FreeNAS 8.2 Permissions Set-Up Example for Dummies

Status
Not open for further replies.

NASA

Explorer
Joined
Sep 2, 2012
Messages
66
At the outset of this narrative, please allow me, as its author, to state that I intend no offense to the intelligence of its reader in my choice of its title, nor malice toward the creators of the FreeNAS software. I have sought in it only a catchy phrase that might attract the attention of poor souls, like-minded as me, who find themselves lost amidst the myriad of options and settings that the software presents to them. I, however, claim no expertise in the task of configuring the software: I learned by trial and error, and my knowledge is of necessity limited. My aim here in presenting a verbosely-detailed, single configuration example is to attempt to alleviate the dearth of real-world examples that exist in this forum and assist the reader who might otherwise wholly abandon the FreeNAS software in utter frustration after hours of tearing out their hair and/or enduring unnecessary blood, sweat, and tears. In all actuality, I really hate to see grown men (or women) cry. Engineers, after all, often are not the best of teachers (i.e., of information that often seems so apparent to themselves), and software engineers, in particular, are seldom well-versed in the art of human engineering.

I successfully set up a FreeNAS server in my home while providing its access to five family members. I created a single volume for a 1-TB mirrored disk array containing five datasets (so I might manage hard disk usage). The respective datasets, for the purpose of this post, I shall call A, B, C, D, and E. What I did was to allow users B, C, D, and E to have write, read, and delete permissions to their respective individual datasets only, while providing user A (administrator) write, read, and delete permissions to his/her own dataset as well as write, read, and delete permissions to the datasets of users B, C, D, and E. Let me describe to you how I did it.

I will not cover installation of the FreeNAS software, as this forum addresses that issue, more than adequately, elsewhere; I will only suggest that the reader install the latest, stable version of the software (as of the date of my writing this post), version 8.2 (works in 8.3 also). One, also, should be sure to access the FreeNAS GUI with a compatible browser. I wasted three days repeatedly installing, removing, and reinstalling the software before I realized that I could not configure version 8.2 using IE8 (the user manual even suggests that problems might manifest themselves using IE9). I downloaded Firefox (v. 14) and thereafter was able to configure the GUI without further delay.

I installed two 1-GB Samsung enterprise-grade hard drives in the hardware with which I intended to run FreeNAS. I FIRST EDITED MY SERVER'S BIOS TO ENABLE ACPI (VER. 3). I logged into the GUI and configured the basic password and network settings (covered elsewhere in this forum). I clicked on “Storage”—“View Disks” to verify that FreeNAS saw my drives. (At this point, the reader might want to use the “Wipe” utility on each disk they install if they previously used their disks in other hardware.) I then clicked on “Volume Manager,” selected member disks (using the ctrl key and mouse) and selected a file system type and encryption. I used ZFS (recommended), however, with no encryption, as I knew I would have more than ample space on the drives to store only documents. I named the volume and configured my disks into a mirrored (RAID 1) array. I clicked “Add Volume” to finish the process. When the volume appeared on the GUI page, I then clicked the “Create ZFS Dataset” button associated with the volume to create five datasets (one has to, thus, click the same button for each dataset one creates). I named my five datasets A, B, C, D, and E (I, in fact, used family members’ first names). I set compression to “off” and “Enable atime” to off (the latter, per my preference, for faster performance). (I did not set the quota and space parameters, but the reader may feel free to do so.) I then clicked the “Add Dataset” button for each dataset I created. I created an additional data set, which I titled “Common”; one to which all my family members might have write, read, and delete access (for sharing files amongst us). I, thus, created a single volume and six datasets within that volume.

I then clicked on “Account” (in the left-hand window pane)—“Users”—“Add User” and created five users, A, B, C, D, and E (again, using family member’s first names as usernames). In doing so I browsed to each of the five datasets associated with each user and allowed the configuration tool to create primary group IDs for each username (thus, I ended up with five users and five primary groups). I checked the boxes “read, write, and execute” for “user” and “group” only (I did not check the boxes for “other”) for each user, and I left the other configuration boxes either unchecked or empty. I did not change the shell settings or add e-mail addresses, but I inputted passwords for each user. (Note that the FreeNAS manual warns the reader to use the Windows logon name and its associated password for each (Windows) user as their user name and password when setting up these "Users" configurations, but see my comment about this matter below.) I clicked the “O.K.” button after I configured each user and double-checked my configuration work after I created my users.

