13. Services¶
Services that ship with FreeNAS® are configured, started, or stopped in Services. FreeNAS® includes these built-in services:
This section demonstrates starting a FreeNAS® service and the available configuration options for each FreeNAS® service.
13.1. Configure Services¶
The Services page, shown in Figure 13.1.1, lists all services. The list has options to activate the service, set a service to Start Automatically at system boot, and configure a service. The S.M.A.R.T. service is enabled by default, but only runs if the storage devices support S.M.A.R.T. data. Other services default to off until started.
Stopped services show the sliding button on the left. Active services show the sliding button on the right. Click the slider to start or stop a service. Stopping a service shows a confirmation dialog.
Tip
Using a proxy server can prevent the list of services from being displayed. If a proxy server is used, do not configure it to proxy local network or websocket connections. VPN software can also cause problems. If the list of services is displayed when connecting on the local network but not when connecting through the VPN, check the VPN software configuration.
Services are configured by clicking (Configure).
If a service does not start, go to Show console messages. Console messages appear at the bottom of the browser. Clicking the console message area makes it into a pop-up window, allowing scrolling through or copying the messages. Watch these messages for errors when stopping or starting the problematic service.
and enableTo read the system logs for more information about a service failure, open Shell and type more /var/log/messages.
13.2. AFP¶
The settings that are configured when creating AFP shares in are specific to each configured AFP share. An AFP share is created by navigating to ADD. In contrast, global settings which apply to all AFP shares are configured in .
, and clickingFigure 13.2.1 shows the available global AFP configuration options which are described in Table 13.2.1.
Setting | Value | Description |
---|---|---|
Guest Account | drop-down menu | Select an account to use for guest access. The account must have permissions to the pool or dataset being shared. |
Guest Access | checkbox | If enabled, clients are not prompted to authenticate before accessing AFP shares. |
Max. Connections | integer | Maximum number of simultaneous connections permited via AFP. The default limit is 50. |
Database Path | browse button | Sets the database information to be stored in the path. Default is the root of the pool. The path must be writable even if the pool is read only. |
Chmod Request | drop-down menu | Set how ACLs are handled. Choices are: Ignore, Preserve, or Simple. |
Map ACLs | drop-down menu | Choose mapping of effective permissions for authenticated users: Rights (default, Unix-style permissions), Mode (ACLs), or None. |
Bind Interfaces | selection | Specify the IP addresses to listen for FTP connections. Select the desired IP addresses in the list to add them to the Bind Interfaces list. |
Global auxiliary parameters | string | Additional afp.conf(5) parameters not covered elsewhere in this screen. |
13.2.1. Troubleshooting AFP¶
Check for error messages in /var/log/afp.log
.
Determine which users are connected to an AFP share by typing afpusers.
If Something wrong with the volume’s CNID DB is shown, run this command from Shell, replacing the path to the problematic AFP share:
dbd -rf /path/to/share
This command can take some time, depending upon the size of the pool or dataset being shared. The CNID database is wiped and rebuilt from the CNIDs stored in the AppleDouble files.
13.3. Dynamic DNS¶
Dynamic DNS (DDNS) is useful if the FreeNAS® system is connected to an ISP that periodically changes the IP address of the system. With dynamic DNS, the system can automatically associate its current IP address with a domain name, allowing access to the FreeNAS® system even if the IP address changes. DDNS requires registration with a DDNS service such as DynDNS.
Figure 13.3.1 shows the DDNS configuration screen and Table 13.3.1 summarizes the configuration options. The values for these fields are provided by the DDNS provider. After configuring DDNS, remember to start the DDNS service in .
