I need to set up home directories for a couple of my administrator accounts on my TrueNAS server. I want to enable SSH public key authentication for them, and I can’t do that without a $HOME/.ssh/keys directory for each user on the server.
I’m having trouble finding a tutorial on how to do this, especially if I want to use a parent dataset UserHomes with child datasets for each individual user. Maybe that’s not the best way? The closest I’ve found is this tutorial for SMB Home Shares, which is deprecated and not recommended for new server setups. See: Setting Up SMB Home Shares | TrueNAS Documentation Hub .
Some of the questions I have:
Which Dataset Preset? (I suspect generic, as I’m not looking to share these folders but might want to access them via SSH.)
Who should be the owner? Which group?
Are there any special considerations for owner/group/other settings on the child datasets?
If someone has a working configuration for this and would be able to share, I’d really appreciate it. Not being able to turn on SSH or have a place to put scripts to do things like automated rsync jobs has made certain things unnecessarily difficult.
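An added example (not from any poster in this thread) of what the per-user layout the question describes looks like at the shell level, and of the check that matters for key authentication: OpenSSH with its default StrictModes refuses a key file if the home directory, ~/.ssh or authorized_keys is writable by group or other, or is owned by someone other than the user (or root). The dataset names (pool "tank", parent "UserHomes"), the user name "alice" and the use of a plain POSIX-permission dataset with no ACL preset are assumptions; the zfs commands only run where the zfs tool exists (as root on the TrueNAS shell) and are otherwise printed, and the permission check uses GNU stat, which TrueNAS SCALE has.

```shell
#!/bin/sh
# Added example, not code from the original thread or from TrueNAS.
# Assumed names: pool "tank", parent dataset "UserHomes", user "alice".

# Create the parent dataset (once) and one child dataset per user.
# Runs the real zfs commands only where zfs exists; elsewhere it prints them.
create_home_dataset() {
  pool="$1"; user="$2"
  if command -v zfs >/dev/null 2>&1; then
    zfs list "$pool/UserHomes" >/dev/null 2>&1 || zfs create "$pool/UserHomes"
    zfs create "$pool/UserHomes/$user"
  else
    echo "would run: zfs create $pool/UserHomes && zfs create $pool/UserHomes/$user"
  fi
}

# Lay out a home the way OpenSSH's default key lookup expects:
# home 0750, ~/.ssh 0700, ~/.ssh/authorized_keys 0600, everything owned by
# the user.  $3 is the owner to chown to; pass "" to skip chown (not root).
setup_user_home() {
  base="$1"; user="$2"; owner="$3"
  home="$base/$user"
  mkdir -p "$home/.ssh"
  chmod 750 "$home"
  chmod 700 "$home/.ssh"
  [ -e "$home/.ssh/authorized_keys" ] || : > "$home/.ssh/authorized_keys"
  chmod 600 "$home/.ssh/authorized_keys"
  if [ -n "$owner" ]; then
    chown -R "$owner:$owner" "$home"
  fi
  return 0
}

# Report every reason sshd (StrictModes yes, the default) would ignore the
# key file: a missing path, a group- or world-writable path, or a path owned
# by someone other than the home's owner or root.  Returns 0 when clean.
check_ssh_perms() {
  home="$1"
  ok=0
  owner=$(stat -c '%U' "$home")
  for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
    if [ ! -e "$p" ]; then
      echo "missing: $p"; ok=1; continue
    fi
    mode=$(stat -c '%a' "$p")
    # last two octal digits are group and other; 2,3,6,7 carry the write bit
    case "$mode" in
      *[2367]?|*[2367]) echo "group- or world-writable ($mode): $p"; ok=1 ;;
    esac
    u=$(stat -c '%U' "$p")
    if [ "$u" != "$owner" ] && [ "$u" != root ]; then
      echo "owned by $u, expected $owner: $p"; ok=1
    fi
  done
  return $ok
}

# Typical use on the NAS (as root):
#   create_home_dataset tank alice
#   setup_user_home /mnt/tank/UserHomes alice alice
#   check_ssh_perms /mnt/tank/UserHomes/alice
```

The file sshd reads by default is ~/.ssh/authorized_keys (the AuthorizedKeysFile setting), one public key per line; the owner of the home is the natural owner of the child dataset, and the group can stay the user's primary group as long as nothing grants group write on the home or on ~/.ssh. After any chown or ACL change, rerunning check_ssh_perms is a faster diagnosis than reading "Authentication refused: bad ownership or modes" out of the sshd log.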
I have never used this feature since most TrueNAS systems we have in production environments are connected to Active Directory when being used as a NAS. I assume the “generic” preset as you are wanting to follow standard Linux style permissions, and I would have the user be the owner. Maybe someone here has some more insights.
I’ve never used Active Directory before, as it seemed overkill for a home NAS, but I’m really starting to wonder if I should cave and learn it. TrueNAS seems to either assume it’s in use, or strongly favor its use in several cases.
OTOH, that’s not a transition I’m really ready to dive into while I’m still trying to get the initial configuration and file transfer and reorganization done.
I played with this back in FreeNAS 9 or 10 and don’t remember having any luck. The only way I’ve been able to get non-Windows accounts access to any share or dataset was to add them to the Wheel group and then have Wheel with full permissions. It was probably the really lazy and insecure way to do this, but each of these uses was supposed to be Wheel level anyway and they were all controlled by me as the only one using them.
I guess the question is, for local users with a local home folder, do you need to create a share first and give permission to each of these accounts for their home folders?
Probably not. In my case, if my users had home folders inside a dataset and were authorized for SSH access, they could SSH in and do whatever they wanted.
If I wanted to, I could just create a top-level dataset for each user and make them the owner, and that would solve this issue in the kludgiest possible way. The only reason I haven’t done that yet is that it feels like there has to be a more elegant solution that isn’t Active Directory.
Not that there’s anything wrong with using Active Directory, but this feels like a feature that should exist and be usable without a third party authentication server.
I agree, it may come down to kludgefest to make it work, or at least the easy way to make it work.
I would not suggest buying a Windows Server license to run an AD; I would suggest the community edition of Zentyal, which I’ve used for a while in my tiny lab at my actual home (my “real” homelab is at work due to noise and power, and needing to model stuff for real work). Zentyal can be run on some pretty low powered hardware; I have it running on a Mele Quieter 2Q, which is pretty low powered for its age. An N100 processor would be more than most homes would need. They have a certification book if you want to dig deep into Zentyal; I think the book was $50 USD from their store (dead tree version) and answered more than a few questions when I was more actively using it.
I need to step back and actually understand what AD is supposed to do. I’ve never actually used it or LDAP for anything.
I’m still not sure it’s worth it to set all that up just to have a place to put SSH public keys, but it probably has additional benefits of which I am unaware. I’ve got other services that can pull auth data from LDAP or AD, so I suppose it’d make administration simpler.
OTOH, I’m very used to keeping my passwords organized and centrally stored in 1Password, so I can always sign into anything with a few keystrokes.