The Account Configuration section of the web interface describes how to manually create and manage users and groups. This section contains these entries:
- Groups: used to manage UNIX-style groups on the FreeNAS® system.
- Users: used to manage UNIX-style accounts on the FreeNAS® system.
Each entry is described in more detail in this section.
The Groups interface provides management of UNIX-style groups on the FreeNAS® system.
It is unnecessary to recreate the network users or groups when a directory service is running on the same network. Instead, import the existing account information into FreeNAS®. Refer to Directory Services for details.
This section describes how to create a group and assign user accounts to it. The next section, Users, describes creating user accounts.
Click Figure 4.1.1.to see a screen like
The Groups page lists all groups, including those built-in and used by the operating system. The table displays group names, group IDs (GID), built-in groups, and if sudo is permitted. Clicking a group entry causes a Members button to appear. Click the button to view and modify the group membership
|Group ID||string||The next available group ID is suggested. UNIX groups containing user accounts typically have an ID greater than 1000 and groups required by a service have an ID equal to the default port number used by the service. Example: the sshd group has an ID of 22.|
|Group Name||string||Enter an alphanumeric name for the new group. The period (
|Permit Sudo||checkbox||Set to allow group members to use sudo. When using sudo, a user is prompted for their own password.|
|Allow repeated GIDs||checkbox||Set to allow multiple groups to share the same group id (GID). This is useful when a GID is already associated with the UNIX permissions for existing data, but is generally not recommended.|
After a group and users are created, users can be added to a group. Highlight the group where users will be assigned, then click the Members button. Highlight the user in the Member users list. This shows all user accounts on the system. Click >> to move that user to the right frame. The user accounts which appear in the right frame are added as members of the group.
Figure 4.1.3, shows user1 added as a member of group data1.
The Delete Group button deletes a group. The pop-up message asks whether all members of that group should also be deleted. Note that the built-in groups do not provide a Delete Group button.
FreeNAS® supports users, groups, and permissions, allowing flexibility in configuring which users have access to the data stored on FreeNAS®. To assign permissions to shares, one of these options must be done:
- Create a guest account for all users, or create a user account for every user in the network where the name of each account is the same as a login name used on a computer. For example, if a Windows system has a login name of bobsmith, create a user account with the name bobsmith on FreeNAS®. A common strategy is to create groups with different sets of permissions on shares, then assign users to those groups.
- If the network uses a directory service, import the existing account information using the instructions in Directory Services.
Each account entry indicates the user ID, username, primary group ID, home directory, default shell, full name, whether it is a built-in user that came with the FreeNAS® installation, the email address, if logins are disabled, if the user account is locked, whether the user is allowed to use sudo, and if the user connects from a Windows 8 or newer system. To reorder the list, click the desired column name. An arrow indicates which column controls the view sort order. Click the arrow to reverse the sort order.
Click a user account to cause these buttons to appear:
- Modify User: used to modify the account’s settings, as listed in Table 4.2.1.
- Change E-mail: used to change the email address associated with the account.
Setting the the email address for the built-in root user account is recommended as important system messages are sent to the root user. For security reasons, password logins are disabled for the root account and changing this setting is discouraged.
Except for the root user, the accounts that come with FreeNAS® are system accounts. Each system account is used by a service and should not be used as a login account. For this reason, the default shell on system accounts is nologin(8). For security reasons and to prevent breakage of system services, do not modify the system accounts.
The Add User button opens the screen shown in Figure 4.2.2. Some settings are only available in Advanced Mode. To see these settings, either click Advanced Mode or configure the system to always display these settings by setting Show advanced fields by default in . Table 4.2.1 summarizes the options which are available when user accounts are created or modified.
When using Active Directory, Windows user passwords must be set from within Windows.
|User ID||integer||Grayed out if the user already exists. When creating an account, the next numeric ID is suggested. User accounts typically have an ID greater than 1000 and system accounts have an ID equal to the default port number used by the service.|
|Username||string||Enter an alphanumeric username of eight to sixteen characters. Keeping usernames to eight characters or less is recommended
for compatibility with legacy clients. Note that
|Create a new primary group||checkbox||A primary group with the same name as the user is created automatically. Unset to select a different primary group name.|
|Primary Group||drop-down menu||Unset Create a new primary group to access this menu. For security reasons, FreeBSD does not give a user su permissions if wheel is their primary group. To give a user su access, add them to the wheel group in Auxiliary groups.|
|Create Home Directory In||browse button||Browse to the name of an existing volume or dataset that the user will be assigned permission to access.|
|Home Directory Mode||checkboxes||✓||Sets default Unix permissions of the user’s home directory. This is read-only for built-in users.|
|Shell||drop-down menu||Select the shell to use for local and SSH logins. See Table 4.2.2 for an overview of available shells.|
|Full Name||string||Required. This field may contain spaces.|
|string||The email address associated with the account.|
|Password||string||Required unless Disable password login is set. Cannot contain a
|Password confirmation||string||This must match the value of Password.|
|Disable password login||checkbox||Set to disable password logins and authentication to SMB shares. To undo this setting, create a password for the user by clicking Modify User for the user in the View Users screen. Setting this grays out Lock user and Permit Sudo.|
|Lock user||checkbox||Set to prevent the user from logging in until this box is unset. Setting this grays out Disable password login.|
|Permit Sudo||checkbox||Set to give group members permission to use sudo. When using sudo, a user is prompted for their own password.|
|Microsoft Account||checkbox||Set this when the user is connecting from a Windows 8 or newer system.|
|SSH Public Key||string||Enter or paste the user’s public SSH key to be used for key-based authentication. Do not paste the private key!|
|Auxiliary groups||mouse selection||Highlight groups to add the user. Click the >> to add the user to the highlighted groups.|
Some fields cannot be changed for built-in users and will be grayed out.
|netcli.sh||User is shown the Console Setup menu (Figure 3.1) on connection, even if it is disabled in . The user must be root or have root permissions (effective user ID 0, like toor).|
|tcsh||Enhanced C shell|
|nologin||Use when creating a system account or to create a user account that can authenticate with shares but which cannot login to the FreeNAS system using ssh.|
|bash||Bourne Again shell|
|mksh||mirBSD Korn shell|
|scponly||Select scponly to restrict the user’s SSH usage to only the scp and sftp commands.|
|git-shell||restricted git shell|
Built-in user accounts needed by the system cannot be removed. A Remove User button appears for custom users that were added by the system administrator. If the user to be removed is the last user in a custom group, an option is offered to keep the user primary group after deleting the user.