

Getting Started with:

NAS Permissions In OMV - A Primer



If preferred, this document is available in PDF form at this location → Getting Started - Permissions




The purpose of this document is to provide an overview of access control settings, using Samba network shares, in a peer-to-peer network. It's a brief explanation of permissions, as implemented within Openmediavault's GUI, with some usable examples. It does not apply directly to Domains or LDAP environments.

In Openmediavault's New Users Guide, in the sections Setting up a Shared Folder and Creating a SMB/CIF “Samba” Network Share, permission selections were made that allow all local LAN users to connect to OMV server shares with write access. For home LANs with one or two users, this may be adequate.

On the other hand, some home users may want to prevent children from deleting files and to allow guest logins with read-only access. Further, small businesses may want to grant or restrict employee access to specific shares. These scenarios require that permissions be implemented for NAS share access control.




The password for the root account (the server's super user) should be strong and it should NOT be shared. While this may not be practical when operating a SOHO or business NAS server, the number of users who know the password for the root account should be held to a minimum. (In the business use case, there should be at least two administrators with root access.)

Openmediavault has another super user account “admin” that is used to log into the Web Admin GUI. Given that this user has “root user like” capabilities, admin's password should not be shared either.

It is important to control who has access to the root and admin accounts and their passwords because this level of access can be used to override or bypass all permissions discussed in this document.




In most workgroup LAN environments, users log into their PCs using a unique username and password. These “credentials” are stored locally and have permissions associated with them that allow access to the local PC, its folders and files, and other workstation resources. A username lookup is performed, the password is verified and, if all match, access to the workstation is granted. A “local” server logon is very similar, allowing for local server administration.

  • Last modified: 2021/02/22 18:05
  • by crashtest