Setting | Value | Description |
---|---|---|
Provider | drop-down menu | Several providers are supported. If a specific provider is not listed, select Custom Provider and enter the information in the Custom Server and Custom Path fields. |
CheckIP Server SSL | checkbox | Use HTTPS for the connection to the CheckIP Server. |
CheckIP Server | string | Name and port of the server that reports the external IP address. For example, entering
checkip.dyndns.org:80 uses Dyn IP detection
to discover the remote socket IP address. |
CheckIP Path | string | Path to the CheckIP Server. For example, no-ip.com uses a CheckIP Server of
dynamic.zoneedit.com and CheckIP Path of /checkip.html . |
SSL | checkbox | Use HTTPS for the connection to the server that updates the DNS record. |
Custom Server | string | DDNS server name. For example, members.dyndns.org denotes a server similar to dyndns.org. |
Custom Path | string | DDNS server path. Path syntax varies by provider and must be obtained from that provider. For example,
/update?hostname= is a simple path for the update.twodns.de Custom Server. The
hostname is automatically appended by default. More examples are in the
In-A-Dyn documentation. |
Domain name | string | Fully qualified domain name of the host with the dynamic IP addess. Separate multiple domains with a space,
comma (, ), or semicolon (; ). Example: myname.dyndns.org; myothername.dyndns.org |
Username | string | Username for logging in to the provider and updating the record. |
Password | string | Password for logging in to the provider and updating the record. |
Update period | integer | How often the IP is checked in seconds. |
When using the he.net
Provider, enter the domain
name for Username and enter the DDNS key generated for that
domain’s A entry at the he.net website for
Password.
13.4. FTP¶
FreeNAS® uses the proftpd FTP server to provide FTP services. Once the FTP service is configured and started, clients can browse and download data using a web browser or FTP client software. The advantage of FTP is that easy-to-use cross-platform utilities are available to manage uploads to and downloads from the FreeNAS® system. The disadvantage of FTP is that it is considered to be an insecure protocol, meaning that it should not be used to transfer sensitive files. If concerned about sensitive data, see Encrypting FTP.
This section provides an overview of the FTP configuration options. It then provides examples for configuring anonymous FTP, specified user access within a chroot environment, encrypting FTP connections, and troubleshooting tips.
Figure 13.4.1 shows the configuration screen for . Some settings are only available in ADVANCED MODE. To see these settings, either click the ADVANCED MODE button or configure the system to always display these settings by setting the Show advanced fields by default option in .
Table 13.4.1 summarizes the available options when configuring the FTP server.
Setting | Value | Advanced Mode | Description |
---|---|---|---|
Port | integer | Set the port the FTP service listens on. | |
Clients | integer | Maximum number of simultaneous clients. | |
Connections | integer | Set the maximum number of connections per IP address. 0 means unlimited. | |
Login Attempts | integer | Enter the maximum number of attempts before the client is disconnected. Increase this if users are prone to typos. | |
Timeout | integer | Maximum client idle time in seconds before client is disconnected. | |
Allow Root Login | checkbox | Setting this option is discouraged as it increases security risk. | |
Allow Anonymous Login | checkbox | Allow anonymous FTP logins with access to the directory specified in the Path. | |
Path | browse button | Set the root directory for anonymous FTP connections. | |
Allow Local User Login | checkbox | Allow any local user to log in. By default, only members of the ftp
group are allowed to log in. |
|
Display Login | string | Specify the message displayed to local login users after authentication. Not displayed to anonymous login users. | |
Allow Transfer Resumption | checkbox | Set to allow FTP clients to resume interrupted transfers. | |
Always Chroot | checkbox | When set a local user is only allowed access to their home directory when they are a member of the wheel group. | |
Perform Reverse DNS Lookups | checkbox | Set to perform reverse DNS lookups on client IPs. Can cause long delays if reverse DNS is not configured. | |
Masquerade address | string | Public IP address or hostname. Set if FTP clients cannot connect through a NAT device. | |
Certificate | drop-down menu | Select the SSL certificate to be used for TLS FTP connections. Go to | to create a certificate.|
TLS No Certificate Request | checkbox | Set if the client cannot connect, and it is suspected the client is not properly handling server certificate requests. | |
File Permission | checkboxes | ✓ | Sets default permissions for newly created files. |
Directory Permission | checkboxes | ✓ | Sets default permissions for newly created directories. |
