Using TrueNAS to host files for Windows devices can be a little convoluted. Windows permissions are radically different than Linux or FreeBSD permissions. I am going to try to explain how to make secure Windows (SMB, served by Samba) shares on TrueNAS. These instructions assume your TrueNAS server is NOT joined to a Windows domain.
Windows Connections
Windows keeps SMB sessions to network storage open (authenticated with the username and password you supplied) after you have closed the File Explorer window, so the next access reuses that identity without prompting. To see which connections are being maintained, run this command:
PS C:\Users\Dave> net use
New connections will be remembered.
Status Local Remote Network
-------------------------------------------------------------------------------
OK \\192.168.1.20\IPC$ Microsoft Windows Network
The command completed successfully.
To delete a connection, use this command:
PS C:\Users\Dave> net use \\192.168.1.20\IPC$ /d
\\192.168.1.20\IPC$ was deleted successfully.
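The two commands above cover one connection at a time. The following PowerShell is an added example (not from the original post) that does the full cleanup a practitioner wants: list the live SMB sessions, drop only the ones to the TrueNAS box, remove any password Windows saved for it in Credential Manager, and reconnect as a chosen account without typing the password on the command line. The server address 192.168.1.20 and the share name "samba-share" are assumptions; adjust them.

```powershell
# Added example, not from the original post. Assumes the TrueNAS box is 192.168.1.20
# and the share is called "samba-share"; both are assumptions, adjust them.
$Server = '192.168.1.20'
$Share  = "\\$Server\samba-share"

# 1. Live SMB sessions held by this client, drive letter or not. IPC$ shows up here
#    even after every Explorer window to the server has been closed.
Get-SmbConnection |
    Where-Object ServerName -eq $Server |
    Select-Object ServerName, ShareName, UserName, Credential, Dialect, Signed, NumOpens

# 2. Drop only the connections to that server. "net use * /delete /y" would also
#    drop mappings to other servers you may want to keep, so filter the net use
#    output for \\192.168.1.20\<share> and delete each match.
$unc = "\\\\$([regex]::Escape($Server))\\\S+"
net use |
    Select-String -Pattern $unc -AllMatches |
    ForEach-Object { $_.Matches.Value } |
    Sort-Object -Unique |
    ForEach-Object { net use $_ /delete /y }

# 3. A saved password outlives the session: it sits in Credential Manager and is
#    replayed silently on the next access to the server. List it, then remove it
#    (cmdkey reports an error if nothing is stored for that target, which is fine).
cmdkey /list | Select-String -SimpleMatch $Server
cmdkey /delete:$Server

# 4. Reconnect as a specific TrueNAS account. Get-Credential prompts, so the
#    password never lands on the command line or in the PowerShell history, and
#    New-PSDrive without -Persist maps the share for this PowerShell session only.
$cred = Get-Credential -Message "TrueNAS account for $Server"
New-PSDrive -Name T -PSProvider FileSystem -Root $Share -Credential $cred | Out-Null
Get-ChildItem T:\
Remove-PSDrive -Name T
```

Step 2 is the important one: the IPC$ entry shown by net use is an authenticated session, and until it is dropped every later access to that server runs as whichever account opened it.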
World writable share
Gonna keep this simple…
Native Windows sharing permissions have two layers:
- Windows share permissions - Think of this as the front door. If you don’t have this key, you shall not pass! (snicker)
- Folder and file permissions - Permissions on specific folders and files.
Native Linux or FreeBSD (NFS) sharing permissions are just the file system's own permissions:
- Folder permissions - What you see if you run “ls -lha /tmp/folder”: separate read, write and execute bits for the owner, the group and everyone else.
- File permissions - The same as folder permissions but at the file level.
Linux SMB (Samba) sharing permissions - The SMB server lets you define a “Share ACL” much like the Windows share permissions. Underneath it, the folder and file permissions still apply, and you can also edit those from the command line in the shell.
Here is how you could make a “simple” (world writable) Windows share on TrueNAS:
- Create user accounts in TrueNAS. You could create a single account for everyone to share, but it is more secure to create an individual account per person: one leaked password then exposes one user rather than everyone, and changes can be traced to whoever made them.
- Create a dataset specifically for the files to be hosted. The only default setting you need to change is at the bottom of the page: change Share Type to SMB.
- Once you have created the dataset, edit its permissions. By default the dataset's ACL preset is “Open”, meaning any account at the OS (FreeBSD) level can add, change and delete files on this dataset. So anyone with a user account on the TrueNAS box itself gets write access, not just the people you intend to share with.
- Create a Windows Share - Browse to the dataset path, something like /mnt/tank/samba-share. Provide a name and (optionally) a description. Leave the “Purpose” as the default for now.
In Windows Explorer or the “Run” dialog box, type two backslashes followed by the FQDN or IP address of the TrueNAS server (for example \\192.168.1.20) and the SMB share should be listed.
Restricted Share
This is a share where only specific user accounts, or the members of a specific group, can access the files.
- Create user accounts.
- Create a group and add members to this group who will have access to the share.
- Create a dataset specifically for the files to be hosted on. The only default setting you will need to change is at the bottom of the page. Change Share Type to SMB.
- Edit the permissions on the dataset you just created. Select an ACL preset of “Restricted”.
- Change “Group” to the group you just created. Tick the “Apply Group” checkbox.
- “owner@” will be able to change permissions plus add/change/delete files.
- “group@” will be able to add/change/delete files.
- If there are already files in this dataset that need the new permissions, tick the “Apply permissions recursively” box.
- Click on Save.
- This sets up the permissions at the folder/file level for the OS. The share itself is still wide open (the Share ACL is left at its default, which allows everyone), so any valid account can connect to the share, but only owner@ and the group can actually read or change what is in it.
- Create a Windows Share - Browse to the dataset path, something like /mnt/tank/samba-share. Provide a name and optionally a description. Leave the “Purpose” as the default for now.
World readable, specific group writable
This is a share where only specific user accounts, or the members of a specific group, can change the files, while every other local account can view them. TrueNAS adds every local user it creates to the builtin_users group, so granting that group read access gives all local users read-only access.
Follow the steps for “Restricted Share”, then edit the dataset permissions again and add an “ACL item”:
- Change “Who” to “Group” and “Group” to “builtin_users”
- Change “Permissions” to “Read”
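After setting up any of the three shares above (world writable, restricted, or world readable and group writable), the thing to actually check is that the dataset ACL does what you think from a Windows client. The following PowerShell is an added example (not from the original post): it maps the share with explicit credentials, records whether the account can connect, list and write, and cleans up after itself. It assumes the share is \\192.168.1.20\samba-share and that two TrueNAS accounts exist, one in the share's group and one that is only in builtin_users; the function name Test-ShareAccess and the drive name TNPROBE are made up for this example.

```powershell
# Added example, not part of the original post. Assumes the share is
# \\192.168.1.20\samba-share and that two TrueNAS accounts exist: one that is a
# member of the share's group and one that is only in builtin_users. All of these,
# and the function name, are assumptions made for this example.
$Share = '\\192.168.1.20\samba-share'

function Test-ShareAccess {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][pscredential]$Credential
    )
    $server = ($Path -split '\\')[2]   # \\server\share -> server
    $drive  = 'TNPROBE'
    $r = [ordered]@{
        User       = $Credential.UserName
        CanConnect = $false
        CanList    = $false
        CanWrite   = $false
        Error      = ''
    }
    try {
        # Windows refuses a second session to the same server under a different
        # account (error 1219), so tear down anything left over, IPC$ included.
        net use $Path /delete /y *> $null
        net use ('\\{0}\IPC$' -f $server) /delete /y *> $null

        New-PSDrive -Name $drive -PSProvider FileSystem -Root $Path `
            -Credential $Credential -ErrorAction Stop | Out-Null
        $r.CanConnect = $true

        # The Share ACL decides whether you get in; the dataset ACL decides
        # whether you can even list the root directory.
        Get-ChildItem -Path "${drive}:\" -ErrorAction Stop | Out-Null
        $r.CanList = $true

        # Write probe: create and remove one uniquely named file, nothing else.
        $probe = Join-Path "${drive}:\" ("access-probe-{0}.tmp" -f [guid]::NewGuid())
        Set-Content -Path $probe -Value 'probe' -ErrorAction Stop
        Remove-Item -Path $probe -ErrorAction Stop
        $r.CanWrite = $true
    } catch {
        $r.Error = $_.Exception.Message
    } finally {
        Remove-PSDrive -Name $drive -Force -ErrorAction SilentlyContinue
        net use $Path /delete /y *> $null
    }
    [pscustomobject]$r
}

$member   = Get-Credential -Message 'account that is in the share group'
$outsider = Get-Credential -Message 'account that is only in builtin_users'

# What to expect:
#   World writable share:            both accounts  List=True  Write=True
#   Restricted share:                member         List=True  Write=True
#                                    outsider       List=False Write=False
#                                    (whether the outsider is refused at connect time
#                                    or only when listing depends on the server; either
#                                    way nothing is readable)
#   World readable, group writable:  member         List=True  Write=True
#                                    outsider       List=True  Write=False
$member, $outsider |
    ForEach-Object { Test-ShareAccess -Path $Share -Credential $_ } |
    Format-Table User, CanConnect, CanList, CanWrite, Error -AutoSize
```

If the outsider can write on a share that should be restricted, the usual cause is a stale session: the probe tears down existing connections first precisely because a cached IPC$ session for a different account would otherwise mask the result.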