is used to manage users and groups. This section contains these entries:
- Groups: used to manage UNIX-style groups on the TrueNAS® system.
- Users: used to manage UNIX-style accounts on the TrueNAS® system.
Each entry is described in more detail in this section.
The Groups interface provides management of UNIX-style groups on the TrueNAS® system.
It is unnecessary to recreate the network users or groups when a directory service is running on the same network. Instead, import the existing account information into TrueNAS®. Refer to Directory Services for details.
This section describes how to create a group and assign user accounts to it. The Groups page lists all groups, including those built in and used by the operating system.
The table displays group names, group IDs (GID), built-in groups, and whether sudo is permitted. Clicking the (Options) icon on a user-created group entry displays Members, Edit, and Delete options. Click Members to view and modify the group membership. Built-in groups are required by the TrueNAS® system and cannot be edited or deleted.
|GID||string||The next available group ID is suggested. By convention, UNIX groups containing user accounts have an ID greater than
1000 and groups required by a service have an ID equal to the default port number used by the service. Example:
|Name||string||Enter an alphanumeric name for the new group. Group names cannot begin with a hyphen (
|Permit Sudo||checkbox||Set to allow group members to use sudo. When using sudo, a user is prompted for their own password.|
|Allow Duplicate GIDs||checkbox||Not recommended. Allow more than one group to have the same group ID.|
To change which users are members of a group, expand the group from the list and click Members. To add users to the group, select users in the left frame and click ->. To remove users from the group, select users in the right frame and click <-. Click SAVE when finished changing the group members.
Figure 4.1.3, shows adding a user as a member of a group.
The Delete button deletes a group. The pop-up message asks if all users with this primary group should also be deleted, and to confirm the action. Note built-in groups do not have a Delete button.
TrueNAS® supports users, groups, and permissions, allowing flexibility in configuring which users have access to the data stored on TrueNAS®. To assign permissions to shares, select one of these options:
- Create a guest account for all users, or create a user account for every user in the network where the name of each account is the same as a login name used on a computer. For example, if a Windows system has a login name of bobsmith, create a user account with the name bobsmith on TrueNAS®. A common strategy is to create groups with different sets of permissions on shares, then assign users to those groups.
- If the network uses a directory service, import the existing account information using the instructions in Directory Services.
By default, each user entry displays the username, User ID (UID), whether the user is built into TrueNAS®, and full name. This table is adjustable by clicking COLUMNS and setting the desired columns.
Clicking a column name sorts the list by that value. An arrow indicates which column controls the view sort order. Click the arrow to reverse the sort order.
Click (Options) on the user created account to display the Edit and Delete buttons. Note built-in users do not have a Delete button.
Setting the email address for the built-in root user account is recommended as important system messages are sent to the root user. For security reasons, password logins are disabled for the root account and changing this setting is highly discouraged.
Except for the root user, the accounts that come with TrueNAS® are system accounts. Each system account is used by a service and should not be used as a login account. For this reason, the default shell on system accounts is nologin(8). For security reasons and to prevent breakage of system services, modifying the system accounts is discouraged.
When using Active Directory, Windows user passwords must be set from within Windows.
|Username||string||Usernames can be up to 16 characters long. When using NIS or other legacy software with limited username lengths, keep
usernames to eight characters or less for compatibility. Usernames cannot begin with a hyphen (
|Full Name||string||This field is mandatory and may contain spaces.|
|string||The email address associated with the account.|
|Password||string||Mandatory unless Disable Password is Yes. Cannot contain a
|Confirm Password||string||Required to match the value of Password.|
|User ID||integer||Grayed out if the user already exists. When creating an account, the next numeric ID is suggested. By convention, user accounts have an ID greater than 1000 and system accounts have an ID equal to the default port number used by the service.|
|New Primary Group||checkbox||Set by default to create a new a primary group with the same name as the user. Unset to select a different primary group name.|
|Primary Group||drop-down menu||Unset New Primary Group to access this menu. For security reasons, FreeBSD will not give a user su permissions if wheel is not their primary group. To give a user su access, add them to the wheel group in Auxiliary groups.|
|Auxiliary groups||drop-down menu||Select which groups the user will be added to.|
|Home Directory||browse button||Choose a path to the user’s home directory. If the directory exists and matches the username, it is set as the user’s home directory. When the path does not end with a subdirectory matching the username, a new subdirectory is created. The full path to the user’s home directory is shown here when editing a user.|
|Home Directory Permissions||checkboxes||Sets default Unix permissions of user’s home directory. This is read-only for built-in users.|
|SSH Public Key||string||Paste the user’s public SSH key to be used for key-based authentication. Do not paste the private key!|
Yes : Disables the Password fields and removes the password from the account. The account cannot use password-based logins for services. For example, disabling the password prevents using account credentials to log in to an SMB share or open an SSH session on the system. The Lock User and Permit Sudo options are also removed.
No : Requires adding a Password to the account. The account can use the saved Password to authenticate with password-based services.
|Shell||drop-down menu||Select the shell to use for local and SSH logins. The root user shell is used for web interface Shell sessions. See Table 4.2.2 for an overview of available shells.|
|Lock User||checkbox||Prevent the user from logging in or using password-based services until this option is unset. Locking an account is only possible when Disable Password is No and a Password has been created for the account.|
|Permit Sudo||checkbox||Give this user permission to use sudo. When using sudo, a user is prompted for their account Password.|
|Microsoft Account||checkbox||Set if the user is connecting from a Windows 8 or newer system or when using a Microsoft cloud service.|
Some fields cannot be changed for built-in users and are grayed out.
|tcsh||Enhanced C shell|
|bash||Bourne Again shell|
|mksh||mirBSD Korn shell|
|scponly||Select scponly to restrict the user’s SSH usage to only the scp and sftp commands.|
|git-shell||restricted git shell|
|nologin||Use when creating a system account or to create a user account that can authenticate with shares but which cannot login to the FreeNAS system using ssh.|
Built-in user accounts needed by the system cannot be removed. A Delete button appears for custom users that were added by the system administrator. Clicking Delete opens a popup window to confirm the action and offer an option to keep the user primary group when the user is deleted.