Enable FXP | checkbox | ✓ | Set to enable the File eXchange Protocol. This is discouraged as it makes the server vulnerable to FTP bounce attacks. |
Require IDENT Authentication | checkbox | ✓ | Setting this option results in timeouts if identd is not running on the client. |
Minimum Passive Port | integer | ✓ | Used by clients in PASV mode, default of 0 means any port above 1023. |
Maximum Passive Port | integer | ✓ | Used by clients in PASV mode, default of 0 means any port above 1023. |
Local User Upload Bandwidth | integer | ✓ | Defined in KiB/s, default of 0 means unlimited. |
Local User Download Bandwidth | integer | ✓ | Defined in KiB/s, default of 0 means unlimited. |
Anonymous User Upload Bandwidth | integer | ✓ | Defined in KiB/s, default of 0 means unlimited. |
Anonymous User Download Bandwidth | integer | ✓ | Defined in KiB/s, default of 0 means unlimited. |
Enable TLS | checkbox | ✓ | Set to enable encrypted connections. Requires a certificate to be created or imported using Certificates. |
TLS Policy | drop-down menu | ✓ | The selected policy defines whether the control channel, data channel, both channels, or neither channel of an FTP session must occur over SSL/TLS. The policies are described here. |
TLS Allow Client Renegotiations | checkbox | ✓ | Setting this option is not recommended as it breaks several security measures. For this and the rest of the TLS fields, refer to mod_tls for more details. |
TLS Allow Dot Login | checkbox | ✓ | If set, the user home directory is checked for a
.tlslogin file which contains one or more PEM-encoded
certificates. If not found, the user is prompted for password
authentication. |
TLS Allow Per User | checkbox | ✓ | If set, the user password may be sent unencrypted. |
TLS Common Name Required | checkbox | ✓ | When set, the common name in the certificate must match the FQDN of the host. |
TLS Enable Diagnostics | checkbox | ✓ | If set when troubleshooting a connection, logs more verbosely. |
TLS Export Certificate Data | checkbox | ✓ | If set, exports the certificate environment variables. |
TLS No Certificate Request | checkbox | ✓ | Set if the client cannot connect and it is suspected the client is poorly handling the server certificate request. |
TLS No Empty Fragments | checkbox | ✓ | Setting this option is not recommended as it bypasses a security mechanism. |
TLS No Session Reuse Required | checkbox | ✓ | Setting this option reduces the security of the connection. Only use if the client does not understand reused SSL sessions. |
TLS Export Standard Vars | checkbox | ✓ | If enabled, sets several environment variables. |
TLS DNS Name Required | checkbox | ✓ | If set, the client DNS name must resolve to its IP address and the cert must contain the same DNS name. |
TLS IP Address Required | checkbox | ✓ | If set, the client certificate must contain the IP address that matches the IP address of the client. |
Auxiliary Parameters | string | ✓ | Used to add proftpd(8) parameters not covered elsewhere in this screen. |
This example demonstrates the auxiliary parameters that prevent all users from performing the FTP DELETE command:
<Limit DELE>
DenyAll
</Limit>
13.4.1. Anonymous FTP¶
Anonymous FTP may be appropriate for a small network where the FreeNAS® system is not accessible from the Internet and everyone in the internal network needs easy access to the stored data. Anonymous FTP does not require a user account for every user. In addition, passwords are not required so it is not necessary to manage changed passwords on the FreeNAS® system.
To configure anonymous FTP:
Give the built-in ftp user account permissions to the pool or dataset to be shared in
:- User: select the built-in ftp user from the drop-down menu
- Group: select the built-in ftp group from the drop-down menu
- Mode: review that the permissions are appropriate for the share
Note
For FTP, the type of client does not matter when it comes to the type of ACL. This means that Unix ACLs are used even if Windows clients are accessing FreeNAS® via FTP.
Configure anonymous FTP in
by setting these attributes:- Allow Anonymous Login: set this option
- Path: browse to the pool/dataset/directory to be shared
Start the FTP service in FTP row. The FTP service takes a second or so to start. The sliding button moves to the right when the service is running.
. Click the sliding button on theTest the connection from a client using a utility such as Filezilla.
In the example shown in Figure 13.4.2, The user has entered this information into the Filezilla client:
- IP address of the FreeNAS® server: 192.168.1.113
- Username: anonymous
- Password: the email address of the user
The messages within the client indicate the FTP connection is successful. The user can now navigate the contents of the root folder on the remote site. This is the pool or dataset specified in the FTP service configuration. The user can also transfer files between the local site (their system) and the remote site (the FreeNAS® system).
