TrueNAS Scale: A Step-by-Step Guide to Dataset, Shares, and App Permissions
- Published on 7 Jun 2024
- lawrence.video/truenas
⏱️ Time Stamps ⏱️
00:00 TrueNAS Scale User and App Permissions
01:35 Creating Users
02:28 Creating Datasets & Permission ACL Types
04:12 Creating SMB Share
05:05 Nested Dataset Permissions
05:42 Setting Dataset Permissions
10:49 App Permissions With Shares
14:32 Troubleshooting tips for permissions and shares
#TrueNAS #NAS #Storage - Science & Technology
FINALLY!!! The Gods have answered. Been waiting for your update video regarding this. Thank you.
Yes, I love watching videos about using the features of truenas.
They really help to expand knowledge about the many features of truenas
This guide fixed a nagging issue I had where new folders created by an app were non-writable over SMB for my user. Thanks, Lawrence! 😀
As many others have said, this video enabled me to get my Truenas Scale functioning as I wanted it to. Absolutely perfect directions. Thank you so much.
Great video Tom! One quick way I've found on Windows to stop it holding onto the last user is to simply restart the "Workstation" (LanmanWorkstation) service. This will then prompt again for credentials when connecting to a share (Providing the remember me option wasn't ticked). Has saved a lot of time in the past when troubleshooting permissions with different users.
Most helpful video I've watched in regards to Truenas Scale SMB creations and management.
Great content, as always. Definitely more TrueNas content would be great 😊
Without your help I would still stumble around getting a "simple" SMB share up and running. Thank you so much - you really made my day!
Thank you so much for this! This is the best tutorial I've seen so far that explains how ACLs work on TrueNAS!
This definitely helped explain how to share certain folders(movies). Thanks for this. Another Favorite.
Thank you very much, really very useful video, everything is explained step by step and understandable. I can't wait for the promised video with an active directory that would be suitable for our school deployment :)
This could not have come out at a better time. I just moved my NAS to truenas scale and I'm struggling. Thank you for the help!
Just another awesome video! Thank you Tom for explaining so well
Thanks! This video is a big help in configuring my Truenas Scale Server!
Thank you so much. I was struggling for two months. 3:51 was the issue.
I've been struggling all day with the permissions, thank you for this video!
Wow THANK YOU so much for this guide!! I've spent the past month or so trying to learn TrueNAS/Linux on my own and getting pretty frustrated in the process.
It was really gratifying to hear you explain the common mistakes/misconceptions (most of which I have made). I was starting to think I was just being lazy not doing the research in forums, so it's nice to hear from someone else that it's not as intuitive in some parts. Thanks again for saving me all that time! Looking forward to the next one!
Glad it helped!
THANK YOU. I would love more on all of this. Always struggling with shares and permissions.
Current question is NFS. This video focused on SMB. Shares from Truenas to Proxmox for like Plex or something.
Thanks for all you have done!
This is really helpful, so much of the user permission stuff is complicated for us new users. I didn't even think about the apps user and group 👍
I am a new user of truenas scale. Thank you for these really clear and useful tips. I needed Jellyfin to be able to access my smb shares that contain my media.
Wonderful video! Thanks so much.
I rarely comment, but this video was fantastic and had just about everything I wanted to know. Thank you.
Glad it was helpful!
Great video on TrueNAS scale permission :) Definitely a great help. Been using scale for some time as it's great. Wish there is an option for scale clustering of multiple node to create HA but that is only in their advance pay feature.
That is still a beta feature and done via their TrueCommand software.
I hope this will finally help me understand user permissions on shares in Core. Even though I watched your videos I'm still struggling with the concepts.
An alternative to re-starting the windows to disconnect server connections is open a cmd box and use 'net use \\(The name of the server) /delete'. The command 'net use' will show which servers are connected. I had a problem with disconnecting to an individual server once so used 'net use \\ * /delete' this disconnects all the servers.
2:53 The Share Types can't be switched later, as I had to experience painfully. But your explanation of the different Share Types helped me to get into a problem I had with some datasets and prevented me from making some bad decisions while still working on my first TrueNAS setup.
I love when the people who write documentation for services have no clue how to write documentation and we have to rely on YouTube videos to understand how to use a piece of software. And then that software gets updated and doesn't update their documentation and the YouTube videos are immediately outdated. It's such a great system. We really need to keep this going.
