Adding and Managing SMB Shares

32 minute read.

Last Modified 2026-03-09 08:51 EDT

When creating a share, do not attempt to set up the root or pool-level dataset for the share. Instead, create a new dataset under the pool-level dataset for the share. Setting up a share using the root dataset leads to storage configuration issues.

TrueNAS has implemented administrator roles to align with FIPS-compliant encryption and security hardening standards. The Sharing Admin role allows the user to create new shares and datasets, modify the dataset ACL permissions, and start/restart the sharing service, but does not permit the user to modify users or grant the sharing administrator role to new or existing users.

Full Admin users retain full access control over shares and creating/modifying user accounts.

Verify your Active Directory connections are working and error-free before adding an SMB share. When an SMB share is configured but not working or is in an error state, AD cannot bind, and TrueNAS cannot start the SMB service.

Creating an SMB share on your system requires adding the share and then getting it working.

Create the SMB share user account.
You can manually add user accounts or use directory services like Active Directory or LDAP to provide additional user accounts. If setting up an external SMB share, we recommend using Active Directory or LDAP, or at a minimum, synchronizing the user accounts between systems.
Create the SMB share and dataset.
You can use the Add SMB screen to create a basic SMB share or a more specific share type with specific feature requirements using the Advanced Options settings before saving the share.
The Add Dataset and the Add SMB share screens allow TrueNAS to create a dataset and SMB share from the same screen. Use either option to create a basic SMB share.
When creating an SMB share that requires customization or is intended for a specific purpose, such as working with Veeam Backup & Restore immutability or a repository for block or fast cloning (requires an Enterprise license), use the Add SMB screen Purpose presets to create the share and dataset for these special SMB shares. For more information on Veeam SMB shares, refer to the Solutions > Integrations Veeam and Veeam Immutability guides.
When setting up multi-protocol (SMB and NFS) shares, refer to the Multiprotocol Shares tutorial for configuration instructions.
This article describes adding a dataset while adding the share using the Add SMB screen.
Modify the share permissions.
After adding or modifying the user account for the share, edit the dataset permissions.
Start the service and mount the share to your other system.

TrueNAS must be joined to Active Directory or have at least one local SMB user before creating an SMB share. When creating an SMB user, ensure that Samba Authentication is enabled. You cannot access SMB shares using the root user, TrueNAS built-in user accounts, or those without Samba Authentication selected.

To add or edit users, go to Credentials > Users, then add or edit an existing user to create the SMB share user(s). Click Add to create a new user or as many new user accounts as needed. Joining TrueNAS to Active Directory creates the user accounts.

Enter the values in each required field, verify SMB Access is selected, then click Save. For more information on the fields and adding users, see Creating User Accounts.

By default, all new users are members of a built-in group called builtin_users. You can use a group to grant access to all users on the server or add more groups to fine-tune permissions for large numbers of users.

Why not just allow anonymous access to the share?

Anonymous or guest access to the share is possible, but allowing guest access can create a security vulnerability, so it is not recommended for Enterprise customers or systems with more than one SMB share administrator account. Using a guest account increases the likelihood of unauthorized users gaining access to your data in the SMB share. Major SMB client vendors are deprecating guest users, partly because signing and encryption are impossible for guest sessions.

What about LDAP users?

Support for LDAP Samba Schema is deprecated in TrueNAS 22.02 (Angelfish) and removed in 24.10 (Electric Eel). Migrate legacy Samba domains to Active Directory before upgrading to 24.10 or later.

You can create an SMB share while creating a dataset on the Add Dataset screen or create a dataset and the share using the Add SMB share screen. This article covers adding the dataset using the Add SMB share screen.

It is best practice to use a dataset instead of a full pool for SMB and/or NFS shares. Sharing an entire pool makes it more difficult to later restrict access if needed.

What are ZFS dataset setting defaults?

TrueNAS creates the ZFS dataset with these settings:

ACL Mode set to Restricted The ACL Type influences the ACL Mode setting. When ACL Type is set to Inherit, you cannot change the ACL Mode setting. When ACL Type is set to NFSv4, you can change the ACL Mode to Restricted.

