TrueNAS Stable Version Documentation
This content follows TrueNAS 25.10 (Goldeye) releases.

Setting Up SMB Private Dataset Shares

When creating a share, do not attempt to set up the root or pool-level dataset for the share. Instead, create a new dataset under the pool-level dataset for the share. Setting up a share using the root dataset leads to storage configuration issues.

SMB Home Share is a legacy feature for organizations looking to maintain existing SMB configurations. Microsoft deprecated the Home Shares feature in Windows 10 and removed it completely from Windows 11. They no longer support Home Shares as of October 2025. TrueNAS removed the home share option from the SMB share Purpose list in 24.04 (Dragonfish).

The SMB share Other Options in pre-25.10 releases includes a home share legacy option, but it is not recommended for new shares. It is for organizations still using the legacy home shares option to add a single SMB share to provide a personal directory for every user account. Future TrueNAS releases can introduce instability or require configuration changes affecting this legacy feature. This option does not show in 25.10 and later releases unless an existing home share is upgraded to 25.10 or later.

Replacing SMB Home Shares

TrueNAS has removed the Use as Home Share option, found in the Other Options section of the Advanced Options screen for the Add SMB and Edit SMB screens in earlier releases of TrueNAS. The Private Dataset Share found as a Purpose dropdown list option in 25.10 and later releases replaces home shares, and is the recommended method to provide users with a private personal folder they access through an SMB share.

Follow the instructions in the Adding Private Dataset Shares section below to set up private and personal shares.

What is a private dataset and share? The Private Dataset Share option creates a private personal directory for a user in the specified dataset. When correctly configured, it provides users with a private folder that only they can access through an SMB share.

TrueNAS allows creating one private directory per user, while it still allows creating as many non-private directories as desired or needed. When a user first authenticates to a Private Dataset Share, TrueNAS automatically creates a subdirectory named after their username (for example, /mnt/poolname/share-name/username/). Each user only sees and can access their own subdirectory when connecting to the share. Users can create as many directories as needed through a Windows File Explorer.

TrueNAS does not control what Windows allows through the File Explorer. Share ACL settings control who can access the private directory share. If the personal directories show in File Explorer, use Windows file properties and access control to hide the folder in the share.

A user home directory in TrueNAS is a function of the ZFS file system and is not related to the SMB private dataset share or the (deprecated) Home Share. A user configuration does not need to specify or add a file system home directory for a private dataset share.

Other options for configuring individual user directories include:

  • Configure a single share on the TrueNAS and provision individual user directories on the client OS.
  • Create a single SMB share and configure the ACL so that users can create individual directories on the share that inherit write access for the user and grant read access to the administrator.
  • Create an SMB share using the Private SMB datasets and shares preset, and then create per-user datasets under the umbrella of a single share when users access the share.

Creating an SMB private dataset share requires provisioning users or joining Active Directory, and configuring the system storage and share.

Adding Private Dataset Shares

Private directories are not intended for every user on the system. When the Purpose dropdown list is set to the Private Dataset Share option, TrueNAS might show the private directories to all users with access to the root level of the share, but setting the share ACL prevents other users from accessing the private share.

Examples of setting up private SMB shares are those for backups, system configuration, and users or departments that need to keep information private from other users.

This article covers:

  1. Adding the private dataset share user.
  2. Creating the private dataset share and the dataset.
  3. Modifying ACL permissions for the dataset(s) and the share.

Adding the Share User

SMB Access is the default user access type that allows using the account credentials to access data shared with SMB.

When creating a user, you must:

  • Enter a Full Name or description for the user, such as a first and last name.
  • Enter a Username.
  • Enter a Password.
  • Specify or accept the default user ID (UID).

TrueNAS requires other options based on the level of access and role assigned to the user. The Shell option only shows for users with Shell Access or SSH Access selected.

To manually add a new user, click Credentials > Users, and then click Add to open the Add User screen.

  1. Enter a username for the user. Names are case sensitive!

  2. Set the level of access given to this user.

    SMB Access is selected by default. Select TrueNAS Access, then select the administration role from the dropdown list that shows after selecting the TrueNAS Access option.

    • To create an administrator with full access, select Full Admin.
    • To create an administrator with access to manage shares, select Sharing Admin.
    • To create an administrator with read-only access, select Readonly Admin.
    • To allow the user to access the Shell in the UI, select Shell Access.

    To allow the user to establish an SSH session with the system, select SSH Access. Selecting this option also selects the Shell Access option by default. To limit the user to only Shell access, do not select the SSH Access option.

  3. Enter a password for the user.

    Set up SSH authentication.

    These options only show when you select the SSH Access option.

    Select the optional Allow SSH Login with Password if you want to allow this user to log in to an SSH session and not be prompted to enter a password. This is not recommended as it presents a security vulnerability!

    Manually enter or copy/paste the public key in the Public SSH Key field to assign a public SSH key to the user for key-based authentication.

    Do not enter the private key!

    After adding authentication settings, complete the SSH access by setting up sudo commands in the next step.

    Always keep a backup of an SSH public key if you are using one.

  4. Enter additional details for the user. Setting options change based on the access option selected. Shell Access and SSH Access show the Shell and Sudo Command settings.

    Enter the full name for the user. The full user name is not case sensitive.

    (Optional) Enter the email for the user. Starting in TrueNAS 25.10, system notifications are sent to recipients configured in system email settings rather than user account emails.

    Set up a group.

    Accept the default group setting, which is Create New Primary Group. This creates a group with the same name as the admin user. The role setting adds the user to the appropriate auxiliary group for that role.

    To select a different group, clear the checkmark, and select a new group on the Primary Group dropdown list. Next, select the group in Auxiliary Groups from the dropdown list.

    Accept the default UID setting or enter a new UID. TrueNAS suggests a user ID starting at 3000, but you can change it if you wish. We recommend using an ID of 3000 or greater for non-built-in users.
    (Optional) Add a home directory for the user.

    Some functions, such as replication tasks, require setting a home directory for the user configuring the task.

    SSH User Validation
    Users must have a home directory and shell access to log in with SSH.

    When creating a user, the default home directory path is set to /var/empty. This directory is an immutable directory shared by service accounts and accounts that should not have a full home directory. If set to this path TrueNAS does not create a home directory for the user. You must change this to the path for the dataset created for home directories.

    Select Create Home Directory to create a new home directory. Leave unselected to select an existing home directory. The file browser field is renamed based on whether you select this option.

    Click the arrow to expand the dataset tree until you reach the home directory parent dataset. After clicking on a dataset, the Create Dataset option activates. Use the Create Dataset option to add a new dataset for the home directory if one does not already exist.

    Leave Default Permissions selected to accept the default permissions, or clear the checkmark to select Read, Write, and Execute for each role (User, Group, and Other) and customize these permissions for the user, group, or other.

    Why did this change in TrueNAS 24.04 (Dragonfish) and later?

    TrueNAS uses the pam_mkhomedir PAM module in the pam_open_session configuration file to automatically create user home directories if they do not exist. pam_mkhomedir returns PAM_PERM_DENIED if it fails to create a home directory for a user, which eventually turns into a pam_open_session() failure. This does not impact other PAM API calls, for example, pam_authenticate().

    TrueNAS 24.04 (or newer) does not include the customized version of pam_mkhomedir used in TrueNAS 13.0 that specifically avoided trying to create the /nonexistent directory. This led to some circumstances where users could create the /nonexistent directory on TrueNAS versions before 24.04.

    Starting in TrueNAS 24.04 (Dragonfish), the root filesystem of TrueNAS is read-only, which prevents pam_mkhomedir from creating the /nonexistent directory in cases where it previously did. This results in a permissions error if pam_open_session() is called by an application for a user account that has Home Directory set to /nonexistent.

    Select the shell option from the dropdown list. Default is zsh when you select Shell Access or SSH Access.

    Set up the sudo command options.

    If required, set the sudo permissions to assign. For improved security, temporarily enable limited sudo permissions only when required to complete an administrative task and disable sudo after completing the task. See Allowing Sudo Commands for more information.

    To improve security, deny sudo permissions unless required for specific, recurring administrative tasks, or allow sudo permissions only when needed to perform a discrete task, and then deny again when finished. Do not allow sudo permissions for read-only administrators.

    Select Allow all sudo commands if you want to allow the user to enter sudo commands in the shell or an SSH session, but still have TrueNAS prompt the user for their password. To limit the sudo commands allowed to a few rather than all commands, enter each in the Allowed sudo commands field. Enter each command as an absolute path to the ELF (Executable and Linkable Format) executable file, for example, /usr/bin/nano. /usr/bin/ is the default location for commands. Press enter after each command to separate the entries.

    Select Allow all sudo commands with no password to allow the user to enter sudo commands in the shell or an SSH session, and not have TrueNAS prompt the user to enter their password. To limit the commands allowed to a few rather than all sudo commands, enter each in the Allowed sudo commands with no password field. Enter each command as an absolute path to the ELF (Executable and Linkable Format) executable file, for example, /usr/bin/nano. /usr/bin/ is the default location for commands. Press enter after each command to separate the entries.

    Alternatively, accept default user sudo permissions and apply permissions to a new administrator group if you choose to use a group to assign permissions.

  5. Click Save to add the user.
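
The SSH home-directory rule and the Allowed sudo commands format from step 4 can be checked with a short script. This is an added example, not TrueNAS code: the function names, the sample accounts and the pool name `tank` are constructed, the list of non-login shells is an assumption, and the world-writable check is an extra hardening check not taken from the page.

```python
import os
import stat

# Home paths the page names as placeholders that never hold a real home directory.
PLACEHOLDER_HOMES = {"/var/empty", "/nonexistent"}
# Assumption: common Linux paths for shells that refuse interactive logins.
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/usr/bin/false"}

# Constructed passwd(5) records for illustration only.
SAMPLE_PASSWD = """\
rikka:x:3000:3000:Rikka:/mnt/tank/homes/rikka:/usr/bin/zsh
backupsvc:x:3001:3001:Backup:/var/empty:/usr/bin/zsh
smbonly:x:3002:3002:SMB only:/var/empty:/usr/sbin/nologin
legacy:x:3003:3003:Legacy:/nonexistent:/usr/bin/zsh
"""


def ssh_session_blockers(passwd_text, ssh_users):
    """Return {username: [reasons]} for accounts in ssh_users that cannot open an SSH session."""
    findings = {}
    for line in passwd_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 7 or fields[0] not in ssh_users:
            continue  # malformed record, or an account not expected to use SSH
        name, home, shell = fields[0], fields[5], fields[6]
        reasons = []
        if home in PLACEHOLDER_HOMES:
            reasons.append(f"home is placeholder {home}")
        if shell in NOLOGIN_SHELLS:
            reasons.append(f"shell {shell} refuses logins")
        if reasons:
            findings[name] = reasons
    return findings


def check_sudo_entry(entry):
    """Return None if entry is an absolute path to an ELF executable, else the reason it is not."""
    if not os.path.isabs(entry):
        return "not an absolute path"
    if os.path.normpath(entry) != entry:
        return "path is not normalized"
    try:
        st = os.stat(entry)  # follows symlinks, so the real target is inspected
    except OSError:
        return "file does not exist"
    if not stat.S_ISREG(st.st_mode):
        return "not a regular file"
    if not st.st_mode & 0o111:
        return "not executable"
    with open(entry, "rb") as fh:
        if fh.read(4) != b"\x7fELF":  # ELF magic number
            return "not an ELF executable"
    if st.st_mode & stat.S_IWOTH:
        return "world-writable"  # any user could replace the binary sudo runs
    return None


if __name__ == "__main__":
    expected_ssh = {"rikka", "backupsvc", "legacy"}
    for user, why in ssh_session_blockers(SAMPLE_PASSWD, expected_ssh).items():
        print(user, "->", "; ".join(why))
    print("/usr/bin/nano:", check_sudo_entry("/usr/bin/nano") or "ok")
```
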

Using AD to Add Users and Private Dataset Shares

You can manually add users and groups in TrueNAS, or configure groups in Active Directory and add users to each group, and then have AD add the users and group to TrueNAS. After AD adds users and groups, configure private directories, and if needed for other file system functions not related to private directory shares, configure home directories for the users and group(s). See Managing Users for more information on adding home directories.

Before setting up SMB shares, check system alerts to verify that no errors related to connections to Active Directory are listed. Resolve any issues with Active Directory before proceeding. If Active Directory cannot bind with TrueNAS, you cannot start the SMB service after making changes.

Creating the Private Dataset Share

TrueNAS must be joined to Active Directory or have at least one local SMB user before creating an SMB share. When creating an SMB user, ensure that Samba Authentication is enabled. You cannot access SMB shares using the root user, TrueNAS built-in user accounts, or those without Samba Authentication selected.

You can use an existing dataset or create a new dataset for the share.

We recommend using the Add SMB screen to create a new share and dataset for this procedure, and for any customized SMB share, rather than using the Add Dataset screen to create the share and dataset. In general, when creating a simple SMB share and dataset, you can use either screen. We recommend using the Add Dataset screen to access the dataset advanced setting options when you want to customize the dataset, and using the Add SMB screen to create and customize an SMB share with presets and advanced options.

When using the file browser in the Add SMB or Edit SMB screens, if the parent dataset selected has an ACL, TrueNAS might show a warning message advising you to strip the ACL from the dataset.

Click Continue to close the dialog and continue adding the dataset. Alternatively, close the Add SMB screen, go to the Datasets screen, select the same dataset, locate the Permissions widget, then click Edit to open the Edit ACL screen. Click Strip ACL on the Edit ACL screen. Save the change, then return to the Shares screen and open the Add SMB screen.

TrueNAS shows a Configure ACL dialog to remind you to edit the ACL if you did not stop to strip the ACL.

Click Configure to open the Edit ACL screen, or No to close the dialog and do nothing.

Before You Begin

Before creating the private share dataset, go to Datasets, select the parent dataset for the private share dataset and check the permissions for that dataset. Select the parent dataset on the dataset tree table, then click Edit on the Permissions widget to open the Edit ACL screen for that dataset. Change the default in Owner and Owner Group to the admin user for your system, and click apply for both owner and owner group. The owner and owner group default user is root, which means only the root user can create the private share dataset unless you add your admin user to the ACL and give the entry full access permissions. When set to root, if another logged-in admin user tries to create a new private dataset share nested under the parent, TrueNAS shows an error message and prevents adding the new private dataset share until you correct the permissions issue. You can leave the Owner and Owner Group set to root, but you must add a user entry for the admin user who creates the private dataset shares. Give that admin user full access permissions.

Adding the Private Dataset Share and Dataset

To create an SMB private dataset share, go to Shares, and click Add on the Windows (SMB) Shares widget to open the Add SMB screen.

  1. Select Private Dataset Share on the Purpose dropdown list, then click Advanced Options to configure additional share setting options.

  2. Enter or browse to select the path to the parent dataset for the private share dataset, then click Create Dataset. The Create Dataset dialog opens.

  3. Enter the private dataset name, for example rikka-private, then click Create Dataset. The dialog closes, and Path is populated with the full path to the new dataset.

    If you create a simple share and dataset using the Add Dataset screen, to customize it, go to Shares, select it on the SMB screen (or widget if it shows on the list), then click Edit. Verify the path and Name field are populated, and change the “Purpose” from Default Share to Private Dataset.

    Follow naming conventions for:

    The dataset name populates the share Name field and becomes the share name. The Path field is updated with the dataset name. The share and dataset must have the same name.

  4. (Optional) Click Advanced, scroll down to select Enable Logging to enable SMB share audit logging.

  5. (Optional) Scroll down to Other Options while on the Advanced Options screen to locate the legacy Export Recycle Bin option, which only shows if you select a share created in an earlier TrueNAS release. This allows moving files deleted in the share to a recycle bin in that dataset.

    Files are renamed to a per-user subdirectory within the .recycle directory at the root of the SMB share if the path is the same dataset as the share. If the dataset has a nested dataset, the directory is at the root of the current dataset. If this is the case, there is no automatic deletion based on file size.

  6. (Optional) Select any other advanced option that applies to your share needs.

  7. Click Save.

  8. Enable or restart the SMB service when prompted and make the share available on your network.

When prompted by the system to configure the dataset ACL, accept the option. The Edit ACL screen for the new private share dataset opens.

Setting ACL Permissions

The private dataset share requires both the dataset and share ACL permissions to allow or prevent access to the share.

Dataset ACL permissions are configured on the Edit ACL screen. Share ACL permissions are configured using the Share ACL for rikka-private screen.

Setting Dataset Permissions

First, set the dataset permissions to allow your admin user and the user assigned to the private directory share access. Your admin user must have permissions granted for the parent dataset covered in Before You Begin and the private dataset covered in this section. If you want or need to grant another user access to the private share dataset, other than the private share user or a group of users, add an ACL entry to the dataset and share ACL to allow access to the private dataset.

Accessing the Edit ACL screen with the dataset permissions:

  • From the Datasets screen, select the dataset row for the private share dataset. Click Edit on the Permissions widget to open the Edit ACL screen. See Setting Up Permissions for more information on editing dataset permissions.

  • From the Shares screen, click the triple dot icon for the share row, then click Edit Filesystem ACL to open the Edit ACL screen.

Set the permission for the private dataset to allow additional users or a group if others are permitted to access the private directory share.

Click the Owner dropdown, select the administration user with full control, and then repeat for Group. You can set the owning group to your Active Directory domain admins. Click Apply Owner and Apply Group to apply the changes.

Figure 9: Add Dataset ACL Permissions
Figure 10: Set the owning group to Domain Admins

Click Use Preset and choose NFS4_HOME. If the dataset has a POSIX ACL, choose HOME. Click Continue.

Next, click Add Entry to add user entries for each user that needs access to the dataset. To assign required permissions, select User in Who and locate the user name in the User dropdown list. Select the required permissions. Repeat for each user that needs access. Alternatively, if you added users to a group, set Who to Group and locate the group in the dropdown list.

As of TrueNAS 22.12 (Bluefin) and later, TrueNAS does not support SMB client operating systems that are labeled by their vendor as End of Life or End of Support. This means MS-DOS (including Windows 98) clients, among others, cannot connect to TrueNAS SMB servers.

The upstream Samba project that TrueNAS uses for SMB features notes in the 4.11 release that the SMB1 protocol is deprecated and warns portions of the protocol might be further removed in future releases. Administrators should work to phase out any clients using the SMB1 protocol from their environments.

After adding all users or groups and setting the required permissions for each, click Save Access Control List.

Setting the Share Permissions

If the private dataset is nested under a parent dataset that also has other private datasets nested under it, you must set the share ACL permission to restrict access to the files in the private share dataset (directory). Windows File Explorer shows all datasets nested under the share parent but blocks other users not granted access permission from opening and viewing the contents of that folder or directory.

Click the triple dot icon at the right of the private dataset share on the Shares screen, then click Edit Share ACL to open the Share ACL for rikka-private screen.

Figure 11: Set the Share ACL Permissions

Change Who from the default everyone@ to the private dataset share user. In the example, the user is rikka for the rikka-private share. Leave Permissions set to Full and Type set to Allowed. Click Add to show another Add entry group of settings. Change Who to the admin user to allow for share maintenance tasks, like moving the directory to a new location if that becomes necessary.

If granting other users in a group access to a private share for that group, add an entry for each user and change the level of permissions to what is needed. For example, if the group members can read the files but not change them, set Permission to READ for those users, and grant the user that maintains the documents either FULL or CHANGE permissions.

Click Save when finished.

Adding Share Users with Directory Services

You can use Active Directory or LDAP to create the share users.

If not already created, add a pool, then join Active Directory.

Go to Storage and create a pool.

Next, set up the Active Directory that you want to share resources with over your network.

When creating the share for this dataset, use the SMB preset for the dataset, but do not add the share from the Add Dataset screen.

Do not share the root directory!

Go to Shares and follow the instructions listed above using the Private Dataset Share preset, and then modify the file system permissions of the dataset to use the NFS4_HOME ACL preset.