FreeNAS, CIFS, and user login problems


I have been in the process of converting from the dead-end Windows Home Server product to a FreeNAS server for my home NAS.  I was trying to replicate the same sort of set up that WHS had for user directories.  In WHS, there was a share called "Users" and under that share there were various user directories corresponding to each user account.  I thought it would be pretty simple to replicate that same behavior to allow users to simply attach to \\nas-server-name\Users in Windows, and then navigate to their own user folder.  What follows is how I achieved this, as well as a problem I fought with for a while that prevented certain users from connecting via CIFS.

First, I started off the process by installing FreeNAS to a USB stick, added a few disks in the server, plugged in the USB stick and booted up.  I performed basic config for the networking, and admin account passwords, and turned on the CIFS service.

Next, I created a some user accounts for my wife and myself, and then one for my son.  The primary group for each of these accounts was the same as the user name.  Also, I made sure to create these accounts with the same username as the username each person uses on their computer to login.  This will just help simplify things later on when they go to attach to the shares.  I then created a group called "parents" for my wife and myself, and then created a group called "users" that everyone was part of.

I then created a ZFS RAID-Z set with all the disks I had added to the server.  I then created a ZFS volume called "main" which was the root of my RAID-Z set and set the owner to "nobody" and group to "parents" with read, write, and execute permissions for the owner and group.  I then proceeded to create ZFS datasets underneath the main ZFS volume for each of my share points.  I did this because this would allow me to set size limits on each share type to control disk usage.  For each dataset that I only wanted my wife and I to access, I set the owner to "nobody", and the group to "parents".  For the Users share, though, I set the group to "users".  I also created additional datasets under "Users" for each user to be able to set per user directory quotas, setting the owner to the user for that dataset, and the group to "parents" for all of them.
The "main" volume, and the ZFS datasets below that volume
At this point, I logged in with my user account, and my wife's user account and everything seemed to be working great.  The problem was, I couldn't connect to any share with my son's account!  The problem had to do with the permissions I had set on the "main" volume.  I had set the owner to "nobody" and group to "parents", and I had read, write and execute for the owner and group, but no permissions for other.  This sort of configuration would only allow members of the "parents" group to traverse this directory, which means that my son who was only part of the "users" group couldn't get down to his own share because this top level directory was preventing him from doing so.

The "incorrect" permissions on the main volume.
The reason for this is that *nix file system permissions on directories can be used to control if you can "traverse" a directory or not by setting the "execute" bit on that directory.  Because I didn't allow everyone (or at least a group that my son was part of) to traverse through the main volume, only my wife and I could traverse because we were part of the "parents" group and had the execute permission.

Once I changed the permissions on the "main" volume to allow "Other" to Read and Execute, my son was able to login, and could only go down to his own user directory to work with his files.  My wife and I could see and manipulate everything on the NAS, which is exactly what I was striving for.

Comments

Unknown said…
Great post! Thanks! I'm curious to know how you handled permissions and access on your other directories (Music, Videos, Photos, & Public). Thanks!
March 26, 2013 7:37 PM
Chris DeLashmutt said…
For the other directories, I made the "nobody" user the owner, and then the "parents" group the group owner. Then I set Read, Write and Execute for the Owner and Group, but didn't check any of the boxes for "Other". I just wanted my son to have access to his own directory, for now.

In the future I may tweak this slightly, so that I'll allow "Other" to Read and Execute on most of the "non-sensitive" shares. That way, my son could access Music, and Movies, but couldn't accidentally delete them.
May 01, 2013 7:43 AM
Unknown said…
I noticed using your tip to set permissions at the root level data set, to enable "Other" to only execute; without read access. This still allows users with limited access to down-steam or nested data sets, to login without having read access to the root level dataset. Which is something I have been trying to figure out to protect certain data from unauthorized access by other users.

Thanks for posting this! I have been hoping to avoid going bald trying while to figure out why I had so many issues setting up permissions with limited access. dii
August 22, 2013 1:15 AM
Unknown said…
You, sir, are a star.

It's taken me 3 1/2 hours and multiple attempts to get to the stage where I have a set of folders I can get to, and a limited set of folders my kids can get to.

Many, many thanks.
February 07, 2014 6:25 PM
vedviveka said…
Can your son browse your diretories?
I am struggling since last two days to achieve this..we are five users..I want one or two users to see and access all the five peoples data but restrict remaining three to only access their own home directory or three users directory i.e. first two users should be invisible to remaining three..Can you guide me how to do it..
February 14, 2014 12:17 AM
Post a Comment

Popular posts from this blog

Using Snapshot Isolation with SQL Server and Hibernate

In the course of working on some deadlock issues, I found that MS SQL Server exhibits some unexpected (to me, at least) locking behaviors that can affect performance and cause deadlocks. In the end, I found that SQL Server provides an isolation level called Snapshot isolation which removes the need for locks on rows and removes lock contention. To use this isolation level, you need to execute the following SQL on the database that you want to use the isolation level with (replacing MyDatabase with your database name, of course): ALTER DATABASE MyDatabase SET ALLOW_SNAPSHOT_ISOLATION ON ALTER DATABASE MyDatabase SET READ_COMMITTED_SNAPSHOT ON Next, you need to modify your hibernate.cfg.xml file to add a property to tell Hibernate to use the Snapshot Isolation level: <!-- The 4096 isolation level is the setting to use with the jTDS or Microsoft JDBC drivers --> < property name =”hibernate.connection.isolation”>4096</property> Snapshot isolation is not a panacea...
Read more

Official Pandora Desktop and Hotkey Support?

EDIT: There is a slight problem occasionally with this script not being able to send keys to the Pandora Desktop Air app. I've got an updated version of the script that you can use instead of this one. Pandora is a different sort of online music service that uses the work of the Music Genome Project to automatically selects music similar to an artist or particular song, and then streams it over the Internet for your listening pleasure. You can't select individual songs, but you can skip ones you don't like and make as many music channels as you like to suit your particular tastes. Pandora provides a free version of the product that is supported by visual advertising, and a very inexpensive ($36 USD per year as of the creation of this entry) subscription supported version of the product that provides higher quality streams and no advertising. Traditionally, Pandora has been a Flash-based application that required you to have your bulky browser open to listen on the deskto...
Read more