For datasets with NFSv4 ACL type, SMB clients automatically use access-based enumeration. This means directory listings over SMB only include files and directories for which the client has read permissions. This behavior is enabled by default and matches FreeBSD behavior.

Case Sensitivity set to Insensitive

TrueNAS also applies a default access control list to the dataset. This default ACL is restrictive and only grants access to the dataset owner and group. You can modify the ACL later according to your use case.

If you want to organize the SMB share dataset under a parent dataset (for example, under smb-shares), create that parent dataset so you can select it as the parent in step 2 below. Alternatively, you can create the parent and SMB share dataset using the Create Dataset option associated with the file browser in the Add SMB screen by making the create dataset instructions a two-=step process.

To create a basic Windows SMB share and a dataset, go to Shares, then click Add on the Windows Shares (SMB) widget to open the Add Share screen.

Enter or browse to select the SMB share mount path (parent dataset where you want to add a dataset for this share). You cannot use a root dataset for a share. When the dataset selected has an existing ACL, a warning dialog shows. Click Continue. Click on the dataset under which you want to add the SMB share dataset. The blank Path field populates with the path selected in the file browser field directly below it. The Path file browser field is the directory tree on the local file system that TrueNAS exports over the SMB protocol.
Browsing to select a path
Click the arrow to the left of the folder icon to expand that folder and show any child datasets and directories. A solid folder icon shows for datasets and an outlined folder for directories. A selected dataset or directory folder and name shows in blue.
Figure 2: File Explorer Folder Icons
Click Create Dataset. Enter a name for the dataset in the Create Dataset dialog, then click Create. The system creates the new dataset and populates the Name field with the dataset name, which becomes the share name.
To make the new dataset the parent for an SMB share, select the just-added dataset, then click Create Dataset again to add the child dataset for the share.
The path forms part of the share pathname when SMB clients perform an SMB tree connect. Because of how the SMB protocol uses the name, it must be less than or equal to 80 characters. Do not use invalid characters as specified in Microsoft documentation MS-FSCC section 2.1.6.
If you change the name, follow the naming conventions for:
- Files and directories
- Share names
Select a share type on the Purpose dropdown list. The share type selected locks or unlocks the pre-determined Advanced Options settings for the share.
Select Default Share to create a basic SMB share with the Browsable to Network Clients option preselected. This determines whether this share name is included when browsing shares.
Select Private Datasets Share to create an alternative to home shares. See Setting Up SMB Home Shares for more information on replacing this legacy feature with private SMB shares and datasets.
Select Multi-protocol Share to create a multi-protocol share (NFSv4/SMB). Set this if the path is shared through NFS, FTP, or used by containers or apps. Note: This setting can reduce SMB share performance as it turns off some SMB features for safer interoperability with external processes. See Setting Up SMB Multichannel for more information on creating multi-protocol shares.
Select Time Machine Share to create a Time Machine share. The SMB share is presented to Mac OS clients as a Time Machine target. See Adding a Basic Time Machine SMB Share for more information on creating and using Time Machine shares.
Select Final Cut Pro Storage Share (available in TrueNAS 25.10.1 and later) to create a share optimized for Final Cut Pro workflows. The SMB share is configured with Apple-style character encoding and requires Apple SMB2/3 protocol extensions for compatibility with Final Cut Pro. See Setting Up Final Cut Pro SMB Shares for more information on creating shares for Final Cut Pro workflows.
Select External Share to create an external share. Enter the full domain name or IP address and the share name as 192.168.0.200\SHARE in Remote Path.
Select Time Locked Share to create a share that makes files read-only after the grace period you specify expires. This setting does not work if the path is accessed locally or if another SMB share with the Time Locked Share purpose uses the same path. Warning: This setting might not meet regulatory requirements for write-once storage.
(Optional) Enter a short description or explanation of the share purpose or use in Description. This shows on both the SMB widget and Share > SMB screen to help explain how the share is used. For example, if for an external share, enter external share in the field. The description entered shows in the SMB table on the SMB screen and the Windows (SMB) Share widget.
Select Enabled to allow sharing of this path when the SMB service is activated. Leave the checkbox cleared to disable the share without deleting the configuration.
(Optional) Click Advanced Options to show additional configuration settings. Click to configure other advanced settings such as access, audit logging, or settings specific to the type of share selected in Purpose.
Click Save to create the share and add it to the Shares > Windows (SMB) Shares list.

