FreeNas Permissions

[RedZephon]

Hey All,

 

I have recently built a server for our business that will be serving as a file server to store photo, video and other media content, as well as general files. 

 

We have various photographers/videographers that take video and photos and I want them to be able to drop the footage onto the server and access other photo/video content, but not have access to the rest of the files.

 

I am just looking for some general advice I guess on managing permissions with FreeNas (as I have never used it before).

 

Right now we just have 1 2TB drive (with AWS backup), but my plan is to expand as we need it and add more drives. I want to, if I can, keep one collective place to store files so its just an expanding array of storage, I believe I can do that with pools by having multiple drives in 1 pool, but it also seems that I need to have separate pools in order to set different permission sets for users. Looking for advice here.

[Electronics Wizardy]

Do you have active directory or anouther directory management system? Id set that up if you haven't already, it makes permission management much easier.

 

Then link your freenas box to the domain, and set permissions to groups.

[RedZephon]

Just now, Electronics Wizardy said:

Do you have active directory or anouther directory management system? Id set that up if you haven't already, it makes permission management much easier.

 

Then link your freenas box to the domain, and set permissions to groups.

I haven't set anything up yet really, I have experience with linux servers but never freenas so trying to navigate how to work with it

 

[Razor Blade]

Will your staff have physical access or be able to VPN into to your network? You can customize FreeNAS quite a bit. You could have users for everyone if you wanted to. As far as storing everything on one server you could do so with shares where they can dump off their content right on to the server.

[Electronics Wizardy]

Just now, RedZephon said:

I haven't set anything up yet really, I have experience with linux servers but never freenas so trying to navigate how to work with it

 

what os are the workstations running?

 

Id probably setup a windows server to manage the domain, and if your just running a single 2tb hdd, just do a share in windows server.

[RedZephon]

Most of our staff use Macs, myself included, but we have a couple Windows users as well. 

 

We're going to be continually adding drives to this server so I need to make sure its easily expandable.

 

I want to have outside access, working on the best way to do that. I plan to give everyone individual user accounts to restrict permissions.

[Electronics Wizardy]

2 minutes ago, RedZephon said:

Most of our staff use Macs, myself included, but we have a couple Windows users as well. 

 

We're going to be continually adding drives to this server so I need to make sure its easily expandable.

 

I want to have outside access, working on the best way to do that. I plan to give everyone individual user accounts to restrict permissions.

You really want something like active directory, so that way the user logins and accounts on the server are the same, and multiple servers can all share accounts, really makes stuff easier.

 

Why freeNAS, id probably go windows server here.

 

How do you want outside access. VPN is probably the way to go.

[RedZephon]

3 minutes ago, Electronics Wizardy said:

You really want something like active directory, so that way the user logins and accounts on the server are the same, and multiple servers can all share accounts, really makes stuff easier.

 

Why freeNAS, id probably go windows server here.

 

How do you want outside access. VPN is probably the way to go.

FreeNas was just recommended to me. And it was free. open to other alternatives if they are better/cost effective.

[Electronics Wizardy]

7 hours ago, RedZephon said:

FreeNas was just recommended to me. And it was free. open to other alternatives if they are better/cost effective.

What type of budget are we thinking?

 

This is the type of thing that I would probably get a IT provider to help you with esp as you have a buiness running on this.

[Acedia]

On 3/23/2019 at 12:01 AM, Electronics Wizardy said:

You really want something like active directory, so that way the user logins and accounts on the server are the same, and multiple servers can all share accounts, really makes stuff easier.

 

Why freeNAS, id probably go windows server here.

 

How do you want outside access. VPN is probably the way to go.

While Active Directoy is beatable remeber that you need to actually buy a server, at least 16 licenses AND a user cal per user.

[dalekphalm]

On 3/23/2019 at 7:59 PM, Acedia said:

While Active Directoy is beatable remeber that you need to actually buy a server, at least 16 licenses AND a user cal per user.

He's not specifically saying you have to use Active Directory - but he's saying a directory management system (Such as the Linux or macOS equivalents) would make this task significantly easier.

 

Something like FreeIPA (which combines OpenLDAP with a bunch of other utilities/services to cover all the basic functions of an AD server) would work fine as well.

[Mikensan]

Oddly enough I'm pretty sure FreeNAS has a FreeBSD version of AD built into it (Services > domain controller).

 

Be it windows or FreeNAS it's going to be a little time consuming without a full blown domain environment with every machine joined to AD and using home directories to help automate folder creation and permissions during signin.

 

easiest solution:

I would leverage Nextcloud since it can be used through a browser and very easy to use.

I would create a dataset for Nextcloud's main storage, where all users' individual files would reside. Let nextcloud's user management handle permissions.

Then I would create a separate dataset for "shared" storage and share it to all users within nextcloud.

 

Slighty harder solution:

Or you can use FreeNAS' built in user management (Accounts > Users). 

• Create a user for each photographer.
• Create a group "photographers" and add everyone to it.
• Create a windows dataset "Photographers". Set the permission so that the photographers account and your admin account have rights.
• Create a SMB share to this and navigate to it using Windows Explorer. Right click it > properties > security, and remove "full" control from the Photographers group. Read/write is fine.
• Create a folder "Shared" and set the permissions the same way.
• Create individual folders for each photographer. Each folder you're going to want to go to the Security tab > advanced > disable inheritance. Now add yourself, the user, and remove the Photographers group.

This way when they access the share, the only 2 folders they will actually see is their own and the shared. 

It's really not a lot of work for < 100 users. About 1-2 minutes per users to get a folder setup.