iXsystems blog: Users, Permissions, and ACLs in FreeNAS

Joon

In this tutorial, we’re going to talk about setting up Users, Permissions, and ACLs in FreeNAS. ACL stands for Access Control List, which designates access control entries for users and administrators on FreeNAS systems, specifically for Windows SMB shares. This tutorial assumes you already have your pool configured. If you need help getting started with configuring a pool, we recommend you watch our ZFS Pools Overview video first.

Setting up a FreeNAS group and user account

First, you’ll want to set up a FreeNAS user account and configure specific permissions.

To do this, click “Groups” under “Accounts” in the left side menu.
  • Click “ADD”.
  • You can leave the Group ID as is; it will be unique to this group.
  • Give it a name. In this how-to, we’ll call it “officegroup”.
  • Sudo lets members of the group run commands as root. Leave this unchecked to avoid giving root access to the group on this system.
  • Click “SAVE” when you’ve finished typing in your settings.

Next, go to “Accounts”, “Users”, then “ADD” a User.
  • Fill in the required fields, starting with Full Name. I’ll name it “Office User”.
    • Give the user a name. For this tutorial, we’ll name this “officeuser”.
    • Give it a unique password.
  • For Primary Group, choose the group you created earlier (officegroup) from the drop-down list. You can also check New Primary Group, and it will create a group with the same name as the user.
  • Then click “SAVE” when you’re finished choosing your settings.

Setting up Permissions (for non-SMB datasets)

Permissions are generally used for non-SMB or Generic datasets, which means any dataset using AFP or NFS shares. SMB datasets for Windows clients use ACLs, which we’ll talk about in the next section.
If you haven’t already, go ahead and create a Generic share-type dataset by clicking the three dots on your pool and then choosing “Add Dataset”. Name your dataset and click “SAVE”.

From the Pools window, open the Permissions options by clicking the three dots on the right of your target dataset and choosing “Edit Permissions”.

You can set the Owner to the user you created earlier, which was “officeuser” and the group to “officegroup”. On the right side under Access, this is where you can set the Read and Write permissions. Go ahead and check “Write” to give editing permissions when you assign this Group to the dataset.

Check “Apply Permissions Recursively” if you want to set these permissions to all directories and files that are currently in the dataset. Check “Traverse” to apply permissions to any child datasets, or datasets within the dataset. Click “SAVE” when done.
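
To confirm from the FreeNAS shell that the owner, group and group-write settings described above reached every file, the following check can be run. It is an added example, not part of the iXsystems tutorial; the function names `audit_dataset` and `demo_audit` are hypothetical, and the demo uses a constructed temporary tree with the current UID/GID standing in for “officeuser” and “officegroup”.

```shell
#!/bin/sh
# Added example, not from the tutorial: audit a Generic dataset's mode bits.
# Usage: audit_dataset PATH OWNER GROUP   (names or numeric IDs)
audit_dataset() {
    root=$1; owner=$2; group=$3
    # Entries the recursive apply missed: owner or group differs.
    find "$root" \( ! -user "$owner" -o ! -group "$group" \) -print |
        sed 's/^/wrong-owner /'
    # Entries writable by "other", i.e. by every account on the system.
    find "$root" ! -type l -perm -0002 -print | sed 's/^/other-writable /'
    # Entries the group cannot edit although "Write" was checked for it.
    find "$root" ! -type l ! -perm -0020 -print | sed 's/^/no-group-write /'
}

# Constructed sample tree so the script runs anywhere; the current UID/GID
# stand in for "officeuser"/"officegroup".
demo_audit() {
    tree=$(mktemp -d) || return 1
    for f in ok loose readonly; do : > "$tree/$f"; done
    chgrp -R "$(id -g)" "$tree"
    chmod 770 "$tree"
    chmod 660 "$tree/ok"        # as intended: owner and group read/write
    chmod 666 "$tree/loose"     # finding: writable by everyone
    chmod 640 "$tree/readonly"  # finding: group cannot write
    audit_dataset "$tree" "$(id -u)" "$(id -g)" | sed "s|$tree|<dataset>|"
    rm -rf "$tree"
}

demo_audit
```

On a real system, call `audit_dataset` with the dataset's mount path, `officeuser` and `officegroup`; no output means nothing deviates. This covers mode bits on Generic datasets only; for SMB datasets the ACL itself has to be inspected, for example with `getfacl`.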

Setting up ACLs (for SMB datasets)

Next, we’ll talk about ACLs, or “Access Control Lists”. An ACL is a security feature used in Microsoft Windows, which designates access control entries for users and administrators on a system. FreeNAS interacts with it through the SMB protocol. Note that the “Edit ACL” feature was recently introduced in FreeNAS 11.3.
If you haven’t already, go ahead and create an SMB dataset by clicking the three dots on your pool and choosing “Add Dataset”. Name your dataset, and choose “SMB” under the Share Type. Lastly, click “SAVE” to proceed.

You can create a share for this SMB dataset as well, by going to “Sharing”, choosing “Windows Shares”, and then selecting “ADD”. Browse to the path of your SMB dataset. You’ll notice it says ACL next to the folder because you set the Share type as SMB earlier. In this tutorial, let’s call this “smbshare” and click “SAVE” to continue.

From the SMB window, open the share options by clicking the three dots on the right and choosing “Edit ACL”. On the left side, leave “root” and “wheel” as the original owners of the dataset.

To give another user ownership permissions, click “Add ACL Item”, then choose “User” for the Who field, and “officeuser” for the User field. You may copy the same settings as the ACL items above on the right side. Do the same for the group, and choose “officegroup” for the Group field. Note: to set open permissions or guest access, you can choose “OPEN” from the “Default ACL Options” dropdown list.

The settings on the right side under “Group” allow you to configure the dataset’s ACL settings according to your network and security needs. Note that when you set the Share Type to “SMB”, the ACL options will default to that specific configuration, which is shown here. Lastly, click “SAVE” when you’re finished choosing your settings.

If you want to read more about configuration and recommendations for ACLs, make sure to check out the FreeNAS Documentation.

Now you have properly set up Permissions and ACLs for your datasets. Repeat the process above each time you need to give a User specific permissions to access a shared dataset on your network or simply use the same group with a new user. To learn how to access a share on Windows with the specific user, make sure to check out our Windows SMB Shares tutorial.

Thank you for reading this tutorial! Be sure to watch our other tutorial videos on our YouTube channel.
 