Start or restart the SMB service when prompted.

Configuring Advanced Options

A basic SMB share does not need to use the Advanced Options settings. Click Advanced Options to finish customizing the SMB share settings.

See SMB Shares Screens for all settings and other possible use cases.

Guest Access

Guest access adds security vulnerabilities and should be avoided.

Guest access allows users to connect to an SMB share without providing credentials. In TrueNAS SCALE 25.10 and later, this feature is only available for shares with the Legacy Share preset (shares that used No Preset in releases before 25.10).

To enable guest access on a Legacy Share:

Go to Shares and click on the share name to expand the share widget, then click Edit.
Click Advanced Options and scroll down to the Access settings.
Select the Allow Guest Access checkbox.
Click Save.

The privileges granted are the same as those for a guest account.

Windows 10 version 1709 and later–and Windows Server 2019 and later–disable guest access by default as a security measure. Windows clients require additional configuration to connect to shares with guest access enabled.
To enable guest access on Windows clients, modify Windows registry settings or Group Policy to allow insecure guest logons. See Microsoft documentation for configuration details.

For new shares:

New shares created in TrueNAS SCALE 25.10 and later cannot select the Legacy Share preset, and therefore cannot use guest access. Guest access has been limited to legacy shares due to security concerns and client-side deprecation:

Windows 10 version 1709 and Windows Server 2019 and later disable guest access by default
Major SMB client vendors are deprecating guest users
Guest sessions cannot use signing and encryption features

Client-specific behavior:

Mac OS clients - Prevent automatic connection as guest account. Users must explicitly select Connect As: Guest. See the Apple documentation for more details.
Windows clients - Require registry or Group Policy modifications to enable insecure guest authentication

Alternative approaches:

Instead of guest access, consider these secure alternatives:

Create a dedicated guest user account with limited permissions
Use share ACL to restrict the guest user to read-only access

If the share is nested under parent datasets, see Using the Traverse Permission.

Read or Write Access

To prohibit writes to the share, select Export Read-Only.

Select Access Based Share Enumeration to restrict share visibility for users with read or write access to the share. This setting applies to datasets with a POSIX ACL type. For datasets with NFSv4 ACL type, access-based enumeration is automatically enabled and does not allow disabling. See the smb.conf manual page.

Host Allow and Host Deny

Hosts Allow and Hosts Deny settings are available for all share presets except External Share.

Use the Host Allow and Host Deny options to allow or deny specific host names and IP addresses.

Use the Hosts Allow field to enter a list of allowed IP addresses. Separate entries by pressing Enter.

Entering values in the Host Allow restricts access to only the addresses entered into this list! This list can break UI access for all other IP or host name entries.

You can find a more detailed description with examples here. Use the Hosts Deny field to enter a list of denied host names or IP addresses. Separate entries by pressing Enter.

Hosts Allow and Hosts Deny work together to produce different situations:

Leaving both Hosts Allow and Hosts Deny free of entries allows any host to access the SMB share.
Adding entries to the Hosts Allow list but not the Hosts Deny list allows only the hosts on the Hosts Allow list to access the share.
Adding entries to the Hosts Deny list but not the Hosts Allow list allows all hosts not on the Hosts Deny list to access the share.
Adding entries to both a Hosts Allow and Hosts Deny list allows all hosts on the Hosts Allow list to access the share and allows hosts not on the Hosts Allow or Hosts Deny list to access the share.

Legacy Share Preset (Upgraded Shares Only)

When you upgrade to TrueNAS SCALE 25.10 from an earlier release, existing shares that used the No Preset option are automatically migrated to the Legacy Share preset. This preset provides access to configuration options that are no longer available for new shares.

Why can’t I create a new legacy share?

