[How-To] Create service account as system built-in

Status
Not open for further replies.

qwertymodo

Contributor
Joined
Apr 7, 2014
Messages
144
I recently added a bunch of jail service accounts to the FreeNAS host in order to more easily track which services were doing what (and also to aid in the ease of managing permissions on mount points), but it got really annoying to see all of those users/groups listed in the drop-down tree menu as if they were real users, so I dug around and figured out how FreeNAS differentiates built-in user accounts, which only show up in the list when you click "View Users/View Groups" but don't get their own entry in the main navigation tree menu.

First, create the user normally using the GUI. If you're trying to mirror an existing account in a jail, be sure to specify the correct UID (e.g. UID 817 for the btsync plugin's service account). Select Create a New Primary Group for the user, set the home directory to /nonexistent and the shell to nologin, and select disable password login.

Now, to flag the account as a built-in, open the settings db in SQLite (to be safe, you might want to make a backup of /data/freenas-v1.db first)
Code:
sqlite3 /data/freenas-v1.db


and execute the following commands (be sure to substitute the correct UID/GID)
Code:
sqlite> UPDATE account_bsdusers SET bsdusr_builtin='1' WHERE bsdusr_uid='youruidhere';
sqlite> UPDATE account_bsdgroups SET bsdgrp_builtin='1' WHERE bsdgrp_gid='yourgidhere';


and one last one that's probably optional, but it is consistent with the actual system built-in accounts
Code:
sqlite> UPDATE account_bsdusers SET bsdusr_smbhash='*' WHERE bsdusr_uid='youruidhere';


and quit
Code:
sqlite> .q


Reload the GUI, and here is the end result:
 
Last edited:
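As an added example (not part of the original post and not FreeNAS code): the same updates wrapped in a file backup and a single transaction that rolls back unless each statement matches exactly one row, so a mistyped UID or GID changes nothing. The sample database is constructed for the demo and holds only the columns named in the post; `flag_builtin` and `make_sample_db` are hypothetical names.

```python
import shutil
import sqlite3
import tempfile
from pathlib import Path


def flag_builtin(db_path, uid, gid):
    """Mark one user and one group as built-in, all-or-nothing; returns the backup path."""
    backup = f"{db_path}.bak"
    shutil.copy2(db_path, backup)  # copy first, as the post advises
    conn = sqlite3.connect(db_path)
    try:
        with conn:  # commits on success, rolls back if anything raises
            changes = [
                # the post's optional smbhash update is folded into the user statement
                ("UPDATE account_bsdusers SET bsdusr_builtin=1, bsdusr_smbhash='*' "
                 "WHERE bsdusr_uid=?", uid),
                ("UPDATE account_bsdgroups SET bsdgrp_builtin=1 "
                 "WHERE bsdgrp_gid=?", gid),
            ]
            for sql, ident in changes:
                cur = conn.execute(sql, (int(ident),))
                if cur.rowcount != 1:  # a mistyped ID matches 0 rows
                    raise ValueError(f"{cur.rowcount} rows matched id {ident}")
    finally:
        conn.close()
    return backup


def make_sample_db(path):
    """Constructed stand-in for the config db (the real tables have more columns)."""
    conn = sqlite3.connect(path)
    conn.executescript("""
        CREATE TABLE account_bsdusers (bsdusr_uid INTEGER,
            bsdusr_builtin INTEGER DEFAULT 0, bsdusr_smbhash TEXT DEFAULT '');
        CREATE TABLE account_bsdgroups (bsdgrp_gid INTEGER,
            bsdgrp_builtin INTEGER DEFAULT 0);
        INSERT INTO account_bsdusers (bsdusr_uid) VALUES (817);
        INSERT INTO account_bsdgroups (bsdgrp_gid) VALUES (817);
    """)
    conn.commit()
    conn.close()


if __name__ == "__main__":
    db = str(Path(tempfile.mkdtemp()) / "sample.db")
    make_sample_db(db)
    print("backup at", flag_builtin(db, 817, 817))
```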

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,525
First, I got to say.. I totally cringed when I read about SQL editing with sqlite3. It can get very scary, and a typo can spell disaster.

But, why do you care if an account is a "built-in" account or not? I'm not sure what value is added by being labeled as a built-in account.
 

qwertymodo

Contributor
Joined
Apr 7, 2014
Messages
144
Why do I care? Simply because those accounts aren't users and I don't want to see them listed as users when they aren't. Seriously, sqlite isn't that scary.

As for the slightly longer "why do I even need these accounts", I'll give an example. Say you install the BTSync plugin, and want to properly configure permissions on your dataset. After browsing around, you find this solution wherein you create a matching user/group pair in both the FreeNAS host and also in the btsync jail. Then, when you grant permissions to the btsync user on a directory in FreeNAS, and mount that directory into the jail, the btsync application can access that directory. Also, because the btsync user exists within the FreeNAS user list, it will properly display when you run commands like lsof, or ls -l, instead of just displaying 817:817, leaving you to wonder what UID/GID 817 means. I recently ran into an issue with my NIC and listen queue overflows that led me to this post, but when I ran the lsof command, all of the results were unknown UIDs, which was completely useless. So I grepped through all of my (jailroot)/(jail)/etc/passwd files to find the users, and then added them into FreeNAS. Once I had done that, however, I now had 10+ "users" listed that aren't actual users. I don't want to see them in the treemenu.

I understand wanting to keep average users out of the raw db, but come on... it's BSD for crying out loud. If I wanted a server that only allowed me to configure things the way the GUI allowed, I'd run Windows ;)
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,525
sqlite might not be scary in and of itself. But fat-fingering an entry can make your system unbootable. :P
 