SOLVED TrueNAS-SCALE: How to create a user granted with a privilege of Local Administrator?

systract

Dabbler
Joined
Oct 7, 2022
Messages
32
Just upgraded to TrueNAS-SCALE-22.12.0

Saw a warning message:

Root user has their password disabled, but as there are no other users granted with a privilege of Local Administrator, they can still log in to the Web UI. Please create a separate user for the administrative purposes in order to forbid root from logging in to the Web UI.


Question: how to create a user granted with a privilege of Local Administrator?
 

Kris Moore

SVP of Engineering
Administrator
Moderator
iXsystems
Joined
Nov 12, 2015
Messages
1,471
Sure! You create a new user and for the groups, add them to the "builtin_administrators" group.

We'll need to document that better, but here's a rough guide:

 

systract

Dabbler
Joined
Oct 7, 2022
Messages
32
Thanks Kris!

I created a brand new user with the "builtin_administrators" group, however when I tried to log in with it through the web UI, it keeps complaining about a wrong username or password:

Did I miss anything?

[screenshot attached]
 

tprelog

Patron
Joined
Mar 2, 2016
Messages
297
Do you have the password enabled?

[screenshot attached]
 

systract

Dabbler
Joined
Oct 7, 2022
Messages
32
@tprelog, yes the password is enabled.

Below is the actual error message:

[screenshot attached]

 

systract

Dabbler
Joined
Oct 7, 2022
Messages
32
I didn't disable root password before trying the new account, was that the reason?
 

Daisuke

Contributor
Joined
Jun 23, 2011
Messages
1,041
I don't know why you used primary group as builtin_administrators. Standard Linux user creation defines the same userid and groupid, then you can add additional groupids to your user. A standard Linux user also requires a /home directory defined, in your case /mnt/pool/dataset/username.

I'm not saying you should do this, I'm saying when I do this, I don't have any issues logging into the UI or ssh with a non-root user in Bluefin 22.12.0. Auxiliary groupid 96 is builtin_administrators; names showing as ids will be fixed in Bluefin 22.12.1.

[screenshot attached]


I didn't disable root password before trying the new account, was that the reason?
Nothing to do with your issue.
 
Joined
Aug 7, 2021
Messages
6
Sure! You create a new user and for the groups, add them to the "builtin_administrators" group.

We'll need to document that better, but here's a rough guide:


Good info. But I have to ask: since this operation will be done by everyone, create a link on that message popup which, when clicked, will create a new user with all the correct options selected. The admin user should only need to enter a username and password.

Or do this upon installation?
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
Why would I want to create a new user? I want to continue to login as root.
 

systract

Dabbler
Joined
Oct 7, 2022
Messages
32
I don't know why you used primary group as builtin_administrators. Standard Linux user creation defines the same userid and groupid, then you can add additional groupids to your user. A standard Linux user also requires a /home directory defined, in your case /mnt/pool/dataset/username.

I'm not saying you should do this, I'm saying when I do this, I don't have any issues logging into UI or ssh with a non-root user in Bluefin 22.12.0. Auxiliary groupid 96 is builtin_administrators, names showing as ids will be fixed in Bluefin 22.12.1.

[screenshot attached]


Nothing to do with your issue.
The screenshot is helpful, thanks!
I had no preference, was just using default values when creating a new user.
 

Daisuke

Contributor
Joined
Jun 23, 2011
Messages
1,041
Why would I want to create a new user? I want to continue to login as root.
You can do that, of course. Myself, I prefer to prohibit direct root access to any Linux box. Until Bluefin, this was not possible. SMB was the first place where non-root permissions were enforced in TrueNAS; it makes sense to be consistent. It is common practice not to allow direct root access to any Linux box, exposed to the web or not.
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
I'm okay with "root" for a UI with admin privileges, since that is just a name, anyway. I disable root SSH login and password SSH login.
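The SSH side of what Patrick describes (no root login, no password login) is easy to get wrong in sshd_config because sshd takes the first value it sees for a keyword and treats everything after a Match line as conditional. The checker below is an added example, not Patrick's or TrueNAS's code; it parses sshd_config text with those two rules and reports the effective global values. The defaults used when a keyword is absent (PermitRootLogin prohibit-password, PasswordAuthentication yes) are assumed from sshd_config(5) for current OpenSSH, and the sample config is constructed, not taken from a real host.

```python
# Added example, not Patrick's or TrueNAS's code. sshd takes the FIRST value it
# sees for a keyword and treats everything after a Match line as conditional,
# so a hardening line appended at the end of sshd_config may change nothing.
# Defaults for absent keywords are assumed from sshd_config(5) (current OpenSSH).
import re

WANTED = {"permitrootlogin": "no", "passwordauthentication": "no"}
DEFAULTS = {"permitrootlogin": "prohibit-password", "passwordauthentication": "yes"}


def effective_global_settings(config_text):
    """keyword -> value using sshd's first-wins rule, stopping at the first Match block."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        if key == "match":
            break  # later lines apply only to matching connections
        seen.setdefault(key, parts[1].strip().lower() if len(parts) > 1 else "")
    return seen


def root_ssh_findings(config_text):
    """Keywords whose effective global value is not the hardened one."""
    s = effective_global_settings(config_text)
    return [f"{k} is effectively '{s.get(k, DEFAULTS[k])}' (expected '{v}')"
            for k, v in WANTED.items() if s.get(k, DEFAULTS[k]) != v]


# Constructed sample, not a real host's file: the two hardening lines at the
# bottom come after an earlier value AND sit inside a Match block, so they lose.
SAMPLE_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
Match User backup
    PasswordAuthentication no
PermitRootLogin no
PasswordAuthentication no
"""

if __name__ == "__main__":
    for finding in root_ssh_findings(SAMPLE_SSHD_CONFIG):
        print("FINDING:", finding)
```

Run it against the real file with `root_ssh_findings(open("/etc/ssh/sshd_config").read())`; an empty list means both settings are effectively off globally. `sshd -T` prints the same effective values and is the authoritative check on a live host.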
 

Kris Moore

SVP of Engineering
Administrator
Moderator
iXsystems
Joined
Nov 12, 2015
Messages
1,471
We've updated the docs as well to explain this process in more detail. For what it's worth, a lot of industry security regulations require disabling of the root user for administration tasks, so this helps move TrueNAS more in that direction.

 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
IMO, it is not just a name. It is linked to the most important account. Personally, I prefer not to use root for anything. I've been doing this for many years, and I was happy to see I can finally do it in TrueNAS.
As long as logging in as "admin" vs. as "root" leads to the exact same UI that is itself running with the exact same privileges, there really is no difference. As soon as we get role-based granular administration, we are talking. Maybe this change is just a first step. Also: audit of administrative changes.

OPNsense does it quite nicely. If you use the git plugin to push your changes to a repo it even logs which admin account was responsible for each particular change.
 

systract

Dabbler
Joined
Oct 7, 2022
Messages
32
We've updated the docs as well to explain this process in more detail. For what it's worth, a lot of industry security regulations require disabling of the root user for administration tasks, so this helps move TrueNAS more in that direction.

Awesome!

Is there any recommendation regarding the user's home directory when creating a builtin_administrators?
The default is "/mnt/nonexistent", which I assume is not a good one(?).
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Awesome!

Is there any recommendation regarding the user's home directory when creating a builtin_administrators?
The default is "/mnt/nonexistent", which I assume is not a good one(?).
builtin_administrators is a group. It's just a default builtin group that automatically has all privileges for API users. From the standpoint of the middleware, members of this group are de facto root. There is a privilege API that can grant permissions to local (and in the near future AD) groups to middleware API endpoints at a more granular level.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Since any user you add as a member of builtin_administrators is a super-user it behooves you to make sure that its homedir is only accessible as that user (e.g. mode of 0o700).
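The thread's guidance adds up to a short checklist: give the new user its own primary group with builtin_administrators as an auxiliary group (Kris, Daisuke), make sure the password is enabled (tprelog), give it a real home directory rather than the "/mnt/nonexistent" default (systract's question), and keep that home at mode 0700 because the account is de facto root (anodos). The script below is an added example and not TrueNAS code or anything posted in this thread. It builds a `user.create` payload following that checklist and flags the pitfalls before the call, then audits existing members of builtin_administrators for a private, correctly owned home directory. Assumptions not confirmed on the page: the middleware is invoked as `midclt call user.create <json>`, the payload keys used here match the `user.create` schema, and `home_mode` is an octal string; gid 96 for builtin_administrators is taken from Daisuke's post. The passwd/group/stat sample data is constructed so the audit runs offline.

```python
# Added example, not TrueNAS code. Assumed (not confirmed in the thread): the
# middleware is driven with `midclt call user.create <json>`, the payload keys
# match the user.create schema, home_mode is an octal string; gid 96 is from Daisuke's post.
import json
import os
import stat
import subprocess

BUILTIN_ADMINS = "builtin_administrators"
BUILTIN_ADMINS_GID = 96                # from the thread (Bluefin 22.12.0)
NONEXISTENT_HOME = "/mnt/nonexistent"  # the UI default mentioned in the thread


def build_admin_payload(username, full_name, password, home):
    """Local Administrator per the thread: own group, builtin_administrators auxiliary, 0700 home."""
    return {
        "username": username,
        "full_name": full_name,
        "group_create": True,            # own primary group, not builtin_administrators
        "groups": [BUILTIN_ADMINS_GID],  # this membership is the Local Administrator privilege
        "home": home,
        "home_mode": "700",              # the account is de facto root: keep its home private
        "password": password,
        "password_disabled": False,      # tprelog's question: is the password enabled?
    }


def payload_problems(p):
    """Issues raised in the thread that apply to payload `p` (empty list if none)."""
    problems = []
    if not p.get("password") or p.get("password_disabled"):
        problems.append("password is missing or disabled")
    if BUILTIN_ADMINS_GID not in p.get("groups", []):
        problems.append("not a member of builtin_administrators, so not a Local Administrator")
    home = p.get("home", "")
    if home in ("", NONEXISTENT_HOME) or not home.startswith("/mnt/"):
        problems.append("home is not a real dataset path under /mnt")
    if p.get("home_mode") != "700":
        problems.append("home_mode is not 700")
    return problems


def create_admin_user(payload):
    """Invoke the middleware (assumed CLI form); only meaningful on the TrueNAS box itself."""
    return subprocess.run(["midclt", "call", "user.create", json.dumps(payload)],
                          check=True, capture_output=True, text=True).stdout


def parse_passwd(text):
    """username -> (uid, home) from /etc/passwd-style text."""
    users = {}
    for line in text.splitlines():
        f = line.split(":")
        if len(f) >= 7:
            users[f[0]] = (int(f[2]), f[5])
    return users


def admin_members(group_text):
    """Members listed on the builtin_administrators line of /etc/group-style text."""
    for line in group_text.splitlines():
        f = line.split(":")
        if len(f) >= 4 and f[0] == BUILTIN_ADMINS:
            return [m for m in f[3].split(",") if m]
    return []


def home_problems(username, uid, home, st):
    """Findings for one admin's home; `st` is an os.stat-like result, or None if it does not exist."""
    if home == NONEXISTENT_HOME or st is None:
        return [f"{username}: home {home} does not exist"]
    out = []
    if st.st_uid != uid:
        out.append(f"{username}: home {home} is owned by uid {st.st_uid}, not {uid}")
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:  # group or other has some access
        out.append(f"{username}: home {home} is mode {mode:o}, expected 700")
    return out


def audit_local_administrators(passwd_text, group_text, stat_fn=os.stat):
    """All findings for every member of builtin_administrators."""
    users, findings = parse_passwd(passwd_text), []
    for name in admin_members(group_text):
        if name not in users:
            findings.append(f"{name}: in {BUILTIN_ADMINS} but not in passwd")
            continue
        uid, home = users[name]
        try:
            st = stat_fn(home)
        except FileNotFoundError:
            st = None
        findings.extend(home_problems(name, uid, home, st))
    return findings


# Constructed sample data (not from a real system) so the audit runs offline.
SAMPLE_PASSWD = "\n".join([
    "alice:x:3000:3000:Alice:/mnt/tank/home/alice:/usr/bin/bash",
    "bob:x:3001:3001:Bob:/mnt/nonexistent:/usr/sbin/nologin",
    "carol:x:3002:3002:Carol:/mnt/tank/home/carol:/usr/bin/bash",
])
SAMPLE_GROUP = "builtin_administrators:x:96:alice,bob,carol\ndocker:x:999:\n"
SAMPLE_STATS = {  # (st_mode, ino, dev, nlink, st_uid, gid, size, atime, mtime, ctime)
    "/mnt/tank/home/alice": os.stat_result((stat.S_IFDIR | 0o700, 0, 0, 1, 3000, 3000, 0, 0, 0, 0)),
    "/mnt/tank/home/carol": os.stat_result((stat.S_IFDIR | 0o755, 0, 0, 1, 3000, 3000, 0, 0, 0, 0)),
}

if __name__ == "__main__":
    p = build_admin_payload("admin", "Local Administrator", "change-me", "/mnt/tank/home/admin")
    print("payload problems:", payload_problems(p) or "none")  # then create_admin_user(p) on the box
    for finding in audit_local_administrators(SAMPLE_PASSWD, SAMPLE_GROUP, stat_fn=SAMPLE_STATS.get):
        print("FINDING:", finding)  # on a TrueNAS box, pass the real /etc/passwd and /etc/group text
```

On the sample data the audit reports bob's non-existent home and two findings for carol (wrong owner, world-readable), and nothing for alice. On a live SCALE box, feed it the contents of /etc/passwd and /etc/group with the default `stat_fn`; the same 0700 rule applies to any home directory you later move an administrator to.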
 

Daisuke

Contributor
Joined
Jun 23, 2011
Messages
1,041
As long as logging in as "admin" vs. as "root" leads to the exact same UI that is itself running with the exact same privileges, there really is no difference.
Actually, starting with Bluefin it is. If you disable the password for the root user, like you do, you will not be able to log in to the UI with the root user. In Angelfish you can. People were complaining in the forums that they cannot log in to the UI any more with the root user. :smile:
 

systract

Dabbler
Joined
Oct 7, 2022
Messages
32
Since any user you add as a member of builtin_administrators is a super-user it behooves you to make sure that its homedir is only accessible as that user (e.g. mode of 0o700).
Thanks!

Guess my question should be: is a home directory mandatory for a new builtin_administrator?
 