I next went back to the “Storage” tab to configure my permissions. I clicked the “Change Permissions” tab for my volume and selected “nobody” for Owner (user) and “nogroup” for Owner (group). I checked all nine Mode (permission) boxes (“read,” “write,” and “execute” for “User,” “Group” and “Other”) and selected “Windows” for the ACL setting (as all users would be accessing the FreeNAS server via Windows computers). I left the “Set Permissions Recursively” box unchecked and clicked the “Change” button. I next configured the permissions for the six datasets. For user A, I clicked the “Change Permissions” tab for its dataset and selected “A” (actually the first name of that family member) for Owner (user) and “nogroup” for Owner (group). I checked the six Mode (permission) boxes for “user” and “group” only and left the “other” boxes unchecked, and selected “Windows” for the ACL setting. I left the “Set Permissions Recursively” box unchecked and clicked the “Change” button. For the datasets associated with users B, C, D, and E, I clicked the “Change Permissions” tab for individual datasets and selected “B, C, D, or E” (actually the first name of that family member) for Owner (user) and “A” (the administrator’s name) for Owner (group). I checked the six Mode (permission) boxes for “user” and “group” only and left the “other” boxes unchecked, and selected “Windows” for the ACL setting. I left the “Set Permissions Recursively” box unchecked and clicked the “Change” button. For the “Common” dataset, I clicked the “Change Permissions” tab for its dataset and selected “nobody” for Owner (user) and “nogroup” for Owner (group). I checked all nine Mode (permission) boxes and selected “Windows” for the ACL setting. I left the “Set Permissions Recursively” box unchecked and clicked the “Change” button. I double-checked my configuration work after I set permissions.

Lastly, I clicked the “Sharing” button in order to create shares. I clicked the “Windows (CIFS) option (since all users would be accessing the FreeNAS server with Windows computers) and added six Windows shares, one at a time, by clicking the “Add Windows (CIFS) Share” button with each share addition. I named each of the six shares (A, B, C, D, E, and Common) with family members’ names followed by the word “Files” (e.g., “Sam’s Files”). It is most important here to resist the temptation to give each share the same name (e.g. “Files” without family members’ name before it), otherwise you will confuse the software and end up with only one folder when you finish the configuration and look for the six folders you created. (Yes--I wasted another two hours trying to figure out why this situation happened to me.) I browsed to the dataset path of each user, clicked the “Browsable to Network Clients” box and left the other boxes blank or unchecked. I clicked the “O.K.” button for each share I created. I double-checked my work after I created all six shares. Note that, after you create your first share, a popup screen will ask you to turn on the CIFS service—do so. After I, thus, created my shares, I clicked on the “Services” button and, in the list on the page, clicked on the wrench icon associated with the CIFS “Core” button. I renamed the “Workgroup” using my Windows workgroup name, verified that “nobody” was listed under “Guest Account” and left the other settings unchanged. I clicked “O.K.” and exited the configuration screen. Note that I did not create a share for the volume itself—only for the datasets within the volume—doing so would have just resulted in having to click through an additional parent folder in the Windows Network Explorer window to access the six user folders once the configuration is completed.

I rebooted FreeNAS (via the GUI—reboot and/or shutdown here in order to avoid data corruption on your disks by a hard shutdown via the power button on your server hardware) and used the Windows Network Explorer to find access to the six storage dataset groups I had created. They appear as folders with titles such as “[family members’ name]’s Files on FreeNAS (FreeNAS).” If all is well, you should be able to (left) click on a respective folder and a popup window requesting user name and password should appear. Enter this information and you should have read, write, and delete access to the folder you own as well as the “Common” folder. The administrator (A) should have read, write, and delete access to all six folders. Note that once you enter a user name and password you do not need to enter this information again as long as you do not break the network connection (e.g., reboot your Windows computer). Although the FreeNAS user manual suggests that only the user whose name and password matches the logon name and password of the computer used to access a file folder can so access it, I did not find this situation to be the case—in other words, I found that I could access any user account on any Windows computer connected to my network so long as I inputted the correct user name and password in the popup window at the Windows Network Explorer. Beware, however, that if you input the wrong user name and password you must break the network connection (e.g., reboot) before you can reenter the correct one (i.e., there is no graceful way to logoff and back on to the server).