Products change and then I make new videos :)
brilliant done with explanation
is it possible to create a hidden share and allow users to see only folders that they have permissions?
This Video helps me A LOT LOT LOT :) Thxxx
Thank you Tom!
Dude, kudos on the studio
Thanks
Great work!!! Can I use Unicode char in dataset name? (Greek)
Do you cover in another video how to add the smb share to ubuntu mount?
Perfect day for your tutorial. I just finished installed the new version of the app today morning and had the same error as yours for .htaccess file not working. Please post if you figure how to fix this. subscribed. And now collabora is not reachable from nextcloud.
Around 2:50 Tom mentions the ability to change the share type after the fact. Anyone know how to do that? I forgot to select the share type and now my acl manager looks completely different than the other data set on my system where I remembered to set the share type. I looked everywhere and wasn't able to figure out how to do it in the GUI. Thanks for any help.
Do we have a way to get permission to read NTFS drives from a USB device on the latest version of Scale? apt, and apt-get are unauthorized, even with root access. Can't seem to install ntfs-3g as others have posted on forums.
Seems like some changes have been made, since you recorded this, to the TrueNAS Scale platform; the app menu is setup differently - in particular the advanced (Kubernetes) settings show no host path safety check option - is it deleted now instead of defaulted?
Is it possible to hide folders or shares to users who do not have permissions? At the moment, unauthorized users can't access inside, but are able to see folder names. Thanks for your help
Great video, explained a lot to me. But I still don't understand why it's all so confusing. In a month or two, if I need to set something up, I'll have to watch the video again because I'm sure I won't remember everything.
Coming from a normal NAS I have the ability to make home directory to every user for backup purposes and to have access to all users homes from an admin account.
I tried to do this on true nas scale (about 6 months ago) without success.
Of course I created homes but I can't figure out how to give access to all users homes to admins only.
Am I missing something or something is missing from truenas?
I can't seem to figure out how to allow other apps access to the dataset. I'm trying to allow readarr to access a samba dataset, which contains my e-books. Any recommendations?
Curious to know if in the cli of the apps, the group owner of that YouTube folder will show as 3002 (the gid of the YouTube group if I'm not mistaken) instead of "apps" (or root or abc depending on the app settings). When files/folders are created in the app inside the YouTube folder, would they have the "apps" group as group owner or also the 3002 group? And then would an ls show a mix of 3002 and "apps" as group owners of the files/folders depending on where or by whom they were created? If so, it may be my OCD but somehow that really annoys me. 😅
Also not sure if related, but I experienced some permission issues in the past (older version of scale) and figured they were because of the foreign group id/owner (3002 in this case) which is unknown to the app.
It's a bit more complex than that and that is the reason you set it at the dataset level is because ZFS has settings for that extra data to be stored for the ACL
Hey question my PC is being weird when I try to access the Shared Folder thru File Explorer. Whenever I type the IPv4 address in the File Explorer bar instead of being asked the credentials to sign in it just opens my browser to the web configurator. How do I fix this?
seem i hope this is only a bug, when I disabled Host Path Security validate, all my apps disappeared from the Apps deployment section. opened a thread on TrueNas Scale community chat/section...
I am trying to get an influxdb docker image deployed/working...
Can you go over access based enumeration? The setting is grayed out after following your tutorial and I do not want all users to see all folders.
It's been 1hr already and I don't see the TrueNAS + AD video in the description yet 😅
At 4:43, you logged in as tom to the smb share Share_Demo. That share though is owned by the user & group root. How was then tom able to access the share without him existing at the ACLs?
Probably the answer comes later at 13:12 where you mention that tom and marcus are part of the builtin_users and due to that, they can have access to Share-Demo. Right?
Correct
Thank you so much for this video. It is really helpful. I am still having a problem, though. I am using PhotoSync (SMB) configuration. While I don't expect any difference than working with SMB on Windows, every time it creates a directory, the directory gets the following permission: `d---------` instead of `d---rwx---`. Where should I look?
All good, I took the tip from an old video and Strip ACL, then applied it again. It looks like it's working now. Thanks for all the videos you are making!!!
Great video! Thank you!
Glad you liked it!
How does one import an existing ZFS pool exported from another system?
