Allowing emby access to direcories with permissions controlled by FreeIPA

[el_Pedr0 1]

Hi all,

 

Just installed Emby in my environment where users and groups are managed centrally by FreeIPA. Please could anyone advise on how best to let emby have *write access to my media files.

 

Setup:

* Proxmox host

* freeipa server installed on a centos container

* emby installed on an ubuntu 18.04 server container

* emby container is a freeipa client

 

I have mounted my media directories on the emby server so that they are accessible at /mnt/Library/Movies, /mnt/Library/TVShows, etc.

The /mnt/Library directory tree is owned by myipauser : myipagroup and has 775 permissions.

 

Things I've tried to research:

* Trying to add the emby user to the myipagroup (but haven't found a way to add a local account to a freeipa group either on the freeipa server or on the emby machine)

* Running emby as an IPAuser that is in the myipagroup (being new to emby, I don't understand the implications of this)

 

I'd be grateful for any advice. How can I grant emby *write access to the media *directories in this set up?
 

 

 

(Edited 02 May 12:53 to clarify write permissions required)

Edited May 2, 2020 by el_Pedr0

[mark-in-dallas 87]

I'm still a noob with Linux, and am not familiar with FreeIPA, but what I did and what at least works for me was to add my user account to the Emby group.  In your case it would be adding myipauser to the emby group.  If you don't need access to the directories outside of Emby, you could alternatively chown the directories to emby :emby, or do both.  

 

I don't know the implications of using a third party user management program, so this may not work for your configuration. and if not I'm sure someone with far more experience will be along to offer a better solution or one that will work, but this is quick and easy and easy to reverse if it doesn't work.

[el_Pedr0 1]

Thanks for the reply mark-in-dallas.

 

When I set up my library in Emby, I enabled the options to allow emby to create nfos and save artwork in the library folders. Is it the emby system user that does this (i.e. the one actually called emby)? If so, I need to give the emby system user write permissions. Your suggestion would allow an ipa user to join the emby group, but I would need to do something that does it the otherway round: add the user 'emby' to an ipa group.

 

Unfortunately I can't chown to emby:emby because the ipa system is unaware of the 'emby' system user or group and so all the other machines in the environment would not understand the ownership.

Have I understood the situation correctly?

[mark-in-dallas 87]

Actually no, but that's probably because I didn't do a great job of explaining myself.

 

I added my user account to the emby usergroup because I wanted my user account to be able to delete files and folders created by Emby, not because it was needed for Emby to function.  Your users don't actually need to have access to the emby group, nor does Emby need to have access to other groups, as long as the emby user has access to the drive, files and folders used and/or created by Emby, and the media that you have made available to Emby.

 

And the ipa system shouldn't need to be aware of the emby system or user, because your users are accessing Emby, which is then in turn accessing what it needs using its own emby account.  

 

If your media files need to be accessible to ipa users outside of Emby, then no the solution I offered would not work, but if they are only to be able to access those files using Emby, then chowning to emby :emby should work fine. 

 

Worst case scenario is that you try it and it does not work, and then you  can just chown them back to myipauser :myipagroup

Edited May 4, 2020 by mark-in-dallas