Set Permission to allow users to share a common folder & have private personal folder



ProtoSD
07-19-2011, 11:36 PM
If you have 2 or more users that want to have private personal folders, but want to share a common folder that a certain 'group' of users have full common access to, this is a guide to start from. Note: This guide is based on FreeNAS 8.01 beta4. The folders here are for example only; the '/mnt/storage' should be replaced with the name of your volume, which you can find by doing a 'df' from the command line on the FreeNAS system (using ssh to log in). Look for the line that shows '/mnt/your-volume-name'.

DUE TO FORUM CONSTRAINTS YOU CAN NOW FIND THIS HOW-TO AT THE LINK BELOW:

General Permissions & Sharing folders between users (http://protosd.blogspot.com/2011/12/general-permissions-sharing-folders.html)

I'll still respond to questions here or there, but please read this entire thread before asking questions.







lashfay
09-01-2011, 06:14 AM
protosd, Many thanks on your guide.

I have used this on my NAS. Just thought I would let others know, if you have followed this guide and tried to connect to a windows share (CIFS) and you get an error 'Contact your administrator' or similar when trying to connect - just reboot your PC. I thought I was going crazy, reinstalled FreeNAS 3 times trying to get this to work. All I needed was a quick reboot.

Dave.

gcooper
09-27-2011, 12:06 AM
I'm going to add some more info here about permissions since so many people don't understand them. I'll be explaining them from the command line and later try and tie that back into using the GUI. First, here's a screen shot that I'll use as a reference.

http://img690.imageshack.us/img690/9876/permissions1.jpg

Let's start with the first 2 lines:

drwxr-xr-x 20 root wheel 512 Sep 23 19:36 ./
drwxr-xr-x 20 root wheel 512 Sep 23 19:36 ../

The first line with ./ is the directory/folder that you are currently set to & viewing files in.

The second line ../ is the parent directory, or the one that is above the current folder/contains the current folder.

The Owner of both is 'root' and the group is 'wheel'.
The group 'wheel' means that any USER that is a member of that group has the privileges of that group.

So above, any user belonging to 'wheel' only has 'read & execute' permissions.
This means they can list and read files.

Without the execute, a user would not be able to 'ls' (list) the files, or 'cd' to that folder.
With only 'read', a user could look at a file only if they knew the name of the file in that folder.

You can change the group that a FILE or DIRECTORY is a member of by doing:
'chgrp othergroup your-file' or with multiple files with 'chgrp othergroup *.jpg'

If you want to change the group for every file and directory in the current directory AND below it, you would do 'chgrp -R othergroup ./*'

ACEs/ACLs are really awesome, but make things a lot more complicated. It should be covered elsewhere, but if you want more refined permissions it should be done via ACEs/ACLs, as they can provide finer grained access for one or more users or groups.

TDPsGM
11-01-2011, 09:49 PM
Using the GUI is this where the 'Datasets' come into play?

ProtoSD
11-01-2011, 09:57 PM
Yes, datasets appear as subdirectories to your main volume, but datasets can have their own snapshots, mountpoints, permissions etc. They're great for compartmentalizing your data, and being able to have separate snapshots is nice because they're smaller and you can customize them to expire etc. separately.

TDPsGM
11-02-2011, 08:07 AM
Thanks protosd.
I am doing lots of reading the last couple 2 days trying to get up to speed on this.
It is kinda like drinking from a fire hose and I am starting to get a few things confused.

Did I understand that it is not a good thing to have 2 "Windows_Shares" on the same volume you create?

When I tested the Datasets with a single share, and 2 users I was able to reproduce what you had described above. But what I was going for was to not have one user, browse the files of the other user.

It seems that I can do this by creating different 'Shares' and having the 'root' or 'path' (I'm still working on the proper terminology) of one of the shares being 'nested' deeper than the other.

ie: Guest account (or Share) path being rooted at: \Volume_1\Guest

and the Administrator of the Volume being rooted at: \Volume_1

Am I correct in my impression that this is not a good thing?

=============

A quick side question: I saw another post you made ( I am pretty sure it was you ) regarding the setup of 'users', but I just can't find it. It had to do with the checking of disable password and home directories. Do you have the link per chance? Thanks.

ProtoSD
11-02-2011, 11:17 AM
Did I understand that it is not a good thing to have 2 "Windows_Shares" on the same volume you create?

I'm not sure where you saw that, but I'm not aware of anything. I have several Windows shares on my volume without any problems.


When I tested the Datasets with a single share, and 2 users I was able to reproduce what you had described above. But what I was going for was to not have one user, browse the files of the other user.

I'm not sure I understand what you're asking here. You want 2 users, but only 1 of them should be able to see both users' directories?


It seems that I can do this by creating different 'Shares' and having the 'root' or 'path' (I'm still working on the proper terminology) of one of the shares being 'nested' deeper than the other.

Anything you can do by nesting, you should be able to do un-nested.


Am I correct in my impression that this is not a good thing?

It depends on what you are trying to do. There's nothing wrong with it.


A quick side question: I saw another post you made ( I am pretty sure it was you ) regarding the setup of 'users', but I just can't find it. It had to do with the checking of disable password and home directories. Do you have the link per chance?

I have a vague recollection of that post, but I'd have to search for it. I'll try to post back later and see if I can elaborate on some stuff, I haven't had my 'coffee' yet and I've got a busy day ahead.

TDPsGM
11-02-2011, 12:02 PM
****re: Did I understand that it is not a good thing to have 2 "Windows_Shares" on the same volume you create?****

I'm not sure where you saw that, but I'm not aware of anything. I have several Windows shares on my volume without any problems.

Ok, I thought I might have got that wrong. Thanks.




****re: When I tested the Datasets with a single share, and 2 users I was able to reproduce what you had described above. But what I was going for was to not have one user, browse the files of the other user.****
I'm not sure I understand what you're asking here. You want 2 users, but only 1 of them should be able to see both users' directories?

Basically . . . yes (2 or more users, but for simplification let's call it 3 users).
I am trying to give each user a place that they can access to store files.
User1 will be the administrator who can see and access everything.
User2 has his/her set of files
User3 has his/her set of files

I created a Volume called:
FreeNAS_Volume_1

I then created a dataset
/mnt/FreeNAS_Volume_1/user2
and assigned the same mount point to user2
and a share called; user2

I then created a dataset
/mnt/FreeNAS_Volume_1/user3
and assigned the same mount point to user3
and a share called; user3

I then created a share called Administrator with a mount point:
/mnt/FreeNAS_Volume_1
and assigned the same mount point to user1

If I login to the share for user 2, I can get in ok, but then I can back out of it and click on the administrators share and "see" all of the datasets for both user 2 and user3. I am not sure why logging into one share would let me 'into' view another share's files.

I can click on any of the shares 'before' I log into user2's share and each one asks me for the login info, but like I said, once you log into one, you can browse the others. This is what I am trying to avoid.

Hopefully that makes sense.



Anything you can do by nesting, you should be able to do un-nested.

I figure it has to do with configuring permissions for users and groups, but I am having issues with that too.
For example when I change the permission set for a single user (or a group) ALL of them get changed! . . . I don't get it.




****re: Am I correct in my impression that this is not a good thing?****

It depends on what you are trying to do. There's nothing wrong with it.

ok, thanks


I have a vague recollection of that post, but I'd have to search for it. I'll try to post back later and see if I can elaborate on some stuff, I haven't had my 'coffee' yet and I've got a busy day ahead.
If I remember correctly, there was something about not setting the "Home Directory" right away and leaving it to '/nonexistent' and something about 'disable password logins' and possibly even about the 'Primary Group' being set to nobody.

I don't know if that helps much. I have been doing as much reading as I can on everything and it is getting a touch jumbled up.

Thanks for the help!

ProtoSD
11-03-2011, 01:46 AM
Hi TDPsGM,

Here is the link to the thread you were asking about:
http://forums.freenas.org/showthread.php?1541-odd-files-in-my-media-folder

I need some more time to look at what you're trying to do and post the details. Hang in there cause
It is kinda like drinking from a fire hose and I am starting to get a few things confused.

This is kind of what I'm feeling like trying to answer questions right now! :-)

If anyone else wants to jump in and help @TDPsGM please feel free! There are always multiple solutions to stuff in Unix and I'm more of a command line guy than a GUI guy.

ProtoSD
11-03-2011, 02:56 PM
Ok, I thought I might have got that wrong. Thanks.

Basically . . . yes (2 or more users, but for simplification let's call it 3 users).
I am trying to give each user a place that they can access to store files.
User1 will be the administrator who can see and access everything.
User2 has his/her set of files
User3 has his/her set of files

I created a Volume called:
FreeNAS_Volume_1

I then created a dataset
/mnt/FreeNAS_Volume_1/user2
and assigned the same mount point to user2
and a share called; user2

I then created a dataset
/mnt/FreeNAS_Volume_1/user3
and assigned the same mount point to user3
and a share called; user3

I then created a share called Administrator with a mount point:
/mnt/FreeNAS_Volume_1
and assigned the same mount point to user1

If I login to the share for user 2, I can get in ok, but then I can back out of it and click on the administrators share and "see" all of the datasets for both user 2 and user3. I am not sure why logging into one share would let me 'into' view another share's files.

I can click on any of the shares 'before' I log into user2's share and each one asks me for the login info, but like I said, once you log into one, you can browse the others. This is what I am trying to avoid.

Hopefully that makes sense.


I figure it has to do with configuring permissions for users and groups, but I am having issues with that too.
For example when I change the permission set for a single user (or a group) ALL of them get changed! . . . I don't get it.




1. Create another dataset for your Administrator

2. Make a group for every user, it can be the same as the username

3. Make sure each user is only a member of their own group and not a member of any other group.
(Account-> Group -> View All Groups)

http://forums.freenas.org/attachment.php?attachmentid=406&d=1320361070

4. (chmod -R 770 / chgrp -R group) on each dataset (Owner RWX, Group RWX) by using the GUI like below.

http://forums.freenas.org/attachment.php?attachmentid=405&d=1320361069

5. Make Administrator a member of both of user's groups as well as its own.

6. Repeat step 4 for Administrators dataset

TDPsGM
11-04-2011, 05:46 PM
Thanks Protosd for all the help!

I was away from home and just got back and will give this a try.

While away I reread the manual and came across 2 things that may be hanging me up here.

#1. Under the "Account Configuration" section it states:

2. Create a user account for every user in the network where the name of each account is the same as a logon name used on a computer

Is there no way to create a generic "Username" and "Password" that can be used to log into a particular Share/Dataset that is not tied to the computer you are using? That is what I am going for.

#2. The "How To Videos" suggest the Type of ACL should be Unix and not windows. I do have Ubuntu on a couple of machines and so it was my understanding that I should use Unix if everything on the network is not windows based.


This may be out of context, but at the beginning of this thread you spoke of using command line to make changes. In the same "Account Configuration" section it states:


NOTE: It is important to use the GUI for all password and account management. FreeNAS™ uses a configuration database to store these settings. While you can use the command line to modify passwords, users, and groups, changes made at the command line are not written to the configuration database. This means that any changes made at the command line will not persist after a reboot and will be overwritten by the values in the configuration database during an upgrade.

Has this changed at all?

Thanks again for your help.

TDPsGM
11-04-2011, 06:27 PM
Create another dataset for your Administrator


Do I have to create the dataset - can I not have the Administrators access point be /mnt/FreeNAS_Volume_1?

That way I can (as the administrator) drill down into the other datasets?

gcooper
11-04-2011, 10:26 PM
I'm not sure where you saw that, but I'm not aware of anything. I have several Windows shares on my volume without any problems.

There's nothing in Samba restricting you from doing that, and there's nothing in FreeNAS that does that either. It's not necessarily the best use of resources, but there's nothing preventing one from doing this.


I'm not sure I understand what you're asking here. You want 2 users, but only 1 of them should be able to see both users' directories?

Yes. That's possible as long as the permissions are set appropriately.


Anything you can do by nesting, you should be able to do un-nested.

Yes.


It depends on what you are trying to do. There's nothing wrong with it.

Indeed. I've seen very permissive setups done by users s.t. other users could touch/modify files in their directories in a collaborative manner -- as protosd said, it all depends.

gcooper
11-04-2011, 10:46 PM
Thanks Protosd for all the help!

I was away from home and just got back and will give this a try.

While away I reread the manual and came across 2 things that may be hanging me up here.

#1. Under the "Account Configuration" section it states:

Is there no way to create a generic "Username" and "Password" that can be used to log into a particular Share/Dataset that is not tied to the computer you are using? That is what I am going for.

#2. The "How To Videos" suggest the Type of ACL should be Unix and not windows. I do have Ubuntu on a couple of machines and so it was my understanding that I should use Unix if everything on the network is not windows based.

This may be out of context, but at the beginning of this thread you spoke of using command line to make changes. In the same "Account Configuration" section it states:

Has this changed at all?

Apart from some volume / dataset management bits, no. Please realize that inventing code to grab info from the underlying system instead of intercepting calls makes things more difficult to implement, test -- and most of all maintain longterm. I think people misunderstand this important point when they gripe about us having middleware to manage this stuff, without understanding the motivation for it.

The same thing ultimately applies for FreeNAS 7 I'm sure.

TDPsGM
11-05-2011, 05:56 AM
1. Create another dataset for your Administrator

2. Make a group for every user, it can be the same as the username

3. Make sure each user is only a member of their own group and not a member of any other group.
(Account-> Group -> View All Groups)

http://forums.freenas.org/attachment.php?attachmentid=406&d=1320361070

4. (chmod -R 770 / chgrp -R group) on each dataset (Owner RWX, Group RWX) by using the GUI like below.

http://forums.freenas.org/attachment.php?attachmentid=405&d=1320361069

5. Make Administrator a member of both of user's groups as well as its own.

6. Repeat step 4 for Administrators dataset


Ok, I started clean (fresh install of FreeNAS 8) as I wanted to make sure my thrashing around while playing wasn't going to affect anything.

Thanks again Protosd! It worked perfectly, and as I had hoped.

I am still not sure why the manual says:
Under the "Account Configuration" section it states:
2. Create a user account for every user in the network where the name of each account is the same as a logon name used on a computer


I am not entirely happy with just using it blindly as it opens me up to potentially stubbing my toe in the future (I try to understand 'why' it is I am doing something). For now I am comfortable with it.
I can log in from any computer on the network with just the username and password for the share(s) that have been given permission to that user.

TDPsGM
11-05-2011, 06:10 AM
There's nothing in Samba restricting you from doing that, and there's nothing in FreeNAS that does that either. It's not necessarily the best use of resources, but there's nothing preventing one from doing this.

Thanks for weighing in on this gcooper!

Could you clarify this for me?

I'll take a stab at it because I was wondering about setting it up this way, and maybe this is what you meant (I don't have the time to test my theory just yet but here it goes):

1. Have 1 Share on the Volume.

2. Set up the datasets within that volume

3. Assign permissions to those datasets

4. Set the 'Home Directory' to those data sets in each users "Home Directory" field.

Did I get that right? I am assuming then every user can log into that share with their own unique username and pw and be off to the races (so to speak).

I'll play with it later tonight, but am I on the right track with what you were inferring?

Visseroth
11-05-2011, 03:52 PM
I have to ask because I am just not finding it.
Where is the "Change Permissions" option in the GUI so that I can set user permissions in a share or group?

ProtoSD
11-05-2011, 04:15 PM
Yeah, they can be a little tricky to find if you're not used to working with the GUI. They're under Storage -> Volumes -> View All Volumes
For each mountpoint there's an icon on the right that looks like a little stack of disks with a 'wand' or something over the top of it.

Visseroth
11-05-2011, 04:27 PM
Ahh, I see, that is for changing permissions for the volume. I'm wanting to change the permissions for a folder so I can set a user to read only and set others according to what they should be.
I don't see an option in the gui for that.
For instance I have a media user. This user has access to my HomeShares folder but I want that user set to read only.

ProtoSD
11-05-2011, 04:36 PM
Hmmm, in that case the GUI can't do that, at least not yet. I'm not sure what the plans are for adding that. You'll have to reference the black screenshot above and make those changes from the command line. Permissions can be really difficult for beginners to understand and to explain in a forum like this. Take a look at YouTube, there are a ton of videos explaining permission for Unix/Linux.

Visseroth
11-05-2011, 05:15 PM
Thanks, I'm doing that now and thanks for turning me in the right direction. The video link you gave me (http://www.youtube.com/watch?v=4U7PxdAwvM8) really helps me understand how to set permissions better.
Thanks a ton!

arjan24
11-05-2011, 08:36 PM
Very informative thanks FreeNAS team...

digitaltrash
11-06-2011, 09:30 AM
wonderful explanation, protosd. Thank you :) Precisely what I needed to know.

Just a few questions:
1. Is there a limit on how many users can be setup this way? I may have just about a 100 users.
2. Could the "Storage" share be hidden when alpha/beta user logs in? I enabled the home folders, and just want them to see their own folder show up when they login (plus the common share folder).
3. Is there a way to save this configuration to a file when all the settings are done? I'd like to keep a backup in case my usb melts :)
4. How much coffee do you guys drink?

ProtoSD
11-06-2011, 11:46 AM
wonderful explanation, protosd. Thank you :) Precisely what I needed to know.

Just a few questions:


Appreciate the feedback Digitaltrash :-)


1. Is there a limit on how many users can be setup this way? I may have just about a 100 users.

There should be no problem adding 100 users like this, but there could be other problems. You'll need more RAM the more simultaneous users you have. You'll probably need to do some tuning, sysctl.conf & loader.conf. I'm not sure if FreeNAS has other limitations, but I think it should be ok. Normally you would let a server handle the user part and then the server would handle accessing the NAS.

How many users will be online at the same time?
Will they possibly be attempting to access the same files simultaneously?


2. Could the "Storage" share be hidden when alpha/beta user logs in? I enabled the home folders, and just want them to see their own folder show up when they login (plus the common share folder).

I'm not sure what you mean here. The storage can be eliminated if you only want users to access their own files, but it can't just disappear when someone logs in.


3. Is there a way to save this configuration to a file when all the settings are done? I'd like to keep a backup in case my usb melts :)

Yup, read the docs, and you'll see Under System->Settings "Save Config". That won't save changes you make to loader.conf or sysctl.conf (Yet anyway, maybe 8.1).


4. How much coffee do you guys drink?

Not a lot, but more is always good ;-)

Visseroth
11-06-2011, 09:31 PM
You can hide shares however and then just make them a mount point or a shortcut on the users desktop. No one would otherwise be able to access the folder unless they knew exactly what the name and the path was.
I did that on mine by disabling "Browsable to Network Clients" under the CIFS share that I have created. I also double checked the permissions so that if anyone did find it that they wouldn't have access to it unless they were supposed to. 771=User has full access, group has full access, others have only executable access. Typically you'll use either 770 or 700.
BTW big thanks goes out to protosd for educating me on how to understand permissions, it's been a HUGE life saver!

Mirus
11-07-2011, 09:00 AM
Hello!
Thank you! Everything is working well.
Just a question: on each computer, I can see the owner folder (for example "beta") and another folder named "homes". I can't find this folder on Freenas; I think it's not a folder but an alias.
Is there a solution to erase this alias?
Thank you,
Mirus

digitaltrash
11-07-2011, 01:23 PM
Thank you for your reply, protosd :D


... You'll need more RAM the more simultaneous users you have.
I am planning on getting 32-64GB dedicated Xeon server built for this. I've read somewhere that with ZFS, one should consider getting a gig of memory per tb of storage, as a rule of thumb. I could have as much as 30-50 simultaneous users logged in, but not reading/writing to the same files/folders. I'm thinking 12TB storage tank should be enough. Now I need to read up on link aggregation and a good intel controller, any suggestions where would be a good start?


You'll probably need to do some tuning, sysctl.conf & loader.conf

Thanks for the heads up! Will search the forum for these settings.


The storage can be eliminated if you only want users to access their own files, but it can't just disappear when someone logs in.

That's precisely what I was asking. It would be nice for a user to log in to the contents of his/her home directory upon just entering \\freenas in IE, nothing else.

Another question came up: Is there any way to log-in as a different user on a W7 machine, after someone has already logged-in? It seems that if I log-in as user A, I remain logged-in as user A until I log-off from windows (I'm using freenas user/pass combination that differs from windows user/pass combo) and there is no way to log-out. Sure, one can use the \\IP_here instead of netbios name, but I feel that there must be a simpler and kosher way of doing this. Any ideas?

Thanks for all your responses, again :)

Visseroth
11-08-2011, 08:33 AM
Mirus: I'm not sure what exactly you're referring to but if there is an alias named "Homes" then it is probably a user. If you log into SSH and look at your mounted hard drives, ie. /mnt/storage you should see any folders that have been created. Your best bet in creating and managing folders is from the command prompt via SSH. For example I have folders named Home, User, Offsite. I set the permissions of these folders from command using chmod and selecting the groups for these folders using chgrp (groups have to be created first to set your groups). Once your folders have been created you can create your shares using your gui and then share them to the network. By using groups you can choose who has and doesn't have access to folders by adding or removing them from groups via the gui.

Digitaltrash: 32-64GB of RAM should be more than enough. You can also double check to see what your memory usage is via the gui under reporting and if you don't have enough RAM add more at a later date. You can do this by keeping an eye on your swap usage. If you have too much swap you may need more RAM. I'm running 8GB with 12TB of storage and for 3 to 6 users it's more than enough.
A good server intel controller will do the trick for link aggregation. I'm using dual onboard NIC on my Supermicro X7DBN server. They use a e1000 chipset and link aggregation works great.
I have to agree that it would be GREAT if folders could be hidden when users log in. I would LOVE this feature too and I think we should make it a suggestion on the forum to bring it to the developer's attention. Meanwhile what you could do if you wanted to is make the folders not browsable for those you want hidden (You can do this via the gui by clicking on your share) and then when you map the drives via script on a domain controller or when you map the drive directly from that person's desktop type the path in directly. Just because it's not browsable doesn't mean it's not accessible. For instance I have a folder that is not browsable but it is available but I have to type the path in and the user that wants to access it has to have permission otherwise the user would get "access denied".
In regards to logging in via a different user via W7, to my knowledge there is not besides logging off and back in. Besides doing such things poses security vulnerabilities from the desktop itself because if you are the admin and someone else sat down at that desktop they now have administrative rights to those files and that is not good practice.

ProtoSD
11-08-2011, 10:40 AM
Sorry guys, I'm spread a little thin and can't answer as easily. Thanks for jumping in Visseroth, appreciate the help.


Mirus: I'm not sure what exactly you're referring to but if there is an alias named "Homes" then it is probably a user.

There is a setting in CIFS to enable a 'Homes' directory, that might be what you are seeing. If you don't want it, just turn it off in the CIFS settings.


I have to agree that it would be GREAT if folders could be hidden when users log in.

I'm not sure what you guys are referring to here. It sounds like users are able to see a folder and then after logging in it disappears, that doesn't make sense so I'm sure there's another explanation. What is in the hidden folders? What's the purpose of having them?


In regards to logging in via a different user via W7, to my knowledge there is not besides logging off and back in.

There is *some* way to clear the cache on windows and switch users, but it's a hack. It's been posted here in the forums, but I'm not sure where.

Visseroth
11-08-2011, 11:07 AM
I'll try and explain this as best I can.
What we were talking about was a set of hidden folders that would only show up for the user if the user has permission to access them. All other folders that the user does not have permission to access would be hidden, thereby eliminating clutter and possibly even hiding information from user that they don't need to know or see. IE folder names.

ProtoSD
11-08-2011, 09:04 PM
I'll try and explain this as best I can.
What we were talking about was a set of hidden folders that would only show up for the user if the user has permission to access them. All other folders that the user does not have permission to access would be hidden, thereby eliminating clutter and possibly even hiding information from user that they don't need to know or see. IE folder names.

I don't think what you're asking for can be done easily, it's generally why users have separate folders. You can make a folder 'execute' only and that will prevent users from seeing the files or doing an 'ls', but it doesn't really accomplish what you're expecting and opens a whole other can of worms. If your users were using strictly Unix/Linux you could put a dot in front of the folder or file and that would make it hidden, but still not completely if you know how to look for it. There is a thing called ACL's (Access Control Lists) which @gcooper alluded to a few posts above which would probably do what you're expecting, but they're difficult to implement with the GUI and still even more difficult to understand than regular Unix/Linux permissions. Windows has something similar with its security permissions too. They've borrowed a lot of stuff from 'other' OS's.... Anyway, I'm going blind staring at this white background here in the forums and really hope one of the Admins will give us some optional themes with colors more soothing to the eyes.... ;-)

digitaltrash
11-15-2011, 05:00 PM
Hey guys, apologies for not staying in touch past weeks. I've been very busy.

Visseroth,
Thank you very much for your input. I'll be definitely checking out the gui statistics on RAM (and other) usage. The stats is one of the many great features in FreeNAS.


A good server intel controller will do the trick for link aggregation. I'm using dual onboard NIC on my Supermicro X7DBN server. They use a e1000 chipset and link aggregation works great.
If you don't mind me asking, how did you set yours up? Which Lagg did you use? When you pump data, does it actually route traffic properly (that is, according how you configured your lagg)? Also, did you need some specific features on your router/switch box for it to work without breaking your network setup? I've never done this, so my mind wonders :o


I have to agree that it would be GREAT if folders could be hidden when users log in. I would LOVE this feature too and I think we should make it a suggestion on the forum to bring it to the developer's attention.
My solution is to map it as a network drive (In WIN environment) for each user individually, directing it to their home folder by default, i.e. \\freenas\storage\username and then creating a shortcut in their folder for the "common" share. This is good enough for me, and the user does not see folders of other users right away, without some sneaking around. I found that using:
net use x: \\freenas\storage\username /persistent:yes /user:username password works really well in cmd (much better than the mapping wizard, which considerably slows things down for some reason).

protosd


There is *some* way to clear the cache on windows and switch users, but it's a hack. It's been posted here in the forums, but I'm not sure where.

My share name is \\backup. Doing either a \\freenas or \\ip_address directly, brings up a login screen again. I can login as anyone, even if someone is already logged on under their name. This is kinda necessary when I need to do some "god" functions. Any links to the hack way of doing this? Good hacks never hurt!

Finally, I've noticed that if a user goes to \\freenas\storage, where all of the user folders are located, they (anyone, really) can change the name of any folder (i.e. any other users' home folder). That's a bit dangerous! Can you guys confirm this on your boxes?

ProtoSD
11-15-2011, 05:15 PM
Digitaltrash,

I have a link about purging login credentials, not the one I was trying to remember, but here it is:

How-to-forget-network-share-credentials (http://option9.blogspot.com/2009/08/how-to-forget-network-share-credentials.html)

Also, not to be a jerk, but it would be great if you could post this in another thread so we can keep this discussion on topic about permissions. I'm actually pretty sure there's a couple threads about this topic already. It makes it difficult for people to find stuff when threads get sidetracked (hijacked) with simple questions like this.


If you don't mind me asking, how did you set yours up? Which Lagg did you use? When you pump data, does it actually route traffic properly (that is, according to how you configured your lagg)? Also, did you need some specific features on your router/switch box for it to work without breaking your network setup? I've never done this, so my mind wonders

Visseroth
11-16-2011, 07:54 AM
digitaltrash, protosd is right, this is getting quite off the main subject. Start another thread and let me know and I'll help you where I can there.

digitaltrash
11-17-2011, 03:05 PM
digitaltrash, protosd is right, this is getting quite off the main subject. Start another thread and let me know and I'll help you where I can there.

Sure thing, not a problem. I did get carried away.

But the folder name change is on the topic. Seems to me like that should not be happening. Ideas?

Visseroth
11-18-2011, 05:02 AM
Well if everyone has group access to all the folders in that directory then they would be able to change the name. It's about setting the permissions on the directories correctly. Change the permissions on user folders to 700 and make them sticky.
See this http://www.youtube.com/watch?v=4U7PxdAwvM8 (I'd tell ya how to make them sticky but I'm still learning myself)

ProtoSD
11-18-2011, 11:02 AM
Sorry I don't have time to respond properly. I'd advise against setting the sticky bit, it can be very dangerous security-wise, and in 30+ years working with Unix, I can tell you the needs for it are rare. You should be able to do what you need with user/group permissions and ownership/group set properly on the directory. It's just a matter of taking the time to create the right groups for everyone, add them into those groups or multiple groups if necessary, chmod 770 the directory, and then chown/chgrp the directory with the right owner/group. I understand it can be overwhelming if you're new to it. I do all the permission setting from the command line, but if you do, the GUI/database is not going to scan all your files/folders to pick up those changes. I'd learn how to do it from the command line, that way you'll know things are working the way you expect them to and not get bitten by some idiosyncrasy of the GUI.

Visseroth
11-18-2011, 04:14 PM
Why is it that the sticky bit is a security issue? My thought was if he set the user's folder to 700 w/sticky bit or even 300 and all folders and files following that folder to 700 then the user would have access to the folder and all its contents but wouldn't be able to change the name of their primary folder and no other users besides root and the owner would have access to their personal folder.

ProtoSD
11-18-2011, 09:45 PM
Why is it that the sticky bit is a security issue? My thought was if he set the user's folder to 700 w/sticky bit or even 300 and all folders and files following that folder to 700 then the user would have access to the folder and all its contents but wouldn't be able to change the name of their primary folder and no other users besides root and the owner would have access to their personal folder.

Visseroth, that's an interesting idea. One thing with Unix is there are always lots of different ways to do the same thing. I think the sticky bit when set on a folder like you were suggesting would probably be ok. I've worked a lot with Unix and in all that time have never had a need to use the sticky bit on a folder and have never seen user accounts set up that way. Some strange things might happen from Windows, but like I said, I've never needed or seen it done. There are other situations, like for /tmp or /var/tmp where the sticky bit on a folder is a security advantage. For most of us, this will probably never be an issue, but temporary files stored in /tmp can be replaced with nefarious substitutions that can compromise a system. The sticky bit when used without caution on regular files like scripts for example can allow a person to substitute another script and gain access/privileges. If you notice on the nightly security emails from FreeNAS, it does a scan for files with the sticky bit so you can keep an eye out for problems.

You also need to be careful, if you set the wrong permissions and make your login directory unreadable you won't be able to log in.
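
The folder-rename question above comes down to the mode of the parent directory (the \\freenas\storage level): renaming or deleting an entry needs write permission on the directory that contains it, not on the entry itself. The shell check below is an added example, not part of any post in this thread; the function names are hypothetical and the layout is a constructed temporary directory that reuses the alpha / alpha-beta names.

```sh
#!/bin/sh
# Added example: audit a home-folder layout for the rename problem.
# Function names are hypothetical; alpha / alpha-beta are sample folder names.

# mode_string PATH -> first 10 characters of `ls -ld`, e.g. drwxrwxrwt
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# rename_exposure DIR -> who may rename or delete the entries inside DIR
#   closed  : no group/other write bit; only DIR's owner and root can
#   sticky  : group/other can write, but the sticky bit limits rename/delete
#             to the entry's owner, DIR's owner and root
#   exposed : group/other can write with no sticky bit, so they can rename or
#             delete any entry, whatever the entry's own mode is
rename_exposure() {
    m=$(mode_string "$1")
    gw=$(printf '%s' "$m" | cut -c6)    # group write bit
    ow=$(printf '%s' "$m" | cut -c9)    # other write bit
    st=$(printf '%s' "$m" | cut -c10)   # t or T when the sticky bit is set
    if [ "$gw" != "w" ] && [ "$ow" != "w" ]; then
        echo closed
    elif [ "$st" = "t" ] || [ "$st" = "T" ]; then
        echo sticky
    else
        echo exposed
    fi
}

# private_ok DIR -> succeeds only if group and other get no access (700-style)
private_ok() {
    case "$(mode_string "$1" | cut -c5-10)" in
        ------|-----T) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample layout in a temporary directory, not a real volume.
demo() {
    root=$(mktemp -d)
    mkdir "$root/alpha" "$root/alpha-beta"
    chmod 700 "$root/alpha"; chmod 770 "$root/alpha-beta"
    for mode in 777 1777 755; do
        chmod "$mode" "$root"
        echo "parent $mode: $(rename_exposure "$root")"
    done
    private_ok "$root/alpha" && echo "alpha: private"
    private_ok "$root/alpha-beta" || echo "alpha-beta: open to its group"
    rm -rf "$root"
}
demo
```

The check reads Unix mode bits only; ACLs applied to the dataset or through the CIFS share are not examined.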

yoan
11-20-2011, 12:42 PM
Hi

I'm trying to follow this tutorial
http://forums.freenas.org/showthread.php?1122-Set-Permission-to-allow-users-to-share-a-common-folder-amp-have-private-personal-folder
but I don't have the browse button in CIFS share.
Is it normal? I have one UFS volume.
Thanks for your help

ProtoSD
11-20-2011, 12:52 PM
Hi Yoan,

This is a tutorial that I wrote. You didn't mention what version you are using, that was written during beta-4.

Can you post the version from the system information screen in the GUI?

Also, you should have posted your question in that thread to keep the topic consolidated. Please post/look there for follow up, so this post can be merged.

EDIT: Posts merged into original thread

yoan
11-20-2011, 01:15 PM
Thanks for your quick answer, I use this version: OS version: FreeBSD 8.2-RELEASE-p1 FreeNAS Build: FreeNAS-8.0-RELEASE-i386

ProtoSD
11-20-2011, 01:19 PM
Thanks for your quick answer, I use this version: OS version: FreeBSD 8.2-RELEASE-p1 FreeNAS Build: FreeNAS-8.0-RELEASE-i386

Hi Yoan, you will need to upgrade to 8.02 to follow the tutorial. Beta-4 (or 8.0.1 beta-4), comes after 8.0, so 8.0 doesn't have that in the GUI.

Here's a link for 8.02:

http://sourceforge.net/projects/freenas/files/FreeNAS-8.0.2/

yoan
11-22-2011, 10:24 AM
Why didn't I think about it? Upgrade done, I have the browse button.
Thanks a lot

kirmis
01-17-2012, 11:58 PM
Hi, I followed the http://protosd.blogspot.com/2011/12/general-permissions-sharing-folders.html tutorial, but I still can't set the permissions to have each user access ONLY his own folder.
Can you help me to set the rules not from command line, but over the GUI?
I have created a lot of users and I want them to have read/write access only on their own folders!
How can I merge each user to the specific folder?

Thanks for your time

Visseroth
01-18-2012, 12:05 AM
Easiest way is going to be from the command line using putty.

ProtoSD
01-18-2012, 12:12 AM
Visseroth is correct, the GUI doesn't have a file manager or method of setting permissions on a per user or per folder basis. The only way you *might* be able to do it would be creating a separate dataset for each user and changing the users home directory to that dataset, but you still don't have a way to change all of the settings in the GUI.

Visseroth
01-18-2012, 12:18 AM
I would also recommend learning as much command line as you can anyhow because the best way to manage any FreeBSD or Linux system is from the command prompt. Heck even MS realized this and created power tools for Windowz

kirmis
01-18-2012, 01:31 AM
Thanks a lot for your quick answer!
I'll search for the basic FreeBSD commands...

digitaltrash
01-18-2012, 09:22 AM
Thanks a lot for your quick answer!
I'll search for the basic FreeBSD commands...

http://www.freebsd.org/cgi/man.cgi

Also, not that I want to advertise anything here, but I found unixcbt courses helpful for dummies like me :)

gcooper
01-18-2012, 09:33 AM
WARNING: Please note that while this will work with Unix filesystems, etc this will mess stuff up with Windows if you're not using simple sharing (i.e. user, group, other).

stereoactivo
02-05-2012, 08:09 AM
Hi, I did the tutorial, but I have a problem: I can't log in from Windows to FreeNAS, Windows always says that I entered a wrong password. I tried

username
password

and
freenas\username
password

but with no luck.

thanks :)

ProtoSD
02-05-2012, 11:54 AM
You need to search some other postings, the answer is in the forums, it's been asked a lot I just don't remember the answer. It's probably something that belongs in the FAQ. You might check that "Authentication Model" is set to "local user" under Services->Control Services->CIFS and see if that helps.

LUZR4LIFE
02-24-2012, 06:38 AM
I am having issues setting up permissions. I have read the guide and your tutorials with no luck. I am setting up a home network and media server. I want guests to be able to see the data but not be able to delete or add data.

1st thing I tried:
Added 2 groups
Admin
User

Added User
(Me added password) Assoc. w/ both groups
(Guest add no password) Assoc. w/ User

Added Share (Server)
(Inherit Owner/permissions)
Added Share (Media) sub folder in Server
(Read Export Only)

Added Permissions
Me/Admin (checked all boxes)
Guest/USER (Read/Execute)
(Set permission recursively box will not stay checked)

All PCs can see both shares. Media is read only, but all PCs can mod the Server Share. What am I doing wrong? What would be the best way to set this up? I would like to have a login set to access the Server Share.

Thanks

rgbpc
03-18-2012, 07:51 AM
Thank you

karlywarly
10-31-2012, 10:13 AM
Hi Guys,

I have followed this tutorial and had a play around etc., but from what I understand, when a user is using Windows that has a username and password to log into Windows, e.g. alpha, then the account on FreeNAS has to match Windows when sharing the CIFS, otherwise you would still be denied access to the private and public folders associated with the username alpha and also that group?

Is that correct? :confused:

Edit: I am currently using the latest FreeNAS version 8.3.0 release x64 so I am presuming nothing is different although this tutorial is for an older version?

Visseroth
10-31-2012, 10:46 AM
No, nothing is different that I know in regards to permissions.

If a user does not have a username and password that matches your FreeNAS records they can use any username and password that matches the FreeNAS records if prompted for a login to get access to a folder that they would normally not have access to. However if their username and password matches the records on FreeNAS so thereby they have already logged in then they will not be able to access other folders that they have not been granted the rights to.

Makes sense?

karlywarly
10-31-2012, 11:55 AM
No, nothing is different that I know in regards to permissions.

If a user does not have a username and password that matches your FreeNAS records they can use any username and password that matches the FreeNAS records if prompted for a login to get access to a folder that they would normally not have access to. However if their username and password matches the records on FreeNAS so thereby they have already logged in then they will not be able to access other folders that they have not been granted the rights to.

Makes sense?

The problem I have after experimenting with the permissions as in the tutorial is that I cannot seem to be able to log into the private folder with the given username alpha. I have added a password and still cannot log into the folder alpha or the alpha-beta folder for that matter, and it comes up with an error message "the specified network password is not correct" in Windows, so I'm not sure what I have done wrong?

I originally had the guest permissions setup from following the section in the manual on configuring anonymous access to the windows CIFS and removed this prior to trying to configure more advanced permissions apart from the CIFS.

Stephens
10-31-2012, 01:04 PM
I'd approach this differently and include all relevant users in a group which should have access to the common share and give that group ownership of the common dir.

karlywarly
11-01-2012, 08:47 AM
I'd approach this differently and include all relevant users in a group which should have access to the common share and give that group ownership of the common dir.

What I was trying to achieve was 3 user accounts with passwords that could access all the CIFS that were common and allow each user to have their own folder where other users without permission could not access, view files etc., basically like the tutorial.

When I am logging into FreeNAS via SSH, I am logging in with the root account?

I'm a bit confused: if I am logged in as root, then am I supposed to do su and swap users to admin to be able to do the following?



su (enter Admin password)
chown alpha /mnt/storage/home/alpha
chown beta /mnt/storage/home/beta
chgrp commongrp /mnt/storage/home/alpha-beta
chmod 770 /mnt/storage/home/alpha-beta
chmod 700 /mnt/storage/home/alpha
chmod 700 /mnt/storage/home/beta

fpipe
12-03-2012, 09:08 AM
Link doesn't work.
Sorry, the page you were looking for in this blog does not exist.

cyberjock
12-03-2012, 09:43 AM
He got rid of his blog. There were some.. problems.. with some individuals and whatnot. Sorry :(

antonov
02-08-2013, 09:58 AM
You can still find it in the Archive: http://web.***.org/web/20120317221828/http:///2011/12/general-permissions-sharing-folders.html

ProtoSD
02-08-2013, 10:27 AM
Yes, and I'll be emailing them to remove that unauthorized copy also.

kiabehin
03-06-2013, 12:31 AM
I couldn't find your tutorial, how can I find it? (Mh_10040@yahoo.com)

cyberjock
03-06-2013, 12:49 AM
You can't. His tutorial is no longer offered.

kiabehin
03-06-2013, 02:44 AM
So, what can I do for configuring this method for some folders?

ProtoSD
03-06-2013, 02:57 AM
Check the "sticky" notes at the top of the "HowTo Guides/Configuration" section of the forums.