I have existing pools which I would like to use in TrueNAS
Can you please update this video for 23.10.2? Options have changed and for the life of me I cannot get SMB shares to work from Windows 11, keep getting "You don't have permissions for this", if I try to create folders from Windows, when the user has Full rights to the share. I can only get this to work if I set the Purpose to "Private SMB and Dataset share".
Thanks!
Thanks for all your work on this, this is great. Could you do a video related to truenas scale working with multiples networks and static routes? Thanks in advance, greetings from Detroit.
Why static routes?
Hello, thanks for all the content. I do have a simple question, I am trying to create more data sets inside a sub folder, but I don't want the subfolder users to go into other folder that are not their own dedicated folder is there a way to do that?
example:
NAS
-> Family_shared_folder
-> Mom_folder
-> Dad_folder
-> Sister_folder
-> My_folder
-> Misc_folder (no sub permissions, only inherit permissions from Family_shared_folder)
How would I go and give permission to the sub folder in the family shared folder so the other accounts don't go into the other folders? Because from my understanding I have to provide everyone access to the Family shared folder, is that right, but can't they just access all the sub folders?
Create each dataset for each user and give them permission
can we use chmod and chown on those folders for eg on the youtube folder if the smb share is to another linux machine??
For basic permissions it might work.
Hello Tom, my way to leave the running access on a share is to use the "net use" command to see the share, followed by "net use \\ip address\ipc$ /del" or the share corresponding. By doing this, no logoff or restart is required; you can type \\host\share and the system asks you for new credentials
I have found that not to work because Windows won't forget some permission changes unless it's connected to an AD server.
oops i just posted more or less the same. sorry.
When I add a pool to apps Kubernetes tries to update but sticks at 0%. When I try to install an app I am greeted with "Kubernetes service is not running". I followed the video so I am not sure where the problem lies.
@2:50 No you can NOT change it later. Warning: if you set the share type to SMB (case insensitive for files), you won't be able to use WebDAV for that dataset. It needs Unix permissions, so Generic type will work for both. You can NOT change it once dataset is created, it is immutable. I had to move 2TB of data to new dataset and create the shares.
You're right you can't change the share type, but you can change the ACL type back to POSIX. I think that 'Share Type' is just some kind of abstraction to setup some default options, I'm not sure there's anything that can't be undone so to speak. In Cobra at least you seem to be able to edit the dataset > Advanced Options > ACL Type and you can change it to POSIX which should be what you need for Unix permissions.
@@JoshArchers IIRC WebDAV was not able to see the dataset once created as SMB, even after changing the type to POSIX. So no, it is not the same.
Any update on when the updated Active Directory video will be released? Currently trying to deploy TN in an AD environment and running into issues when trying to migrate data from the current windows share to the TN share. Some of the files on the windows share are owned by ‘system’ or the local admin, or ad users that have been deleted. When using robocopy to copy over the data with /copyall I get an error 1307 (this security id may not be assigned as the owner of this object). Current file server has roughly 3million files on it, not sure how I could fix the ownership on an unknown percentage of these files
I don't really have a timeframe on that.
in proxmox using a vm or lxc vs inside trueNAS??? (trueNas is also inside proxmox)
@4:30, what's the effect of that "use as home share"? I'm so confused by it and am not sure if I need to accept it. I thought this meant that every user gets a private sub-folder in that share?
It can be used for users to have a Linux style home folder, not something I ever really use.
Tom or ANYONE, How can I setup a permissions in a dataset to where I (dad builtin_admin) has full control and want my other users (wife and kid builtin_users) to be able to read and write files if they want, but not be able to delete anyone's files ONLY the ones they created/own? I am able to have each user write files to the dataset but the user that creates the file cannot delete their own file. If I give them modify permissions they can delete anything in the dataset. How do I fix this???
Do we need minimum three servers to make a scale out storage like with other Software defined storage solutions ?
th-cam.com/video/vXzLoTK2SJE/w-d-xo.html
is it only me or is it so convoluted there! ;-)
Unable to rename folder name, error message " the action can't be completed because the folder or a file in it is open in another program" please solve this problem
Thanks as always Tom, great work!
So in summary to run an app such as file browser it is an all or nothing permission based on the app user / app group in terms of what file browser's users can see and do.... I wish TrueNAS would just incorporate a web based file browser into their platform that accomplishes user/group permissions per dataset instead of the one size fits all approach via an app.
