Administrator Access to Windows Shares in FreeNAS


To support Windows shares created in FreeNAS, whether these are personal shares, group shares or shares owned by plugins, system administrators require full access to all shares. However, it isn’t immediately obvious how to grant administrators full access. In this post, I present the method I use to grant administrators access to shares in a non-Active Directory environment. Some knowledge of FreeNAS is assumed.

In FreeNAS, when creating a user account, by default, a primary group with the same name as the user account is created. When assigning permissions to a dataset, you can only specify one user and one group (plus world). If the user and group have the same name, where does the administrator fit in? Let’s explore this in a little bit more detail. In the example that follows, a new user connor is added to the system. Note that instead of a user, we could very well be dealing with a plugin owned by an account. The steps are identical for both.

Step 1: Add the account

User connor is created with a temporary password. Note that the primary group connor is also created, because the option "Create a new primary group for the user" is checked by default.

[Image: add user connor]

Step 2: Create a dataset to be associated with the account.

Make sure the Share type is Windows.

[Image: create connor dataset]

Step 3: Change permissions on the dataset so that the account has full access.

Change permissions on the dataset so that connor has full access.

[Image: connor change permissions]

Step 4: Create a share associated with the dataset.

[Image: add share connor]

Step 5: From Windows, map to the share using the credentials of the account.

Windows 7 dialogue boxes follow. Make sure you check Connect using different credentials. Use the temporary password that was established for connor.

[Screenshots: Windows 7 dialogue boxes for mapping the share]

It is important that there are no pre-existing share mappings prior to attempting the mapping in this step. If there are, disconnect those mappings first; otherwise, you will see a very misleading dialogue box like the following.

[Screenshot: the misleading dialogue box]

The only thing correctly stated in the dialogue text is ‘To connect using a different user name and password, first disconnect any existing mappings’.

Step 6: Grant administrator full access and remove world access.

These steps are done through Windows and not through FreeNAS. FreeNAS permissions are limited to owner, group and world. Anything more complex is done through Windows ACLs.

When permissions are first viewed on the share, they appear as follows. Windows has inherited the basic FreeNAS permissions.

[Screenshot: initial permissions on the share]

Click Edit to change permissions. Non-FreeNAS users should not have access to any shares on the system, so remove Everyone access. Grant administrators (in this case any user included in the auxiliary group admins) full access. Note that when you first include administrators, they will have read access only. Remember to check Full control.

[Screenshot: edited permissions]

Click Apply or OK and the following dialogue box is presented.

[Screenshot: dialogue box]

Click Yes to proceed and then OK to exit the previous dialog box.
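Steps 5 and 6 can also be carried out from a PowerShell prompt on the Windows client. The script below is an added example, not part of the original procedure; the server name freenas, the drive letter Z: and the way the admins group resolves on the client (FREENAS\admins) are assumptions to adjust for your system.

```powershell
# Added example, not from the original post.
# Assumptions: server name 'freenas', free drive letter Z:, and the FreeNAS
# auxiliary group 'admins' resolving on the client as 'FREENAS\admins'.
$Server   = 'freenas'
$Share    = 'connor'            # share created in Step 4
$Owner    = 'connor'            # account created in Step 1
$Drive    = 'Z:'
$AdminGrp = 'FREENAS\admins'
$Unc      = "\\$Server\$Share"
$Root     = "$Drive\"

# Step 5 precondition: disconnect every existing mapping to this server,
# otherwise Windows refuses to connect with a second set of credentials.
foreach ($line in (net use)) {
    if ($line -match "(?:([A-Z]:)\s+)?(\\\\$([regex]::Escape($Server))\\\S+)") {
        # Prefer the drive letter when there is one, else the UNC path.
        $target = if ($Matches[1]) { $Matches[1] } else { $Matches[2] }
        net use $target /delete /y
    }
}

# Step 5: map the share as the owning account. '*' makes net use prompt for
# the temporary password instead of placing it on the command line.
net use $Drive $Unc /user:$Owner * /persistent:no
if ($LASTEXITCODE -ne 0) { throw "Mapping $Unc as $Owner failed" }

# Step 6: grant the administrators group Full control, inherited by
# subfolders (CI) and files (OI), then remove the Everyone entry.
icacls $Root /grant "${AdminGrp}:(OI)(CI)F"
if ($LASTEXITCODE -ne 0) { throw "Could not grant $AdminGrp full control" }
icacls $Root /remove:g Everyone
if ($LASTEXITCODE -ne 0) { throw "Could not remove Everyone" }

# Verify: the admins entry must show (F) and Everyone must be gone.
$acl = icacls $Root
$acl
if ($acl -match 'Everyone:') {
    Write-Warning "Everyone still has an entry on $Root"
}
```

If icacls cannot resolve the group name, look up how the group is displayed in the Security tab of the share and use that form in $AdminGrp.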

Other Considerations

User Accounts

In a non-AD environment, the password for the Windows user connor must match the password for the FreeNAS account connor. An additional step will be to have user connor update his FreeNAS password to match his Windows password.

I would also include user connor in the auxiliary group freenas, which groups all standard users. This makes it easy to assign permissions on shares that affect all FreeNAS users. This could be done at Step 1.

[Image: include user in freenas]

Plugin Accounts

Not essential, but if you’re a belts and braces person, after setting up administrator access, consider editing the account and checking Disable password login. For example:

[Image: switch off password login for plugin account]

Common User Shares

For shares that affect all FreeNAS users and that are not owned by a plugin account, at step 3, make nobody the Owner (user) and set the Owner (group) to a group that has full access. Refer to the posts Creating a Common Read-Write Share in FreeNAS and Create a Common Read-Only Share in FreeNAS for examples of this.

Note that you won’t be able to map the drive as suggested earlier in this post. The reason for this is that nobody is the share owner. To get around this, temporarily add your administrator account to the group specified in Owner (group); log off and back on to the Windows account (that maps to the administrator account), and then modify permissions on the share directly from Windows Explorer or by first mapping the account using the administrator credentials.