The Add SMB screen does not include Legacy Share as an option. This preset only appears in the Edit SMB screen for shares created before 25.10. TrueNAS removed these options from new shares due to:

Security concerns (guest access, recycle bin)
Better alternatives available (ZFS snapshots instead of recycle bin)
Client-side deprecation (guest access no longer supported by major vendors)

Legacy share options:

Legacy shares provide access to additional settings not available in modern presets.

In the Access section:

Enable ACL - Configure additional ACL entries for custom access controls
Allow Guest Access - Enable anonymous access without credentials (not recommended)

In the Other Options section:

Use as Home Share - Configure share as user home directories (see Private Dataset Share for modern alternative)
Time Machine Quota - Set maximum limit on Time Machine backup storage
Legacy AFP Compatibility - Support for migrated AFP shares
Enable Shadow Copies - Export ZFS snapshots as volume shadow copies for VSS clients (see Shadow Copies)
Export Recycle Bin - Move deleted files to a .recycle directory (not recommended - use ZFS snapshots instead)
Use Apple-style Character Encoding - Translate NTFS illegal characters to Unicode private range
Enable Alternate Data Streams - Support multiple NTFS data streams
Enable SMB2/3 Durable Handles - Allow file handles to survive disconnections
Enable FSRVP - Remote VSS protocol support for snapshot management
Path Suffix - Append per-user/computer/IP suffixes to connection path
Additional Parameters String - Add custom smb.conf parameters (advanced users only)
VUID - Time Machine volume UUID for mDNS advertisements

See Legacy Share Settings in the UI reference for complete details on each option.

Apple Filing Protocol (AFP) Compatibility

AFP shares are deprecated and not available in TrueNAS.

To customize your SMB share to work with a migrated AFP share or with your Mac OS, use the share option on the Purpose dropdown list and the Advanced Options settings provided for these use cases:

Time Machine Share enables Apple Time Machine backups on this share.

Use Apple-style Character Encoding, listed under Other Options for all share types except Time Machine Share and External Share, converts NTFS illegal characters like the Mac OS SMB clients do. By default, Samba uses a hashing algorithm for NTFS illegal characters.

Private SMB Datasets and Shares

Used to set up an alternative to the legacy home shares function, select Private Dataset Share on the Purpose dropdown list, and customize settings listed under Other Options.

This allows you to add private datasets and shares for individual users, and is an alternate way to create home shares for them. See Setting Up SMB Home Shares for more information.

SMB Audit Logging

Configure and enable SMB auditing for an SMB share at creation or when modifying an existing share.

SMB auditing is only supported for SMB2 (or newer) protocol-negotiated SMB sessions. SMB1 connections to shares with auditing enabled are rejected.

From the Add SMB Share or Edit SMB Share screen, click Advanced Options and scroll down to Audit Logging.

Selecting Enable turns auditing on for the share you are creating or editing.

At least one of Watch List or Ignore List must contain entries when enabling audit logging.
Auditing all SMB operations without restrictions creates large audit databases that grow rapidly and consume significant disk space. High-volume SMB environments can generate hundreds of thousands of audit entries per day, leading to increased disk I/O that affects overall system performance and database query delays when reviewing audit logs.
Configure filtering to audit only necessary operations.

Configuring Watch List

Use Watch List to specify which groups should have their SMB operations audited. Use Ignore List to exclude specific groups from auditing.

Click the Watch List field to display available groups on the system.
Select a group to add it to the list.
Repeat to add additional groups.

When Watch List contains entries, TrueNAS audits only SMB operations performed by members of the listed groups.

Configuring Ignore List:

Click the Ignore List field to display available groups on the system.
Select a group to exclude it from auditing.
Repeat to exclude additional groups.

TrueNAS does not record SMB operations performed by members of groups in the Ignore List.

When using both lists: If a user is a member of groups in both Watch List and Ignore List, the Watch List takes precedence and TrueNAS audits that user’s operations.

SMB authentication events are logged globally for all users connecting to the SMB server, regardless of Watch List or Ignore List settings. Watch and ignore lists control subsequent operations (connect, file creates, reads, writes, etc.) but do not filter authentication events. Users in the Ignore List still have their initial authentication logged, but their file operations on the share are not audited.

