Server Message Block (SMB)
5 minute read. Last Modified 2023-08-24 14:36 EDT
Server Message Block shares, also known as Common Internet File System (CIFS) shares, are accessible by Windows, macOS, Linux, and BSD computers. SMB provides more configuration options than NFS and is a good choice on a network for Windows or Mac systems.
TrueNAS uses Samba to share pools using Microsoft’s SMB protocol. SMB is built into the Windows and macOS operating systems and most Linux and BSD systems pre-install an SMB client to provide support for the SMB protocol.
The SMB protocol supports many different types of configuration scenarios, ranging from simple to complex. The complexity of the scenario depends upon the types and versions of the client operating systems that connect to the share, whether the network has a Windows server, and whether Active Directory is being used. Depending on the authentication requirements, it might be necessary to create or import users and groups.
Samba supports server-side copy of files on the same share with clients from Windows 8 and higher. Copying between two different shares is not server-side. Windows 7 clients support server-side copying with Robocopy.
SMB Tips and Tricks shows helpful hints for configuring and managing SMB networking.
Another helpful reference is Methods For Fine-Tuning Samba Permissions.
By default, Samba disables NTLMv1 authentication for security. Standard configurations of Windows XP and some configurations of later clients like Windows 7 will not be able to connect with NTLMv1 disabled. Security guidance for NTLMv1 and LM network authentication has information about the security implications and ways to enable NTLMv2 on those clients. If changing the client configuration is not possible, NTLMv1 authentication can be enabled by selecting the NTLMv1 auth option in the SMB service configuration screen.
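One way to confirm that NTLMv1 has not been left enabled is to audit Samba's effective configuration. The following is an added example, not TrueNAS or Samba project code: it reads `testparm -sv` output and reports Samba's `ntlm auth` and `server min protocol` parameters. The function names and both sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag legacy authentication and dialect settings in Samba's
# effective configuration, as printed by `testparm -sv`.

# audit_samba_conf: reads "key = value" lines on stdin, prints one finding per line.
audit_samba_conf() {
    awk -F= '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        NF >= 2 {
            key = tolower(trim($1)); val = trim($2); low = tolower(val)
            if (key == "ntlm auth") {
                seen_ntlm = 1
                # "yes" is the older spelling of ntlmv1-permitted
                tag = (low == "ntlmv1-permitted" || low == "yes") ? "WEAK" : "OK"
                print tag " ntlm auth = " val
            }
            if (key == "server min protocol") {
                seen_proto = 1
                # any minimum below SMB2 lets SMB1-era dialects negotiate
                tag = (low ~ /^(core|coreplus|lanman1|lanman2|nt1)$/) ? "WEAK" : "OK"
                print tag " server min protocol = " val
            }
        }
        END {
            if (!seen_ntlm)  print "UNKNOWN ntlm auth (not in input; use testparm -v)"
            if (!seen_proto) print "UNKNOWN server min protocol (not in input; use testparm -v)"
        }'
}

sample_default() {  # constructed excerpt of `testparm -sv` output
    printf '[global]\n\tntlm auth = ntlmv2-only\n\tserver min protocol = SMB2_02\n'
}
sample_legacy() {   # constructed: NTLMv1 and SMB1 both permitted
    printf '[global]\n\tntlm auth = ntlmv1-permitted\n\tserver min protocol = NT1\n'
}

echo "default-style config:"; sample_default | audit_samba_conf
echo "legacy-style config:";  sample_legacy  | audit_samba_conf
```

On a live system the same function can be fed with `testparm -sv 2>/dev/null | audit_samba_conf`.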
As of SCALE 22.12 (Bluefin), MS-DOS SMB1 clients cannot connect to TrueNAS SCALE Bluefin. TrueNAS SCALE SMB does not support End-of-Life (EoL) Windows clients, including MS-DOS.
The Samba project, which TrueNAS SCALE uses to provide SMB sharing features, has deprecated the SMB1 protocol over security concerns. The Samba 4.16 release notes state that the whole SMB1 protocol has been deprecated and disabled since 4.11. Where needed for security or code maintenance, Samba continues to remove older protocol commands and dialects that are unused or that are replaced in more modern SMB1 versions.
TrueNAS now uses Samba 4.17. TrueNAS still has SMB1 protocol support but:
- MS-DOS-based SMB clients cannot connect to TrueNAS SCALE Bluefin.
- MS-DOS-based SMB clients are no longer able to connect to any TrueNAS servers.
- SMB clients determined to be end-of-life (EOL) by their vendor are not supported.
Administrators should work to phase out any clients using the SMB1 protocol from their environments.
Client systems that can only use the SMB1 protocol for SMB shares are no longer capable of connecting to SMB shares created in TrueNAS SCALE 22.12 or later.
Refer to Samba release notes for more information.
To view all active SMB connections and users, enter `smbstatus` in the TrueNAS Shell.
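To find the clients that still need to be phased out, the session table from `smbstatus -b` can be filtered by negotiated dialect. This is an added example, not part of the TrueNAS documentation: the function names are hypothetical, the sample session table is constructed, and it assumes the "Protocol Version" column reports SMB1 sessions as `NT1`.

```shell
#!/bin/sh
# smb_sessions: reads `smbstatus -b` output on stdin, prints "user machine dialect".
smb_sessions() {
    awk '
        $1 ~ /^[0-9]+$/ {                     # session rows start with a PID
            for (i = 4; i <= NF; i++)         # column position shifts if names contain spaces
                if ($i ~ /^(NT1|LANMAN[12]|COREPLUS|CORE|SMB[23]_[0-9]+)$/) {
                    # machine is printed as "addr (ipv4:addr:port)"; keep the address
                    m = ($(i-1) ~ /^\(/) ? $(i-2) : $(i-1)
                    print $2, m, $i
                    break
                }
        }'
}

# legacy_smb_sessions: only sessions that negotiated a pre-SMB2 dialect.
legacy_smb_sessions() { smb_sessions | awk '$3 !~ /^SMB[23]_/'; }

# dialect_counts: "<dialect> <sessions>", sorted by dialect name.
dialect_counts() {
    smb_sessions | awk '{ n[$3]++ } END { for (d in n) print d, n[d] }' | sort
}

sample_smbstatus() {  # constructed sample of `smbstatus -b` output
cat <<'EOF'
PID     Username     Group        Machine                                   Protocol Version  Encryption           Signing
----------------------------------------------------------------------------------------------------------------------------
4021    alice        staff        192.0.2.20 (ipv4:192.0.2.20:51544)        SMB3_11           -                    partial(AES-128-CMAC)
4188    bob          staff        192.0.2.31 (ipv4:192.0.2.31:49822)        SMB2_10           -                    -
4302    scanner      devices      192.0.2.77 (ipv4:192.0.2.77:1039)         NT1               -                    -
EOF
}

echo "Sessions per dialect:";  sample_smbstatus | dialect_counts
echo "Legacy (SMB1) sessions:"; sample_smbstatus | legacy_smb_sessions
```

In the TrueNAS Shell, replace `sample_smbstatus` with `smbstatus -b` to run the same filters against live sessions.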
Most configuration scenarios require each user to have their own user account and to authenticate before accessing the share. This allows the administrator to control access to data, provide appropriate permissions to that data, and to determine who accesses and modifies stored data. A Windows domain controller is not needed for authenticated SMB shares, which means that additional licensing costs are not required. However, because there is no domain controller to provide authentication for the network, each user account must be created on the TrueNAS system. This type of configuration scenario is often used in home and small networks as it does not scale well if many user accounts are needed.
Shadow Copies, also known as the Volume Shadow Copy Service (VSS) or Previous Versions, is a Microsoft service for creating volume snapshots. Shadow copies can be used to restore previous versions of files from within Windows Explorer.
By default, all ZFS snapshots for a dataset underlying an SMB share path are presented to SMB clients through the volume shadow copy service (or accessible directly with SMB if the hidden ZFS snapshot directory is located within the path of the SMB share).
Before using shadow copies with TrueNAS, be aware of these caveats:
- If the Windows system is not fully patched to the latest service pack, Shadow Copies might not work. If no previous versions of files to restore are visible, use Windows Update to ensure the system is fully up-to-date.
- Shadow copy support only works for ZFS pools or datasets.
- Appropriate permissions must be configured on the pool or dataset being shared by SMB.
Users cannot delete shadow copies via an SMB client. Instead, the administrator can remove snapshots from the TrueNAS web interface. Shadow copies can be disabled for an SMB share by unsetting the Enable shadow copies advanced option for the SMB share. Note that this does not prevent access to the hidden `.zfs/snapshot` directory for a ZFS dataset if it is located within the Path for an SMB share.
macOS includes the Time Machine feature which performs automatic backups. TrueNAS supports Time Machine backups for both SMB and AFP shares.
Configuring a quota for each Time Machine share helps prevent backups from using all available space on the TrueNAS system. Time Machine waits two minutes before creating a full backup. It then creates ongoing hourly, daily, weekly, and monthly backups. The oldest backups are deleted when a Time Machine share fills up, so make sure that the quota size is large enough to hold the desired number of backups. A default installation of macOS is over 20 GiB.
Configure a global quota using the instructions in Set up Time Machine for multiple machines with OSX Server-Style Quotas or create individual share quotas.