13.4.2. FTP in chroot¶
If users are required to authenticate before accessing the data on the FreeNAS® system, either create a user account for each user or import existing user accounts using Active Directory or LDAP. Create a ZFS dataset for each user, then chroot each user so they are limited to the contents of their own home directory. Datasets provide the added benefit of configuring a quota so that the size of a user home directory is limited to the size of the quota.
To configure this scenario:
Create a ZFS dataset for each user in Add Dataset. Set an appropriate quota for each dataset. Repeat this process to create a dataset for every user that needs access to the FTP service.
. Click the (Options) button, thenWhen Active Directory or LDAP are not being used, create a user account for each user by navigating to , and clicking ADD. For each user, browse to the dataset created for that user in the Home Directory field. Repeat this process to create a user account for every user that needs access to the FTP service, making sure to assign each user their own dataset.
Set the permissions for each dataset by navigating to Edit Permissions button, then assign a user account as User of that dataset. Set the desired permissions for that user. Repeat for each dataset.
, and clicking the (Options) on the desired dataset. Click theNote
For FTP, the type of client does not matter when it comes to the type of ACL. This means Unix ACLs are always used, even if Windows clients will be accessing FreeNAS® via FTP.
Configure FTP in
with these attributes:- Path: browse to the parent pool containing the datasets.
- Make sure the options for Allow Root Login and Allow Anonymous Login are unselected.
- Select the Allow Local User Login option to enable it.
- Select the Always Chroot option to enable it.
Start the FTP service in FTP row. The FTP service takes a second or so to start. The sliding button moves to the right to show the service is running.
. Click the sliding button on theTest the connection from a client using a utility such as Filezilla.
To test this configuration in Filezilla, use the IP address of the FreeNAS® system, the Username of a user that is associated with a dataset, and the Password for that user. The messages will indicate the authorization and the FTP connection are successful. The user can now navigate the contents of the root folder on the remote site. This time it is not the entire pool but the dataset created for that user. The user can transfer files between the local site (their system) and the remote site (their dataset on the FreeNAS® system).
13.4.3. Encrypting FTP¶
To configure any FTP scenario to use encrypted connections:
- Import or create a certificate authority using the instructions in CAs. Then, import or create the certificate to use for encrypted connections using the instructions in Certificates.
- In ADVANCED, choose the certificate in Certificate, and set the Enable TLS option. , click
- Specify secure FTP when accessing the FreeNAS® system. For example, in Filezilla enter ftps://IP_address (for an implicit connection) or ftpes://IP_address (for an explicit connection) as the Host when connecting. The first time a user connects, they will be presented with the certificate of the FreeNAS® system. Click SAVE to accept the certificate and negotiate an encrypted connection.
- To force encrypted connections, select On for the TLS Policy.
13.4.4. Troubleshooting FTP¶
The FTP service will not start if it cannot resolve the system hostname to an IP address with DNS. To see if the FTP service is running, open Shell and issue the command:
sockstat -4p 21
If there is nothing listening on port 21, the FTP service is not running. To see the error message that occurs when FreeNAS® tries to start the FTP service, go to Show console messages, and click SAVE. Go to Services and switch the FTP service off, then back on. Watch the console messages at the bottom of the browser for errors.
, enableIf the error refers to DNS, either create an entry in the local DNS server with the FreeNAS® system hostname and IP address, or add an entry for the IP address of the FreeNAS® system in the Host name database field.
13.5. iSCSI¶
Refer to Block (iSCSI) for instructions on configuring iSCSI. Start the iSCSI service in by clicking the sliding button in the iSCSI row.
Note
A warning message is shown the iSCSI service stops when initiators are connected. Open the Shell and type ctladm islist to determine the names of the connected initiators.
13.6. LLDP¶
The Link Layer Discovery Protocol (LLDP) is used by network devices to advertise their identity, capabilities, and neighbors on an Ethernet network. FreeNAS® uses the ladvd LLDP implementation. If the network contains managed switches, configuring and starting the LLDP service will tell the FreeNAS® system to advertise itself on the network.
Figure 13.6.1 shows the LLDP configuration screen and Table 13.6.1 summarizes the configuration options for the LLDP service.
