The scenario is that you have a FreeNAS machine - for reference I am running FreeNAS-11.0-U2 - and you want to have a multi-user system where different users have different permissions to access shares over a local network. Here I will show a quick and basic setup of a new share and how to set its permissions. Then I will explain two common issues that are encountered and how to resolve them:
- Everybody can see and read the shares over the Windows network
- I have set up the users, added them to the proper group, but they still cannot access a Dataset
To begin with, the basic steps for creating a new network share are as follows:
- Create and manage users and groups
- Create and share the Datasets
Create and Manage Users and Groups
It is probably easier to start with this. So for example we want to have 3 users, Alice, Bob and Charlie. They should all be granted access to some common shared directories and have restricted access to some other directories.
- Create a Group called "Shared". This group will be the owner of later directories (Datasets) accessible to all of the users.
Creating a new group called Shared.
- Create the users Alice, Bob and Charlie and add them to the group Shared.
Adding the new user Alice, at the same time assigning her to the Shared group.
Create and Share the Datasets
There are plenty of guides on this and it is not so complicated once you get the hang of it. For reference take a look at doc.freenas.org, forums.freenas.org or tekblog. Here, just for the sake of introduction, is the basic idea.
- Create a new Dataset called "Common" as a Windows share.
Creating a new Dataset called Common.
- Change the permissions of the newly created Dataset and set the Owner (user) as root and the Owner (group) as the Shared group.
Changing the permissions of the new Dataset.
- Share the newly created Dataset. This makes it available over the network.
Creating a new SMB (Windows) share for the newly created Dataset.
General Errors and Solution
A brief section explaining some (trivial) problems I encountered and for which I found it hard to get an explanation.
Everybody can see and read the share over the network
By default, when making Windows shares in FreeNAS, the group "Everyone" is added to a share, and hence all users who can log in can actually view the share. The solution is to attach the volume in a Windows machine as the owner of the dataset, right-click the folder, go to permissions and remove the group "Everyone" from the access list. This prevents LAN users from seeing the shares altogether.
By default, the group "Everyone" is added to FreeNAS Windows shares.
To deny access of local network users without explicit permissions to view the shared Datasets, remove the "Everyone" group from the permissions tab.
If you have sub-folders in the dataset, you will get a prompt asking whether you want to change the permissions recursively; you can say yes.
I have set up the users, added them to the proper group, but they still cannot access a Dataset
This can happen if a parent Dataset is shared and some of its sub-datasets are also shared separately. The issue comes when the sub-dataset has to be shared with a user, but the parent dataset has to be restricted. It took me a while to figure out - as it is often not mentioned - but the parent dataset in FreeNAS has to have the same Owner (group) as the sub-dataset you want to share. Let's look at the following simple share setup as an example.
Example share setup, where the Storage Dataset has 2 sub-datasets.
- Create a new group, e.g. called "Shared"
- Add Alice to the group Shared
- Make "Shared" the Owner (group) of the Music dataset
- Make "Shared" the Owner (group) of the Storage parent Dataset (this is usually forgotten!)
- To restrict Alice's access to the Series dataset, make sure that it is owned by another group in which Alice is not a member.
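The check below is an added example, not part of the original post: it walks the directory chain from the top down to a dataset and reports the first directory a user cannot traverse, which is what goes wrong when the parent Dataset's group is forgotten. It assumes plain owner/group/other permission bits (it does not evaluate Windows ACL entries); the pool name "tank", the numeric ids and the 0770 modes are constructed sample values.

```python
import os
import stat
from collections import namedtuple

# Stand-in for os.stat_result so the check also runs on constructed data.
Entry = namedtuple("Entry", "st_uid st_gid st_mode")

def class_bits(st, uid, gids):
    """rwx bits (0-7) that apply to the user: owner first, then group, then other."""
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid == uid:
        return (mode >> 6) & 7
    if st.st_gid in gids:
        return (mode >> 3) & 7
    return mode & 7

def first_blocker(path, uid, gids, stat_fn=os.stat):
    """Check every directory from the top down to `path`. Return the first one the
    user cannot traverse (no execute bit), or None if the whole chain is open."""
    parts = path.strip("/").split("/")
    for i in range(1, len(parts) + 1):
        current = "/" + "/".join(parts[:i])
        if not class_bits(stat_fn(current), uid, gids) & 1:
            return current
    return None

# Constructed sample data (assumptions): numeric ids, pool "tank", mode 0770.
WHEEL, SHARED, OTHER_GROUP = 0, 1001, 1002
ALICE_UID, ALICE_GIDS = 2001, {2001, SHARED}

def layout(storage_gid):
    d = stat.S_IFDIR
    return {
        "/mnt": Entry(0, WHEEL, d | 0o755),
        "/mnt/tank": Entry(0, WHEEL, d | 0o755),
        "/mnt/tank/Storage": Entry(0, storage_gid, d | 0o770),
        "/mnt/tank/Storage/Music": Entry(0, SHARED, d | 0o770),
        "/mnt/tank/Storage/Series": Entry(0, OTHER_GROUP, d | 0o770),
    }

def check_alice(storage_gid, dataset):
    """Where is Alice blocked on the way to Storage/<dataset>?"""
    table = layout(storage_gid)
    path = "/mnt/tank/Storage/" + dataset
    return first_blocker(path, ALICE_UID, ALICE_GIDS, table.__getitem__)

if __name__ == "__main__":
    print(check_alice(WHEEL, "Music"))    # parent group forgotten
    print(check_alice(SHARED, "Music"))   # parent group fixed
    print(check_alice(SHARED, "Series"))  # restricted dataset
```

Called without the `stat_fn` argument, `first_blocker` reads the real permissions with `os.stat`, so it can be pointed at an actual dataset path with a user's uid and group ids.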