How to define a public SMB-share

Louis2

Contributor
Joined
Sep 7, 2019
Messages
177
It has been discussed in the past, but on the actual SCALE system in combination with Windows, I simply do not manage :(


What I would like to achieve is an SMB share which is accessible without any username or password from a user PC that is within a certain VLAN.

So:

- I defined a dataset 'guests' and
- I defined an SMB share 'guests' pointing to the dataset
- share of type 'no presets' (IMHO they are just confusing)
- options Enable ACL; Browsable to Network Clients ; Allow Guest Access
- Host Allow: the IP-ranges which should have access
- Other options: Enable Shadow copies; Enable Alternate Data Streams; Enable SMB2/3 Durable Handles
I doubt if I should 'Enable SMB2/3 Durable Handles', to be honest I think not. I also think it is hardly relevant.

The impact of the following options is not at all clear to me:
- Enable ACL (which ACLs?? and what are the consequences??) and
- Allow Guest Access (what does it do!?? Is it TrueNAS, is it Windows??)

After(!!) defining this we find in the SMB share menu two sets of ACLs:
- Share ACLs, which seem to be intended to set Windows permissions, and
- a bit strange to find that option here, a rather complex menu to set dataset permissions
It is not really clear to me. There is some explanation here:

Since I do not intend to influence Windows authorization, I did leave the Share ACLs at default.
And in principle I do not want to use the (IMHO hardly understandable) Unix ACL editor as well,
since I already did define the authorization in the dataset menu.

So assume we defined the permissions for the dataset as:
owner rwx; group rwx; other rwx

Permission-wise that would do, since we intend to allow everyone (being in a certain network) to use the share.

However, we also want:
- that there is no logon
- and the user should not be / is not known by TrueNAS

So I have been thinking about adding 'nobody' as authorized for the dataset.
However:
- I did not manage to do that and
- I did not manage to get rid of the Windows logon screen

So I hope someone knows the solution.

Louis
PS. I have considered defining a user 'guest' with password 'guest' as a workaround, but for multiple reasons, among which security, I do not like that.
 

Ilunga

Cadet
Joined
Sep 12, 2023
Messages
1
I hope you have already solved this. Here is what I did:
After creating the dataset, I stripped the ACL after I had created an SMB share, using "Edit Filesystem ACL" (shield icon on the right, on the same line as the SMB share). Then I assigned a new ACL "NFS4_Open".
This did the trick for me.
 

Louis2

Contributor
Joined
Sep 7, 2019
Messages
177
No, I still do not manage :(

The first thing to work around is that the shares are not visible if the target computer is not on the same VLAN as the source / NAS.
Assuming the needed firewall ports are open, you can nevertheless access the share using a link like
\\mynas.myzone.lan\TheShare (TheShare is the share name as defined in the NAS).

So far it works. However, when trying to access that share you have to enter credentials of a NAS user having access to the share. And that is exactly what was not the intention.

I had a quick look at the settings of TheShare and defined a rule SMB-open, but I really have no idea how to configure that one in such a way that it leads to a public share.
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
I have guest access working without problems, but I do not have any Windows clients. Microsoft disabled guest access with Windows 10.

That being said, in the service definition set the guest user to e.g. "nobody". Give the dataset in question to "nobody" and "nogroup" and in the share definition completely disable ACLs as shown in my screenshot. Works with Macs and Windows up to 7.

IMG_0747.jpeg

HTH,
Patrick
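
As an added example, not part of any post in this thread: a small Python audit over Samba-style share definitions that lists which shares accept guest logons and whether they are restricted by `hosts allow`, the two settings discussed above. The share names, paths and subnet are constructed, and it assumes the UI options map to the standard Samba parameters `guest ok`, `hosts allow` and `read only`.

```python
import configparser

# Constructed sample in smb.conf syntax; share names, paths and subnet are assumptions.
SAMPLE = """\
[global]
map to guest = Bad User
guest account = nobody

[guests]
path = /mnt/tank/guests
guest ok = yes
read only = no
hosts allow = 192.168.20.0/24

[scratch]
path = /mnt/tank/scratch
guest ok = yes
read only = no

[private]
guest ok = no
"""

TRUTHY = {"yes", "true", "1"}

def audit_guest_shares(text):
    """Return {share: [warnings]} for every share that accepts guest logons."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.read_string(text)
    glob = cp["global"] if cp.has_section("global") else {}
    report = {}
    for name in cp.sections():
        if name.lower() == "global":
            continue
        # Per-share value wins; otherwise fall back to [global], then to the default.
        opt = lambda key, default="": cp[name].get(key, glob.get(key, default)).strip()
        if opt("guest ok", "no").lower() not in TRUTHY:
            continue  # authenticated share, out of scope for this audit
        warnings = []
        if not opt("hosts allow"):
            warnings.append("guest access not limited by hosts allow")
        if opt("read only", "yes").lower() not in TRUTHY:
            warnings.append("guests can write")
        report[name] = warnings
    return report

if __name__ == "__main__":
    for share, warnings in audit_guest_shares(SAMPLE).items():
        print(share, "->", warnings or "ok")
```
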
 

Louis2

Contributor
Joined
Sep 7, 2019
Messages
177
Patrick, thanks!

The first thing to note is that if it is true that Windows no longer supports public shares (I think I did read something like that in the past), then this whole exercise is of no use at all. For normal work I and also potential guests are using Windows systems.

So I think I am going to 'solve' this by defining a share called "Public" which has the password 'guest' (or some other simple password).

Louis
PS. By the way, I did read somewhere:
I then also set force user and force group so that files won't be owned by whoever makes it. However, there are other ways of doing this. You could also fiddle with ACL's and retain the original ownership info. However, the force group and user options are far easier :)
I did not put any effort into analyzing this suggestion.
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
There's a registry entry somewhere but Microsoft's official stance is that guest access is unsupported.
 