11. Services

You can configure, start and stop the services provided by the FreeNAS® system from the WebGUI. FreeNAS® includes the following built-in services:

This section demonstrates how to start a FreeNAS® service and describes the configurable options for each service.

11.1. Control Services

Services ‣ Control Services, shown in Figure 11.1a, lets you view which services are currently running and configure, start and stop them. By default, all services are stopped except S.M.A.R.T.

Figure 11.1a: Control Services

services.png

A red “OFF” icon indicates that a service is stopped and a blue “ON” icon indicates that it is running. Click the icon to start or stop the service.

Click the wrench icon next to a service to open its configuration screen, or click the service name under “Services” in the tree menu on the left side of the screen.

If a service fails to start, go to System ‣ Advanced and check the box “Show console messages in the footer”; console messages will then appear at the bottom of the page. Click that area to open a pop-up window in which you can scroll through or copy the console output, including any messages related to the service startup error.

To view service errors in the system log, open Shell and type more /var/log/messages.

11.2. AFP

The settings that are configured when creating AFP Shares in Sharing ‣ Apple (AFP) Shares ‣ Add Apple (AFP) Share are specific to each configured AFP Share. In contrast, global settings which apply to all AFP shares are configured in Services ‣ AFP.

Figure 11.2a shows the available global AFP configuration options which are described in Table 11.2a.

Figure 11.2a: Global AFP Configuration

afp1a.png

Table 11.2a: Global AFP Configuration Options

Setting Value Description
Guest Access checkbox if checked, clients will not be prompted to authenticate before accessing AFP shares
Guest account drop-down menu select account to use for guest access; the selected account must have permissions to the volume/dataset being shared
Bind IP Addresses selection used to specify the IP address(es) to listen for AFP connections; highlight the desired IP address(es) in the “Available” list and use the “>>” button to add to the “Selected” list
Max Connections integer maximum number of simultaneous connections
Enable home directories checkbox if checked, any user home directories located under “Home directories” will be available over the share
Home directories browse button select the volume or dataset which contains user home directories
Home share name string overrides default home folder name with the specified value
Database Path browse button select the path to store the CNID databases used by AFP (default is the root of the volume); the path must be writable
Global auxiliary parameters string additional afp.conf(5) parameters not covered elsewhere in this screen

When configuring home directories, it is recommended to create a dataset to hold the home directories which contains a child dataset for each user. As an example, create a dataset named volume1/homedirs and browse to this dataset when configuring the “Home directories” field of the AFP service. Then, as you create each user, first create a child dataset for that user. For example, create a dataset named volume1/homedirs/user1. When you create the user1 user, browse to the volume1/homedirs/user1 dataset in the “Home Directory” field of the “Add New User” screen.

11.2.1. Troubleshooting AFP

You can determine which users are connected to an AFP share by typing afpusers.

If you receive a “Something wrong with the volume’s CNID DB” error message, run the following command from Shell, replacing the path to the problematic AFP share:

dbd -rf /path/to/share

This command may take a while, depending upon the size of the volume or dataset being shared. This command will wipe the CNID database and rebuild it from the CNIDs stored in the AppleDouble files.

11.3. CIFS

The settings that are configured when creating CIFS Shares in Sharing ‣ Windows (CIFS) Shares ‣ Add Windows (CIFS) Share are specific to each configured CIFS Share. In contrast, global settings which apply to all CIFS shares are configured in Services ‣ CIFS.

Note

after starting the CIFS service, it may take several minutes for the master browser election to occur and for the FreeNAS® system to become available in Windows Explorer.

Figure 11.3a shows the global CIFS configuration options which are described in Table 11.3a. This configuration screen is really a front-end to smb4.conf.

Figure 11.3a: Global CIFS Configuration

cifs1.png

Table 11.3a: Global CIFS Configuration Options

Setting Value Description
NetBIOS Name string must be lowercase and is automatically populated with the system’s hostname; it must be different from the Workgroup name
Workgroup string must match Windows workgroup name; this setting is ignored if the Active Directory or LDAP service is running
Description string optional
DOS charset drop-down menu the character set Samba uses when communicating with DOS and Windows 9x/ME clients; default is CP437
UNIX charset drop-down menu default is UTF-8 which supports all characters in all languages
Log level drop-down menu choices are Minimum, Normal, or Debug
Use syslog checkbox when checked, authentication failures are logged to /var/log/messages instead of the default of /var/log/samba4/log.smbd
Local Master checkbox determines whether or not the system participates in a browser election; should be disabled when network contains an AD or LDAP server and is not necessary if Vista or Windows 7 machines are present
Domain logons checkbox only check this box if you need to provide the netlogin service for older Windows clients
Time Server for Domain checkbox determines whether or not the system advertises itself as a time server to Windows clients; should be disabled when network contains an AD or LDAP server
Guest Account drop-down menu account to be used for guest access; that account must have permission to access the shared volume/dataset
File mask integer overrides default file creation mask of 0666 which creates files with read and write access for everybody
Directory mask integer overrides default directory creation mask of 0777 which grants directory read, write and execute access for everybody
Allow Empty Password checkbox if checked, users can just press Enter when prompted for a password; requires that the username/password be the same as the Windows user account
Auxiliary parameters string smb.conf options not covered elsewhere in this screen; see the Samba Guide for additional settings
Unix Extensions checkbox allows non-Windows CIFS clients to access symbolic links and hard links; has no effect on Windows clients
Zeroconf share discovery checkbox enable if Mac clients will be connecting to the CIFS share
Hostnames lookups checkbox allows you to specify hostnames rather than IP addresses in the “Hosts Allow” or “Hosts Deny” fields of a CIFS share; uncheck if you only use IP addresses as it saves the time of a host lookup
Server minimum protocol drop-down menu the minimum protocol version the server will support where the default sets automatic negotiation; refer to Table 11.3b for descriptions
Server maximum protocol drop-down menu the maximum protocol version the server will support; refer to Table 11.3b for descriptions
Allow execute always checkbox if checked, Samba will allow the user to execute a file, even if that user’s permissions are not set to execute
Obey pam restrictions checkbox uncheck this box to allow cross-domain authentication, to allow users and groups to be managed on another forest, or to allow permissions to be delegated from active directory users and groups to domain admins on another forest
Bind IP Addresses checkboxes check the IP address(es) that CIFS should listen on
Idmap Range Low integer defines the beginning UID/GID this system is authoritative for; any UID/GID lower than this value is ignored, providing a way to avoid accidental UID/GID overlaps between local and remotely defined IDs
Idmap Range High integer defines the ending UID/GID this system is authoritative for; any UID/GID higher than this value is ignored, providing a way to avoid accidental UID/GID overlaps between local and remotely defined IDs

Table 11.3b: Description of SMB Protocol Versions

Value Description
CORE used by DOS
COREPLUS used by DOS
LANMAN1 used by Windows for Workgroups, OS/2, and Windows 9x
LANMAN2 used by Windows for Workgroups, OS/2, and Windows 9x
NT1 used by Windows NT
SMB2 used by Windows 7; same as SMB2_10
SMB2_02 used by Windows Vista
SMB2_10 used by Windows 7
SMB2_22 used by early Windows 8
SMB2_24 used by Windows 8 beta
SMB3 used by Windows 8
SMB3_00 used by Windows 8, mostly the same as SMB2_24

Note

Windows 8.1 and Windows Server 2012 R2 use SMB3.02 which is not yet supported by Samba.

Beginning with FreeNAS® 8.0.3-RELEASE, changes to CIFS settings and CIFS shares take effect immediately. For previous versions, changes will not take effect until you manually stop and start the CIFS service.

Note

do not set the directory name cache size as an “Auxiliary parameter”. Due to differences in how Linux and BSD handle file descriptors, directory name caching is disabled on BSD systems in order to improve performance.

11.3.1. Troubleshooting CIFS

Samba is single threaded, so CPU speed makes a big difference in CIFS performance. A typical 2.5 GHz Intel quad core or better should be capable of handling speeds in excess of gigabit LAN, while low power CPUs such as Intel Atoms and AMD C-30s, E-350s and E-450s typically cannot exceed about 30-40 MB/sec. Remember that other load, such as ZFS, also requires CPU resources and may cause Samba performance to be less than optimal.

Samba’s write cache parameter has been reported to improve write performance in some configurations and can be added to the “Auxiliary parameters” field. Use an integer value which is a multiple of _SC_PAGESIZE (typically 4096) to avoid memory fragmentation. This will increase Samba’s memory requirements and should not be used on systems with limited RAM.
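The rules stated in the Note on directory name cache size, in the write cache paragraph above, and in the protocol names of Table 11.3b can be checked before lines are pasted into the “Auxiliary parameters” field. The following Python linter is an added example, not code from the FreeNAS® project: it assumes the parameters are typed as smb.conf-style key = value lines, and it goes one step beyond the text by also flagging a “server min protocol” that is newer than the “server max protocol” according to the ordering of Table 11.3b.

```python
import os

# Page size used for the write cache size check; the troubleshooting text says
# this is typically 4096. Fall back to 4096 where sysconf is unavailable.
try:
    PAGE_SIZE = os.sysconf("SC_PAGESIZE")
except (AttributeError, ValueError, OSError):
    PAGE_SIZE = 4096

# Protocol names from Table 11.3b ranked oldest to newest. SMB2 is the same as
# SMB2_10 and SMB3 is listed together with SMB3_00, so they share a rank.
PROTOCOL_RANK = {
    "CORE": 0, "COREPLUS": 1, "LANMAN1": 2, "LANMAN2": 3, "NT1": 4,
    "SMB2_02": 5, "SMB2_10": 6, "SMB2": 6, "SMB2_22": 7, "SMB2_24": 8,
    "SMB3_00": 9, "SMB3": 9,
}


def parse_aux_params(text):
    """Parse 'key = value' lines as typed into the Auxiliary parameters field.

    Keys are normalised the way Samba treats them: case-insensitive, with
    runs of whitespace collapsed to a single space.
    """
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if "=" not in line:
            raise ValueError(f"not a key = value line: {line!r}")
        key, value = line.split("=", 1)
        params[" ".join(key.lower().split())] = value.strip()
    return params


def check_aux_params(params):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    if "directory name cache size" in params:
        findings.append("directory name cache size: do not set this; "
                        "directory name caching is disabled on BSD")
    wcs = params.get("write cache size")
    if wcs is not None:
        if not wcs.isdigit():
            findings.append(f"write cache size = {wcs!r}: not an integer")
        elif int(wcs) % PAGE_SIZE:
            findings.append(f"write cache size = {wcs}: not a multiple of "
                            f"{PAGE_SIZE}, may fragment memory")
    ranks = {}
    for key in ("server min protocol", "server max protocol"):
        val = params.get(key)
        if val is None:
            continue
        rank = PROTOCOL_RANK.get(val.upper())
        if rank is None:
            findings.append(f"{key} = {val}: not a protocol from Table 11.3b")
        else:
            ranks[key] = rank
    if len(ranks) == 2 and ranks["server min protocol"] > ranks["server max protocol"]:
        findings.append("server min protocol is newer than server max protocol; "
                        "no client could negotiate a version")
    return findings


# Constructed sample input for this example, not taken from any real system.
SAMPLE_AUX = """\
write cache size = 262144
directory name cache size = 0
server min protocol = SMB2
server max protocol = NT1
"""

if __name__ == "__main__":
    for finding in check_aux_params(parse_aux_params(SAMPLE_AUX)):
        print("WARNING:", finding)
```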

If you wish to increase network performance, read the Samba section on socket options. It indicates which options are available and recommends that you experiment to see which are supported by your clients and improve your network’s performance.

Windows automatically caches file sharing information. If you make changes to a CIFS share or to the permissions of a volume/dataset being shared by CIFS and are no longer able to access the share, try logging out and back into the Windows system. Alternately, users can type net use /delete from the command line to clear their SMB sessions.

Windows also automatically caches login information. If you wish users to be prompted to login every time access is required, reduce the cache settings on the client computers.

Where possible, avoid using a mix of case in filenames as this may cause confusion for Windows users. Representing and resolving filenames with Samba explains this in more detail.

If a particular user cannot connect to a CIFS share, double-check that their password does not contain the ? character. If it does, have the user change their password and try again.

If permissions work for Windows users but not for OS X users, try disabling “Unix Extensions” and restarting the CIFS service.

If the CIFS service will not start, run this command from Shell to see if there is an error in the configuration:

testparm /usr/local/etc/smb4.conf

If clients have problems connecting to the CIFS share, go to Services ‣ CIFS and verify that “Server maximum protocol” is set to “SMB2”.

It is recommended to use a dataset for CIFS sharing. When creating the dataset, make sure that the “Share type” is set to Windows.

Do not use chmod to attempt to fix the permissions on a CIFS share as it destroys the Windows ACLs. The correct way to manage permissions on a CIFS share is to manage the share security from a Windows system as either the owner of the share or a member of the group the share is owned by. To do so, right-click on the share, click “Properties” and navigate to the “Security” tab. If you already destroyed the ACLs using chmod, winacl can be used to fix them. Type winacl from Shell for usage instructions.

The Common Errors section of the Samba documentation contains additional troubleshooting tips.

11.4. Domain Controller

FreeNAS® can be configured to act either as the domain controller for a network or to join an existing Active Directory network as a domain controller.

Note

this section demonstrates how to configure the FreeNAS® system to act as a domain controller. If your goal is to integrate with an existing Active Directory network in order to access its authentication and authorization services, instead configure Active Directory.

Be aware that configuring a domain controller is a complex process that requires a good understanding of how Active Directory works. While Services ‣ Domain Controller makes it easy to input the needed settings into the administrative graphical interface, it is up to you to understand what those settings should be. Before beginning your configuration, read through the Samba AD DC HOWTO. Once FreeNAS® is configured, use the RSAT utility from a Windows system to manage the domain controller. The Samba AD DC HOWTO includes instructions for installing and configuring RSAT.

Figure 11.4a shows the configuration screen for creating a domain controller and Table 11.4a summarizes the available options.

Figure 11.4a: Domain Controller Settings

directory1a.png

Table 11.4a: Domain Controller Configuration Options

Setting Value Description
Realm string capitalized DNS realm name
Domain string capitalized domain name
Server Role drop-down menu at this time, the only supported role is as the domain controller for a new domain
DNS Forwarder string IP address of DNS forwarder; required for recursive queries when SAMBA_INTERNAL is selected
Domain Forest Level drop-down menu choices are 2000, 2003, 2008, or 2008_R2; refer to Understanding Active Directory Domain Services (AD DS) Functional Levels for details
Administrator password string password to be used for the Active Directory administrator account
Kerberos Realm drop-down menu this drop-down menu will auto-populate using the information from “Realm” when the settings in this screen are saved

11.5. Dynamic DNS

If your ISP assigns you a dynamic IP address and you want to reach your FreeNAS® system over the Internet, you need a Dynamic DNS (DDNS) service. A DDNS service automatically keeps a domain name associated with your current IP address, so the FreeNAS® system stays reachable even when that address changes. To use DDNS, you must register with a DDNS provider such as DynDNS.

Figure 11.5a shows the DDNS configuration screen and Table 11.5a summarizes the configuration options. Almost everything you enter in this screen must be obtained from your DDNS provider. After configuring DDNS, remember to start the service in Services ‣ Control Services.

Figure 11.5a: Configuring DDNS

ddns.png

Table 11.5a: DDNS Configuration Options

Setting Value Description
Provider drop-down menu several common DDNS providers are listed; if your provider is not in the list, leave this field empty and add a custom provider in “Auxiliary parameters”
IP Server string specify the hostname and port of the IP check server
Domain name string a fully qualified domain name (for example, yourname.dyndns.org)
Username string username used to log in to the provider
Password string password used to log in to the provider
Update period integer how often, in seconds, the IP address is checked
Forced update period integer how often, in seconds, the IP address is forcibly updated, even if it has not changed
Auxiliary parameters string additional parameters passed to the provider when updating the record; for example, to add a custom provider, dyndns_system default@provider.com

If you are using freedns.afraid.org, refer to the example in this post.

11.6. FTP

FreeNAS® uses proftpd to provide FTP services. Once the FTP service is configured and started, clients can browse and download data using a web browser or FTP client software. The advantage of FTP is that many cross-platform tools support it; its disadvantage is that the FTP protocol is not secure, so it is not recommended for transferring sensitive files. For sensitive data, refer to Encrypting FTP.

This section describes the FreeNAS® FTP configuration options, shows how to configure anonymous FTP, provides an example of restricting users to their home directories, explains how to encrypt FTP connections, and offers some troubleshooting tips.

Figure 11.6a shows the FTP configuration screen in Services ‣ FTP. Some options are only available in “Advanced Mode”. To see them, click the “Advanced Mode” button or check the box “Show advanced fields by default” in System ‣ Advanced.

Figure 11.6a: Configuring FTP

ftp1.png

Table 11.6a lists the configuration options for the FTP service:

Table 11.6a: FTP Configuration Options

Setting Value Description
Port integer port the FTP service listens on
Clients integer maximum number of simultaneous clients
Connections integer maximum number of connections per IP address, where 0 means unlimited
Login Attempts integer maximum number of login attempts before the client is disconnected; increase this value if users frequently mistype their password
Timeout integer maximum idle time in seconds before the client is disconnected
Allow Root Login checkbox checking this box increases the security risk to the system
Allow Anonymous Login checkbox enables anonymous FTP logins with access to the directory specified in “Path”
Path browse button directory available to anonymous FTP users
Allow Local User Login checkbox required if “Anonymous Login” is disabled
Display Login string message displayed to local users after a successful login; not displayed to anonymous logins
File Permission checkboxes “Advanced Mode”; default permissions for newly created files
Directory Permission checkboxes “Advanced Mode”; default permissions for newly created directories
Enable FXP checkbox “Advanced Mode”; enables the File eXchange Protocol, which is not recommended as it exposes the server to FTP bounce attacks
Allow Transfer Resumption checkbox allows FTP clients to resume interrupted transfers
Always Chroot checkbox users who are not members of the wheel group are restricted to their home directory
Require IDENT Authentication checkbox “Advanced Mode”; causes timeouts if the client does not run identd
Perform Reverse DNS Lookups checkbox performs reverse DNS lookups on client IP addresses; causes long delays if no reverse DNS server is configured
Masquerade address string public IP address or hostname; set this if FTP clients cannot connect through a NAT device
Minimum passive port integer “Advanced Mode”; used by clients in PASV mode, default of 0 means any port above 1023
Maximum passive port integer “Advanced Mode”; used by clients in PASV mode, default of 0 means any port above 1023
Local user upload bandwidth integer “Advanced Mode”; in KB/s, default of 0 means unlimited
Local user download bandwidth integer “Advanced Mode”; in KB/s, default of 0 means unlimited
Anonymous user upload bandwidth integer “Advanced Mode”; in KB/s, default of 0 means unlimited
Anonymous user download bandwidth integer “Advanced Mode”; in KB/s, default of 0 means unlimited
Enable TLS checkbox “Advanced Mode”; enables encrypted connections; requires a certificate to be created or imported in Certificates
TLS policy drop-down menu “Advanced Mode”; the selected policy defines whether the control channel, data channel, both channels, or neither channel of an FTP session must occur over SSL/TLS; the policies are described here
TLS allow client renegotiations checkbox “Advanced Mode”; checking this box is not recommended as it breaks several security measures; for this and the rest of the TLS fields, refer to mod_tls for more details
TLS allow dot login checkbox “Advanced Mode”; if checked, the user’s home directory is checked for a .tlslogin file which contains one or more PEM-encoded certificates; if not found, the user will be prompted for password authentication
TLS allow per user checkbox “Advanced Mode”; if checked, the user’s password may be sent unencrypted
TLS common name required checkbox “Advanced Mode”; if checked, the common name in the certificate must match the FQDN of the host
TLS enable diagnostics checkbox “Advanced Mode”; if checked when troubleshooting a connection, will log more verbosely
TLS export certificate data checkbox “Advanced Mode”; if checked, exports the certificate environment variables
TLS no certificate request checkbox “Advanced Mode”; try checking this box if the client can not connect and you suspect that the client software is not properly handling the server’s certificate request
TLS no empty fragments checkbox “Advanced Mode”; checking this box is not recommended as it bypasses a security mechanism
TLS no session reuse required checkbox “Advanced Mode”; checking this box reduces the security of the connection so only do so if the client does not understand reused SSL sessions
TLS export standard vars checkbox “Advanced Mode”; if checked, sets several environment variables
TLS DNS name required checkbox “Advanced Mode”; if checked, the client’s DNS name must resolve to its IP address and the cert must contain the same DNS name
TLS IP address required checkbox “Advanced Mode”; if checked, the client’s certificate must contain the IP address that matches the IP address of the client
Certificate drop-down menu the SSL certificate to be used for TLS FTP connections; to create a certificate, use System ‣ Certificates
Auxiliary parameters string “Advanced Mode”; used to add proftpd(8) parameters not covered elsewhere in this screen

The following example demonstrates the auxiliary parameters that will prevent all users from performing the FTP DELETE command:

<Limit DELE>
DenyAll
</Limit>

11.6.1. Anonymous FTP

Anonymous FTP may be appropriate for a small network where the FreeNAS® system is not accessible from the Internet and everyone in your internal network needs easy access to the stored data. Anonymous FTP does not require you to create a user account for every user. In addition, passwords are not required so you don’t have to manage changed passwords on the FreeNAS® system.

To configure anonymous FTP:

  1. Give the built-in ftp user account permissions to the volume/dataset to be shared in Storage ‣ Volumes as follows:

    • “Owner(user)”: select the built-in ftp user from the drop-down menu
    • “Owner(group)”: select the built-in ftp group from the drop-down menu
    • “Mode”: review that the permissions are appropriate for the share

    Note

    for FTP, the type of client does not matter when it comes to the type of ACL. This means that you always use Unix ACLs, even if Windows clients will be accessing FreeNAS® via FTP.

  2. Configure anonymous FTP in Services ‣ FTP by setting the following attributes:

    • check the box “Allow Anonymous Login”
    • “Path”: browse to the volume/dataset/directory to be shared
  3. Start the FTP service in Services ‣ Control Services. Click the red “OFF” button next to FTP. After a second or so, it will change to a blue “ON”, indicating that the service has been enabled.

  4. Test the connection from a client using a utility such as Filezilla.

In the example shown in Figure 11.6b, a user has input the following information into the Filezilla client:

  • IP address of the FreeNAS® server: 192.168.1.113
  • “Username”: anonymous
  • “Password”: the email address of the user

Figure 11.6b: Connecting Using Filezilla

filezilla.png

The messages within the client indicate that the FTP connection is successful. The user can now navigate the contents of the root folder on the remote site—this is the volume/dataset that was specified in the FTP service configuration. The user can also transfer files between the local site (their system) and the remote site (the FreeNAS® system).

11.6.2. FTP in chroot

If you require your users to authenticate before accessing the data on the FreeNAS® system, you will need to either create a user account for each user or import existing user accounts using Active Directory or LDAP. If you then create a ZFS dataset for each user, you can chroot each user so that they are limited to the contents of their own home directory. Datasets provide the added benefit of configuring a quota so that the size of the user’s home directory is limited to the size of the quota.

To configure this scenario:

  1. Create a ZFS dataset for each user in Storage ‣ Volumes. Click an existing ZFS volume ‣ Create ZFS Dataset and set an appropriate quota for each dataset. Repeat this process to create a dataset for every user that will need access to the FTP service.

  2. If you are not using AD or LDAP, create a user account for each user in Account ‣ Users ‣ Add User. For each user, browse to the dataset created for that user in the “Home Directory” field. Repeat this process to create a user account for every user that will need access to the FTP service, making sure to assign each user their own dataset.

  3. Set the permissions for each dataset in Storage ‣ Volumes. Click the “Change Permissions” button for a dataset to assign a user account as “Owner” of that dataset and to set the desired permissions for that user. Repeat for each dataset.

    Note

    for FTP, the type of client does not matter when it comes to the type of ACL. This means that you always use Unix ACLs, even if Windows clients will be accessing FreeNAS® via FTP.

  4. Configure FTP in Services ‣ FTP with the following attributes:

    • “Path”: browse to the parent volume containing the datasets
    • make sure the boxes for “Allow Anonymous Login” and “Allow Root Login” are unchecked
    • check the box “Allow Local User Login”
    • check the box “Always Chroot”
  5. Start the FTP service in Services ‣ Control Services. Click the red “OFF” button next to FTP. After a second or so, it will change to a blue “ON”, indicating that the service has been enabled.

  6. Test the connection from a client using a utility such as Filezilla.

To test this configuration in Filezilla, use the IP address of the FreeNAS® system, the Username of a user that has been associated with a dataset, and the Password for that user. The messages should indicate that the authorization and the FTP connection are successful. The user can now navigate the contents of the root folder on the remote site—this time it is not the entire volume but the dataset that was created for that user. The user should be able to transfer files between the local site (their system) and the remote site (their dataset on the FreeNAS® system).

11.6.3. Encrypting FTP

To configure any FTP scenario to use encrypted connections:

  1. Import or create a certificate authority using the instructions in CAs. Then, import or create the certificate to use for encrypted connections using the instructions in Certificates.
  2. In Services ‣ FTP, check the box “Enable TLS” and select the certificate in the “Certificate” drop-down menu.
  3. Specify secure FTP when accessing the FreeNAS® system. For example, in Filezilla input ftps://IP_address (for an implicit connection) or ftpes://IP_address (for an explicit connection) as the Host when connecting. The first time a user connects, they should be presented with the certificate of the FreeNAS® system. Click “OK” to accept the certificate and negotiate an encrypted connection.
  4. To force encrypted connections, select on for the “TLS Policy”.

11.6.4. Troubleshooting FTP

The FTP service will not start if it can not resolve the system’s hostname to an IP address using DNS. To see if the FTP service is running, open Shell and issue the command:

sockstat -4p 21

If there is nothing listening on port 21, the FTP service isn’t running. To see the error message that occurs when FreeNAS® tries to start the FTP service, go to System ‣ Advanced, check the box “Show console messages in the footer” and click “Save”. Next, go to Services ‣ Control Services and switch the FTP service off then back on in the GUI. Watch the console messages at the bottom of the browser for errors.

If the error refers to DNS, either create an entry in your local DNS server with the FreeNAS® system’s hostname and IP address or add an entry for the IP address of the FreeNAS® system in the “Host name database” field of Network ‣ Global Configuration.

11.7. iSCSI

Refer to Block (iSCSI) for instructions on how to configure iSCSI. To start the iSCSI service, click its entry in “Services”.

Note

a warning message will occur if you stop the iSCSI service when initiators are connected. Type ctladm islist to determine the names of the connected initiators.

11.8. LLDP

The Link Layer Discovery Protocol (LLDP) is used by network devices to advertise their identity, capabilities, and neighbors on an Ethernet network. FreeNAS® uses the ladvd LLDP implementation. If your network contains managed switches, configuring and starting the LLDP service will tell the FreeNAS® system to advertise itself on the network.

Figure 11.8a shows the LLDP configuration screen and Table 11.8a summarizes the configuration options for the LLDP service.

Figure 11.8a: Configuring LLDP

lldp.png

Table 11.8a: LLDP Configuration Options

Setting Value Description
Interface Description checkbox when checked, receive mode is enabled and received peer information is saved in interface descriptions
Country Code string required for LLDP location support; input 2 letter ISO 3166 country code
Location string optional; specify the physical location of the host

11.9. NFS

The settings that are configured when creating NFS Shares in Sharing ‣ Unix (NFS) Shares ‣ Add Unix (NFS) Share are specific to each configured NFS Share. In contrast, global settings which apply to all NFS shares are configured in Services ‣ NFS.

Figure 11.9a shows the configuration screen and Table 11.9a summarizes the configuration options for the NFS service.

Figure 11.9a: Configuring NFS

nfs1a.png

Table 11.9a: NFS Configuration Options

Setting Value Description
Number of servers integer run sysctl -n kern.smp.cpus from Shell to determine the number; do not exceed the number listed in the output of that command
Serve UDP NFS clients checkbox check if NFS client needs to use UDP
Bind IP Addresses checkboxes select the IP address(es) to listen for NFS requests; if left unchecked, NFS will listen on all available addresses
Allow non-root mount checkbox check this box only if the NFS client requires it
Enable NFSv4 checkbox the default is to use NFSv3, check this box to switch to NFSv4
Require Kerberos for NFSv4 checkbox check this box when using Kerberos authentication with NFSv4
mountd(8) bind port integer optional; specify port for mountd(8) to bind to
rpc.statd(8) bind port integer optional; specify port for rpc.statd(8) to bind to
rpc.lockd(8) bind port integer optional; specify port for rpc.lockd(8) to bind to

11.10. Rsync

Services ‣ Rsync is used to configure an rsync server when using rsync module mode. See the section on Rsync Module Mode for a configuration example.

This section describes the configurable options for the rsyncd service and rsync modules.

11.10.1. Configure Rsyncd

Figure 11.10a shows the rsyncd configuration screen which is accessed from Services ‣ Rsync ‣ Configure Rsyncd.

Figure 11.10a: Rsyncd Configuration

rsyncd.png

Table 11.10a summarizes the options that can be configured for the rsync daemon:

Table 11.10a: Rsync Configuration Options

Setting Value Description
TCP Port integer port for rsyncd to listen on, default is 873
Auxiliary parameters string additional parameters from rsyncd.conf(5)

11.10.2. Rsync Modules

Figure 11.10b shows the configuration screen that appears when you click Services ‣ Rsync ‣ Rsync Modules ‣ Add Rsync Module.

Table 11.10b summarizes the options that can be configured when creating a rsync module.

Figure 11.10b: Adding an Rsync Module

rsync3.png

Table 11.10b: Rsync Module Configuration Options

Setting Value Description
Module name string mandatory; needs to match the setting on the rsync client
Comment string optional description
Path browse button volume/dataset to hold received data
Access Mode drop-down menu choices are Read and Write, Read-only, or Write-only
Maximum connections integer 0 is unlimited
User drop-down menu select user that file transfers to and from that module should take place as
Group drop-down menu select group that file transfers to and from that module should take place as
Hosts allow string see rsyncd.conf(5) for allowed formats
Hosts deny string see rsyncd.conf(5) for allowed formats
Auxiliary parameters string additional parameters from rsyncd.conf(5)

11.11. S.M.A.R.T.

FreeNAS® uses the smartd(8) service to monitor disk S.M.A.R.T. data for disk health. To fully configure S.M.A.R.T. you need to:

  1. Schedule when to run the S.M.A.R.T. tests in System ‣ S.M.A.R.T. Tests ‣ Add S.M.A.R.T. Test.
  2. Enable or disable S.M.A.R.T. for each disk member of a volume in Volumes ‣ View Volumes. By default, this is already enabled on all disks that support S.M.A.R.T.
  3. Check the configuration of the S.M.A.R.T. service as described in this section.
  4. Start the S.M.A.R.T. service in Services ‣ Control Services.

Figure 11.11a shows the configuration screen that appears when you click Services ‣ S.M.A.R.T.

Figure 11.11a: S.M.A.R.T Configuration Options

smart2.png

Note

smartd will wake up at every configured “Check Interval”. It will check the times you configured in System ‣ S.M.A.R.T. Tests to see if any tests should be run. Since the smallest time increment for a test is an hour (60 minutes), it does not make sense to set a “Check Interval” value higher than 60 minutes. For example, if you set the “Check Interval” for 120 minutes and the smart test to every hour, the test will only be run every 2 hours since the daemon only wakes up every 2 hours.

Table 11.11a summarizes the options in the S.M.A.R.T configuration screen.

Table 11.11a: S.M.A.R.T Configuration Options

Setting Value Description
Check interval integer in minutes, how often to wake up smartd to check to see if any tests have been configured to run
Power mode drop-down menu the configured test is not performed if the system enters the specified power mode; choices are: Never, Sleep, Standby, or Idle
Difference integer in degrees Celsius default of 0 disables this check, otherwise reports if the temperature of a drive has changed by N degrees Celsius since last report
Informational integer in degrees Celsius default of 0 disables this check, otherwise will message with a log level of LOG_INFO if the temperature is higher than specified degrees in Celsius
Critical integer in degrees Celsius default of 0 disables this check, otherwise will message with a log level of LOG_CRIT and send an email if the temperature is higher than specified degrees in Celsius
Email to report string email address of person or alias to receive S.M.A.R.T. alerts

11.12. SNMP

SNMP (Simple Network Management Protocol) is used to monitor network-attached devices for conditions that warrant administrative attention. FreeNAS® uses Net-SNMP to provide SNMP. When you start the SNMP service, the following port will be enabled on the FreeNAS® system:

  • UDP 161 (listens here for SNMP requests)

Available MIBs are located in /usr/local/share/snmp/mibs.

Figure 11.12a shows the SNMP configuration screen. Table 11.12a summarizes the configuration options.

Figure 11.12a: Configuring SNMP

snmp1.png

Table 11.12a: SNMP Configuration Options

Setting Value Description
Location string optional description of system’s location
Contact string optional email address of administrator
Community string password used on the SNMP network, default is public and should be changed for security reasons
SNMP v3 Support checkbox check this box to enable support for SNMP version 3
Username string only applies if “SNMP v3 Support” is checked; specify the username to register with this service
Password string only applies if “SNMP v3 Support” is checked; specify and confirm a password of at least 8 characters
Auxiliary Parameters string additional options not covered in this screen, one per line

11.13. SSH

Secure Shell (SSH) allows files to be transferred securely over an encrypted network connection. If you configure your FreeNAS® system as an SSH server, users on the network must use SSH client software to connect and transfer files.

This section describes the FreeNAS® SSH configuration options, provides an example of confining a user to their home directory, and offers some troubleshooting tips.

Figure 11.13a shows the Services ‣ SSH configuration screen. After configuring SSH, do not forget to start the service in Services ‣ Control Services.

Figure 11.13a: SSH Configuration

ssh1.png

Table 11.13a summarizes the configuration options. Some options are only shown in "Advanced Mode"; to display them, click the "Advanced Mode" button or check "Show advanced fields by default" in System ‣ Advanced.

Table 11.13a: SSH Configuration Options

Setting Value Description
TCP Port integer port to open for SSH connection requests; default is 22
Login as Root with password checkbox for security reasons, root logins are discouraged and disabled by default; if enabled, a password must be set for the root user in "User Management"
Allow Password Authentication checkbox if unchecked, key-based authentication is required for all users; this requires additional setup on both the client and the server
Allow TCP Port Forwarding checkbox allows users to bypass firewall restrictions using SSH's port forwarding feature
Compress Connections checkbox may reduce latency over slow networks
Host Private Key string "Advanced Mode"; paste a host key to use as the default key
SFTP Log Level drop-down menu "Advanced Mode"; select the syslog(3) level of the SFTP server
SFTP Log Facility drop-down menu "Advanced Mode"; select the syslog(3) facility of the SFTP server
Extra Options string "Advanced Mode"; additional sshd_config(5) options not covered in this screen, one per line; these options are case-sensitive and a misspelling may prevent the SSH service from starting

Commonly used "Extra Options" from sshd_config(5):

  • add ClientAliveInterval if SSH connections are being dropped
  • ClientMaxStartup defaults to 10; add this option if you need to increase the number of concurrent SSH connections.
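Because a misspelled or malformed "Extra Options" line stops the SSH service, it pays to sanity-check the text before saving it. The following is an added example written for this page, not FreeNAS® or OpenSSH code: it checks each line for a present argument, suggests the canonical spelling for near-miss keywords, validates yes/no and numeric arguments, and flags legal but weak settings such as PermitRootLogin yes. KNOWN_KEYWORDS is an assumed subset of sshd_config(5) keywords chosen to match Table 11.13a, not the full list, so a keyword outside it is only warned about. SAMPLE is constructed input.

```python
import difflib

# Canonical spellings of a few sshd_config(5) keywords. This is an assumed
# subset chosen to match the settings in Table 11.13a, not the full list.
KNOWN_KEYWORDS = {
    "ClientAliveInterval", "ClientAliveCountMax", "PermitRootLogin",
    "PasswordAuthentication", "AllowTcpForwarding", "Compression", "Port",
}

# Keywords whose argument must be exactly "yes" or "no".
YES_NO_KEYWORDS = {"PasswordAuthentication", "AllowTcpForwarding", "Compression"}

# Keywords whose argument must be a non-negative integer.
NUMERIC_KEYWORDS = {"ClientAliveInterval", "ClientAliveCountMax", "Port"}

# Legal settings that weaken the service; reported as warnings, not errors.
RISKY_VALUES = {
    ("PermitRootLogin", "yes"): "root login with a password is discouraged",
    ("AllowTcpForwarding", "yes"): "users can tunnel through the firewall",
}


def check_extra_options(text):
    """Return a list of (level, message) tuples, one per problem found.

    "error" marks a line that would keep sshd from starting (missing
    argument, misspelled keyword, bad argument type); "warning" marks a
    keyword outside our subset or a legal but weak setting. An empty list
    means nothing was found.
    """
    findings = []
    by_lower = {k.lower(): k for k in KNOWN_KEYWORDS}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank lines and comments are fine
        parts = line.split(None, 1)
        if len(parts) != 2:
            findings.append(("error", f"line {lineno}: '{line}' has no argument"))
            continue
        keyword, value = parts
        canonical = by_lower.get(keyword.lower())
        if canonical is None:
            # Either a typo of a keyword we know, or a keyword outside our subset.
            close = difflib.get_close_matches(keyword, KNOWN_KEYWORDS, n=1, cutoff=0.8)
            if close:
                findings.append(("error", f"line {lineno}: '{keyword}' looks like a misspelling of '{close[0]}'"))
            else:
                findings.append(("warning", f"line {lineno}: keyword '{keyword}' not in checked subset; verify against sshd_config(5)"))
            continue
        if keyword != canonical:
            findings.append(("warning", f"line {lineno}: '{keyword}' is normally written '{canonical}'"))
        if canonical in YES_NO_KEYWORDS and value not in ("yes", "no"):
            findings.append(("error", f"line {lineno}: {canonical} takes 'yes' or 'no', got '{value}'"))
            continue
        if canonical in NUMERIC_KEYWORDS and not value.isdigit():
            findings.append(("error", f"line {lineno}: {canonical} takes a number, got '{value}'"))
            continue
        risk = RISKY_VALUES.get((canonical, value))
        if risk:
            findings.append(("warning", f"line {lineno}: {canonical} {value}: {risk}"))
    return findings


# Constructed sample: what an administrator might paste into "Extra Options".
SAMPLE = """\
ClientAliveInterval 300
ClientAliveCountMax 3
PasswordAuthentication No
AllowTcpForwarding yes
ClientAliveInterva 60
"""

if __name__ == "__main__":
    for level, message in check_extra_options(SAMPLE):
        print(f"{level}: {message}")
```

Running it on SAMPLE reports the capitalised "No" and the truncated keyword as errors, and the forwarding setting as a warning; the first two lines pass. Treat a clean result as a spelling check only, since the subset does not know every keyword.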

11.13.1. SCP Only

Normally, a user created in Account ‣ Users ‣ Add User can access the FreeNAS® system over the network using ssh. The user lands in the "Home Directory" specified in the account settings, but can also change into any other directory on the system, which is a significant security risk.

You can allow users to transfer files between their local computer and their home directory with scp and sftp while preventing them from logging in with ssh. To do so, go to Account ‣ Users ‣ View Users, select the user, click "Modify User", and change "Shell" to scponly. Repeat this for every user whose SSH access should be restricted.

Test the configuration from another system by running sftp, ssh, and scp as one of the users configured above. sftp and scp should work, while ssh should fail.

Note

Clients such as WinSCP and Filezilla can bypass the scponly shell. The configuration described here assumes the user is using scp or sftp from the command line.

11.13.2. Troubleshooting SSH

"Extra Options" added to sshd_config(5) are case-sensitive; a misspelling will break the SSH service.

If a client receives a "reverse DNS" or timeout error, add an entry for the client's IP address in the "Host name database" field of Network ‣ Global Configuration.

When configuring SSH, test the configuration as you go to ensure the SSH user account can transfer files between the local and destination directories, and that its permissions do not exceed what you intended. When something goes wrong, the SSH error messages pinpoint the cause. Open Shell and type:

tail -f /var/log/messages

Authentication-related error messages can be found in /var/log/auth.log.
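The same /var/log/auth.log is also where repeated failed logins show up, so a small parser doubles as a first detection step. The following is an added example, not part of FreeNAS® or OpenSSH: it extracts sshd "Accepted"/"Failed" lines, counts failures per client address, lists attempts against root or non-existent accounts, and lists which users still log in with a password (useful when deciding whether "Allow Password Authentication" can be turned off). SAMPLE_AUTH_LOG is constructed in the style of sshd entries; the host, users and addresses are made up.

```python
import re
from collections import Counter

# Constructed sample lines in the style of sshd entries in /var/log/auth.log;
# hostname, users and addresses are made up (documentation address ranges).
SAMPLE_AUTH_LOG = """\
Mar  3 10:15:01 freenas sshd[2231]: Accepted publickey for alice from 192.0.2.20 port 50122 ssh2
Mar  3 10:15:07 freenas sshd[2240]: Failed password for invalid user admin from 203.0.113.9 port 41002 ssh2
Mar  3 10:15:09 freenas sshd[2240]: Failed password for invalid user admin from 203.0.113.9 port 41002 ssh2
Mar  3 10:15:12 freenas sshd[2244]: Failed password for root from 203.0.113.9 port 41010 ssh2
Mar  3 10:15:30 freenas sshd[2250]: Failed password for bob from 192.0.2.21 port 50300 ssh2
Mar  3 10:15:41 freenas sshd[2251]: Accepted password for bob from 192.0.2.21 port 50301 ssh2
Mar  3 10:16:00 freenas sshd[2252]: Received disconnect from 192.0.2.21 port 50301:11: disconnected by user
"""

# Matches the authentication outcome lines sshd writes; other lines are ignored.
AUTH_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) port (?P<port>\d+)"
)


def parse_auth_log(text):
    """Turn sshd Accepted/Failed lines into dicts; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.search(line)
        if not m:
            continue
        events.append({
            "result": m.group("result"),            # "Accepted" or "Failed"
            "method": m.group("method"),            # "password" or "publickey"
            "user": m.group("user"),
            "invalid_user": m.group("invalid") is not None,
            "ip": m.group("ip"),
        })
    return events


def failures_by_source(events):
    """Count failed authentications per client address."""
    return Counter(e["ip"] for e in events if e["result"] == "Failed")


def noisy_sources(events, threshold=3):
    """Addresses with at least `threshold` failures, sorted for stable output."""
    return sorted(ip for ip, n in failures_by_source(events).items() if n >= threshold)


def root_or_unknown_user_attempts(events):
    """Attempts against root or non-existent accounts; neither is expected
    when root SSH login is left disabled, so they deserve a look."""
    return [e for e in events if e["user"] == "root" or e["invalid_user"]]


def password_logins(events):
    """Users who logged in with a password rather than a key."""
    return [e["user"] for e in events if e["result"] == "Accepted" and e["method"] == "password"]


if __name__ == "__main__":
    ev = parse_auth_log(SAMPLE_AUTH_LOG)
    print("failures per source:", dict(failures_by_source(ev)))
    print("sources over threshold:", noisy_sources(ev))
    print("root/unknown-user attempts:", len(root_or_unknown_user_attempts(ev)))
    print("password logins:", password_logins(ev))
```

On a live system, feed it the output of the tail command above or the whole of /var/log/auth.log; the threshold in noisy_sources is a starting point to tune, not a rule.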

11.14. TFTP

Trivial File Transfer Protocol (TFTP) is a light-weight version of FTP typically used to transfer configuration or boot files between devices such as routers. TFTP provides only a few commands and does not support authentication.

If FreeNAS® is to store images and configuration files for network devices, configure and start the TFTP service. The TFTP service uses port 69.

Note

In versions of FreeNAS® prior to 8.3.0, TFTP limited the maximum size of a single file to 32 MB.

Figure 11.14a shows the TFTP configuration screen and Table 11.14a summarizes the configuration options:

Figure 11.14a: TFTP Configuration

tftp.png

Table 11.14a: TFTP Configuration Options

Setting Value Description
Directory browse button select the directory to use for storage; some devices require a specific directory name, refer to the device's documentation
Allow New Files checkbox enable if network devices need to send files to the system (for example, to back up configuration files)
Port integer the UDP port TFTP listens on; default is 69
Username drop-down menu select the user account to run the TFTP service as; the selected account must have permissions to the configured "Directory"
Umask integer umask for newly created files; default is 022 (everyone can read, nobody can write); some devices require a less strict umask
Extra options string additional tftpd(8) options, one per line
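The statement that TFTP has no authentication is visible in the request packet itself. The following is an added example written for this page, not tftpd(8) code: it encodes and decodes RFC 1350 read and write requests (opcode, filename, NUL, mode, NUL, and nothing else) and then applies the two controls the service screen does give you, refusing writes unless "Allow New Files" is on and refusing names that resolve outside the configured "Directory". The authorize function and the /mnt/tank/tftp path are hypothetical; the packets are constructed.

```python
import posixpath
import struct

# RFC 1350 opcodes for the two request types a client can send.
OPCODES = {1: "RRQ", 2: "WRQ"}
# Transfer modes still in use; RFC 1350's "mail" mode is obsolete and not accepted here.
MODES = {"netascii", "octet"}


def build_request(kind, filename, mode="octet"):
    """Encode an RRQ or WRQ: opcode(2) | filename | NUL | mode | NUL.
    Used here only to construct sample packets for the parser below."""
    opcode = {"RRQ": 1, "WRQ": 2}[kind]
    return struct.pack("!H", opcode) + filename.encode("ascii") + b"\x00" + mode.encode("ascii") + b"\x00"


def parse_request(packet):
    """Decode a request packet into (kind, filename, mode).

    Note what is absent: there is no username or password field anywhere in
    the packet, which is the protocol-level reason TFTP has no authentication.
    """
    if len(packet) < 4:
        raise ValueError("packet too short for a TFTP request")
    (opcode,) = struct.unpack("!H", packet[:2])
    if opcode not in OPCODES:
        raise ValueError(f"opcode {opcode} is not a read or write request")
    fields = packet[2:].split(b"\x00")
    if len(fields) < 3:          # filename, mode, and the empty piece after the final NUL
        raise ValueError("request is missing its NUL terminators")
    filename = fields[0].decode("ascii")
    mode = fields[1].decode("ascii").lower()   # modes are case-insensitive per RFC 1350
    if mode not in MODES:
        raise ValueError(f"unknown transfer mode '{mode}'")
    return OPCODES[opcode], filename, mode


def authorize(request, directory, allow_new_files):
    """Apply the two server-side controls the service screen exposes.

    Returns (True, resolved_path) or (False, reason). Hypothetical policy
    function written for this example; it is not tftpd(8)'s own logic.
    """
    kind, filename, _ = request
    if kind == "WRQ" and not allow_new_files:
        return False, "writes disabled (Allow New Files unchecked)"
    root = directory.rstrip("/")
    # Resolve ".." components so a client cannot name a file outside the directory.
    target = posixpath.normpath(posixpath.join(root, filename.lstrip("/")))
    if not target.startswith(root + "/"):
        return False, "path escapes the TFTP directory"
    return True, target


if __name__ == "__main__":
    # Constructed sample packets, as a router might send them.
    for pkt in (build_request("RRQ", "router1.cfg"), build_request("WRQ", "router1-backup.cfg")):
        req = parse_request(pkt)
        print(req, "->", authorize(req, "/mnt/tank/tftp", allow_new_files=False))
```

Because the request carries nothing to identify the sender, the only other defence the page offers is the "Username" the service runs as, whose file permissions bound what a read or write can touch.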

11.15. UPS

FreeNAS® uses NUT (Network UPS Tools) to provide support for UPS devices. If the FreeNAS® system is connected to a UPS device, configure the UPS service and then start it in Services ‣ Control Services.

Figure 11.15a shows the UPS configuration screen:

Figure 11.15a: UPS Configuration Screen

ups.png

Table 11.15a summarizes the options in the UPS configuration screen.

Table 11.15a: UPS Configuration Options

Setting Value Description
UPS Mode drop-down menu select
Identifier string can contain alphanumeric, space, comma, hyphen, and underscore characters
Driver drop-down menu refer to the list of supported UPS devices at http://www.networkupstools.org/stable-hcl.html
Port drop-down menu select the serial or USB port the UPS is plugged into (see the note below)
Auxiliary Parameters string parameters entered here are appended to ups.conf(5)
Description string optional
Shutdown Mode drop-down menu choices are shut down when the UPS goes on battery or shut down when the UPS battery is low
Shutdown Timer integer in seconds; when the UPS goes on battery, the system shuts down after this many seconds unless AC power is restored
Monitor User string default is upsmon
Monitor Password string default is fixmepass and should be changed promptly; cannot contain a space or #
Extra users string specify additional users that have administrative access; see upsd.users(5) for examples
Remote monitor checkbox if enabled, the default is to listen on all interfaces with monitor user upsmon and password fixmepass
Send Email Status Updates checkbox if enabled, system activity status is reported by email
To email email address if "Send Email Status Updates" is checked, status updates are sent to this address
Email subject string if "Send Email Status Updates" is checked, the email uses this subject

Note

If you are using a USB UPS, the easiest way to determine the device name is to enable "Show console messages" in System ‣ Advanced. When you plug in the USB device, the console displays a device name such as /dev/ugenX.X.

upsc(8) can be used to get status variables from the UPS daemon, such as the current power and voltage readings. Run it from Shell in the following format; the man page gives additional usage examples.

upsc ups@localhost

upscmd(8) can be used to send commands directly to the UPS, provided the UPS supports the commands being sent. Only users with administrative rights can send commands, including the users defined in "Extra users".
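To see how the two "Shutdown Mode" choices and the "Shutdown Timer" in Table 11.15a interact with what upsc reports, here is an added example written for this page, not NUT's own code: it parses `key: value` output of the form upsc prints and decides whether a shutdown is due under each mode. SAMPLE_UPSC is constructed output; the status flags OB (on battery), OL (on line) and LB (low battery) follow NUT's ups.status naming. One assumption is built in: a low-battery condition while on battery triggers shutdown in both modes, which is how NUT's upsmon itself behaves.

```python
# Constructed sample of `upsc ups@localhost` output; values are made up and
# the variable names follow NUT's standard naming (ups.status, battery.*).
SAMPLE_UPSC = """\
battery.charge: 42
battery.runtime: 900
input.voltage: 0.0
ups.mfr: ExampleCorp
ups.status: OB DISCHRG
"""

SHUTDOWN_ON_BATTERY = "onbatt"    # "shut down when the UPS goes on battery"
SHUTDOWN_LOW_BATTERY = "lowbatt"  # "shut down when the UPS battery is low"


def parse_upsc(text):
    """Parse `key: value` lines into a dict; lines without ': ' are ignored."""
    variables = {}
    for line in text.splitlines():
        key, sep, value = line.partition(": ")
        if sep:
            variables[key.strip()] = value.strip()
    return variables


def should_shut_down(variables, mode, timer, seconds_on_battery):
    """Decide whether the system should shut down now.

    mode is one of the two "Shutdown Mode" choices; timer is the "Shutdown
    Timer" in seconds and seconds_on_battery is how long the UPS has already
    been on battery. Returns (decision, reason). A low-battery condition
    while on battery triggers shutdown in both modes, as NUT's upsmon does.
    """
    status = variables.get("ups.status", "").split()
    on_battery = "OB" in status
    low_battery = "LB" in status
    if not on_battery:
        return False, "on line power"
    if low_battery:
        return True, "UPS reports low battery"
    if mode == SHUTDOWN_ON_BATTERY:
        if seconds_on_battery >= timer:
            return True, f"on battery for {seconds_on_battery}s, timer is {timer}s"
        return False, f"on battery, {timer - seconds_on_battery}s left before shutdown"
    if mode == SHUTDOWN_LOW_BATTERY:
        return False, "on battery, waiting for low-battery signal"
    raise ValueError(f"unknown shutdown mode {mode!r}")


if __name__ == "__main__":
    ups = parse_upsc(SAMPLE_UPSC)
    print("status:", ups["ups.status"], "charge:", ups["battery.charge"])
    for mode in (SHUTDOWN_ON_BATTERY, SHUTDOWN_LOW_BATTERY):
        print(mode, "->", should_shut_down(ups, mode, timer=300, seconds_on_battery=60))
```

The practical difference the code makes visible: with the on-battery mode the timer alone decides, so a short outage with a generous timer never triggers, while the low-battery mode defers entirely to the UPS's own LB signal and the timer is not consulted.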

11.16. WebDAV

Beginning with FreeNAS® 9.3, WebDAV can be configured to provide a file browser over a web connection. Before starting this service, you must create at least one WebDAV share using Sharing ‣ WebDAV Shares ‣ Add WebDAV Share. Refer to WebDAV Shares for instructions on how to create a share and then how to connect to it once the service is configured and started.

The settings in the WebDAV service apply to all WebDAV shares. Figure 11.16a shows the WebDAV configuration screen. Table 11.16a summarizes the available options.

Figure 11.16a: WebDAV Configuration Screen

webdav2.png

Table 11.16a: WebDAV Configuration Options

Setting Value Description
Protocol drop-down menu choices are HTTP (connection always unencrypted), HTTPS (connection always encrypted), or HTTP+HTTPS (both types of connections allowed)
HTTP Port string only appears if the selected "Protocol" is HTTP or HTTP+HTTPS and is used to specify the port to be used for unencrypted connections; the default of 8080 should work; if you change it, do not pick a port number already being used by another service
HTTPS Port string only appears if the selected "Protocol" is HTTPS or HTTP+HTTPS and is used to specify the port to be used for encrypted connections; the default of 8081 should work; if you change it, do not pick a port number already being used by another service
Webdav SSL Certificate drop-down menu only appears if the selected "Protocol" is HTTPS or HTTP+HTTPS; select the SSL certificate to be used for encrypted connections; to create a certificate, use System –> Certificates
HTTP Authentication drop-down menu choices are Basic Authentication (unencrypted) or Digest Authentication (encrypted)
Webdav Password string default is davtest; this should be changed as it is a known value
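The difference between the two "HTTP Authentication" choices is in what the client puts on the wire. The following is an added example, not FreeNAS® or Apache code: it builds the Basic header and shows that it decodes straight back to the password, then computes an RFC 2617 Digest response (without qop) and verifies it server-side, showing that the password itself never travels and that a reused response fails against a fresh nonce. The user name webdav and the realm are assumed for illustration; davtest is the default password from the table above.

```python
import base64
import hashlib
import secrets


def basic_header(user, password):
    """What a client sends for Basic Authentication."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Authorization: Basic {token}"


def credentials_from_basic(header):
    """Basic is reversible encoding, not encryption: anyone who sees the
    header on an HTTP (not HTTPS) connection recovers the password."""
    token = header.split()[-1]
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


def digest_response(user, realm, password, method, uri, nonce):
    """RFC 2617 Digest without qop: MD5(HA1 ':' nonce ':' HA2).
    The password only enters through HA1; the wire carries the final hash."""
    ha1 = hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{ha2}".encode()).hexdigest()


def verify_digest(user, realm, stored_password, method, uri, nonce, response):
    """Server side: recompute from its own copy of the password and compare
    in constant time. A response made for another nonce does not verify."""
    expected = digest_response(user, realm, stored_password, method, uri, nonce)
    return secrets.compare_digest(expected, response)


if __name__ == "__main__":
    # Assumed user name and realm; davtest is the documented default password.
    hdr = basic_header("webdav", "davtest")
    print(hdr)
    print("recovered from Basic header:", credentials_from_basic(hdr))
    nonce = secrets.token_hex(8)
    resp = digest_response("webdav", "webdav", "davtest", "PROPFIND", "/share", nonce)
    print("Digest response:", resp)
    print("verifies with same nonce:", verify_digest("webdav", "webdav", "davtest", "PROPFIND", "/share", nonce, resp))
```

Digest keeps the password off the wire but still rests on MD5 and does nothing for the file contents, so on anything but a trusted network pair it with the HTTPS protocol choice; and change the davtest default either way, since a known password defeats both schemes.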