At my wits' end trying to configure TrueNAS

Atadi

Cadet
Joined
Jun 29, 2022
Messages
4
Hi All,

I have been struggling for the better part of a year now, trying to get a TrueNAS Core server set up and configured as I want it.
I have tried doing it on my own, following guides, watching videos and even paying a freelancer to try and set it up with my requirements. I always seem to be running into issues. It is either because the GUI doesn't display what is documented, some functionality is completely missing, or in the case of the freelancer -- what I am trying to achieve is not possible. An example is when creating a zpool and dset, the ACL option is not selectable.

The objective:

- Create a zpool with data transfer performance in mind
- Create a network share for SMB v3 and NFS v4.1 client access
- The share and directories must support Windows ACL
- The NAS must integrate with Active Directory
- Authentication to shares only allowed for AD Group/User

The hardware:

- Intel Xeon E3-1285L v4
- 16 GB ECC Reg
- 1x 160GB SSD (reserved boot-pool)
- 4x 4TB HDD
- 1x 256GB SSD
- 2x 10Gb NIC

The software:

- TrueNAS Core 13.0


So I am hoping that one of you kind souls on here can help. Let me know what could have gone wrong, if there's any particular order that must be followed or any other gotchas that I should be made aware of.
 

Samuel Tai

Never underestimate your own stupidity
Moderator
Joined
Apr 24, 2020
Messages
5,399
First, you'll have better success starting with TrueNAS Core 12.0-U8.1. There are UI bugs in 13.0 that will frustrate you in pool creation, and other configuration items. Once you have things working in 12.0-U8.1, then you can upgrade to 13.0 to achieve faster performance.

Note, you're doing some tasks out of order. ACLs aren't defined during pool or dataset creation. They're defined in the Windows share setup.

What's the purpose of the 256GB SSD?
 

Samuel Tai

First, you'll need to determine your pool layout.


As a rule of thumb, mirrors achieve higher throughput than RAIDZx. With only 4x 4TB drives, however, it's a wash, and you should go with RAIDZ2 for data safety, as you can lose any 2 drives and still be able to restore your pool. Whereas, with a 2-way stripe of 2-way mirrors, if you lose both drives in one of the stripes, your pool is lost.
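
Added example (not part of the original thread): the failure-tolerance comparison in the post above, enumerated over every combination of failed drives for the two 4-drive layouts. The drive labels `da0`..`da3` and all function names are constructed for illustration.

```python
from itertools import combinations

def raidz_survives(failed, parity):
    """A single RAIDZ vdev survives while failed drives <= its parity level."""
    return len(failed) <= parity

def striped_mirrors_survives(failed, mirrors):
    """A stripe of mirror vdevs is lost once every drive in any one mirror fails."""
    return all(not set(m) <= set(failed) for m in mirrors)

def survival_table(drives, survives, max_failures):
    """Map k -> (surviving combinations, total combinations) of k failed drives."""
    table = {}
    for k in range(1, max_failures + 1):
        combos = list(combinations(drives, k))
        table[k] = (sum(1 for c in combos if survives(c)), len(combos))
    return table

# Constructed labels standing in for the thread's 4x 4TB HDDs.
DRIVES = ["da0", "da1", "da2", "da3"]
# 2-way stripe of 2-way mirrors, as described in the post.
MIRRORS = [("da0", "da1"), ("da2", "da3")]

def compare(max_failures=3):
    """Survival tables for RAIDZ2 and striped mirrors on the same four drives."""
    return {
        "raidz2": survival_table(
            DRIVES, lambda f: raidz_survives(f, 2), max_failures),
        "striped_mirrors": survival_table(
            DRIVES, lambda f: striped_mirrors_survives(f, MIRRORS), max_failures),
    }

if __name__ == "__main__":
    for layout, table in compare().items():
        for k, (ok, total) in table.items():
            print(f"{layout}: {k} failed drive(s) -> "
                  f"pool survives {ok}/{total} combinations")
```
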
 

Samuel Tai

Second, determine your dataset structure.

 

Samuel Tai

Third, join Active Directory.

 

Samuel Tai

Last, create Windows shares connected to datasets per share. For each share, create the ACL using AD groups.

 

Atadi

Hi Samuel,

Thank you greatly for taking the time to explain the correct steps!

I have the first and second steps out of the way and am now preparing for the third, to join/integrate with Active Directory. This is where I have had issues before. I have created a dedicated TrueNAS domain account but I am unable to find any documentation pertaining to least privilege requirements. I do not wish to grant domain admin permissions to this user, so the question is what minimum permissions should the user have?
After many failed attempts in the past, the only option I haven't tried yet was to delegate control to the dedicated TrueNAS domain account.

The only detailed documentation I could find for permissions was on Reddit here: https://www.reddit.com/r/freenas/comments/aby68i/does_integrating_with_active_directory_require/

The questions, though, are: 1. is this official documentation and still relevant to TrueNAS 12/13, and 2. are these permissions required at every boot, or can I strip certain permissions?

All I really need is to be able to list AD Groups and Users in the TrueNAS UI for the purpose of assigning read and write permissions to shares.

For the sake of documentation for future readers, attached are screenshots from steps 1 and 2.
FYI: The zPool01 was created using 4x HDD in raidz2 and 1x SSD used for LOG.
 

Attachments

  • 01_Create_zPool01.png
  • 02_Create_dSet01_SMB.png
  • 03_Create_dSet02_NFS.png
  • 04_Pools_Overview.png

Atadi

> First, you'll have better success starting with TrueNAS Core 12.0-U8.1. There are UI bugs in 13.0 that will frustrate you in pool creation, and other configuration items. Once you have things working in 12.0-U8.1, then you can upgrade to 13.0 to achieve faster performance.
>
> Note, you're doing some tasks out of order. ACLs aren't defined during pool or dataset creation. They're defined in the Windows share setup.
>
> What's the purpose of the 256GB SSD?

Forgot to mention this, but the purpose for this SSD was to act as a write buffer (LOG). AFAICT, this is the only beneficial use case for one such disk in this system. System is UPS protected btw.
 

Samuel Tai

@anodos is the resident Samba expert, and could tell you the exact permissions the domain join account needs. I don't run Active Directory myself, so I have no experience here.

A log device isn't useful if you don't have iSCSI shares. Furthermore, unless your log device has power loss protection, there is a risk of data loss if your UPS fails. It's not a write cache. It's an indirect write journal.
 

Samuel Tai

Also, you may want to change your SMB dataset to be case-insensitive, since Windows expects that.
 

Atadi

> @anodos is the resident Samba expert, and could tell you the exact permissions the domain join account needs. I don't run Active Directory myself, so I have no experience here.
>
> A log device isn't useful if you don't have iSCSI shares. Furthermore, unless your log device has power loss protection, there is a risk of data loss if your UPS fails. It's not a write cache. It's an indirect write journal.

Gonna wait for @anodos to chime in. I do indeed have power loss protection, but would you recommend another use for the SSD?
Since saving the screenshots, I have changed the share type to SMB and it is now case-insensitive.
 

Samuel Tai

> would you recommend another use for the SSD?

Since you can add and remove log devices from a pool without data loss, you could try the pool with and without a log device, to see if you get any performance benefit with a log device. Monitor the Reporting in both cases, and try some transfer tests.
 