Review your settings to verify that at least one list contains entries and the correct groups are selected.

Click Save.

After saving, you may need to restart the SMB service for audit logging to begin. Go to System Settings > Services, toggle the SMB service off then on, and verify the service is running before testing audit log generation.

Managing SMB Shares

To manage an SMB share, click more_vert dropdown list to the right of each share to see the options for the share you want to manage. Options are:

Edit opens the Edit SMB screen where you can change settings for the share.
Edit Share ACL opens the Share ACL screen, where you can add or edit ACL entries.
Edit Filesystem ACL opens the Edit ACL screen, where you can edit the dataset permissions for the share. The Dataset Preset option determines the ACL type and the type of ACL Editor screen that opens (POSIX or NSFv4).
Delete opens a delete confirmation dialog. Use this to delete the share and remove it from the system. Delete does not affect shared data.

Configuring SMB Auditing

Configure and enable SMB auditing for an SMB share at creation or when modifying an existing share.

SMB auditing is only supported for SMB2 (or newer) protocol-negotiated SMB sessions. SMB1 connections to shares with auditing enabled are rejected.

From the Add SMB Share or Edit SMB Share screen, click Advanced Options and scroll down to Audit Logging.

Selecting Enable turns auditing on for the share you are creating or editing.

At least one of Watch List or Ignore List must contain entries when enabling audit logging.
Auditing all SMB operations without restrictions creates large audit databases that grow rapidly and consume significant disk space. High-volume SMB environments can generate hundreds of thousands of audit entries per day, leading to increased disk I/O that affects overall system performance and database query delays when reviewing audit logs.
Configure filtering to audit only necessary operations.

Configuring Watch List

Use Watch List to specify which groups should have their SMB operations audited. Use Ignore List to exclude specific groups from auditing.

Click the Watch List field to display available groups on the system.
Select a group to add it to the list.
Repeat to add additional groups.

When Watch List contains entries, TrueNAS audits only SMB operations performed by members of the listed groups.

Configuring Ignore List:

Click the Ignore List field to display available groups on the system.
Select a group to exclude it from auditing.
Repeat to exclude additional groups.

TrueNAS does not record SMB operations performed by members of groups in the Ignore List.

When using both lists: If a user is a member of groups in both Watch List and Ignore List, the Watch List takes precedence and TrueNAS audits that user’s operations.

SMB authentication events are logged globally for all users connecting to the SMB server, regardless of Watch List or Ignore List settings. Watch and ignore lists control subsequent operations (connect, file creates, reads, writes, etc.) but do not filter authentication events. Users in the Ignore List still have their initial authentication logged, but their file operations on the share are not audited.

Review your settings to verify that at least one list contains entries and the correct groups are selected.

Click Save.

Modifying ACL Permissions for SMB Shares

When using the file browser in the Add SMB or Edit SMB screens, if the parent dataset selected has an ACL, TrueNAS might show a warning message advising you to strip the ACL from the dataset.
Figure 5: Strip ACL Warning
When this happens, click Continue to close the dialog so you can continue adding the dataset.
Alternatively, close the Add SMB screen, go to the Datasets screen, select the same dataset, locate the Permissions widget, and then click Edit to open the Edit ACL screen.
Click Strip ACL on the Edit ACL screen. Save the change, then return to the Shares screen and open the Add SMB screen.
If you did not stop to strip the ACL, TrueNAaS shows a Configure ACL dialog to remind you to edit the ACL.
Figure 6: Configure ACL Dialog
Click Configure to open the Edit ACL screen, or No to close the dialog and do nothing.

You have two options that modify ACL permissions for SMB shares:

Edit Share ACL modifies ACL permissions that apply to the SMB share.
Edit Filesystem ACL modifies ACL permissions at the share dataset level.

See the ACL Primer for general information on Access Control Lists (ACLs) in general, the Permissions article for more details on configuring ACLs, and Edit ACL Screen for more information on the dataset ACL editor screens and setting options.

You cannot access SMB shares with the root user. Change the SMB dataset ownership to the admin user (Full Admin user).

