4. Accounts

Accounts is used to manage users and groups. This section contains these entries:

  • Groups: used to manage UNIX-style groups on the TrueNAS® system.
  • Users: used to manage UNIX-style accounts on the TrueNAS® system.

Each entry is described in more detail in this section.

4.1. Groups

The Groups interface provides management of UNIX-style groups on the TrueNAS® system.

Note

It is unnecessary to recreate the network users or groups when a directory service is running on the same network. Instead, import the existing account information into TrueNAS®. Refer to Directory Services for details.

This section describes how to create a group and assign user accounts to it. The Groups page lists all groups, including those built in and used by the operating system.

_images/accounts-groups.png

Fig. 4.1.1 Group Management

The table displays group names, group IDs (GID), built-in groups, and whether sudo is permitted. Clicking the  (Options) icon on a user-created group entry displays Members, Edit, and Delete options. Click Members to view and modify the group membership. Built-in groups are required by the TrueNAS® system and cannot be edited or deleted.

The ADD button opens the screen shown in Figure 4.1.2. Table 4.1.1 summarizes the available options when creating a group.

_images/accounts-groups-add.png

Fig. 4.1.2 Creating a New Group

Table 4.1.1 Group Creation Options
Setting Value Description
GID string The next available group ID is suggested. By convention, UNIX groups containing user accounts have an ID greater than 1000 and groups required by a service have an ID equal to the default port number used by the service. Example: the sshd group has an ID of 22. This setting cannot be edited once the group is created.
Name string Enter an alphanumeric name for the new group. Group names cannot begin with a hyphen (-) or contain a space, tab, or these characters: , : + & # % ^ ( ) ! @ ~ * ? < > = . $ can only be used as the last character of the group name.
Permit Sudo checkbox Set to allow group members to use sudo. When using sudo, a user is prompted for their own password.
Allow Duplicate GIDs checkbox Not recommended. Allow more than one group to have the same group ID.

To change which users are members of a group, expand the group from the list and click Members. To add users to the group, select users in the left frame and click ->. To remove users from the group, select users in the right frame and click <-. Click SAVE when finished changing the group members.

Figure 4.1.3, shows adding a user as a member of a group.

_images/accounts-users-member-example.png

Fig. 4.1.3 Assigning a User to a Group

The Delete button deletes a group. The pop-up message asks if all users with this primary group should also be deleted, and to confirm the action. Note built-in groups do not have a Delete button.

4.2. Users

TrueNAS® supports users, groups, and permissions, allowing flexibility in configuring which users have access to the data stored on TrueNAS®. To assign permissions to shares, select one of these options:

  1. Create a guest account for all users, or create a user account for every user in the network where the name of each account is the same as a login name used on a computer. For example, if a Windows system has a login name of bobsmith, create a user account with the name bobsmith on TrueNAS®. A common strategy is to create groups with different sets of permissions on shares, then assign users to those groups.
  2. If the network uses a directory service, import the existing account information using the instructions in Directory Services.

Accounts ➞ Users lists all system accounts installed with the TrueNAS® operating system, as shown in Figure 4.2.1.

_images/accounts-users.png

Fig. 4.2.1 Managing User Accounts

By default, each user entry displays the username, User ID (UID), whether the user is built into TrueNAS®, and full name. This table is adjustable by clicking COLUMNS and setting the desired columns.

Clicking a column name sorts the list by that value. An arrow indicates which column controls the view sort order. Click the arrow to reverse the sort order.

Click  (Options) on the user created account to display the Edit and Delete buttons. Note built-in users do not have a Delete button.

Note

Setting the email address for the built-in root user account is recommended as important system messages are sent to the root user. For security reasons, password logins are disabled for the root account and changing this setting is highly discouraged.

Except for the root user, the accounts that come with TrueNAS® are system accounts. Each system account is used by a service and should not be used as a login account. For this reason, the default shell on system accounts is nologin(8). For security reasons and to prevent breakage of system services, modifying the system accounts is discouraged.

The ADD button opens the screen shown in Figure 4.2.2. Table 4.2.1 summarizes the options that are available when user accounts are created or modified.

Warning

When using Active Directory, Windows user passwords must be set from within Windows.

_images/accounts-users-add.png

Fig. 4.2.2 Adding or Editing a User Account

Table 4.2.1 User Account Configuration
Setting Value Description
Username string Usernames can be up to 16 characters long. When using NIS or other legacy software with limited username lengths, keep usernames to eight characters or less for compatibility. Usernames cannot begin with a hyphen (-) or contain a space, tab, or these characters: , : + & # % ^ ( ) ! @ ~ * ? < > = . $ can only be used as the last character of the username.
Full Name string This field is mandatory and may contain spaces.
Email string The email address associated with the account.
Password string Mandatory unless Disable Password is Yes. Cannot contain a ?. Click  (Show) to view or obscure the password characters.
Confirm Password string Required to match the value of Password.
User ID integer Grayed out if the user already exists. When creating an account, the next numeric ID is suggested. By convention, user accounts have an ID greater than 1000 and system accounts have an ID equal to the default port number used by the service.
New Primary Group checkbox Set by default to create a new a primary group with the same name as the user. Unset to select a different primary group name.
Primary Group drop-down menu Unset New Primary Group to access this menu. For security reasons, FreeBSD will not give a user su permissions if wheel is not their primary group. To give a user su access, add them to the wheel group in Auxiliary groups.
Auxiliary groups drop-down menu Select which groups the user will be added to.
Home Directory browse button Choose a path to the user’s home directory. If the directory exists and matches the username, it is set as the user’s home directory. When the path does not end with a subdirectory matching the username, a new subdirectory is created. The full path to the user’s home directory is shown here when editing a user.
Home Directory Permissions checkboxes Sets default Unix permissions of user’s home directory. This is read-only for built-in users.
SSH Public Key string Paste the user’s public SSH key to be used for key-based authentication. Do not paste the private key!
Disable Password drop-down

Yes : Disables the Password fields and removes the password from the account. The account cannot use password-based logins for services. For example, disabling the password prevents using account credentials to log in to an SMB share or open an SSH session on the system. The Lock User and Permit Sudo options are also removed.

No : Requires adding a Password to the account. The account can use the saved Password to authenticate with password-based services.

Shell drop-down menu Select the shell to use for local and SSH logins. The root user shell is used for web interface Shell sessions. See Table 4.2.2 for an overview of available shells.
Lock User checkbox Prevent the user from logging in or using password-based services until this option is unset. Locking an account is only possible when Disable Password is No and a Password has been created for the account.
Permit Sudo checkbox Give this user permission to use sudo. When using sudo, a user is prompted for their account Password.
Microsoft Account checkbox Set if the user is connecting from a Windows 8 or newer system or when using a Microsoft cloud service.

Note

Some fields cannot be changed for built-in users and are grayed out.

Table 4.2.2 Available Shells
Shell Description
csh C shell
sh Bourne shell
tcsh Enhanced C shell
bash Bourne Again shell
ksh93 Korn shell
mksh mirBSD Korn shell
rbash Restricted bash
rzsh Restricted zsh
scponly Select scponly to restrict the user’s SSH usage to only the scp and sftp commands.
zsh Z shell
git-shell restricted git shell
nologin Use when creating a system account or to create a user account that can authenticate with shares but which cannot login to the FreeNAS system using ssh.

Built-in user accounts needed by the system cannot be removed. A Delete button appears for custom users that were added by the system administrator. Clicking Delete opens a popup window to confirm the action and offer an option to keep the user primary group when the user is deleted.