Hi,
I set up the emby plugin and samba shares but now I have a problem with the rights management because both need to read and write to the same folder.
Can someone help me and tell me what would be a good way to set up groups, users and folders inside FreeNAS itself and the jail so emby and samba don't interfere with each other?
Say for example I have these three shares:
"\\FreeNAS\Movies"
"\\FreeNAS\Music"
"\\FreeNAS\Backups"
And they point to 3 datasets on a pool:
"/mnt/HDDpool/LowSec/Movies"
"/mnt/HDDpool/LowSec/Music"
"/mnt/HDDpool/HighSec/Backups"
I want some Windows users to be able to access all shares (in this case "Backups", "Music" and "Movies" datasets/shares with read/write/delete rights).
But I also want some Windows users to be only allowed to access specific shares (with read/write/delete rights).
For example:
"Admin" should be able to access all three shares.
"Alice" & "EmbyFreeNAS" should be able to access only "Music" and "Movies"
"Bob" should be only allowed to access "Movies"
I did this for now by creating a new unix user for each Windows user with the options "Microsoft account: yes", "Shell: nologin", "allow password login: yes" so each Windows user has its own unix account with name and password for use with samba. I also created a new user "EmbyFreeNAS" as a counterpart of the user "emby" inside the jail.
These users are members of multiple groups that define what shares are accessible to the users:
"GroupA": Admin
"GroupB": Admin, Alice, EmbyFreeNAS
"GroupC": Admin, Alice, EmbyFreeNAS, Bob
So I set the owners of the 3 datasets to this:
"Backups" -> nobody:GroupA
"Music" -> EmbyFreeNAS:GroupB
"Movies" -> EmbyFreeNAS:GroupC
But then there is the emby jail which runs as "emby:emby" and I mounted 2 of the 3 datasets to the jail via gui (Jails -> emby -> Mountpoints -> Add):
FreeNAS "/mnt/HDDpool/LowSec/Movies" -> Jail "/media/Movies"
FreeNAS "/mnt/HDDpool/LowSec/Music" -> Jail "/media/Music"
But the emby jail needs rights to write to the mounted folders to store metadata next to the media files in those folders. That wasn't possible without changing the userid of the user "emby" inside the jail to the userid of the user "EmbyFreeNAS" outside the jail. But what to do with the groups? I can't set the groupid of the group "emby" inside the jail to a groupid used outside the jail, because the mounted folders are owned by different groups.
What is the best way to do that?
I haven't encountered problems so far, which confuses me, and I have some questions about how that works.
How do the standard Samba share ACLs behave? It looks like all created files are owned by the group which is the owner of the dataset, as if the dataset inherited its group like a "setgroupid bit" was set with chmod. So it isn't important what primary group any user is assigned to, because that group is ignored while creating files/folders?
Do I need "EmbyFreeNAS" (which shares the same uid with the jail's user "emby") to be the owner of the datasets? Is the jail's user "emby" allowed to do everything that "GroupB" and "GroupC" are allowed to do, because the host's user "EmbyFreeNAS" is a member of those two groups, so it isn't important which user owns a file or folder, as long as all users share the same group?
Greetings
Dunuin
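
The layout described in the post above, modelled as a classic Unix mode-bit check (an added example, not part of the original post). The numeric uids/gids and the 0770/0660 modes are constructed assumptions, NFSv4/Windows ACLs are not modelled, and the jail process is assumed to carry only the groups listed in the jail's own group database:

```python
# Constructed numeric IDs; the post gives names only.
UID = {"Admin": 1001, "Alice": 1002, "Bob": 1003, "EmbyFreeNAS": 1004, "nobody": 65534}
GID = {"GroupA": 2001, "GroupB": 2002, "GroupC": 2003, "emby": 989}
MEMBERS = {  # host group membership as listed in the post
    "GroupA": ["Admin"],
    "GroupB": ["Admin", "Alice", "EmbyFreeNAS"],
    "GroupC": ["Admin", "Alice", "EmbyFreeNAS", "Bob"],
}
# Dataset owner:group from the post; mode 0770 is an assumption.
DATASETS = {
    "Backups": ("nobody", "GroupA", 0o770),
    "Music": ("EmbyFreeNAS", "GroupB", 0o770),
    "Movies": ("EmbyFreeNAS", "GroupC", 0o770),
}

def host_creds(user):
    """uid and gid set a host (Samba) user gets from the host group database."""
    return UID[user], {GID[g] for g, m in MEMBERS.items() if user in m}

def can_rw(uid, gids, owner_uid, group_gid, mode):
    """Mode-bit check: the first matching class (owner, group, other) decides."""
    if uid == owner_uid:
        bits = mode >> 6
    elif group_gid in gids:
        bits = mode >> 3
    else:
        bits = mode
    return bits & 0o6 == 0o6  # needs both read and write

def shares_for(uid, gids):
    """Names of the datasets this credential can read and write."""
    return sorted(n for n, (o, g, m) in DATASETS.items()
                  if can_rw(uid, gids, UID[o], GID[g], m))

# Jail process: uid remapped to EmbyFreeNAS's uid, but its groups come from the
# jail's own group database, so it holds only the jail-local "emby" gid.
JAIL_EMBY = (UID["EmbyFreeNAS"], {GID["emby"]})

def jail_can_rw_file(owner, group, mode):
    uid, gids = JAIL_EMBY
    return can_rw(uid, gids, UID[owner], GID[group], mode)

if __name__ == "__main__":
    for u in ("Admin", "Alice", "Bob", "EmbyFreeNAS"):
        print(u, shares_for(*host_creds(u)))
    print("jail emby", shares_for(*JAIL_EMBY))
    print("jail emby on Alice's 0660 file:", jail_can_rw_file("Alice", "GroupB", 0o660))
```

In this model the jail user reaches the two dataset roots only through the owner bits of the shared uid; a file that a Samba user creates as `Alice:GroupB` with mode 0660 falls to the "other" class for the jail process, because the host's group memberships do not follow the uid into the jail.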