SAMBA - confused with browseable

noclaf

Cadet
Joined
Dec 29, 2021
Messages
3
Hi
Just moved to TrueNAS from XigmaNAS and I'm a bit confused with how browseable is (not) working in TrueNAS. I had no issues before, but now...

Situation
I have 1 dataset with 2 main folders : Public and Private
I want to make the Public browseable (i.e. user with credentials opening 192.168.... will see this one folder) but Private accessible only using direct 192.168....\Private
Previously I just made two shares and said that Private is not browseable and tadaaa, it was working like that. But TrueNAS is behaving weirdly :

Issues I ran into (in a kind of chronological order):
1) I tried to use "Default shared parameters" but then "browseable" cannot be turned off in advanced
2) I tried "Private SMB Datasets..." but then even a user accessing 192.168....\Private directly was told that this path does not exist (wut?)
3) ok, I set up both folders as "default share parameters" and forced therefore to make them "browseable", but turned off the default dataset share, so I have 3 shares now:
dataset /mnt/pool_5x8TB/dataset no
Private /mnt/pool_5x8TB/dataset/Private yes
Public /mnt/pool_5x8TB/dataset/Public yes
(yes/no is for whether the share is enabled)

I would expect that typing \\192.168.... will result in error (because it's turned off) and people will have to use directly Public / Private. But no. Both Public and Private ARE accessible, but also just the IP will show the "root" of the share with both folders.

I'm superconfused at this point. Could you please advise how to make the one folder not browseable but accessible? And what's wrong with my set-up?
Note : in all cases I was making my attempts from the same computer using the same credentials. User accessing the SMB is at the same time part of the group owning all the files (if that matters).
 

noclaf

Cadet
Joined
Dec 29, 2021
Messages
3
Problem solved. I reconfigured client and recreated the shares and now it's working. Please don't ask why or how. :-D Apparently as I was setting it up I misclicked somewhere. Now it's working as expected :
Public - default share params
Private - private share and not browseable
Public is visible when accessing IP, Private is not, but directly is.

Still, I wonder why the IP is accessible when I turned off the share of the dataset itself.
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
Don't expect any insight from me as to the browsable issue.

It's unclear on what you mean by
> why the IP is accessible when I turned off the share of the dataset itself.

Sharing and datasets are only loosely related. Good practice tends to be to create a dataset for every share, but I'm not aware of anything that resembles the comment you've just made. A share is a protocol-level thing. From a UNIX point of view, it is a userland process accessing the filesystem. This does not render IPs accessible or inaccessible, and I don't think it magically goes away if something happens to the dataset. You do need all of these things to be correctly configured to successfully share data in a dataset. What are you doing, and what are you actually seeing?
 

noclaf

Cadet
Joined
Dec 29, 2021
Messages
3
I have
/mnt/pool/dataset/
with 2 folders
Public
Private

now there are 3 SMB shares :
dataset
dataset/Public
dataset/Private

dataset share is turned off and the folders are turned on.
Now accessing IP (w/o indicating any folder) will open the dataset (the "root" of the dataset) even though the dataset share is turned off. So I wonder whether by sharing any folder within the dataset I automatically share the whole dataset?
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
Dunno. I personally wouldn't do that, just because it's confusing and I like to shoot for clarity.
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194
> accessing IP (w/o indicating any folder) will open the dataset (the "root" of the dataset) even though the dataset share is turned off
Are you sure? Accessing the root of an SMB server typically (always?) shows all the available shares. If you're sharing all non-root datasets, I can imagine this looking a lot like what you're describing.

You can validate this by creating a file on the root dataset and seeing if it's accessible via SMB. I suspect it won't be.
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
> Accessing the root of an SMB server typically (always?) shows all the available shares.

Yeesh, really? Who designed THAT?

[a little experimentation later]

This does not appear to be exactly true. We have some shares here that do not show up in the root, but are nevertheless accessible. The two significant things about them are that the only FreeNAS config tickbox checked is "Enabled" and that there's an auxiliary parameter containing "valid users = {list}"

I think this is controlled by "Browsable to Network Clients" but I never know whether SMB's words mean the things you would expect them to mean. I'm not going to mess with a production server that's currently doing the correct thing.

I hate SMB.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
> Yeesh, really? Who designed THAT?
>
> [a little experimentation later]
>
> This does not appear to be exactly true. We have some shares here that do not show up in the root, but are nevertheless accessible. The two significant things about them are that the only FreeNAS config tickbox checked is "Enabled" and that there's an auxiliary parameter containing "valid users = {list}"
>
> I think this is controlled by "Browsable to Network Clients" but I never know whether SMB's words mean the things you would expect them to mean. I'm not going to mess with a production server that's currently doing the correct thing.
>
> I hate SMB.

You're not really accessing the "root" of the SMB server per se. You're just accessing a hidden IPC$ share and issuing an RPC call via the srvsvc named pipe requesting the server to list available shares. You can also do the same through the `rpcclient` utility (netshareenum). In TrueNAS at least we prevent anonymous IPC$ access (you have to be an authenticated user). File Explorer in Windows (and various other graphical file managers) hides the nitty-gritty details and shows you as connecting to the "root" of the server.

"Browseable to Network Clients" == "This share will be included in the response to share enumeration requests".
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
For example:
Code:
root@homenas[~]# rpcclient //127.0.0.1 -U isouser -c netshareenum
Enter WORKGROUP\isouser's password:
netname: homes
    remark:  
    path:    C:\mnt\dozer\homes\isouser
    password:  
netname: isouser
    remark:    Home directory of isouser
    path:    C:\mnt\dozer\homes\isouser
    password:  
netname: TM_SMB
    remark:  
    path:    C:\mnt\dozer\SMB49TM
    password:  


In addition to the browsable parameter, you can also append a $ character to the share name to remove it from the browse list. There are generally multiple ways to alter the browse list results.
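
A cross-check of the two mechanisms described in the posts above, as an added example that is not part of the thread and not TrueNAS or Samba code: it predicts the browse list from an smb.conf fragment (per-share `browseable` and the `$` suffix) and compares it with `netshareenum` output. Both inputs are constructed, and the share paths and function names are assumptions.

```python
import configparser

# Constructed inputs (not from the thread): smb.conf fragment and netshareenum output.
SMB_CONF = """
[global]
[Public]
path = /mnt/pool/dataset/Public
[Private]
path = /mnt/pool/dataset/Private
browseable = no
[Archive$]
path = /mnt/pool/dataset/Archive
"""
ENUM_OUTPUT = """\
netname: Public
    path:    C:\\mnt\\pool\\dataset\\Public
netname: Private
    path:    C:\\mnt\\pool\\dataset\\Private
"""

def hidden_reason(name, opts):
    """Why a share is left out of enumeration, or None (per-share settings only)."""
    value = opts.get("browseable", opts.get("browsable", "yes")).strip().lower()
    if value in ("no", "false", "0"):
        return "browseable = no"
    return "name ends with $" if name.endswith("$") else None

def expected_listing(conf_text):
    """Map each share in the config to its hidden reason (None = listed)."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.read_string(conf_text)
    return {s: hidden_reason(s, cp[s]) for s in cp.sections() if s.lower() != "global"}

def enumerated_shares(rpc_output):
    """Lower-cased share names from the `netname:` lines of netshareenum output."""
    return {l.split(":", 1)[1].strip().lower()
            for l in rpc_output.splitlines() if l.startswith("netname:")}

def audit(conf_text, rpc_output):
    """List shares whose observed visibility disagrees with the config."""
    seen, findings = enumerated_shares(rpc_output), []
    for name, reason in expected_listing(conf_text).items():
        listed = name.lower() in seen
        if reason and listed:
            findings.append(f"{name}: enumerated despite {reason}")
        elif not reason and not listed:
            findings.append(f"{name}: expected in browse list, not enumerated")
    return findings

print(audit(SMB_CONF, ENUM_OUTPUT))
```

As the thread notes, a share left out of the listing is still reachable by its direct path, so this checks visibility only, not who may connect.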
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194
And they say we computer folks are unintelligible.
 