TrueNAS Stable Version Documentation
This content follows TrueNAS 25.10 (Goldeye) releases.

SMB

To open the Services > SMB screen, go to the Shares screen, find the Windows (SMB) Shares section, click the more options (⋮) icon, and then click Config Service. Alternatively, go to System > Services and click the edit icon for the SMB service.

Configuring SMB Service

The SMB Services screen displays setting options to configure TrueNAS SMB settings to fit your use case. In most cases, you can set the required fields and accept the rest of the setting defaults. If you have specific needs for your use case, click Advanced Options to display more settings.


In NetBIOS Name, enter the name of the TrueNAS host system if it differs from the default displayed. This name is limited to 15 characters and cannot be the Workgroup name.

Enter any alias name or names that do not exceed 15 characters in the NetBIOS Alias field. Separate alias names with a space.

Enter a name that matches the Windows workgroup name in Workgroup. If Workgroup is unconfigured and Active Directory or LDAP is active, TrueNAS detects and sets the correct workgroup from these services.

If using SMB1 clients, select Enable SMB1 support to allow legacy SMB1 clients to connect to the server. Note: SMB1 is deprecated. We advise upgrading clients to operating system versions that support modern SMB protocols.

If you plan to use the insecure and vulnerable NTLMv1 authentication protocol, select NTLMv1 Auth to allow smbd to attempt to authenticate users with it. This setting enables backward compatibility with older versions of Windows, but we do not recommend it. Do not use it on untrusted networks.

Enter any notes about the service configuration in Description.

For more advanced settings, see SMB Services Screen.

Click Save.

Start the SMB service.

Configuring Transport Encryption

TrueNAS and Samba default behavior for SMB transport encryption allows SMB clients to negotiate different encryption levels for shares. This default setting enables negotiating encryption but does not turn on data encryption globally per share. SMB1 and SMB2 provide different settings to change the level of global or per-share SMB encryption applied to connections. See Samba Server SMB Encrypt(s) for more information.

You can change the SMB service to apply different SMB transport encryption levels to suit your use case. Go to the SMB service, found on the System > Services screen, and click Edit for the SMB service to open the SMB Service screen, then click on Advanced Settings.

Click in the Transport Encryption Behavior field to select the option and behavior you want applied:

  • Default - follow upstream/TrueNAS default
  • Negotiate - only encrypt transport if explicitly requested by the SMB client
  • Desired - encrypt transport if supported by client during session negotiation
  • Required - always encrypt transport (rejecting access if client does not support encryption - incompatible with SMB1 server enable_smb1)

Select the Default option to use the current TrueNAS behavior. With Default set, no technical limitation prevents an SMB client from negotiating an encrypted session if the client requires one.

If you are concerned about Windows SMB clients always using signing in your environment, make a GPO change on the client side to always sign SMB2+ traffic. The relevant Windows setting is Digitally sign communications (always), which defaults to off.

For more information on Windows SMB-client side transport encryption see Windows SMB Signing Policies.

Auditing SMB Events

To monitor SMB service event logs, such as when a client attempts to authenticate to the share, use the TrueNAS auditing screen. Go to System > Audit to review event logs including SMB connect, disconnect, create, read or write events, and others.

Enter SMB in the search bar to view only SMB service logs or use the advanced search to further limit results.

Configuring SMB Share Auditing

Configure and enable SMB auditing for an SMB share at creation or when modifying an existing share.

SMB auditing is only supported for SMB2 (or newer) protocol-negotiated SMB sessions. SMB1 connections to shares with auditing enabled are rejected.

From the Add SMB Share or Edit SMB Share screen, click Advanced Options and scroll down to Audit Logging.

Selecting Enable turns auditing on for the share you are creating or editing.

At least one of Watch List or Ignore List must contain entries when enabling audit logging.

Auditing all SMB operations without restrictions creates large audit databases that grow rapidly and consume significant disk space. High-volume SMB environments can generate hundreds of thousands of audit entries per day, leading to increased disk I/O that affects overall system performance and database query delays when reviewing audit logs.

Configure filtering to audit only necessary operations.

TrueNAS 25.10.1 and later automatically disables SMB shares when auditing is enabled and the watch list or ignore list contains invalid groups, such as groups that:

  • No longer exist (for example, deleted or renamed groups in Active Directory).
  • Are not SMB groups (an SMB group is one with SMB Group selected in the group configuration).

TrueNAS generates an alert identifying the affected share and the problematic group. The share remains disabled until you resolve the group issue or update the share configuration to remove the invalid group. See Troubleshooting Group Validation Issues for detailed steps.

Configuring Watch and Ignore Lists

Use Watch List to specify which groups should have their SMB operations audited. To configure the watch list:

  1. Click the Watch List field to display available groups on the system.
  2. Select a group to add it to the list.
  3. Repeat to add additional groups.

When Watch List contains entries, TrueNAS audits only SMB operations performed by members of the listed groups.

Use Ignore List to exclude specific groups from auditing. To configure the ignore list:

  1. Click the Ignore List field to display available groups on the system.
  2. Select a group to exclude it from auditing.
  3. Repeat to exclude additional groups.

TrueNAS does not record SMB operations performed by members of groups in the Ignore List.

When using both lists: If a user is a member of groups in both Watch List and Ignore List, the Watch List takes precedence and TrueNAS audits that user’s operations.

SMB authentication events are logged globally for all users connecting to the SMB server, regardless of Watch List or Ignore List settings. Watch and ignore lists control subsequent operations (connect, file creates, reads, writes, etc.) but do not filter authentication events. Users in the Ignore List still have their initial authentication logged, but their file operations on the share are not audited.

Review your settings to verify that at least one list contains entries and the correct groups are selected.

Click Save.

After saving, restart the SMB service for audit logging to begin. Go to System Settings > Services, toggle the SMB service off then on, and verify the service is running before testing audit log generation.
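
The group validation and list precedence rules described above, modelled as an added Python example that is not TrueNAS code and does not call any TrueNAS API. The ShareAudit class, the function names, the event labels, and the sample groups are assumptions made for illustration.

```python
from dataclasses import dataclass, field

AUTH_EVENT = "AUTHENTICATION"  # constructed label for authentication events

@dataclass
class ShareAudit:  # hypothetical model of a share's Audit Logging settings
    name: str
    enable: bool
    watch_list: list = field(default_factory=list)
    ignore_list: list = field(default_factory=list)

def validate(share, groups):
    """List problems with the audit settings of one share.

    groups maps each existing group name to True when SMB Group is selected.
    """
    if not share.enable:
        return []
    problems = []
    if not share.watch_list and not share.ignore_list:
        problems.append("Watch List and Ignore List are both empty")
    for name in share.watch_list + share.ignore_list:
        if name not in groups:
            problems.append(f"group '{name}' does not exist")
        elif not groups[name]:
            problems.append(f"group '{name}' is not an SMB group")
    return problems

def is_audited(share, event, user_groups):
    """Return True when the event lands in the audit log."""
    if event == AUTH_EVENT:
        return True  # logged globally, the lists do not filter it
    if not share.enable:
        return False
    member_of = set(user_groups)
    if share.watch_list:
        # Only watched groups are audited; this also makes Watch List win
        # for a user who is in both lists.
        return bool(member_of & set(share.watch_list))
    return not (member_of & set(share.ignore_list))

# Constructed sample data: group names and share are made up.
SAMPLE_GROUPS = {"finance": True, "backup_ops": True, "wheel": False}
SAMPLE_SHARE = ShareAudit("ledger", True, ["finance"], ["backup_ops", "old_team"])

if __name__ == "__main__":
    print(validate(SAMPLE_SHARE, SAMPLE_GROUPS))
    for who in (["finance", "backup_ops"], ["backup_ops"], ["staff"]):
        print(who, is_audited(SAMPLE_SHARE, "WRITE", who))
```

Running the model against an export of your own shares and groups before saving shows which shares would be flagged for invalid groups and which users' file operations would go unrecorded.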

Troubleshooting Group Validation Issues

If you receive an alert indicating an SMB share has been disabled due to invalid groups in the audit configuration, follow these steps:

  1. Identify the problem:

    • Review the alert message to identify which share is affected and which group is invalid.
  2. Check group status:

    • Navigate to Credentials > Local Groups to verify the group exists and is configured as an SMB group.
    • For Active Directory groups, verify the group exists in AD and the directory service connection is functioning.
    • Confirm the group type is set to SMB (not changed from SMB to another type).
  3. Resolve the issue:

    • If the group was deleted or renamed: Navigate to Shares > Windows (SMB) Shares, edit the affected share, and update the Watch List or Ignore List to remove the invalid group or replace it with the correct group name.
    • If the group exists but is not an SMB group: Edit the group in Credentials > Local Groups and select the SMB Group option, or update the share audit configuration to use a different group.
    • If using Active Directory: Verify the Active Directory connection is active in Credentials > Directory Services. If the connection was temporarily offline, restarting the SMB service might re-enable the share once the connection is restored.
  4. Restart the SMB service:

    • After correcting the group configuration or share settings, go to System > Services and restart the SMB service to re-enable the share.
    • Verify the share is functioning by checking the alert has cleared and testing access from an SMB client.