In general, once the FreeNAS server is configured and running, it doesn't really need much attention, it should just work. However, there are lots of different features which can be configured. In this article by Gary Sims, we will see how user management is done in FreeNAS.

Local User Management

The first step to creating a user is in fact to create a group. Each user must belong to a group. Groups are sets of users who are associated with one another. So in your business, you might have a sales group and a engineering group. At home, you probably only want one group, for example home.

1. To create a group, go to Access: Users and Groups and click on the Group tab.
2. Now click on the add circle.
3. The form is very simple; you need to add a name and a description. For example sales and "The sales people".
4. Now click Add and then apply the changes.

Only a-z, A-Z, and 0-9 are supported in the group name. _ (underscores) and spaces are not supported, neither are punctuation characters like $%&* etc.

Now that you have a group created, you can create a user.

1. Click on the Users tab.
2. And then on the add circle.

There are four mandatory fields:

• Login: This is the unique login name of user. If the user already has a login name on other servers or workstations, like a Windows user name or a Linux user name, it is best to keep it the same here. This way the user doesn't need to try an remember an extra username and also some programs (particularly Windows) try and log in with the Windows user name before asking which name it should use. Keeping them the same will ease integration.
• Full Name: The user's full name. Often, the login name is an abbreviation or short name for the user like john, gary. Here you need to enter the full name so that it is easy to tell which login name belongs to which person.
• Password: Their password (with confirmation). The colon ':' character isn't allowed in the password.
• Primary Group: The group to which they belong, for example sales.



3. To finish, you need to click Add and apply the changes.

You now have a user added to your FreeNAS server. Let's look at what effect adding a user has on the rest of the FreeNAS server.

Using CIFS with Local Users

To use the users you have defined with Windows networking, you need to go to the Services: CIFS/SMB page and change the Authentication field to Local User. Then click Save and Restart to apply your changes.

What this means is that only authenticated users can now access the FreeNAS shares via CIFS.

In version 0.6, this user authentication is for all the shares, the user has access to everything or nothing. This should change with 0.7.

When trying to connect now from a Windows Vista machine, a window pops up asking for a user name and password.

Once authenticated, the user has access to all the user shares on the FreeNAS server.

FTP and User Login

On the Services: FTP, there are two fields that control how users log in to the FreeNAS server:

• Anonymous login: This allows you to enable anonymous login. This means the user connects with the user name anonymous and any password.
• Local User: This enables a local user login. Users log in using the user name and passwords defined in the Access: Users and Groups page.

The two can be used together; however, they do negate one another in terms of security. It is best to run the FTP with either anonymous logins enabled and local user logins disabled or vice versa. If you run with both enabled, then people can still log in using the anonymous method even if they don't have a user account and so, it diminishes the benefits of having the user accounts enabled.

Other than the security benefits, another advantage of local user login with FTP is that you can define a home directory for the user and when the user logs in, they will be taken to that directory and only they have access to that directory and those below it. This effectively offers each user their own space on the server and other users cannot interfere with their files.

To get this working, you need to create a directory on your shared disk. You can do this with any of the access protocols CIFS, NFS, FTP, and AFS. You need to connect to the shared disk and create a new folder.

Then, in Access: Users, either create a new user or edit an existing one (by clicking on the 'e' in a circle). In the Homedirectory, you need to enter the directory for that user. For example for the user john, you might create a directory cunningly named john. Assuming the disk is named store (as per the quick start guide) then the path for the home directory would be: /mnt/store/john.

Click Save and apply the changes. Now when John logs in using the user name john he will be taken directly to the john directory. He doesn't have access to other files or folders on the store disk, only those in john and any sub folder.

chroot() Everyone, but Root

In the advanced settings section of the Services: FTP page, there is a field called chroot() everyone, but root. What this means is that when a user logs in via FTP, the root directory (top or start directory) for them will be the directory set in the Home directory field. Without this set, the user will log in to the server at the physical / and will see the server in its entirety including the FreeNAS and FreeBSD system files. It is much safer to have this box checked. The exception to this is the user root (which in FreeBSD terms is the system administer account). If Permit root login is enabled, then the user root can log in and they will be taken to the root of the actual server. This can be useful if you ever need to alter any of the system files on the FreeNAS, but this isn't recommend unless you absolutely know what you are doing!

