jonatas.baldin
Cadet
- Joined: Feb 26, 2013
- Messages: 1
Hello everyone, I've created a lab to test FreeNAS 8.3 and I want to share what I could learn already about permissions.
If there's something wrong, please, correct me.
SCENARIO (fake one) :)
In my network there are just Windows stations, so I chose the CIFS protocol for sharing.
In my company we have some departments, they are:
- Directors (board of Directors);
- Engineers;
- Financial;
- Purchases;
- IT.
The points are:
- Every department needs its own share folder, with its own access to rwx;
- Every user needs its own share folder, with its own access to rwx;
- The board of directors must have access to rwx in any folder;
- Must share a common share folder, where anyone can rwx.
PART 1 - GROUPS/USERS
First, let's create the groups (departments) and users (employees).
- All users will have their 'Home Directory' configured to /nonexistent (so, 'Home Directory Mode' will be useless).
- Use some hard passwords :p
GROUP - USERS
directors - director1,director2
engineers - engineer1,engineer2,director1,director2
financials - financial1,director1,director2
purchases - purchase1,director1,director2
it - jonatas.baldin,director1,director2
PS: The directors in all groups look like something terrible to configure, but in the GUI it is easy: just select all of them and "drag'n'drop" them to the group.
PART 2 - VOLUMES/DATASETS
I've created a ZFS volume, named volume1, using two disks in mirroring, without any special configuration (like compression or dedup).
In the permissions of the master volume, I set up:
Owner (user): nobody
Owner (group): nogroup
Mode: all the nine boxes checked.
In this volume, I created these datasets with these permissions for the departments:
- directors - user: director1; group: directors; mode: the owner/group 6 boxes checked;
- engineers - user: engineer1; group: engineers; mode: the owner/group 6 boxes checked;
- financials - user: financial1; group: financials; mode: the owner/group 6 boxes checked;
- purchases - user: purchase1; group: purchases; mode: the owner/group 6 boxes checked;
- it - user: jonatas.baldin1; group: it; mode: the owner/group 6 boxes checked;
For each personal share I had to create another share. I'll put here just one example, for each dataset I had to change the Owner (user):
- director1-personal - user: director1; group: nogroup; mode: the owner 3 boxes checked, only.
For the common share I created this:
- common - user: nobody; group: nogroup; mode: all 9 boxes checked.
PART 3 - CIFS
I created one share configuration for each dataset.
There's no secret here, it is the same for every share (except the common share). Example:
- directors - name: directors, path: /mnt/volume1/directors; and mark the boxes that are useful (just read the FreeNAS User Guide, there's a lot of stuff there).
- director1-personal - name: director1-persional; path: /mnt/volume1/director1-personal; ...
- common - name: common; path: /mnt/volume1/common; Allow Guest Access and Only Allow Guest Access checked;
PART 4 - SERVICE CIFS
In the service CIFS configuration there are some details to adjust, but it isn't a big deal. Just make sure that the Guest Account is set to nobody.
And so...
Now:
- All departments have their own place to share data;
- All users have their own place to store their particular files;
- All users can share files with other departments using the common folder;
- The board of Directors can see everything in the departments share (take care!).
I guess this mini article can help someone! Any doubts just post here, I (and the community) will try to help out.
Bye!
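
An added example, not part of the original post: a small Python model of the layout above that applies the Unix owner/group/other rule to each dataset and lists where each user ends up with rwx. It assumes the GUI mode boxes map to octal modes 770, 700 and 777, that group membership is exactly the PART 1 table, and it ignores CIFS-level settings such as guest-only access.

```python
# Added example: models the layout from the post; not FreeNAS code.
GROUPS = {
    "directors": {"director1", "director2"},
    "engineers": {"engineer1", "engineer2", "director1", "director2"},
    "financials": {"financial1", "director1", "director2"},
    "purchases": {"purchase1", "director1", "director2"},
    "it": {"jonatas.baldin", "director1", "director2"},
}
# dataset -> (owner, group, mode); assumed mapping of the GUI boxes:
# owner/group 6 boxes = 0o770, owner 3 boxes = 0o700, all 9 = 0o777.
DATASETS = {
    "directors": ("director1", "directors", 0o770),
    "engineers": ("engineer1", "engineers", 0o770),
    "financials": ("financial1", "financials", 0o770),
    "purchases": ("purchase1", "purchases", 0o770),
    "it": ("jonatas.baldin1", "it", 0o770),  # owner as written in PART 2
    "director1-personal": ("director1", "nogroup", 0o700),
    "common": ("nobody", "nogroup", 0o777),
}
USERS = set().union(*GROUPS.values())


def effective_bits(user, dataset):
    """POSIX class selection: owner first, then group, then other."""
    owner, group, mode = DATASETS[dataset]
    if user == owner:
        return (mode >> 6) & 7
    if user in GROUPS.get(group, set()):
        return (mode >> 3) & 7
    return mode & 7


def full_access(user):
    """Datasets where the user holds rwx (all three bits)."""
    return {d for d in DATASETS if effective_bits(user, d) == 7}


def unknown_owners():
    """Dataset owners that are not in any group list from PART 1."""
    known = USERS | {"nobody"}
    return {d: o for d, (o, _, _) in DATASETS.items() if o not in known}


if __name__ == "__main__":
    for user in sorted(USERS):
        print(f"{user:15} rwx on: {', '.join(sorted(full_access(user)))}")
    print("owners not defined as users:", unknown_owners())
```

Run against this layout, the model shows that director2 gets rwx on every department dataset but none on director1-personal, and that the owner given for the it dataset does not match any user in the PART 1 table.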