SMB Shares Screens

Windows (SMB) Shares Widget

If you have not added SMB shares to the system, the SMB widget shows text stating general information about the Windows (SMB) Shares until a share is added.

Figure 1: Windows (SMB) Share Widget without Shares

Add at the top right of the widget opens the Add SMB screen where you configure SMB shares.

After adding an SMB share, it is listed in the table on the widget.

Figure 2: Windows (SMB) Share Widget with Shares

The Windows (SMB) Shares launch header shows the status of the SMB service as either STOPPED (red) or RUNNING (green). Before adding the first share, the STOPPED status displays in the default color. The header is a link that opens the Sharing > SMB screen.

The more_vert dropdown list shows four options available to SMB shares and the SMB service in general:

  • Turn Off/On Service toggles to Turn Off Service when the SMB service is enabled, and to Turn On Service when the SMB service is disabled.
  • Config Service opens the SMB configuration screen.
  • SMB Sessions opens the SMB Status screen showing Sessions.
  • Audit Logs opens the Audit screen with a predefined filter applied to show the SMB logs.

The widget shows a table listing SMB shares created in TrueNAS. Each SMB share row on the Windows (SMB) Shares widget shows the path to the shared dataset, a description if one is entered when the share is added, an Enabled toggle that allows you to enable or disable the share, and whether audit logging is turned on or off.

The more_vert dropdown list for each share shows four options:

Delete SMB Share Dialog

The delete icon opens the Delete dialog.

Figure 3: Delete SMB Shares

Select Confirm to activate the Delete button.

SMB Screen

The Shares > SMB screen shows an expanded presentation of the table on the Windows (SMB) Shares widget.

Figure 4: Shares SMB Screen

Shares in the breadcrumb at the top of the screen returns you to the main Shares dashboard.

SMB Sessions opens the SMB Status screen.

Columns shows a set of options to customize the list view. Options include Unselect All, Path, Description, Enabled and Reset to Defaults.

Add opens the Add SMB configuration screen.

SMB Table

The SMB table lists all SMB shares added to the system. The table header shows the status of the SMB service as stopped or running. The table columns show the share name, the path to the dataset for the share, and a description, if added during share creation. The Enabled toggle allows you to enable/disable the share. When enabled, the share path is available when the SMB service is active. If disabled, the share is disabled but not deleted from the system. Audit Logging indicates whether auditing for the share is enabled or disabled.

The more_vert dropdown list at the right of each table row shows four options for a share:

Add and Edit SMB Screens

The two SMB share configuration screens, Add SMB and Edit SMB, have the same SMB share setting options.

The Create Dataset option becomes active after selecting a parent dataset in the Path file browse field. It opens the Create Dataset dialog.

Save creates the share (or saves an existing one) and adds it to the Windows (SMB) Shares widget and the SMB table on the SMB screen.

Basic Settings

The Basic Options settings show by default on the Add and Edit SMB screens. Basic settings show for all share options in the Purpose dropdown list; only the External Share option shows the Remote Path setting.

Figure 5: Add SMB Basic Options

Browsing to select a path

Click the arrow to the left of the folder icon to expand that folder and show any child datasets and directories. A solid folder icon shows for datasets and an outlined folder for directories. A selected dataset or directory folder and name shows in blue.

Setting | Description
Path | Specifies the mount path for the share. It includes a blank field and a file browser field directly below it. The blank field allows text entry of a share mount path or allows TrueNAS to populate it with the path to the dataset selected in the file browser field. The file browser allows selecting the mount path to the share dataset on the local file system that TrueNAS exports over the SMB protocol. The arrow_right icon expands the dataset directory tree.
Create Dataset | Creates a dataset for a share while configuring the share. Inactive until the parent dataset is selected. It opens the Create Dataset dialog, where you enter a name for a new dataset. The dataset name becomes the SMB share name. Create adds the dataset and populates the Name field on the Add SMB screen.
Name | Sets the name for the share. This text entry field accepts manual entry or copy/paste of a name for the share. A name must not exceed 80 characters because of how the SMB protocol uses the name, and cannot have invalid characters as specified in Microsoft documentation MS-FSCC section 2.1.6. Name is automatically populated with the name of the dataset when you use Create Dataset. If not supplied, the share name becomes the last component of the path. This forms part of the full share path name when SMB clients perform an SMB tree connect. If changing the name, follow the naming conventions for files and directories or share names.
Purpose | Sets the share type to one selected on the dropdown list. Options are:
  • Default Share -
  • Time Machine Share -
  • Multi-Protocol Share - The SMB share is configured for multi-protocol (SMB and NFS) access. Set this if the path is shared through NFS, FTP, or used by containers or apps. Note: This setting can reduce SMB share performance because it turns off some SMB features for safer interoperability with external processes.
  • Time Locked Share - The SMB share makes files read-only through the SMB protocol after the set grace period ends.
    WARNINGS: This setting does not work if the path is accessed locally or if another SMB share without the Time Locked Share purpose uses the same path.
    This setting might not meet regulatory requirements for write-once storage.
  • Private Datasets Share - This server uses the specified dataset_naming_schema in options to make a new ZFS dataset when the client connects. The server uses this dataset as the share path during the SMB session.
  • External Share - The SMB share is a DFS proxy to a share hosted on an external SMB server.
  The selected option applies predetermined settings and changes the settings shown in Other Options when showing advanced options.
Remote Path | Sets the path to a remote server and share. Each server entry must include a full domain name or IP address and the share name. Separate the server and share name with the \ character. Example: 192.168.0.200\SHARE. This text entry field accepts copy/paste of a path to the external server and share. Shows when Purpose is set to External Share.
Description | A text-entry field for a brief description or notes about how this share is used. The description entered shows in the Description column on the Windows (SMB) Shares widget on the Shares dashboard and the SMB table on the SMB screen.
Enabled | A toggle that shows the status of the share and allows enabling or disabling the share. This does not enable or disable the SMB service. Enabled is the default setting.
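
The Name and Remote Path rules above, as an added example (not TrueNAS code): a Python pre-check for share names and External Share entries before they are entered in the form. The illegal-character set is an assumption transcribed from MS-FSCC 2.1.6, the two-label host rule is an assumed reading of "full domain name", and all function names are hypothetical.

```python
import ipaddress
import re

# Assumption: characters MS-FSCC 2.1.6 lists as illegal in a share name,
# transcribed by hand; control characters 0x00-0x1F are rejected as well.
ILLEGAL_SHARE_CHARS = set('"\\/[]:|<>+=;,*?')
MAX_SHARE_NAME = 80  # limit stated on this page

# RFC 1123-style host label, used for the "full domain name" form.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def share_name_errors(name):
    """Return the reasons a share name is rejected (empty list = valid)."""
    errors = []
    if not name:
        errors.append("name is empty")
    if len(name) > MAX_SHARE_NAME:
        errors.append(f"name is {len(name)} characters, limit is {MAX_SHARE_NAME}")
    bad = sorted({c for c in name if c in ILLEGAL_SHARE_CHARS or ord(c) < 0x20})
    if bad:
        errors.append("illegal characters: " + " ".join(repr(c) for c in bad))
    return errors


def _is_host(server):
    """True for an IP address or a dotted name with at least two labels."""
    try:
        ipaddress.ip_address(server)
        return True
    except ValueError:
        pass
    labels = server.split(".")
    return len(labels) >= 2 and all(_LABEL.fullmatch(l) for l in labels)


def remote_path_errors(path):
    """Validate one External Share entry of the form SERVER\\SHARE."""
    server, sep, share = path.partition("\\")
    if not sep:
        return ["missing '\\' between server and share name"]
    errors = []
    if not _is_host(server):
        errors.append(f"server {server!r} is not an IP address or full domain name")
    # A UNC-style entry (leading \\) fails here: the share part keeps a backslash.
    errors += [f"share: {e}" for e in share_name_errors(share)]
    return errors
```
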

Advanced Options Settings

Advanced Options settings are grouped into three categories:

  • Access
  • Audit Logging
  • Other Options

Access and Audit Logging settings show for all share options in the Purpose dropdown list. The Other Options settings change based on the share option selected in the Purpose dropdown list.

Access Settings

Access settings customize access to the share and files, and specify allowed or denied access for host names or IP addresses. All share options listed in the Purpose dropdown show these settings.

Figure 7: SMB Advanced Options Access

For datasets with NFSv4 ACL type, SMB clients automatically use access-based enumeration. This means directory listings over SMB only include files and directories that the client has read permissions for. This behavior is enabled by default and matches FreeBSD behavior.

Setting | Description
Export Read-Only | Prohibits writes to the share when enabled.
Browsable to Network Clients | When enabled, includes this share name when clients browse shares. This is enabled by default. Private dataset shares (the replacement for home shares) are only visible to the owner, regardless of this setting.
Access Based Share Enumeration | Restricts share visibility to users with read or write access to the share. This setting applies to datasets with a POSIX ACL type. For datasets with NFSv4 ACL type, access-based enumeration is automatically enabled and cannot be disabled. See the smb.conf manual page.

Audit Logging

The Audit Logging settings enable the auditing function for the SMB share and allow configuring watch list and ignore list groups that administrators want to monitor. All share options listed in the Purpose dropdown show these settings.

Figure 8: SMB Audit Logging

Setting | Description
Enable Logging | Enables audit logging for the SMB share, and shows two additional options: Watch List and Ignore List. This controls whether audit messages are generated for the share. Note: Auditing might not be enabled if SMB1 support is enabled for the server.
Watch List | Sets up a list of groups for which you want to generate audit logging messages. Clicking in the field shows the dropdown list of group options. Leave blank to include all SMB users with access to the share. If also setting a limit list, the watch list takes precedence when a conflict occurs.
Ignore List | When selected, this sets up a list of groups to ignore when auditing. If a conflict arises where the same groups are in the Watch List and Ignore List (based on user group membership), the Watch List takes precedence, and the operations are audited.
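
The Watch List and Ignore List precedence described above, as an added example (not TrueNAS code): a Python check that lists which accounts a share's audit settings leave unlogged. The class, field and function names are hypothetical, the accounts are constructed, and treating a non-empty Watch List as limiting auditing to its members is an assumed reading of the table.

```python
from dataclasses import dataclass, field


@dataclass
class ShareAudit:
    """Audit Logging settings of one share (field names are hypothetical)."""
    enable: bool = False
    watch_list: set = field(default_factory=set)
    ignore_list: set = field(default_factory=set)


def is_audited(cfg, user_groups):
    """Return (audited, reason) for a user with the given group memberships."""
    groups = set(user_groups)
    if not cfg.enable:
        return False, "logging disabled"
    if groups & cfg.watch_list:
        # Watch List wins even if the user is also in an ignored group.
        return True, "member of a watched group"
    if cfg.watch_list:
        # Assumption: a non-empty Watch List limits auditing to its members.
        return False, "not in any watched group"
    if groups & cfg.ignore_list:
        return False, "member of an ignored group"
    return True, "watch list blank, all users audited"


def coverage_gaps(cfg, users):
    """Return {username: reason} for accounts whose operations go unlogged."""
    gaps = {}
    for name, groups in users.items():
        audited, reason = is_audited(cfg, groups)
        if not audited:
            gaps[name] = reason
    return gaps


# Constructed sample: group memberships of accounts with access to the share.
USERS = {
    "alice": {"finance"},
    "bob": {"finance", "backup-operators"},
    "svc_backup": {"backup-operators"},
    "carol": {"contractors"},
}

if __name__ == "__main__":
    cfg = ShareAudit(enable=True, watch_list={"finance"},
                     ignore_list={"backup-operators"})
    for user, why in coverage_gaps(cfg, USERS).items():
        print(f"{user}: not audited ({why})")
```
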

Other Options Settings

The Other Options settings vary based on the option selected on the Purpose dropdown list.

When Purpose is set to Default Share, Multi-Protocol Share or External Share, the settings below show in Other Options.

Setting | Description
Use Apple-style Character Encoding | Implements the default hashing algorithm for NTFS illegal characters that Samba uses. Enabling this option translates NTFS illegal characters to the Unicode private range. Shows for all share types except when Purpose is set to Time Machine Share or External Share.

When Purpose is set to Time Machine Share, the following settings show in Other Options.

Setting | Description
Time Machine Quota | Sets the quota for Time Machine shares in bytes.
VUID | Sets the user session identifier to a valid universally unique identifier that conforms to the UUID version 4 format (UUID4). A UUID4 string is defined by RFC 4122. UUID4 strings are randomly generated 128-bit values, typically represented as a 36-character hexadecimal string in the format 8-4-4-4-12 (e.g., 123e4567-e89b-12d3-a456-426614174000). Samba uses the UUID to identify the share uniquely for Mac OS Time Machine backups, ensuring the share is recognized as a valid backup destination. You can generate a UUID4 string using a variety of commands or through websites like https://www.uuidgenerator.net/.
Auto Snapshot | When selected, enables automatic snapshot creation for Time Machine shares.
Auto Dataset Creation | When selected, TrueNAS creates a dataset automatically if one does not exist.

When Purpose is set to Time Locked Share, these settings show in Other Options.

Setting | Description
Use Apple-style Character Encoding | Implements the default hashing algorithm for NTFS illegal characters that Samba uses. Enabling this option translates NTFS illegal characters to the Unicode private range.
Grace Period | Sets the delay before access times out or the share locks. Only shows when Purpose is set to the Time Locked Share option.

When Purpose is set to Private Dataset Share, the following settings show in Other Options.

Setting | Description
Use Apple-style Character Encoding | Implements the default hashing algorithm for NTFS illegal characters that Samba uses. Enabling this option translates NTFS illegal characters to the Unicode private range. When Purpose is set to the Time Machine Share or External Share options, this setting does not show.
Dataset Naming Schema | Sets TrueNAS to require the naming schema used when Auto Dataset Creation is enabled. If a schema is not set, the server uses the username if it is not joined to Active Directory. If the server is joined to Active Directory, it uses domain/username. Only shows when Purpose is set to the Private Dataset Share option.
Auto Quota | Sets the specified ZFS quota in gibibytes (GiB) on new datasets. If the value is zero, TrueNAS disables automatic quotas for the share. Only shows when Purpose is set to the Private Dataset Share option.

Create Dataset

The Create Dataset dialog adds a new dataset under the parent dataset selected in the file browser Path field on the Add SMB or Edit SMB share screens.

Figure 13: Create Dataset Dialog

Edit Share ACL Screen

The Share ACL for sharename screen edits permissions at the share level for the selected share. Settings configure new ACL entries for the selected SMB share and apply them at the entire SMB share level, but do not apply to the dataset. The share ACL is separate from file system permissions. To configure dataset permissions, use the Edit Filesystem ACL option.

The Share ACL for sharename screen opens after clicking on the Edit Share ACL icon on the Windows (SMB) Shares widget or the more_vert on the Sharing SMB details screen.

Figure 14: SMB Share ACL Screen

ACL Entries shows a block of settings that specify who the entry applies to and the permissions they are granted.

Add shows a block of these settings to enter who, the permissions level, and type.

Save stores the share ACL and immediately applies it to the share.

Setting | Description
SID | Shows the security identifier (SID) trustee value or to whom this ACL entry (ACE) applies. SID is a unique value of variable length that identifies the trustee. Shown as a Windows Security Identifier. Save and re-open Edit Share ACL to update.
Who | Sets permissions to apply to the ACL entry for the domain for the selected account (who). Options are:
  • User - Select to show the User field. Enter or select a user (who) from the dropdown list to apply the permissions for this ACL entry, shown as a username.
  • Group - Select to show the Group field. Enter or select a group (who) from the dropdown to apply the permissions for this ACL entry, which is shown as a group name.
  • everyone - Select to apply the ACL entry permissions to everyone.
Permission | Sets the level of access to a selected predefined permission combination from the dropdown list. Options are:
  • FULL - Grants read access, execute permission, write access, delete objects, change permissions, and take ownership (RXWDPO) permissions.
  • CHANGE - Grants read access, execute permission, write access, and delete object (RXWD) permissions.
  • READ - Grants read access and execute permission on the object (RX). For more details, see smbacls(1).
Type | Sets how TrueNAS applies permissions to the share to the selected option on the dropdown list. Options are:
  • ALLOWED - Denies all permissions by default, except manually defined permissions.
  • DENIED - Allows all permissions by default, except manually defined permissions.

Edit Filesystem ACL Screen

The Edit Filesystem ACL option sets permissions at the dataset level. It opens the Edit ACL screen for the dataset the share uses. See Edit ACL Screen for more information on the settings found on this screen.

Figure 15: SMB ACL Editor

Use the ACL editor screen to set file system permissions for the shared dataset. See Permissions for more information on configuring permissions.

SMB Status Screens

The SMB Status screen shows a table of SMB session IDs from the audit logs for SMB share sessions. It opens after clicking SMB on the icon on the System > Services screen, or after clicking SMB Sessions on the more_vert dropdown list on the Windows (SMB) Shares widget.

Figure 16: SMB Status Sessions Tab

The SMB Status screen shows information related to SMB sessions, for example:

  • Session ID - The current SMB sessions (default view).
  • Hostname - The host name associated with the session ID.
  • Remote machine - The remote machine information.
  • Username - The username associated with the session.
  • UID - The user ID associated with the session.
  • GID - The group ID for the user associated with the session.
  • Session Dialect - The version of the SMB protocol.
  • Encryption - The share encryption.
  • Signing - The security mechanism used, such as an authentication algorithm like AES-128-GCM.

Refresh updates the information shown on the screen.

Columns shows a dropdown list of options to customize the information included in the table on the screen.

Sharing or SMB on the top breadcrumb returns to the selected screen name.