Browsable to Network Clients” box and left all the other boxes unchecked except the "Inherit Owner" and "Inherit Permissions" boxes, which I checked to allow recursive permissions (evidently a fancy way of saying that permissions set in your dataset settings will apply to your share folder and all of its subfolders). I clicked the “O.K.” button for the share I created and I then double-checked my work. Note that, after you create your share, a popup screen will ask you to turn on the CIFS service—do so. After I, thus, created my share, I clicked on the “Services” button and, in the list on the page, clicked on the wrench icon associated with the CIFS “Core” button. I renamed the “Workgroup” using my Windows workgroup name, verified that “nobody” was listed under “Guest Account” and left the other settings unchanged. I clicked “O.K.” and exited the configuration screen.

I rebooted FreeNAS (via the GUI—reboot and/or shutdown here in order to avoid data corruption on your disks by a hard shutdown via the power button on your server hardware) and used the Windows Network Explorer to find access to the storage volume I had created. It appears as a folder with the title “Pictures on FreeNAS (FreeNAS).” If all is well, you should be able to (left) click on the folder and a popup window requesting user name and password should appear (if not using a logon and password on your Windows account—If you do use a logon and password, then you will not have to enter it again when accessing the FreeNAS server). Enter this information. The administrator (A) should have read, write, and delete access to the folder. Note that once you enter a user name and password you do not need to enter this information again as long as you do not break the network connection (e.g., reboot your Windows computer or “Disconnect Network Drive” by right-clicking on the network icon and selecting the same).

(Note: When I migrated my computer to Windows 8, I had to make sure my FreeNAS share setting's host name and/or network settings NetBIOS name conformed exactly to their respective name rules for allowed characters--i.e., no spaces in the name are allowed--otherwise the NAS's icon won't appear under your computer's network display. This issue, for some reason, did not manifest itself in Windows XP or Windows 7.)

Again, I may have missed something in this write up—I hope not, but I apologize if I did. Perhaps a more-experienced user of the FreeNAS software can suggest a more elegant way of configuring the software than my example provides, but I was able to make the software do what I wanted it to do via its GUI configuration exclusively—no scripts or shell command line inputs necessary. I apologize for the length of this post, but I desired, once again, to make it as (again, excuse the term) “idiot-proof” as possible in consideration of those individuals who believe as I that computers should serve to accomplish tasks extrinsic to their own value as objects of fascination in their own right. I still have much to learn about FreeNAS, nevertheless, and I am grateful to the more-experienced users in this forum who have ever so patiently nursed me along in my own learning process.

I wish other FreeNAS users would take the time to post instructions on how they implemented a variety of successful builds.

--Soli Deo gloria
 

hervon

Patron
Joined
Apr 23, 2012
Messages
353
NASA, I just want to say thanks for your tutorial. It is perfectly written and very practical. Helped me a lot. I was stuck until I read the part about the nobody and nogroup for the main volume (dataset in my case). Now parents, children and visitors have coherent permissions.
 

Kevin20554

Cadet
Joined
Oct 9, 2013
Messages
5
For those who need to disconnect their Windows PCs from FreeNAS.
There is no need to reboot or Log off the PC. Just follow these steps:

- Close all connected folders.
- Invoke the Command prompt (dos prompt) from windows start menu.
After C:\Users\your_name> (command prompt)

- To Display All Active Connections From Local Computer
Type "net use" press <return> (without the quote marks)

- To Delete All Active Connections From Local Computer (with confirmation)
Type "net use * /delete" press <return> (without the quote marks)

- To Delete All Active Connections From Local Computer (with NO confirmation)
Type "net use * /delete /y" press <return> (without the quote marks)

To Delete a specific connection from Active Connections From Local Computer
Type "net use /delete \\server\sharename" press <return> (without the quote marks)

Do not try to open the shared folder immediately, as it will open it back up. This process of disconnecting takes about 15 to 40 seconds to kick in!

If you go back to open the shared folders after 15 to 40 seconds, it will ask you for user name and password.

I hope it helps.
 

Freesnofla

Patron
Joined
Oct 27, 2013
Messages
216
Well, I also run FreeNAS 9.1.1. So far I have managed all the steps; as I only have Ubuntu running on all devices, I'd like to run NFS. And that's the point where I struggle; I can't mount my devices. When I try to mount my media drive from the FreeNAS I don't get access. I do have a dataset called Media where I do have additional datasets underneath. Then I created shares and activated NFS, also that worked fine, but when I try to mount the dataset I'm f..... and it seems nobody likes to help. When I run mount -a then I get the response access denied, really strange. Do I have to create some accounts for the users? I thought that would work without.

When it comes to the owners I used root and wheel, what kind of permissions should I use?

Maybe anybody can help a dummy?

regards
freenassnofla
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
Oh, I'm about to make you hate NFS (this is one reason I use CIFS).

NFS sees datasets as volume boundaries and it cannot cross those boundaries.

You are 100% correct that nobody likes to help with permissions. It is damn near impossible for a noobie to sit down and pick it up in 5 minutes unless you just plan to do 777 for everything. I used to try to help people with permissions, but after it always turning into an 8 hour (or 3 day) Skype lecture I gave up. I just can't be volunteering large chunks of my life to teaching permissions. Most of the other knowledgeable people have figured this out, so they stay away too. :(

I've started trying to do a presentation on permissions, but I've somewhat given up that pipe dream.
 

Freesnofla

Patron
Joined
Oct 27, 2013
Messages
216
Ya; I see the problem but what makes me really angry is the fact that it worked for me after a while but when I was installing owncloud and changed somehow to user www. I can't any longer enter the Media dataset. I created a dataset called Data and underneath I created owncloud and that's the one I assigned to the www. role. Owncloud works like a charm. Anyway I can't get NFS running yet. Finally I decided to use owncloud overall, but that does not work as I only can handle files up to 512 MB, I do have files which are bigger and then that will not solve my issue.
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
There are other threads around that show you how to increase that limit. Mine has no limit. :)
 

Freesnofla

Patron
Joined
Oct 27, 2013
Messages
216
Just found thread #8, but how do I come to that area? I should be able to go by ssh root@owncloudIP or FreeNasIP? Just tried both and again I can't enter the FreeNas box :-(. Terrible.
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
Please ask in that thread. Try to keep this thread on-topic. :)
 
Joined
Mar 6, 2014
Messages
2
Thank you very much for the guide, though I've just done something quite stupid with your information.

I've been happily using FreeNAS without datasets, using the following structure: nas0\Users\A, B, C etc.
Each user had access to all other users, so I thought I'd use your tutorial in order to restrict users' access to other folders apart from their own.

I created a Dataset named "Users" and within there I created more datasets for each user.
I realise now that I should have used a different structure than what was already in place as now when I browse to the shares all files and folders have gone!
The volume is still showing that the same amount of data is being used, so I assume that the data is going to be retrievable, if so could someone please assist me in finding it again?

If all else fails I do have a full backup of the missing data, it's a couple of days old but not much has changed.
 

dlavigne

Guest
Delete the dataset with the duplicate name and you should be able to see the original folders again.
 
Joined
Mar 6, 2014
Messages
2
That's what I thought, though the files did not come back straight away.
Rebooted the NAS and they still weren't there. It was only after I SSH'd into the NAS & could see the files were still there when running "ls /mnt/nas0/users" that upon browsing to the share again the files were back again.

Thanks for the assistance, much appreciated.
 

indivision

Guru
Joined
Jan 4, 2013
Messages
806
Can someone speak to the security implications of giving the parent dataset 777 permissions assigned to 'nobody' and 'nogroup'?

I have been trying to improve the security of my server by limiting permissions to only users/groups that need them. While doing that, I discovered that if I limited parent dataset permissions, it would make child datasets shared with CIF unavailable to machines on the network. I got a 'permission denied' message. As soon as I made the parent dataset permissions 777 again, the same credentials worked.

It seems to me that having write and execute permissions allowed in the parent dataset is a vulnerability. I don't understand why those permissions need to be loose in order to access datasets within them...?

Thank you for any insight anyone has to offer.
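
An added example (not part of any post in this thread, and not FreeNAS code): a small model of classic POSIX owner/group/other checks applied to the layout from NASA's revised guide and to the parent-dataset question in the post above. It assumes plain mode bits only, not Windows ACLs or CIFS share options; the names `Node`, `access` and `report` and the sample users are constructed for illustration.

```python
from dataclasses import dataclass

R, W, X = 4, 2, 1  # POSIX permission bits within one rwx triplet


@dataclass(frozen=True)
class Node:
    name: str
    owner: str
    group: str
    mode: int  # e.g. 0o755


def triplet(node, user, groups):
    """Pick the single rwx triplet that applies: owner, else group, else other."""
    if user == node.owner:
        return (node.mode >> 6) & 7
    if node.group in groups:
        return (node.mode >> 3) & 7
    return node.mode & 7


def access(path, user, groups):
    """Return the rwx bits `user` gets on the last node of `path`, or 0 if
    any parent directory on the way denies search (execute) permission."""
    for parent in path[:-1]:
        if not triplet(parent, user, groups) & X:
            return 0  # cannot traverse the parent: 'permission denied'
    return triplet(path[-1], user, groups)


def describe(bits):
    return "".join(c if bits & b else "-" for c, b in (("r", R), ("w", W), ("x", X)))


# Constructed layout modelled on the thread: a parent owned by nobody:nogroup
# and a child dataset owned by user A with group View-Only (B and E shown).
MEMBERS = {"A": set(), "B": {"View-Only"}, "E": {"View-Only"}}
dataset = Node("Pictures", "A", "View-Only", 0o755)


def report(parent_mode):
    """Effective access of each sample user to the child for a given parent mode."""
    volume = Node("volume", "nobody", "nogroup", parent_mode)
    return {u: describe(access([volume, dataset], u, g)) for u, g in MEMBERS.items()}


if __name__ == "__main__":
    for mode in (0o777, 0o755, 0o711, 0o750):
        print(oct(mode), report(mode))
```

In this model only the search (x) bit on the parent matters for reaching the child: 0711 and 0755 give the same result as 0777, while 0750 locks out every user who is not nobody or in nogroup.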
 