Do you know if I can run a tape library (MSL 2024) with Truenas? I'm having a supermicro server with both a bunch of SAS disks in an external housing on raid controllers, as well as a tape library. I'm thinking of upgrading, and instead of using my own home made set of vms, use truenas. I'm unsure on whether I can use my tapes / library with truenas. I assume I'll first run the server that I install truenas on and then use some of my bigger disks (I've a bunch of 18TB ones) to transfer the data for once, and then configure the tape library, move connect the disk housing, and ultimately get my disks back and copy the data back. At that point the only question that I wonder is how I'm going to run my tape library.
There is no official support for tape systems in TrueNAS
@@LAWRENCESYSTEMS Thanks for your answer.
@@LAWRENCESYSTEMS But is the underlying system not just Linux? In that case I could leverage that, if it can also serve as client to the shares from truenas. Would be interesting to know if I can hand through some SAS devices directly to some vm running on truenas.
Can you access the youtube SMB share directly? Instead of going through the share SMB parent folder first?
I want to mount the child dataset directly, instead of going through the parent dataset, but it's not working for me in windows...I can see the share but not access it directly, I must browse through the parent dataset first.
It can be configured to share the YouTube dataset directly
Is TN Scale production worthy yet ?? Been sticking to Core just because she soo stable... Great vid a usual tl
Thank you
For NAS functions like shares and iSCSI, yes. Apps and cluster features are still a work in progress.
Permissions are my Kryptonite... This helped but I would see a more detailed explanation about masks, flags, group objects etc.
I believe you can switch user here:
Control Panel\User Accounts\Credential Manager
Find the IP-number and then edit the user credentials
Then remap the share
On my Truenas it shows the error: The file name is too long. How to solve it, can you help me?
I don't see the host safety check in my advanced settings... any idea why it's not showing?....thanks
I think they have (re)moved them in the newer 23.xx version, I was searching in the comments for someone to explain where the option went, and whether we need to disable it.
Edit: I found a post on reddit covering the topic, they removed the option and it's currently 'disabled' by default
What about using SMB with NFS together for shares ?
I want my linux vms to be able to connect to them using nfs, but for windows clients to use samba. Is it ok and what permissions are best here? Can I use ACLs for nfs?
I have some weird behavior now with them, for example some files appear to be owned by root, but it is set to user in truenas scale
That's a terrible idea to have your Linux systems connect via samba.
@@LAWRENCESYSTEMS yes, that's why I want to connect them with nfs, but there are some problems with permissions on shares, that are both nfs and samba
This is an excellent video Tom, but what a mess Scale is. I think it highlights the disconnect between the intent - share permissions - and the process - dataset editing. The ACL editor is a UI mess.
Core runs better on my older hardware. But I want a greater number of apps that come with Scale. I am torn between staying with Core or learning Scale. I am trying to stick it out and learn Scale.
What is the definition of the term "dataset" from a truenas and windows perspective?
Somewhat like a folder, but way more features. Full explainer here th-cam.com/video/0d4_nvdZdOc/w-d-xo.html
The "enable host path safety checks" option is missing from my truenas app settings. What do I do? The option simply isn't there.
Yes, also missing "enable host path safety checks'
I think it has to do with a recent update 23.10. But I don’t know how to fix it currently.
they removed that option from 23.10 because of all the problems that default was causing for users.
now you don't need to do anything, it is off by default
I wish that TrueNAS implements Samba to reload automatically (smbcontrol all reload-config) whenever a config change is made in a future release.
Two questions:
1. If I click on any share (private/public) and then the Edit Share ACL (not the Edit Filesystem ACL), it defaults to SID: S-1-1-0, Name: EVERYONE, Permission: FULL, Type: ALLOWED. What is its function, should it be this way for private shares?
2. I've setup a Windows PC with a personal MS account. When I try to access a private share, it asks for credentials. The username on the TrueNAS differs from the PC, but I insert the correct username/password when asked for it. Still, I get access denied. (Public anonymous shares still works fine). It used to work before with a local account on the PC with the same username as in TrueNAS though. Why is that?
Keep up the good work, love your videos!
1) If it shows "Everyone" that is because you have that permission on it, 2) Sounds like the permission is not set.