(Note: When I migrated my computer to Windows 8, I had to make sure my FreeNAS share setting's host name and/or network settings NetBIOS name conformed exactly to their respective name rules for allowed characters--i.e., no spaces in the name are allowed, otherwise the NAS's icon won't appear under your computer's network display. This issue, for some reason, did not manifest itself in Windows XP or Windows 7.)

I may have missed something in this write up—I hope not, but I apologize if I did. Perhaps a more-experienced user of the FreeNAS software can suggest a more elegant way of configuring the software than my example provides, but I was able to make the software do what I wanted it to do via its GUI configuration exclusively—no scripts or shell command line inputs necessary. I apologize for the length of this post, but I desired to make it as (once again, excuse the term) “idiot-proof” as possible in consideration of those individuals who believe as I that computers should serve to accomplish tasks extrinsic to their own value as objects of fascination in their own right. I still have much to learn about FreeNAS, nevertheless, and I am grateful to the more-experienced users in this forum who have ever so patiently nursed me along in my own learning process.

--Soli Deo gloria
 

kjertil

Dabbler
Joined
Mar 16, 2012
Messages
19
Thanks NASA for writing this, i've been searching all day for a in-depth example of setting up a CIFS share with permissions.
I've checked videos on youtube and they all make it seem so easy!
specially this vid gives you the impression that it would be easy: http://www.youtube.com/watch?v=m2WBPou_SJc
(I followed the instructions obviously, also knowing it aplies to ver 8.0.1)
Yet, i've spent 9 hours today trying to make it work with no luck with ver 8.2.0 r1
The weird thing is that i've managed to make it work before (with ver 8.0.1 maybe?) but this time it just won't work.
When i check the "Allow Guest Access" on the CIFS share i've created it's all fine but as soon as i uncheck it, none of my machines can log on to it (winXP, win7 and ubuntu).
I'm new to BSD, kind of used to linux but real comfy in windows and it feels i should only be a click away from success, but still, it feels like i have tried everything,
even reinstalled freeNAS and done everything in different order over and over again.
Tip for the freeNAS team:
1. some kind of logger or console showing NOOBS all login attempts (in a readable way) and possibly why they fail...
2. a wizard for creating a simple share with permissions would be nice...
Right now i feel like reinstalling ubuntu server and dance the good old samba and cary on with my life instead.
I know freeNAS works for a lot of people so right now i'm really confused!
 

NASA

Explorer
Joined
Sep 2, 2012
Messages
66
I feel your pain. Unfortunately, in one sense, FreeNAS is not a commercial product that requires its authors to provide configuration examples for all imaginable setups. I am trying to set up a second server to do something slightly different, in terms of permissions, than the first, and it isn't working with my first crack at it. One just has to keep experimenting with settings to try to reverse-engineer the software.
 

kjertil

Dabbler
Joined
Mar 16, 2012
Messages
19
@NASA freeNAS is of course a great project that has come far and is really powerful.
As i mentioned, i've played around with it before, not really using it seriously, but still made it work perfectly with what i beleive was version 8.0.1.
This time (with ver 8.2.0 r1) , i just can't get it to work with permissions anymore and the most frustrating thing is that there is really no way to tell what is wrong. freeNAS would be such a (even) better project if there was just some way of telling the admin when and why certain log in attempts failed.
I guess maybe there already are, but i still haven't discovered it and the GUI doesn't really give any hints.
Maybe if i post this as a direct question in another thread i'll get some answers :)
Cheers
 

NASA

Explorer
Joined
Sep 2, 2012
Messages
66
I don't know if this suggestion might help, but I discovered that I have to reboot the connecting computer (not the FreeNAS server) after a successful (or failed) password-protected (i.e., permission) connection to the file folder on the FreeNAS server--that is the only way I can tell if a configuration change to the FreeNAS GUI really works. Actually, all you need to do is to right-click on your network icon on the connected computer and click "disconnect network drive" (I knew there must have been an easier way to do this), that way you don't have to reboot each time.
 