Setting | Value | Description |
---|---|---|
Interface Description | checkbox | Set to enable receive mode and to save and received peer information in interface descriptions. |
Country Code | string | Required for LLDP location support. Enter a two-letter ISO 3166 country code. |
Location | string | Optional. Specify the physical location of the host. |
13.7. NFS¶
The settings that are configured when creating NFS shares in are specific to each configured NFS share. An NFS share is created by going to ADD. Global settings which apply to all NFS shares are configured in .
and clickingFigure 13.7.1 shows the configuration screen and Table 13.7.1 summarizes the configuration options for the NFS service.
Setting | Value | Description |
---|---|---|
Number of servers | integer | Specify how many servers to create. Increase if NFS client responses are slow. To limit CPU context switching,
keep this number less than or equal to the number of CPUs reported by sysctl -n kern.smp.cpus . |
Serve UDP NFS clients | checkbox | Set if NFS clients need to use UDP. |
Bind IP Addresses | drop-down | Select IP addresses to listen on for NFS requests. When all options are unset, NFS listens on all available addresses. |
Allow non-root mount | checkbox | Set only if required by the NFS client. |
Enable NFSv4 | checkbox | Set to switch from NFSv3 to NFSv4. The default is NFSv3. |
NFSv3 ownership model for NFSv4 | checkbox | Grayed out unless Enable NFSv4 is selected and, in turn, grays out Support>16 groups which is incompatible. Set this option if NFSv4 ACL support is needed without requiring the client and the server to sync users and groups. |
Require Kerberos for NFSv4 | checkbox | Set to force NFS shares to fail if the Kerberos ticket is unavailable. |
mountd(8) bind port | integer | Optional. Specify the port that mountd(8) binds to. |
rpc.statd(8) bind port | integer | Optional. Specify the port that rpc.statd(8) binds to. |
rpc.lockd(8) bind port | integer | Optional. Specify the port that rpc.lockd(8) binds to. |
Support >16 groups | checkbox | Set this option if any users are members of more than 16 groups (useful in AD environments). Note this assumes group membership is configured correctly on the NFS server. |
Log mountd(8) requests | checkbox | Enable logging of mountd(8) requests by syslog. |
Log rpc.statd(8) and rpc.lockd(8) | checkbox | Enable logging of rpc.statd(8) and rpc.lockd(8) requests by syslog. |
Note
NFSv4 sets all ownership to nobody:nobody if user and group do not match on client and server.
13.8. Rsync¶
Rsync Module Mode for a configuration example.
is used to configure an rsync server when using rsync module mode. Refer toThis section describes the configurable options for the rsyncd service and rsync modules.
13.8.1. Configure Rsyncd¶
To configure the rsyncd server, go to EDIT for the Rsync service.
and click Table 13.8.1 summarizes the configuration options for the rsync daemon:
Setting | Value | Description |
---|---|---|
TCP Port | integer | rsyncd listens on this port. The default is 873. |
Auxiliary parameters | string | Enter any additional parameters from rsyncd.conf(5). |
13.8.2. Rsync Modules¶
To add a new Rsync module, go to EDIT for the Rsync service, select the Rsync Module tab, and click ADD.
, click Table 13.8.2 summarizes the configuration options available when creating a rsync module.
Setting | Value | Description |
---|---|---|
Name | string | Module name that matches the name requested by the rsync client. |
Comment | string | Describe this module. |
Path | file browser | Browse to the pool or dataset to store received data. |
Access Mode | drop-down menu | Choose permissions for this rsync module. |
Maximum connections | integer | Maximum connections to this module. 0 is unlimited. |
User | drop-down menu | User to run as during file transfers to and from this module. |
Group | drop-down menu | Group to run as during file transfers to and from this module. |
Hosts Allow | string | From rsyncd.conf(5). A list of patterns to match with the hostname and IP address of a connecting client. The connection is rejected if no patterns match. Separate patterns with whitespace or a comma. |
Hosts Deny | string | From rsyncd.conf(5). A list of patterns to match with the hostname and IP address of a connecting client. The connection is rejected when the patterns match. Separate patterns with whitespace or a comma. |
Auxiliary parameters | string | Enter any additional parameters from rsyncd.conf(5). |
13.9. S3¶
S3 is a distributed or clustered filesystem protocol compatible with Amazon S3 cloud storage. The FreeNAS® S3 service uses Minio to provide S3 storage hosted on the FreeNAS® system itself. Minio also provides features beyond the limits of the basic Amazon S3 specifications.