Learning FreeNAS

Configure and manage a network attached storage solution Turn a PC into a Network Attached Storage server with FreeNAS Configure, manage, and troubleshoot your FreeNAS installation Up to date with the latest FreeNAS release Includes a comprehensive troubleshooting section For more information, please visit: http://www.PacktPub.com/learning-freenas/book

Authenticating AFP Users

Like CIFS and FTP, the Apple Filing Protocol (AFP) can also use the local user authentication features of FreeNAS.

In the Services: AFP page, there are two options for controlling access to the server via AFP:

• Enable guest access, meaning that anyone can connect without giving a username or password. The users have full read and write access.
• Enable local user authentication, meaning that only users defined on the FreeNAS server (on the Access: Users page) can access the server. The user name and password set in the FreeNAS server need to be given to authenticate.

Like FTP, the two can be used together, however, they do negate one another in terms of security. It is best to run the AFP service with either guest logins enabled and local user logins disabled or vice versa. If you run with both enabled then people can still log in using the guest account even if they don't have a user account and so it reduces the benefits of having the user accounts enabled.

With just local user authentication enabled, initial connections from an Apple Macintosh will fail. In the top right-hand corner of the Finder window, there is a button labeled Connect As... Use that to enter a user name and password.

Connect to the FreeNAS Server via SSH

SSH is a network protocol that allows data to be exchanged over an encrypted (secure) channel between two computers. It is commonly used as a secure command line interface to a remote computer. This means that you can access the command line interface of the FreeNAS server from a remote computer without having to access the keyboard the and monitor of the FreeNAS server. On the FreeNAS server, it is also used in conjunction with the Unison suite of programs. Unison uses SSH to log in to the server and start the synchronization process.

On the Access: Users: Add page, there is a field called Full Shell, which when enabled, gives that user access to the FreeNAS server via SSH.

To test SSH connectivity:

1. Create a user and make sure that Full Shell is enabled.
2. Go to the Services: SSHD and enable the service.
3. Make sure that Password authentication is ticked.
4. Click Save and Restart.
5. Connect to the FreeNAS server using a SSH client (see below).

Password Authentication

It is possible to connect to the FreeNAS server without giving a user name and password but by relying on an exchange of encryption keys that verify that you are who you claim to be. With Password Authentication enabled, you are able to log in just using a username and password.

You can connect to the FreeNAS server via the command line program SSH using Linux and Mac OS X. For Windows, you will need a SSH client, the best one is called Putty (http://www.chiark.greenend.org.uk/~sgtatham/putty/).

From a Linux or OS X command line type:

ssh -l john 192.168.1.250

Don't forget to change the address to that of your FreeNAS if you aren't using the default.

The -l tells the SSH program which user you want to use as the login name, in this case, I have chosen john.

The first time you log in, you may be asked if you trust the remote machine as you are about to enter into encrypted communications with it. It should read some thing like this:

The authenticity of host '192.168.1.250 (192.168.1.250)' can't be established.

DSA key fingerprint is b2:d0:99:cb:6e:b2:53:95:4d:f6:b3:02:1d:bc:36:db.

Are you sure you want to continue connecting (yes/no)? yes

Warning: Permanently added '192.168.1.250' (DSA) to the list of known hosts

Answer yes and then type in the password for the user. You are now connected to the FreeNAS server via SSH. From here, you can access the command line tools of the FreeNAS server.

Services that Don't Use Local User Accounts

Not all services provided by FreeNAS use local accounts for authentication, most notably NFS. This requires a note of caution. If you have NFS enabled, and are using local user authentication for CIFS, FTP, and AFP be aware that users can still connect to the FreeNAS server using NFS without any username and password. This is an easy way for people to circumvent the local user authentication process.

Summary

In this article, we have seen how we can create users and how we can use local user authentication with CIFS, FTP, AFP, and SSH.

• Installation of FreeNAS
• Troubleshooting the FreeNAS server

About the Author

Gary Sims is a freelance Linux/FreeBSD consultant and writer from the UK and has been working with open-source software since the mid 1990s. He first saw Linux while completing his degree in Business Information Systems at Portsmouth University. Then while working for Digital Equipment Corp he came in to contact with DEC's Ultrix and later Digital UNIX (formerly OSF/1). While developing enterprise software for DEC on its UNIX platforms he became more and convinced of the benefits of open source and open-source Unix-like operating systems like Linux and FreeBSD. After leaving DEC he became a software contractor and after moving to Romania in 2003 he became a freelance Linux/FreeBSD consultant and writer and started publishing articles for the Open Source Technology Group (owners of Linux.com and SourceForge.net). This then led to him writing his first book with Packt.