NASA

Explorer
Joined
Sep 2, 2012
Messages
66
I just finished figuring out how to do my second server permission configuration. See my new post below, "More FreeNAS 8.2 Permission Set-Up Examples for Dummies" as well as my "Revised: More FreeNAS 8.2 Permission Set-Up Examples for Dummies" post that follows it.

:cool:
 

kjertil

Dabbler
Joined
Mar 16, 2012
Messages
19
@NASA after much teeth grinding, i managed to actually log in now with my win XP box! i'm beginning to suspect that there is something less user friendly going on like you describe. I know sometimes i'm even unable to log on to a stupid XP box and that a reboot is the only way to make it work. Perhaps this is some thing of a old protocol not really up to date with modern world technology!? :)
I did not test the "disconnect network drive" either! Would be nice to really be able to reproduce the problem and make a ONCE-AND-FOR-ALL-DEFINITE-SOLUTION for this stupid old problem.
PS. i did not mention i'm not using a domain controller or such, just a couple of windows XP and 7 boxes + a few ubuntu boxes in my network.
PS2. the ubuntu boxes are also showing up on the network. Don't know if this is a problem.
PS3. The choice of freeNAS user name and passwords vs the windows and linux users are also an interesting topic, how much is this affecting the whole NAS-eco system?
Thanks again for your reports from the NAS djungle!
 

NASA

Explorer
Joined
Sep 2, 2012
Messages
66
The problem, kjertil, is not so much with XP as it is with IE8--with it you won't see all the info displayed on the FreeNAS 8.2 GUI. The problem is solved if you use Firefox 14 on XP. The "disconnect network drive" function will allow you to implement the changes you make to FreeNAS without having to reboot Windows. I am using all Windows boxes in my network, so I cannot advise you about mixing ubuntu with Windows, but I see no reason why it would not work if you enable the right shares. Upon further experimenting, I discovered that logging onto a Windows 7 box with the same name and password you use to log onto FreeNAS precludes one having to do a second logon to the FreeNAS network drive after you open your Windows account--If you use different names and passwords you will evidently have to make that second logon. I only have one account on my XP box, and it is not password protected, so I don't logon to it and, thus, I must logon to FreeNAS when I open its network drive. I will get around to posting my second configuration example eventually, if not sooner.
 

kjertil

Dabbler
Joined
Mar 16, 2012
Messages
19
@NASA i'm only using firefox (latest) on all my boxes (xp,win7 & ubuntu) and i believe i load the GUI perfectly on all machines :)
I'm also experimenting with a serverbox running virtualmin, which made my windows networking go nuts. only when i closed it down was i able to restore the windows shares.
I know it's like begging for troubles to do all this in the same time but it also gives me small pieces to the puzzle!
I wonder if implementing something like a domain controller/LDAP would solve issues surrounding authentication?
Looking forward to your next article!
 

NASA

Explorer
Joined
Sep 2, 2012
Messages
66
More FreeNAS 8.2 Permissions Set-Up Examples for Dummies

(NOTE: I no longer recommend this build due to its "Rube Goldbergish" implementation of groups and the fact that it does not process permissions recursively--see my new "Revised: More FreeNAS 8.2 Permissions Set-Up Examples for Dummies" post in this tread below.)

I have set up a second FreeNAS server in my home to store family photographs while providing its access to five family members. With the success of my prior post, “FreeNAS 8.2 Permissions Set-Up Example for Dummies,” I thought it would be helpful to other newbees struggling with how to configure permissions if I shared a second example of a successful configuration. I created a single volume for a 1-TB mirrored disk array with no datasets. The users, for the purpose of this post, I shall call A, B, C, D, and E. What I did was to allow users B, C, D, and E to have read permission only to the volume, while providing user A (administrator) full write, read, and delete permissions to the volume. Users B, C, D, and E can, thus, view and copy photos, but only user A can add or delete them. Let me describe to you how I did it. (Upon installing Windows 8 in my computer, for some strange reason, I was seeing my FreeNAS configuration files in my share folder, so I have modified this post--see below--to add a dataset layer below my volume to solve this problem).