Using the Edit Share ACL option configures the permissions for just the share, but not the dataset the share uses. The permissions apply at the SMB share level for the selected share. They do not apply to other file sharing protocol clients, other SMB shares that export the same share path (i.e., /poolname/shares specified in Path), or to the dataset the share uses.

After creating the share and dataset, modify the share permissions to grant user or group access.

Click on share Edit Share ACL to open the Edit Share ACL screen to modify permissions at the share level.

Select either User in Who, then the user name in User, and then set the permission level using Permissions and Type.

(Optional) Click Add then select Group, the group name, and then set the group permissions.

Click Save.

See Permissions for more information on setting user and group settings.

Configuring Dataset File System ACL

You cannot access SMB shares with the root user. Change the SMB dataset ownership to the admin user (Full Admin user).

To configure share owner, user and group permissions for the dataset Access Control List (ACL), use the Edit Filesystem ACL option. This modifies the ACL entry for the SMB share the path (defined in Path) at the dataset level. To customize permissions, add Access Control Entries (ACEs) for users or groups.

To access the dataset (filesystem) permissions, click on the more_vert dropdown list to the right of each share then on Edit Filesystem ACL to open the Edit ACL screen for the dataset associated with the share. You can also go to Datasets, select the dataset (same name as the share), then click Edit on the Permissions widget to open the Edit ACL screen.

Samba Authentication selected by default when SMB share users are created or added to TrueNAS manually or through a directory service, and these users are automatically added to the builtin-users group. Users in this group can add or modify files and directories in the share.

The share dataset ACL includes an ACE for the builtin-users group, and the @owner and @group are set to root by default. Change the @owner and @group values to the admin (Full admin) user and click Apply under each.

To restrict or grant additional file permissions for some or all share users, do not modify the builtin-users group entry. Best practice is to create a new group for the share users that need different permissions, reassign these users to the new group and remove them from builtin-users group. Next, edit the ACL by adding a new ACE entry for the new group, and then modify the permissions of that group.

Private dataset (home share) users can modify the builtin-users group ACE entry to grant FULL_CONTROL

If you need to restrict or increase permissions for some share users, create a new group and add an ACE entry with the modified permissions.

Changing the built-in-user Group Permissions

To change permissions for the builtin_users group, go to Datasets, select the share dataset, and scroll down to the Permissions widget.

Click Edit to open the Edit ACL screen. Locate the ACE entry for the builtin-users group and click on it.
Check the Access Control List area to see the if the permissions are correct.
Figure 8: Edit ACL Permissions
Enter or select Group in the Who field.
Begin typing builtin_users in the Group field until it displays, then click on it to populate the field.
Select Basic in the Permissions area then select the level of access you want to assign in the Permissions field. For more granular control, select Advanced then select on each permission option to include.
Click Save Access Control List to add the ACE item or save changes.

To change the permission level for some share users, add a new group, reassign the user(s) to the new group, then modify the share dataset ACL to include this new group and the desired permissions.

Go to Groups, click Add and create the new group.
Go to Users, select a user, click Edit, remove the builtin-user entry from Auxiliary Groups and add the new group. Click Save. Repeat this step for each user or change the group assignment in the directory server to the new group.
Edit the filesystem (dataset) permissions. Use one of the methods to access the Edit ACL screen for the share dataset.
Add a new ACE entry for the new group. Click Add Item.
Select Group in the Who field, type the name into the Group field, then set the permission level.
Select Basic in the Permissions area then select the level of access you want to assign in the Permissions field. For more granular control, select Advanced then select on each permission option to include.
Click Save Access Control List.

If restricting this group to read only and the share dataset is nested under parent datasets, go to each parent dataset, edit the ACL. Add an ACE entry for the new group, and select Traverse. Keep the parent dataset permission set to either Full_Control or MODIFY but select Traverse.

Using the Traverse Permission

If a share dataset is nested under other datasets (parents), you must add the ACL Traverse permission at the parent dataset level(s) to allow read-only users to move through directories within an SMB share.

