In order to support Windows shares created in FreeNAS, whether these are personal shares, group shares or shares owned by plugins, system administrators require full access to all shares. However, it isn’t immediately obvious how to grant administrators full access. In this post, I present the method I use to grant administrators access to shares in a non-active directory environment. Some knowledge of FreeNAS is assumed.
In FreeNAS, when creating a user account, by default, a primary group with the same name as the user account is created. When assigning permissions to a dataset, you can only specify one user and one group (plus world). If the user and group have the same name, where does the administrator fit in? Let’s explore this in a little bit more detail. In the example that follows, a new user connor is added to the system. Note that instead of a user, we could very well be dealing with a plugin owned by an account. The steps are identical for both.
Step 1: Add the account
User connor is created with a temporary password. Note that the primary group connor is also created as Create a new primary group for the user is checked by default.
Step 2: Create a dataset to be associated with the account.
Make sure the Share type is Windows.
Step 3: Change permissions on the dataset so that the account has full access.
Change permissions on the dataset so that connor has full access.
Step 4: Create a share associated with the dataset.
Step 5: From Windows, map to the share using the credentials of the account.
Windows 7 dialogue boxes follow. Make sure you check Connect using different credentials. Use the temporary password that was established for connor.
It is important that there are no pre-existing share mappings prior to attempting the mapping in this step. If there are, disconnect those mappings first, otherwise, you will see a very misleading dialog box like the following.
The only thing correctly stated in the dialogue text is ‘To connect using a different user name and password, first disconnect any existing mappings’.
Step 6: Grant administrator full access and remove world access.
These steps are done through Windows and not through FreeNAS. FreeNAS permissions are limited to owner, group and world. Anything more complex is done through Windows ACLs.
When permissions are first viewed on the share, they appear as follows. Windows has inherited the basic FreeNAS permissions.
Click Edit to change permissions. Non-FreeNAS users should not have access to any shares on the system, so remove Everyone access. Grant administrators (in this case any user included in the auxiliary group admins) full access. Note that when you first add administrators, they have read access only. Remember to check Full control.
Click Apply or OK and the following dialogue box is presented.
Click Yes to proceed and then OK to exit the previous dialog box.
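The same Step 6 change can be scripted from the Windows side instead of clicking through the Security tab. This is an added example, not part of the original post; it assumes the share is mapped as drive Z: with connor's credentials, that the FreeNAS host's NetBIOS name is FREENAS and that the administrators' auxiliary group is called admins (adjust all three to your setup).

```powershell
# Scripted equivalent of Step 6: drop world (Everyone) access and grant the
# admins group Full Control on the mapped share. Added example; the drive
# letter, host name and group name below are assumptions.
param(
    [string]$SharePath  = 'Z:\',
    [string]$AdminGroup = 'FREENAS\admins'
)

$acl = Get-Acl -Path $SharePath

# World access shows up in Windows as "Everyone", well-known SID S-1-1-0.
# Resolve the SID locally so the match does not depend on the display language.
$everyone = ([System.Security.Principal.SecurityIdentifier]'S-1-1-0').Translate(
    [System.Security.Principal.NTAccount])

foreach ($ace in @($acl.Access)) {
    if ($ace.IdentityReference.Value -in @($everyone.Value, 'S-1-1-0')) {
        # Only explicit (non-inherited) entries can be removed this way;
        # Samba presents the share root's entries as explicit.
        [void]$acl.RemoveAccessRule($ace)
    }
}

# Explorer adds a new principal with Read access only; here FullControl is
# requested explicitly and inherited by every subfolder and file.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $AdminGroup,
    [System.Security.AccessControl.FileSystemRights]::FullControl,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow
)
$acl.AddAccessRule($rule)

Set-Acl -Path $SharePath -AclObject $acl

# Verify the result: Everyone should be gone and admins should show FullControl.
(Get-Acl -Path $SharePath).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize
```

Run it from the same Windows session that mapped the share with connor's credentials, since only the dataset owner (or an administrator already on the ACL) is permitted to rewrite the DACL.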
In a non-AD environment, the password for the Windows user connor must match the password for the FreeNAS account connor. An additional step is to have user connor update his FreeNAS password to match his Windows password.
I would also include user connor in the auxiliary group freenas, which groups all standard users. This makes it easy to assign permissions on shares that affect all FreeNAS users. This could be done at Step 1.
Not essential, but if you’re a belts and braces person, after setting up administrator access, consider editing the account and check Disable password login. For example:
Common User Shares
For shares that affect all FreeNAS users and that are not owned by a plugin account, at Step 3 set Owner (user) to nobody and set Owner (group) to a group that has full access. Refer to the posts Creating a Common Read-Write Share in FreeNAS and Create a Common Read-Only Share in FreeNAS for examples of this.
Note that you won’t be able to map the drive as suggested earlier in this post. The reason for this is that nobody is the share owner. To get around this, temporarily add your administrator account to the group specified in Owner (group); log off and back on to the Windows account (that maps to the administrator account), and then modify permissions on the share directly from Windows Explorer or by first mapping the account using the administrator credentials.