Figure 13.9.1 shows the S3 service configuration screen and Table 13.9.1 summarizes the configuration options. After configuring the S3 service, start it in .
Setting | Value | Description |
---|---|---|
IP Address | drop-down menu | Enter the IP address to run the S3 service. 0.0.0.0 sets the server to listen on all addresses. |
Port | string | Enter the TCP port on which to provide the S3 service. Default is 9000. |
Access Key | string | Enter the S3 user name. This username must contain only alphanumeric characters and be between 5 and 20 characters long. |
Secret Key | string | Enter the password to be used by connecting S3 systems. The key must contain only alphanumeric characters and be at least 8 but no more than 40 characters long. |
Confirm Secret Key | string | Re-enter the S3 password to confirm. |
Disk | browse | Directory where the S3 filesystem will be mounted. Ownership of this directory and all subdirectories is set to minio:minio. Create a separate dataset for Minio to avoid issues with conflicting directory permissions or ownership. |
Enable Browser | checkbox | Set to enable the web user interface for the S3 service. |
Certificate | drop-down menu | Add the SSL certificate to be used for secure S3 connections. |
13.10. S.M.A.R.T.¶
S.M.A.R.T., or Self-Monitoring, Analysis, and Reporting Technology, is an industry standard for disk monitoring and testing. Drives can be monitored for status and problems, and several types of self-tests can be run to check the drive health.
Tests run internally on the drive. Most tests can run at the same time as normal disk usage. However, a running test can greatly reduce drive performance, so they should be scheduled at times when the system is not busy or in normal use. It is very important to avoid scheduling disk-intensive tests at the same time. For example, do not schedule S.M.A.R.T. tests to run at the same time, or preferably, even on the same days as Scrub Tasks.
Of particular interest in a NAS environment are the Short and Long S.M.A.R.T. tests. Details vary between drive manufacturers, but a Short test generally does some basic tests of a drive that takes a few minutes. The Long test scans the entire disk surface, and can take several hours on larger drives.
FreeNAS® uses the smartd(8) service to monitor S.M.A.R.T. information, including disk temperature. A complete configuration consists of:
- Scheduling when S.M.A.R.T. tests are run. S.M.A.R.T tests are created by navigating to ADD. , and clicking
- Enabling or disabling S.M.A.R.T. for each disk member of a pool in . This setting is enabled by default for disks that support S.M.A.R.T.
- Checking the configuration of the S.M.A.R.T. service as described in this section.
- Starting the S.M.A.R.T. service in Services.
Figure 13.10.1 shows the configuration screen that appears after going to and clicking (Configure).
Note
smartd wakes up at the configured Check Interval. It checks the times configured in to see if a test must begin. Since the smallest time increment for a test is an hour, it does not make sense to set a Check Interval value higher than 60 minutes. For example, if the Check Interval is set to 120 minutes and the smart test to every hour, the test will only be run every two hours because smartd only activates every two hours.
Table 13.10.1 summarizes the options in the S.M.A.R.T configuration screen.
Setting | Value | Description |
---|---|---|
Check Interval | integer | Define in minutes how often smartd activates to check if any tests are configured to run. |
Power Mode | drop-down menu | Tests are only performed when Never is selected. Choices are: Never, Sleep, Standby, or Idle. |
Difference | integer in degrees Celsius | Enter number of degrees in Celsius. S.M.A.R.T reports if the temperature of a drive has changed by N degrees Celsius since the last report. Default of 0 disables this option. |
Informational | integer in degrees Celsius | Enter a threshold temperature in Celsius. S.M.A.R.T will message with a log level of LOG_INFO if the temperature is higher than the threshold. Default of 0 disables this option. |
Critical | integer in degrees Celsius | Enter a threshold temperature in Celsius. S.M.A.R.T will message with a log level of LOG_CRIT and send an email if the temperature is higher than the threshold. Default of 0 disables this option. |
13.11. SMB¶
Note
After starting the SMB service, it can take several minutes for the master browser election to occur and for the FreeNAS® system to become available in Windows Explorer.
