4. Account

The Account Configuration section of the web interface describes how to manually create and manage users and groups. This section contains these entries:

  • Groups: used to manage UNIX-style groups on the FreeNAS® system.
  • Users: used to manage UNIX-style accounts on the FreeNAS® system.

Each entry is described in more detail in this section.

4.1. Groups

The Groups interface provides management of UNIX-style groups on the FreeNAS® system.

Note

It is unnecessary to recreate the network users or groups when a directory service is running on the same network. Instead, import the existing account information into FreeNAS®. Refer to Directory Services for details.

This section describes how to create a group and assign user accounts to it. The next section, Users, describes creating user accounts.

Click Groups ‣ View Groups to see a screen like Figure 4.1.1.

Fig. 4.1.1 Group Management

The Groups page lists all groups, including those built-in and used by the operating system. The table displays group names, group IDs (GID), built-in groups, and whether sudo is permitted. Clicking a group entry causes a Members button to appear. Click the button to view and modify the group membership.

The Add Group button opens the screen shown in Figure 4.1.2. Table 4.1.1 summarizes the available options when creating a group.

Fig. 4.1.2 Creating a New Group

Table 4.1.1 Group Creation Options

| Setting | Value | Description |
|---|---|---|
| Group ID | string | The next available group ID is suggested. UNIX groups containing user accounts typically have an ID greater than 1000 and groups required by a service have an ID equal to the default port number used by the service. Example: the sshd group has an ID of 22. |
| Group Name | string | Enter an alphanumeric name for the new group. The period (.), hyphen (-), and underscore (_) characters are allowed as long as the group name does not begin with a period (.) or hyphen (-). |
| Permit Sudo | checkbox | Set to allow group members to use sudo. When using sudo, a user is prompted for their own password. |
| Allow repeated GIDs | checkbox | Set to allow multiple groups to share the same group id (GID). This is useful when a GID is already associated with the UNIX permissions for existing data, but is generally not recommended. |

After a group and users are created, users can be added to a group. Highlight the group where users will be assigned, then click the Members button. Highlight the user in the Member users list. This shows all user accounts on the system. Click >> to move that user to the right frame. The user accounts which appear in the right frame are added as members of the group.

Figure 4.1.3 shows user1 added as a member of group data1.

Fig. 4.1.3 Assigning a User to a Group

The Delete Group button deletes a group. The pop-up message asks whether all members of that group should also be deleted. Note that the built-in groups do not provide a Delete Group button.

4.2. Users

FreeNAS® supports users, groups, and permissions, allowing flexibility in configuring which users have access to the data stored on FreeNAS®. To assign permissions to shares, use one of these options:

  1. Create a guest account for all users, or create a user account for every user in the network where the name of each account is the same as a login name used on a computer. For example, if a Windows system has a login name of bobsmith, create a user account with the name bobsmith on FreeNAS®. A common strategy is to create groups with different sets of permissions on shares, then assign users to those groups.
  2. If the network uses a directory service, import the existing account information using the instructions in Directory Services.

Account ‣ Users ‣ View Users lists all system accounts installed with the FreeNAS® operating system, as shown in Figure 4.2.1.

Fig. 4.2.1 Managing User Accounts

Each account entry indicates the user ID, username, primary group ID, home directory, default shell, full name, whether it is a built-in user that came with the FreeNAS® installation, the email address, if logins are disabled, if the user account is locked, whether the user is allowed to use sudo, and if the user connects from a Windows 8 or newer system. To reorder the list, click the desired column name. An arrow indicates which column controls the view sort order. Click the arrow to reverse the sort order.

Click a user account to cause these buttons to appear:

  • Modify User: used to modify the account’s settings, as listed in Table 4.2.1.
  • Change E-mail: used to change the email address associated with the account.

Note

Setting the email address for the built-in root user account is recommended as important system messages are sent to the root user. For security reasons, password logins are disabled for the root account and changing this setting is discouraged.

Except for the root user, the accounts that come with FreeNAS® are system accounts. Each system account is used by a service and should not be used as a login account. For this reason, the default shell on system accounts is nologin(8). For security reasons and to prevent breakage of system services, do not modify the system accounts.

The Add User button opens the screen shown in Figure 4.2.2. Some settings are only available in Advanced Mode. To see these settings, either click Advanced Mode or configure the system to always display these settings by setting Show advanced fields by default in System ‣ Advanced. Table 4.2.1 summarizes the options which are available when user accounts are created or modified.

Warning

When using Active Directory, Windows user passwords must be set from within Windows.

Fig. 4.2.2 Adding or Editing a User Account

Table 4.2.1 User Account Configuration

| Setting | Value | Advanced Mode | Description |
|---|---|---|---|
| User ID | integer | | Grayed out if the user already exists. When creating an account, the next numeric ID is suggested. User accounts typically have an ID greater than 1000 and system accounts have an ID equal to the default port number used by the service. |
| Username | string | | Enter an alphanumeric username of eight to sixteen characters. Keeping usernames to eight characters or less is recommended for compatibility with legacy clients. Note that $ can only be used as the last character. Usernames cannot begin with a hyphen - or contain a space, tab, or these characters: , : + & # % ^ & ( ) ! @ ~ * ? < > = |
| Create a new primary group | checkbox | | A primary group with the same name as the user is created automatically. Unset to select a different primary group name. |
| Primary Group | drop-down menu | | Unset Create a new primary group to access this menu. For security reasons, FreeBSD does not give a user su permissions if wheel is their primary group. To give a user su access, add them to the wheel group in Auxiliary groups. |
| Create Home Directory In | browse button | | Browse to the name of an existing volume or dataset that the user will be assigned permission to access. |
| Home Directory Mode | checkboxes | | Sets default Unix permissions of the user’s home directory. This is read-only for built-in users. |
| Shell | drop-down menu | | Select the shell to use for local and SSH logins. See Table 4.2.2 for an overview of available shells. |
| Full Name | string | | Required. This field may contain spaces. |
| E-mail | string | | The email address associated with the account. |
| Password | string | | Required unless Disable password login is set. Cannot contain a ?. |
| Password confirmation | string | | This must match the value of Password. |
| Disable password login | checkbox | | Set to disable password logins and authentication to SMB shares. To undo this setting, create a password for the user by clicking Modify User for the user in the View Users screen. Setting this grays out Lock user and Permit Sudo. |
| Lock user | checkbox | | Set to prevent the user from logging in until this box is unset. Setting this grays out Disable password login. |
| Permit Sudo | checkbox | | Set to give group members permission to use sudo. When using sudo, a user is prompted for their own password. |
| Microsoft Account | checkbox | | Set this when the user is connecting from a Windows 8 or newer system. |
| SSH Public Key | string | | Enter or paste the user’s public SSH key to be used for key-based authentication. Do not paste the private key! |
| Auxiliary groups | mouse selection | | Highlight groups to add the user. Click the >> to add the user to the highlighted groups. |

Note

Some fields cannot be changed for built-in users and will be grayed out.

Table 4.2.2 Available Shells

| Shell | Description |
|---|---|
| netcli.sh | User is shown the Console Setup menu (Figure 3.1) on connection, even if it is disabled in System ‣ Advanced ‣ Enable Console Menu. The user must be root or have root permissions (effective user ID 0, like toor). |
| csh | C shell |
| sh | Bourne shell |
| tcsh | Enhanced C shell |
| nologin | Use when creating a system account or to create a user account that can authenticate with shares but which cannot log in to the FreeNAS® system using ssh. |
| bash | Bourne Again shell |
| ksh93 | Korn shell |
| mksh | mirBSD Korn shell |
| rbash | Restricted bash |
| rzsh | Restricted zsh |
| scponly | Select scponly to restrict the user’s SSH usage to only the scp and sftp commands. |
| zsh | Z shell |
| git-shell | Restricted git shell |

Built-in user accounts needed by the system cannot be removed. A Remove User button appears for custom users that were added by the system administrator. If the user to be removed is the last user in a custom group, an option is offered to keep the user primary group after deleting the user.
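
The account rules described in this section (repeated GIDs in Table 4.1.1, nologin shells on system accounts, and the wheel rule under Primary Group) can be checked against exported passwd/group data. This is an added example, not FreeNAS® code; the sample records, the finding names, and the use of UIDs 1 to 1000 to mark system accounts are assumptions.

```python
from collections import defaultdict

# Constructed sample records in passwd(5)/group(5) format, not from a real system.
PASSWD = """\
root:*:0:0:Charlie Root:/root:/bin/csh
sshd:*:22:22:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
www:*:80:80:World Wide Web Owner:/nonexistent:/bin/sh
user1:*:1001:1001:User One:/mnt/tank/user1:/bin/csh
bobsmith:*:1002:0:Bob Smith:/mnt/tank/bobsmith:/bin/csh
"""
GROUP = """\
wheel:*:0:root,user1
data1:*:1001:user1
legacy:*:1001:bobsmith
"""

def parse(text, nfields):
    """Return colon-split records that have nfields fields and a numeric ID."""
    rows = (line.split(":") for line in text.splitlines() if not line.startswith("#"))
    return [r for r in rows if len(r) == nfields and r[2].isdigit()]

def audit(passwd_text, group_text, max_system_uid=1000):
    """Return (check, subject, detail) findings for the cases the page warns about."""
    users = [u for u in parse(passwd_text, 7) if int(u[2]) != 0]  # skip UID 0 (root, toor)
    groups, findings = parse(group_text, 4), []
    # Repeated GIDs: more than one group name mapped to the same numeric ID.
    by_gid = defaultdict(list)
    for name, _, gid, _ in groups:
        by_gid[gid].append(name)
    for gid, names in by_gid.items():
        if len(names) > 1:
            findings.append(("repeated-gid", gid, ",".join(names)))
    # Assumption: UIDs 1..max_system_uid are system (service) accounts.
    for name, _, uid, _, _, _, shell in users:
        if int(uid) <= max_system_uid and not shell.endswith("nologin"):
            findings.append(("system-account-shell", name, shell))
    # Per the page, su needs wheel as an auxiliary group, not as the primary group.
    wheel = next((g for g in groups if g[0] == "wheel"), None)
    if wheel:
        aux = [m for m in wheel[3].split(",") if m]
        for name, _, _, gid, _, _, _ in users:
            if name in aux:
                findings.append(("su-via-wheel", name, "auxiliary member of wheel"))
            elif gid == wheel[2]:
                findings.append(("wheel-primary-only", name, "no su access"))
    return findings

if __name__ == "__main__":
    print(*audit(PASSWD, GROUP), sep="\n")
```

Sudo permission is not visible in these files, so accounts and groups with Permit Sudo set still need to be reviewed in the web interface.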