I will not cover installation of the FreeNAS software, as this forum addresses that issue, more than adequately, elsewhere; I will only suggest that the reader install the latest, stable version of the software (as of the date of my writing this post), version 8.2. One, also, should be sure to access the FreeNAS GUI with a compatible browser. I wasted three days with my prior configuration repeatedly installing, removing, and reinstalling the software before I realized that I could not configure version 8.2 using IE8 (the user manual even suggests that problems might manifest themselves using IE9). I downloaded Firefox (v. 14) and thereafter was able to configure the GUI without further delay.

I installed two 1-GB Samsung enterprise-grade hard drives in the hardware with which I intended to run FreeNAS. I first edited my server’s BIOS to enable ACPI (ver. 3). I logged into the GUI and configured the basic password and network settings (covered elsewhere in this forum). I also made sure that the Host and Netbios names in this second server were different than those of my first server. I clicked on “Storage”—“View Disks” to verify that FreeNAS saw my drives. (At this point, the reader might want to use the “Wipe” utility on each disk they install if they previously used their disks in other hardware.) I then clicked on “Volume Manager,” selected member disks (using the ctrl key and mouse) and selected a file system type and encryption. I used ZFS (recommended), however, with no encryption, as I knew I would have more than ample space on the drives to store high-resolution photographs for later Photoshoping. I named the volume and configured my disks into a mirrored (RAID 1) array. I clicked “Add Volume” to finish the process. I set compression to “off” and “Enable atime” to off (the latter, per my preference, for faster performance) in the volume tools. I, thus, created a single volume for our family photographs.

(I ultimately added a dataset to this build, for the reason I have cited above--I just clicked on "add dataset" in the volume display and configured it in a similar manner that I configured my volume, then a made slight changes to where user A's directory points and permissions, below.)

I then clicked on “Account” (in the left-hand window pane)—“Users”—“Add User” and created five users, A, B, C, D, and E (again, using family member’s first names as usernames). In doing so, I allowed the configuration tool to create primary group IDs for each username (thus, I ended up with five users and five primary groups). For users B, C, D, and E, I set the home directory to “/nonexistent” and I checked the boxes “read, write, and execute” for “owner,” “read and execute” for “group,” and “read and execute” for “other” for each user, and I left the two remaining configuration boxes unchecked. For user A, on the other hand, I set the home directory to the volume's dataset I created (above) and I checked the boxes “read, write, and execute” for “owner,” “read, write, and execute” for “group,” and “read and execute” for “other.” I left the one remaining configuration box unchecked. I did not change the shell settings or add e-mail addresses, but I inputted passwords for each user. (Note that the FreeNAS manual warns the reader to use the Windows logon name and its associated password for each [Windows] user as their user name and password when setting up these "Users" configurations, but see my comment about this matter below.) I clicked the “O.K.” button after I configured each user and double-checked my configuration work after I created my users.

I next went back to the “Storage” tab to configure my permissions. I clicked the “Change Permissions” tab for my dataset and selected the A’s (administrator’s) user name for Owner (user) and “nogroup” for Owner (group). For the volume I selected "noowner" and "nogroup." I then checked the boxes in the volume and the dataset “read, write, and execute” for “owner,” “read and execute” for “group,” and “read and execute” for “other.” I left the remaining configuration boxes unchecked and selected “Windows” for the ACL setting (as all users would be accessing the FreeNAS server via Windows computers). I left the “Set Permissions Recursively” box unchecked and clicked the “Change” button. I double-checked my configuration work after I set permissions.

Lastly, I clicked the “Sharing” button in order to create a single share. I clicked the “Windows (CIFS) option (since all users would be accessing the FreeNAS server with Windows computers) and added my share by clicking the “Add Windows (CIFS) Share” button. I named my share “Pictures.” I browsed to the path of the volume, clicked the “Browsable to Network Clients” box and left all the other boxes unchecked. I clicked the “O.K.” button for the share I created and I then double-checked my work. Note that, after you create your share, a popup screen will ask you to turn on the CIFS service—do so. After I, thus, created my share, I clicked on the “Services” button and, in the list on the page, clicked on the wrench icon associated with the CIFS “Core” button. I renamed the “Workgroup” using my Windows workgroup name, verified that “nobody” was listed under “Guest Account” and left the other settings unchanged. I clicked “O.K.” and exited the configuration screen.