After adding the group and assigning it to the user(s), next modify the dataset ACLs for each dataset in the path (parent datasets and the share dateset).

Add the new group to the share ACL. Use one of the methods to access the Edit ACL screen for the share dataset.
Add a new ACE entry for the new group. Click Add Item to create an ACE for the new group.
Select Group in the Who field, type the name into the Group field, then set the permission level.
Click Save Access Control List.
Return to the Datasets screen, locate the parent dataset for the share dataset, use one of the methods to access the Edit ACL screen for the parent dataset.
Add a new ACE entry for the new group. Click Add Item to create an ACE for the new group.
Select Group in the Who field, type the name into the Group field, then select Traverse.
Click Save Access Control List.
Repeat for each parent dataset in the path. This allows the restricted share group to navigate through the directories in the path to the share dataset.

Starting the SMB Service

To connect to an SMB share, start the SMB service.

After adding a new share, TrueNAS prompts you to start or restart the SMB service.

You can also start the service from the Windows (SMB) Share widget or on the System > Services screen from the SMB service row.

From the Sharing screen, click on the Windows (SMB) Shares more_vert to display the service options, which are Turn Off Service if the service is running or Turn On Service if the service is not running.

Each SMB share on the list also has a toggle to enable or disable the service for that share.

Starting the Service Using System Settings

To make SMB share available on the network, go to System > Services and click the SMB Start Service button to start the service. Toggle Start Automatically on if you want the service to activate when TrueNAS boots.

Configuring the SMB Service

Configure the SMB service by clicking Config Service from the more_vert dropdown menu on the Windows (SMB) Shares widget header or by clicking on the Services screen. Unless you need a specific setting or are configuring a unique network environment, we recommend using the default settings.

Enabling SMB Stateful Failover

TrueNAS Enterprise
SMB Stateful Failover requires an Enterprise license and a High Availability (HA) configuration. When enabled, this setting is incompatible with:
Enable SMB1 support
Any share using the Multi-Protocol Share or Legacy Share purpose
Any auxiliary SMB parameters

TrueNAS 26 and later supports stateful SMB HA failover for Enterprise systems. When enabled, TrueNAS maintains SMB session state across controller failover events, so SMB clients can recover existing connections without re-authentication.

TrueNAS blocks updates while this setting is active because the underlying CTDB clustering layer requires matching versions on both controllers.
To upgrade an HA system with Stateful Failover enabled:
Disable Stateful Failover and click Save.
Upgrade both controllers.
Re-enable Stateful Failover and click Save.

Enabling Stateful Failover

Go to System > Services and click the Configure icon on the SMB service row to open the SMB Service screen.
Click Advanced Settings to expand the advanced options.
Select the Stateful Failover checkbox.
Click Save.

Enabling Spotlight Search for macOS

TrueNAS supports macOS Spotlight search on SMB shares through the TrueSearch indexing service. When enabled, macOS users can use native Finder search to quickly locate files on mounted SMB shares.

Spotlight search requires an Enterprise license or TrueNAS Connect configuration. If neither is configured, the Enable Search (Spotlight) setting is disabled and a notice displays with a link to configure TrueNAS Connect.

Enabling Spotlight Search

Go to System Settings > Services and locate the SMB service row.
Click the edit Configure icon to open the SMB Service screen.
Click Advanced Settings to expand the advanced options.
Select Enable Search (Spotlight).
Click Save.

After enabling, TrueSearch indexes all enabled SMB shares. Encrypted datasets are excluded from indexing to protect sensitive data.

TrueSearch indexes all enabled SMB shares globally. You cannot enable indexing for individual shares.

Open Finder.
Click Go > Connect to Server in the menu bar.
Enter the SMB share address in the format smb://<TrueNAS-IP>/<sharename> and click Connect.
Enter the username and password for a TrueNAS user account with access to the SMB share, then click Connect.

The mounted share appears in the Finder sidebar under Locations.

Using Spotlight Search on macOS

After mounting the SMB share:

Open Finder and navigate to the mounted SMB share.
Press Cmd+F or click the search icon in the Finder window.
Click the SMB share name in the search bar to set the search scope to the mounted share. Spotlight search does not return results from SMB shares when searching This Mac.
Enter search terms. Spotlight supports searching by file name, file content, and file type.

