NextCloud: how to configure local user authentication and allow them local file access

Status
Not open for further replies.

Stilez

Guru
Joined
Apr 8, 2016
Messages
529
I'm planning to use the NextCloud plugin to replace SFTP, among other things, which I used to use. Although FreeNAS services include SFTP, the protocol is deprecated in various browsers such as Firefox and somewhat treated as a legacy protocol, so this helps non-technical Windows users to download files off the server remotely and securely as they're used to doing, without needing 3rd-party software, FTP clients, or reverting to bare HTTP. It also means I can expand what I'm giving them access to, by adding other NextCloud features, as well as a more modern UI than FTP had. So it should be really good!

I haven't used NextCloud before, but it supports authentication via PAM, SMB and FTP, user access via HTTPS, and can allow access to pool directories via "external storage" backends such as local files, FTP and SMB. So it looks like NextCloud can do everything I need to replace SFTP, although it'll need extra config to get there.

I've got a new NextCloud install working and can log in by web, so that's OK so far. I've also added the PAM, SMB/FTP authentication extensions and the "External Storage" extension, although not configured them yet. (A message implies I need to make changes to php.config?) I've tried to follow the documentation to get the basics I want up and running, as some of my users will be meeting between Christmas and New Year, and I'd like to be able to offer at least basic file access by then. But I doubt I'll figure all of this out by then, left to myself; I'm hoping it's not difficult, and someone can walk me through it.

What do I need to do, regarding a clean NextCloud plugin setup, to get these basics up and running?


GOALS/PRIORITIES:
(The following would be all I need to achieve, to allow users in over Christmas! Everything else can wait)
  1. HTTPS ONLY: I want connection to NextCloud to be HTTPS only - either denying HTTP, or "transparently" redirecting to HTTPS.

  2. NEXTCLOUD GUI CERTIFICATE: I don't yet have a certificate authority set up, so I'll have to use a local CA (host or jail) with a self-signed cert for the moment.

  3. USER AUTH: I want the login to authenticate users against the users defined in underlying OS - either PAM, or via SMB or some other way (as the server is running on the same box, it could use any of these, they all ultimately authenticate locally the same way)

  4. POOL DIRECTORY BROWSEABLE BY NEXTCLOUD USERS VIA "EXTERNAL STORAGE", FROM NEXTCLOUD JAIL: After users log in, I want them to be able to see the pool file system under "external storage", at least to the extent that ACLs allow. Since NextCloud is running in iocage, that means configuring external storage and also allowing the jail to access the dir in the pool that users would previously have seen.

  5. POOL ACLS CONTROL WHAT NEXTCLOUD USERS CAN SEE AND DO WITH POOL FILES SHOWN UNDER "EXTERNAL STORAGE": I want to be sure that what users can do with the files they see, will be limited as before, by the ACLs set in the pool. That presumably means that I need to keep UIDs/GIDs in sync for these users, between the host and the jail. If I do that, does it automatically follow that the ACLs will work as I expect and I'll get correct access control provided to users who try to access files from NextCloud (within its jail), too? Or do I need to do anything else?

  6. USER/GROUP MAINTENANCE - CORRECT WAY TO DO IT: For myself, I also need the correct way to keep UIDs/GIDs in sync, if needed. Meaning, if I create a new user or group, or change an existing one, what's the appropriate process for creation/changes, so the host and jail UID/GIDs remain synced and ACLs in the pool will give the same access to a user whether they're accessing via CLI locally (i.e. me!), SMB from the LAN, or NextCloud UI in its jail?

RELEVANT SYSTEM INFO:

The system is on 11.2 release. NextCloud isn't in use, it's a pristine default install using the plugin. My pool's access rights are controlled by ACLs. Currently, only local users access the pool, via SMB, and access control works fine for that. There aren't many users, so I maintain the list of users manually in the FreeNAS UI, and add membership of various groups to them. From that point onward, ACLs conditioned on user groups nicely handle everything related to access control.


A quick run-down how to achieve this, would be really helpful for next week's events - thank you!
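For goals 5 and 6 above, here is an added check (not from the thread, and not part of the plugin) that compares the UID and primary GID of each Nextcloud user between the host's passwd file and the jail's copy; the passwd contents and the user names are constructed sample data, and the jail path in the comment assumes a standard iocage layout.

```shell
#!/bin/sh
# Added example for goals 5 and 6 (not from the thread): compare the UID and
# primary GID of the Nextcloud users between the host's passwd file and the
# jail's copy. Pool ACLs are evaluated on numeric IDs, so a user whose UID
# differs inside the jail is a different identity as far as the ACL is concerned.
# Usage: check_uid_sync HOST_PASSWD JAIL_PASSWD user...
# Prints one line per user; the return status is the number of problems found.
check_uid_sync() {
    host_pw=$1
    jail_pw=$2
    shift 2
    problems=0
    for u in "$@"; do
        # passwd fields: name:password:uid:gid:gecos:home:shell
        h=$(awk -F: -v u="$u" '$1 == u { print $3 ":" $4 }' "$host_pw")
        j=$(awk -F: -v u="$u" '$1 == u { print $3 ":" $4 }' "$jail_pw")
        if [ -z "$h" ]; then
            echo "MISSING on host: $u"
            problems=$((problems + 1))
        elif [ -z "$j" ]; then
            echo "MISSING in jail: $u (create it with the host's uid/gid)"
            problems=$((problems + 1))
        elif [ "$h" != "$j" ]; then
            echo "MISMATCH $u: host uid:gid=$h, jail uid:gid=$j"
            problems=$((problems + 1))
        else
            echo "OK $u uid:gid=$h"
        fi
    done
    return "$problems"
}

# Constructed sample data standing in for /etc/passwd on the host and the
# jail's copy (with iocage, typically /mnt/<pool>/iocage/jails/<jail>/root/etc/passwd).
SAMPLE_HOST=$(mktemp -t ncpw.XXXXXX)
SAMPLE_JAIL=$(mktemp -t ncpw.XXXXXX)
printf '%s\n' 'alice:*:1001:1001:Alice:/home/alice:/bin/sh' \
              'bob:*:1002:1002:Bob:/home/bob:/bin/sh' \
              'carol:*:1003:1003:Carol:/home/carol:/bin/sh' > "$SAMPLE_HOST"
printf '%s\n' 'alice:*:1001:1001:Alice:/home/alice:/bin/sh' \
              'bob:*:1005:1002:Bob:/home/bob:/bin/sh' > "$SAMPLE_JAIL"

# bob's UID differs and carol is absent in the jail, so this reports 2 problems
check_uid_sync "$SAMPLE_HOST" "$SAMPLE_JAIL" alice bob carol || echo "$? problem(s) found"
```

When creating the jail-side account, pass the host's numeric IDs explicitly (FreeBSD's `pw useradd -n NAME -u UID -g GID`) rather than letting the jail pick the next free UID.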
 

samuel-emrys

Contributor
Joined
Dec 14, 2018
Messages
136
I can't answer all of your questions, but I can address a few:

1. I'm not sure whether the plugin uses apache or nginx as the web server, but if it's apache (I assume it is), configuring HTTPS will mean adding a port 80 redirect to 443, and an entry for 443 (SSL) in the vhost file. I wrote a guide for a manual installation (not plugin) that deals with this - I would assume the process is largely the same, so perhaps that will be helpful to you. Note that you will probably need to have your self-signed cert ready to go before doing this.

3. It seems like there is a Nextcloud SSO app that might satisfy your needs here?

4. You can mount a host file system (directory) into your Nextcloud jail using fstab. This would make it accessible outside the jail, and you can then configure an SMB share for this to make it visible to users as a directory. If the username and password are the same for the host OS and the FreeNAS user, I believe SMB supports SSO automatically, so all you would need to do is map the SMB share as a drive on the client and it would appear at login. The permissions could get hairy here though; my installation shows the DAC permissions as www:www, so you'd either have to add your user to the www group, or use some other access control method (I'm assuming these permissions are required by Nextcloud). MAC might be something worth looking into. I'm not too familiar with access control lists though, so you might have a better idea than I do.
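As an added illustration of point 1 above (not from the thread, the guide mentioned, or the plugin), this is the Apache vhost pair that gives the "HTTPS only" behaviour: the port 80 vhost only redirects, and the port 443 vhost serves Nextcloud with the self-signed cert. The hostname, certificate paths and document root are placeholders, and mod_ssl and mod_headers are assumed to be loaded.

```apache
# Plain HTTP: never serve content, only send the client to HTTPS.
<VirtualHost *:80>
    ServerName nextcloud.example.lan
    # 301 so browsers remember the redirect
    Redirect permanent / https://nextcloud.example.lan/
</VirtualHost>

# HTTPS: the only vhost that actually serves Nextcloud.
<VirtualHost *:443>
    ServerName nextcloud.example.lan
    # placeholder; use the path the plugin installed Nextcloud to
    DocumentRoot /usr/local/www/nextcloud

    SSLEngine on
    # placeholders for the self-signed cert and key from the local CA
    SSLCertificateFile    /usr/local/etc/ssl/nextcloud.crt
    SSLCertificateKeyFile /usr/local/etc/ssl/nextcloud.key
    # drop SSLv3 and the old TLS versions
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

    # HSTS: tells browsers to refuse plain HTTP for this host on later visits
    <IfModule mod_headers.c>
        Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
    </IfModule>

    <Directory /usr/local/www/nextcloud>
        Require all granted
        # Nextcloud ships its own .htaccess rules, so allow overrides here
        AllowOverride All
        Options +FollowSymlinks
    </Directory>
</VirtualHost>
```

After editing, run `apachectl configtest` before restarting, and check with a browser that a plain `http://` URL lands on the `https://` page.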
 