This content follows the TrueNAS SCALE 23.10 (Cobia) releases.

Multiprotocol Shares


Last Modified 2024-04-24 14:31 EDT

About Multiprotocol Shares

A multiprotocol or mixed-mode NFS and SMB share supports both NFS and SMB protocols for sharing data. Multiprotocol shares allow clients to use either protocol to access the same data. This can be useful in environments with a mix of Windows systems and Unix-like systems, especially if some clients lack an SMB client.

Carefully consider your environment and access requirements before configuring a multiprotocol share. For many applications, a single protocol SMB share provides better user experience and ease of administration. Linux clients can access SMB shares using mount.cifs.

It is important to properly configure permissions and access controls to ensure security and data integrity when using mixed-mode sharing. To maximize security on the NFS side of the multiprotocol share, we recommend using NFSv4 and Active Directory (AD) for Kerberos authentication. It is also important that NFS clients preserve extended attributes when copying files, or SMB metadata could be discarded in the copy.
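A check for the extended-attribute caveat above, added here as an example and not part of the TrueNAS documentation or tooling. It compares a source tree with its copy, both as mounted on a Linux client, and reports attributes that did not survive; the function names are illustrative.

```python
import errno
import os


def _xattrs(path):
    """Return {name: value} for path, or {} if the filesystem has no xattr support."""
    try:
        return {n: os.getxattr(path, n, follow_symlinks=False)
                for n in os.listxattr(path, follow_symlinks=False)}
    except OSError as exc:
        if exc.errno in (errno.ENOTSUP, errno.ENODATA):
            return {}
        raise


def lost_xattrs(src_root, dst_root):
    """Map relative path -> sorted names of xattrs that exist on the source
    but are missing or changed on the copy under dst_root."""
    lost = {}
    for dirpath, dirnames, filenames in os.walk(src_root):
        for name in dirnames + filenames:
            src = os.path.join(dirpath, name)
            rel = os.path.relpath(src, src_root)
            dst = os.path.join(dst_root, rel)
            if not os.path.lexists(dst):
                continue  # an uncopied file is a separate finding
            have = _xattrs(dst)
            bad = sorted(n for n, v in _xattrs(src).items() if have.get(n) != v)
            if bad:
                lost[rel] = bad
    return lost
```

An empty result means every attribute on the source is present with the same value on the copy.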

First Steps

Before adding a multiprotocol SMB and NFS share to your system:

  1. Configure and start the SMB and NFS services. Ensure that NFS is configured to require Kerberos authentication.

  2. Join the TrueNAS server to an existing Active Directory domain. Configure a container, Kerberos admin, and user accounts in AD.

  3. Set up a dataset for the new share with Share Type set to Multiprotocol.

Configuring and Starting Services

Before joining AD and creating a dataset for the share to use, first start both the SMB and NFS services and configure the NFS Service for Kerberos authentication. Configure the NFS service before joining AD for simpler Kerberos credential creation.

Configuring the SMB Service

Configure the SMB service by clicking Config Service from the more_vert dropdown menu on the Shares screen or by clicking on the Services screen. Unless you need a specific setting or are configuring a unique network environment, we recommend using the default settings.

Starting the SMB Service

Start the service from the Windows SMB Share header on the Sharing screen or in System Settings > Services.

Starting the Service Using the Windows SMB Share

From the Sharing screen, click on the Windows (SMB) Shares more_vert to display the service options, which are Turn Off Service if the service is running or Turn On Service if the service is not running.

Each SMB share on the list also has a toggle to enable or disable the service for that share.

Starting the Service Using System Settings

Go to System Settings > Services and click the toggle for SMB. Set Start Automatically if you want the service to activate when TrueNAS boots.

Configuring the NFS Service

Configure the NFS service by clicking Config Service from the more_vert dropdown menu on the Shares screen or by clicking on the Services screen.

Under NFSv4, ensure the NFSv4 protocol is selected from the Enabled Protocols dropdown menu. For security hardening, we recommend disabling the NFSv3 protocol.

Select Require Kerberos for NFSv4 to enable using a Kerberos ticket.

If Active Directory is already joined to the TrueNAS server, click Save and then reopen the NFS configuration screen. Click Add SPN to open the Add Kerberos SPN Entry dialog.

Figure 2: Add Kerberos SPN Entry

Click Yes when prompted to add a Service Principal Name (SPN) entry. Enter the AD domain administrator user name and password in Name and Password.

TrueNAS SCALE automatically applies SPN credentials if the NFS service is enabled with Require Kerberos for NFSv4 selected before joining Active Directory.

Starting the NFS Service

Start the service from the Unix Shares (NFS) header on the Sharing screen or in System Settings > Services.

Starting the Service Using the Unix Shares (NFS) Share

From the Sharing screen, click on the Unix Shares (NFS) more_vert to display the service options, which are Turn Off Service if the service is running or Turn On Service if the service is not running.

Each NFS share on the list also has a toggle to enable or disable the service for that share.

Starting the Service Using System Settings

Go to System Settings > Services and click the toggle for NFS. Set Start Automatically if you want the service to activate when TrueNAS boots.

The NFS service does not automatically start on boot if all NFS shares are encrypted and locked.

Joining Active Directory

Mixed-mode SMB and NFS shares greatly simplify data access for clients running a range of operating systems. They also require careful attention to security complexities not present in standard SMB shares. NFS shares do not respect permissions set in the SMB Share ACL. Protect the NFS export with proper authentication and authorization controls to prevent unauthorized access by NFS clients.

We recommend using Active Directory to enable Kerberos security for the NFS share. Configure a container (group or organizational unit), Kerberos admin, and user accounts in AD.

Creating a Multiprotocol Share Dataset

Before creating a mixed-mode share, create the dataset you want the share to use for data storage.

It is best practice to use a dataset instead of a full pool for SMB and/or NFS shares. Sharing an entire pool makes it more difficult to later restrict access if needed.

We recommend creating a new dataset with the Share Type set to Multiprotocol for the new mixed-mode share.

To create a dataset using the default settings, go to Datasets. Default settings include the settings datasets inherit from the parent dataset.

Select a dataset (root, parent, or child), then click Add Dataset.

Enter a value in Name.

Select either Sensitive or Insensitive from the Case Sensitivity dropdown.

Select the Share Type, then click Save. Options are Generic, Multiprotocol, SMB, or Apps.

You can create datasets optimized for SMB shares or with customized settings for your dataset use cases.

If you plan to deploy container applications, the system automatically creates the ix-applications dataset, but it is not used for application data storage. If you want to store data by application, create the dataset first, then deploy your application. When creating a dataset for an application, select App as the Share Type setting. This optimizes the dataset for use by an application.

Review the Share Type and Case Sensitivity options on the configuration screen before clicking Save. You cannot change these or the Name setting after clicking Save.

Adjusting the Dataset ACL

After joining AD and creating a dataset, adjust the dataset/file system ACL to match the container and users configured in AD.

  1. Go to Datasets.

  2. Click on the name of the dataset created for the multiprotocol share to use.

  3. Scroll down to the Permissions widget. Click Edit to open the Edit ACL screen.

  4. Check the Access Control List to see if the AD group you created is on the list and has the correct permissions. If not, add this Access Control Entry (ACE) item.

    a. Enter Group in the Who field or use the dropdown list to select Group.

    b. Type or select the appropriate group in the Group field.

    c. Verify Full Control displays in Permissions. If not, select it from the dropdown list.

    d. Click Save Access Control List to add the ACE item or save changes.

See Permissions for more information on editing dataset permissions.

Adding a Multiprotocol Share

To configure a multiprotocol share on your system:

  1. Complete the first steps above.

  2. Create the SMB share with Purpose set to Multi-protocol (NFSv4/SMB) shares.

  3. Create the NFS share with Security set to KRB5.

  4. Connect client system(s) to the share.

Creating the SMB Share

To create the SMB share, go to Shares.

  1. Click on Windows Shares (SMB) to select it and then click Add. The Add SMB configuration screen displays the Basic Options settings.

  2. Enter the SMB share Path and Name.

    Enter the path or use the arrow_right icon to the left of folder/mnt to locate the dataset you created for the multiprotocol share.

    The Name is the SMB share name, which forms part of the share pathname when SMB clients perform an SMB tree connect. Because of how the SMB protocol uses the name, it must be less than or equal to 80 characters. It cannot have invalid characters as specified in Microsoft documentation MS-FSCC section 2.1.6. If you do not enter a name, the share name becomes the last component of the path. If you change the name, follow the naming conventions for:

  3. Select Multi-protocol (NFSv4/SMB) shares from the Purpose dropdown list to apply pre-determined Advanced Options settings for the share.

  4. (Optional) Enter a Description to help explain the share purpose.

  5. Select Enabled to allow sharing of this path when the SMB service is activated. Leave it cleared if you want to disable the share without deleting the configuration.

  6. If needed, use Advanced Options to set up guest access, read-only access, or allowed and denied hosts, or to optimize the SMB share for Apple OS. See Adding SMB Shares for more information.

  7. Click Save to create the share and add it to the Shares > Windows (SMB) Shares list.

Creating the NFS Share

To create the NFS share, go to Shares.

  1. Click on Unix (NFS) Shares to select it and then click Add. The Add NFS Share configuration screen displays the Basic Options settings.

  2. Enter the path or use the arrow_right icon to the left of folder/mnt to locate the dataset you created for the multiprotocol share.

  3. Enter text to help identify the share in Description.

  4. If needed, enter allowed networks and hosts.

    If you want to enter allowed networks, click Add to the right of Networks. Enter an IP address in Network and select the mask in CIDR notation. Click Add for each network address and CIDR you want to define as an authorized network. Defining an authorized network blocks access from all other networks. Leave empty to allow all networks.

    If you want to enter allowed systems, click Add to the right of Hosts. Enter a host name or IP address to allow that system access to the NFS share. Click Add for each allowed system you want to define. Defining authorized systems blocks access from all other systems. Press the X to delete the field and allow all systems access to the share.

  5. Enable Kerberos security.

    Click Advanced Options.

    If needed, select Read-Only to prohibit writing to the share.

    Select KRB5 from the Security dropdown to enable the Kerberos ticket that was generated when you joined Active Directory.

  6. Click Save to create the share.
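To confirm that steps 4 and 5 took effect, the resulting export table can be audited for entries that still accept non-Kerberos security or any host. This is an added example, not TrueNAS code; it assumes the export table is available as text in the Linux exports(5) format, and the sample paths and networks are constructed.

```python
import re
import shlex

KRB_FLAVORS = {"krb5", "krb5i", "krb5p"}
CLIENT_RE = re.compile(r"^([^()]*)(?:\(([^()]*)\))?$")

# Constructed sample in exports(5) format, not taken from a real system.
SAMPLE_EXPORTS = r'''
# multiprotocol share restricted to one network with Kerberos
"/mnt/tank/multiproto"\
    10.20.0.0/24(sec=krb5,rw,no_subtree_check)
"/mnt/tank/legacy"\
    *(sec=sys,rw,no_subtree_check)
"/mnt/tank/mixed" 10.20.0.0/24(sec=krb5:sys,ro)
'''


def audit_exports(text):
    """Return (path, client, finding) tuples for exports(5)-format text."""
    findings = []
    # Join backslash-continued lines, then drop comments and blank lines.
    for line in text.replace("\\\n", " ").splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = shlex.split(line)
        for spec in clients or [""]:  # no client list means any host
            m = CLIENT_RE.match(spec)
            if not m:
                findings.append((path, spec, "unparsed client spec"))
                continue
            client = m.group(1) or "*"
            opts = (m.group(2) or "").split(",")
            # exports(5): when sec= is absent the export defaults to sec=sys
            sec = next((o[4:] for o in opts if o.startswith("sec=")), "sys")
            if not set(sec.split(":")) <= KRB_FLAVORS:
                findings.append((path, client, "allows non-Kerberos sec=" + sec))
            if client == "*":
                findings.append((path, client, "open to all hosts"))
    return findings


if __name__ == "__main__":
    for finding in audit_exports(SAMPLE_EXPORTS):
        print(*finding, sep="\t")
```

An entry such as `sec=krb5:sys` is flagged because a client can still negotiate the unauthenticated flavor.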

Connecting to a Multiprotocol Share

After you create and configure the shares, connect to your multiprotocol share using either SMB or NFS protocols from a variety of client operating systems including Windows, Apple, FreeBSD, and Linux/Unix systems. For more information on accessing shares, see Mounting the SMB Share and Connecting to the NFS Share.