Search results appear as files are found in the TrueSearch index.

The instructions in this section cover mounting the SMB share on a system with the following operating systems.

Mounting on a Linux System

Verify that your Linux distribution has the required CIFS packages installed.

Create a mount point with the sudo mkdir /mnt/smb_share command.

Mount the volume with the sudo mount -t cifs //computer_name/share_name /mnt/smb_share command.

If your share requires user credentials, add the switch -o username= with the username after cifs and before the share address.

Mounting on a Windows System

To permanently mount the SMB share in Windows, map a drive letter in the computer for the user to the TrueNAS IP and share name. Select a drive letter from the bottom of the alphabet rather than from the top to avoid assigning a drive dedicated to some other device. The example below uses Z. Open the command line and run the following command with the appropriate drive letter, TrueNAS system name or IP address, and the share name.

net use Z: \\TrueNAS_name\share_name /PERSISTENT:YES

Where:

Z is the drive letter to map to TrueNAS and the share
TrueNAS_name is either the host name or the system IP address
share_name is the name given to the SMB share

To temporarily connect to a share, open a Windows File Explorer window, type \\TrueNAS_name\share_name and then enter the user credentials to authenticate with to connect to the share. Windows remembers the user credentials, so each time you connect, it uses the same authentication credentials unless you restart the system. After restarting, you are prompted to enter the authentication credentials again.

Mounting on an Apple System

Before you begin this process, have the username and password for the user assigned to the pool or the credentials for the guest if the share has guest access ready.

Open Finder > Go > Connect To Server Enter the SMB address as follows: smb://192.168.1.111.

Input the username and password for the user assigned to that pool or a guest user if the share has guest access.

For further tuning in Mac OS, Apple provides some enterprise-specific pointers in their Adjust SMB browsing behavior in macOS article.

Mounting on a FreeBSD System

Mounting on a FreeBSD system involves creating the mount point and mounting the volume.

Create a mount point using the sudo mkdir /mnt/smb_share command.

Mount the volume using the sudo mount_smbfs -I computer_name\share_name /mnt/smb_share command.

External SMB shares are essentially redirects to shares on other systems. Administrators might want to use this when managing multiple TrueNAS systems with SMB shares, and if they do not want to keep track of which shares are on which boxes for clients. This feature allows admins to see and connect to any TrueNAS system with external shares active.

Create the SMB share on another TrueNAS remote server (for example, system1), as described in Adding an SMB Share above.

We recommend using Active Directory or LDAP when creating user accounts, but at a minimum, synchronize user accounts between the system with the share (system1) and on the TrueNAS system where you set up the external share (for example, system2).

On system2 (the local system), select External Share, enter the full domain name or IP address, and the share name. Separate the server and share name with the \ character. Example: 192.168.0.200\SHARE in Remote Path.

Click Save to add the share.

Repeat the system2 instructions above on system1 to see the SMB shares on each system.

Figure 10: Set Up Another External SMB Share

Repeat for each TrueNAS system with SMB shares to add as an external share.

When setting up an external share between TrueNAS systems that are on different releases, for example, one system is on 25.04 and the other is on the latest release of 25.10, follow the external share instructions for each release.

Set the TrueNAS 25.04 system SMB Purpose to the default preset, leave the default settings associated with this share as is, and then enter the redirect path to share on the 25.10 system as EXTERNAL:ipaddress\sharename in the Path field. For example, EXTERNAL:10.220.3.33\testshare2. Be aware, changing the path also changes the SMB share name. Verify the share name is set to the desired or existing share name and not renamed to the redirect string in Path.

Set the TrueNAS 25.10 system SMB Purpose to External Share, and then enter the path to the share on the 25.04 system as ipaddress*sharename* in the Remote Path field. For example, 10.220.1.34*testshare*.

Add descriptions to each share that identify the purpose of the share. The description shows on the Windows (SMB) Shares widget and the SMB screen.

Save changes made to the share.

Industry

Use Cases

Support

Resources

Community