I rebooted FreeNAS (via the GUI—reboot and/or shutdown here in order to avoid data corruption on your disks by a hard shutdown via the power button on your server hardware) and used the Windows Network Explorer to find access to the storage volume I had created. It appears as a folder with the title Pictures on FreeNAS (FreeNAS).” If all is well, you should be able to (left) click on the folder and a popup window requesting user name and password should appear (if not using a logon and password on your Windows account—If you do use a logon and password, then you will not have to enter it again when accessing the FreeNAS server). Enter this information. The administrator (A) should have read, write, and delete access to the folder. Note that once you enter a user name and password you do not need to enter this information again as long as you do not break the network connection (e.g., reboot your Windows computer or “Disconnect Network Drive” by right-clicking on the network icon and selecting the same).

(Note: When I migrated my computer to Windows 8, I had to make sure my FreeNAS share setting's host name and/or network settings NetBIOS name conformed exactly to their respective name rules for allowed characters--i.e., no spaces in the name are allowed--otherwise the NAS's icon won't appear under your computer's network display. This issue, for some reason, did not manifest itself in Windows XP or Windows 7.)

I may have missed something in this write up—I hope not, but I apologize if I did. Perhaps a more-experienced user of the FreeNAS software can suggest a more elegant way of configuring the software than my example provides, but I was able to make the software do what I wanted it to do via its GUI configuration exclusively—no scripts or shell command line inputs necessary. I apologize for the length of this post, but I desired, once again, to make it as (again, excuse the term) “idiot-proof” as possible in consideration of those individuals who believe as I that computers should serve to accomplish tasks extrinsic to their own value as objects of fascination in their own right. I still have much to learn about FreeNAS, nevertheless, and I am grateful to the more-experienced users in this forum who have ever so patiently nursed me along in my own learning process.

--Soli Deo gloria
 
Joined
Oct 2, 2012
Messages
3
I was getting to the point of giving up on FreeNAS after a few hours of going round in circles. After reading your post it occurred to me that I maybe just needed to reboot FreeNAS after setting everything up. Sure enough that's all it seems I was missing.

Thanks :)
 

boyett

Dabbler
Joined
Jun 27, 2012
Messages
17
@NASA
Big thanks. :)
 

Valcore

Cadet
Joined
Sep 13, 2012
Messages
4
I have users A and B, they are apart of a group called trustedUsers. That group is the admin of my userStorage dataset. However when I acess it, I find I can not create any folders or files.. If I access the folder already there called backup, I can create, delete and everything else with in that folder. Help?
 

denellum

Cadet
Joined
Dec 20, 2012
Messages
2
i just registered to thank you. I've been beating my head against the wall the past few days and i ran into two issues that you had resolved for me. One being changing it from unix to windows in the volume properties, and two the reboot. You are a savior! THANK YOU!
 

pete_c20

Dabbler
Joined
Nov 23, 2012
Messages
23
NASA,
Thankyou for this. When you're learning its great to read something that's been set out and explained in detail. There's a lot on this forum that's hard to get into, but to be fair, I guess, it's a FreeNAS forum and not a learn_freeBSD_forum. But many will be getting into this via FreeNAS, and that can only be good.

NB A couple of things I've found ESSENTIAL to troubleshooting permissions /shares etc etc.

1) Use Firefox. I used Opera to start with, but some of the screens in the GUI don't render quite right and the alert light (top right) doesn't work.
2) AND THIS IS A BIGGY!! After making changes to settings for CIFS shares, if things aren't making sense, or changes don't seem to have an effect, then restart the CIFS service by simply clicking the service off and back on again in SERVICE >CONTROL SERVICES>CIFS. After I did that I got my sanity back. It's very hard to learn new stuff on a system that's not behaving itself.

That took me a few days of tearing my hair out to realise what was going on there! May be a bug in Samba.
 

NASA

Explorer
Joined
Sep 2, 2012
Messages
66
Valcore: Sorry, I did not see your post and I suspect you resolved your issue long ago, but, if not, all you need to do is to adjust your "write" permission(s) to allow you to create folders and files.
 
Status
Not open for further replies.
Top