@@LAWRENCESYSTEMS Thanks for your prompt reply. Tried to create a share from scratch (latest version): 1. Created test SMB dataset. 2. Created a share for it and chose Private Dataset/Share. It still shows the same as above (Edit Share ACL). Bug in TrueNAS or should it just be this way? Seems like the Filesystem ACL takes precedence anyway...
is it wrong that I want to have each app as its own user on the ACL list? one app shouldn't have access to everything that has an app permission.
like qbittorent app shouldn't have full control on a dataset intended for filebrowser? am I thinking of this wrong?
what happens if an app goes rogue or has a security hole in it
edit: ok. maybe I'm wrong. I think it's only mounted paths of specific apps that get permission for that app (and path).
Apps all run as the same user, you restrict them based on paths.
Can you do a video on core with Jails for truenas core, creating users for sonarr & radar and getting the permissions setup? I have been having issues and I am at the point that I just want to give up on this truenas thing
Not planning on any seeing as they are not very well supported and their future is limited.
@@LAWRENCESYSTEMS I see, thanks for replying. Does this also mean I should switch to truenas scale or remain with core?
@@herberthiggins1388 If you need more things on the NAS, move to scale.
re 9:20 "rebooting windows for relogin" ... well, there is easier way.
1) close all programs / explorers using these shares
2) in cmd run: net use * /d
3) in cmd run: klist purge
4) if you've managed to save credentials - run control panel / user accounts / credential manager / manage windows credentials -> find one you were logged in to network share and remove it
how did you get the 4:42?
In Windows Explorer you can use two \\ and the IP of the TrueNAS
@@LAWRENCESYSTEMS Thank you sir! :)
Ugh.. I transitioned from Core to Scale and I really need to set up Permissions again :( but I'm too scared of losing my data to go balls to the wall :S I really should get someone pro to remote into my system and set shit up
Perhaps I could hire someone from Fiverr
What's up with rsync deprecation?
That alert kinda scared me ngl
Covered in this video th-cam.com/video/tA0Xsnc4eFM/w-d-xo.html
@@LAWRENCESYSTEMS thanks!
I wish the ? 's were not bigger/bolder than the actual label of the text boxes. ☹️
I'm trying to run a docker app in truenas using the blue button. I can't for the life of me get the app to be able to use its data set. This video is helpful, just not in my case...
Thank you for this guide, but the ACL permissions editor is probably the worst UX I've ever seen.
I love watching your videos but for me admin and root in TrueNas Scale has been completely busted for fresh installs. You can't access IP settings, ACLs, or ZFS datasets. This pretty much means unless you upgraded you couldn't interact with ZFS and couldn't setup most things in TrueNas Scale.
Why are you creating a new group for each user? I don't think that's the correct way to handle users and groups.
Retest Scale after 2 years. Found 3 bugs/issues in first 30 minutes. WTH?
Hope you reported them, that is how software improves.
@@LAWRENCESYSTEMS Yes. I did report them right away. Just can't believe SCALE is still this bad. Also, I still can't figure out the permission for ACLs. How do you apply a user with traverse permission? It seems to only work with Owner, Owner Group. Everything else, the permission just won't work.
Instead of restarting the whole PC, you can just restart network (ipconfig /release & ipconfig /renew).
That just resets the DHCP lease, not the SMB networking.
@@LAWRENCESYSTEMS I understand, but still it somehow works for me, after changing the permissions of datasets
instead of restarting windows see the windows credential manager
The apps part is already outdated.
You should probably have started with creating zpools and datasets......just saying.. as a complete and utter noob.. I figured out how to make all the drives a part of a raidz2 pool.. aaaaaaaaaand then confusion struck
I have other videos on that already.
@@LAWRENCESYSTEMS ah.. guess I'll try to find it.. thx
@@philosoaper Here you go th-cam.com/video/0d4_nvdZdOc/w-d-xo.html
I’m getting “Access is Denied.”
I don’t like that Marcus can even see the share folder.
The latest version of Scale is different 😔
It's close enough that this video is still accurate, but I will be making a new one this year.
@@LAWRENCESYSTEMS Thank You ☺️
@@LAWRENCESYSTEMS it is different enough that we can't make apps access the datasets. if you can be so kind to update this guide for us noobs
ACLs are a fking nightmare
true nas apps being deploying forever.