Figure 13.11.1 shows the global configuration options which apply to all SMB shares. This configuration screen displays the configurable options from smb4.conf.
These options are described in Table 13.11.1.
Setting | Value | Description |
---|---|---|
NetBIOS Name | string | Automatically populated with the original hostname of the system. Limited to 15 characters. It must be different from the Workgroup name. |
NetBIOS Alias | string | Enter any aliases, separated by spaces. Each alias cannot be longer than 15 characters. |
Workgroup | string | Must match the Windows workgroup name. This setting is ignored if the Active Directory or LDAP service is running. |
Description | string | Enter a server description. Optional. |
Enable SMB1 support | checkbox | Allow legacy SMB clients to connect to the server. Warning: SMB1 is not secure and has been deprecated by Microsoft. See Do Not Use SMB1. |
UNIX Charset | drop-down menu | Default is UTF-8 which supports all characters in all languages. |
Log Level | drop-down menu | Choices are Minimum, Normal, or Debug. |
Use syslog only | checkbox | Set to log authentication failures in /var/log/messages instead of the default
of /var/log/samba4/log.smbd . |
Local Master | checkbox | Set to determine if the system participates in a browser election. Disable when network contains an AD or LDAP server or Vista or Windows 7 machines are present. |
Guest Account | drop-down menu | Select the account to be used for guest access. Default is nobody. Account must have permission to access the shared pool or dataset. If Guest Account user is deleted, resets to nobody. |
Administrators Group | drop-down menu | Members of this group are local admins and automatically have privileges to take ownership of any file in an SMB share, reset permissions, and administer the SMB server through the Computer Management MMC snap-in. |
Auxiliary Parameters | string | Add any smb.conf options not covered elsewhere in this screen. See
the Samba Guide
for additional settings. |
Zeroconf share discovery | checkbox | Enable if Mac clients will be connecting to the SMB share. |
NTLMv1 Auth | checkbox | Set to allow NTLMv1 authentication. Required by Windows XP clients and sometimes by clients in later versions of Windows. |
Bind IP Addresses | checkboxes | Static IP addresses which SMB listens on for connections. Leaving all unselected defaults to listening on all active interfaces. |
Range Low | integer | Range Low and Range High set the range of UID/GID numbers which this IDMap backend translates. If an external credential like a Windows SID maps to a UID or GID number outside this range, the external credential is ignored. |
Range High | integer |
Changes to SMB settings take effect immediately. Changes to share settings only take effect after the client and server negotiate a new session.
Note
Do not set the directory name cache size as an Auxiliary Parameter. Due to differences in how Linux and BSD handle file descriptors, directory name caching is disabled on BSD systems to improve performance.
Note
SMB cannot be disabled while Active Directory is enabled.
13.11.1. Troubleshooting SMB¶
Do not connect to SMB shares as root
, and do not add the
root user in the SMB user database. There are security implications in
attempting to do so, and Samba 4 and later take measures to
prevent such actions. This can produce
auth_check_ntlm_password
and
FAILED with error NT_STATUS_WRONG_PASSWORD
errors.
Samba is single threaded, so CPU speed makes a big difference in SMB performance. A typical 2.5Ghz Intel quad core or greater should be capable of handling speeds in excess of Gb LAN while low power CPUs such as Intel Atoms and AMD C-30sE-350E-450 will not be able to achieve more than about 30-40MB/sec typically. Remember that other loads such as ZFS will also require CPU resources and may cause Samba performance to be less than optimal.
Samba’s write cache parameter has been reported to improve write performance in some configurations and can be added to the Auxiliary parameters field. Use an integer value which is a multiple of _SC_PAGESIZE (typically 4096) to avoid memory fragmentation. This will increase Samba’s memory requirements and should not be used on systems with limited RAM.
Windows automatically caches file sharing information. If changes are made to an SMB share or to the permissions of a pool or dataset being shared by SMB and the share becomes inaccessible, log out and back in to the Windows system. Alternately, users can type net use /delete from the command line to clear their SMB sessions.
Windows also automatically caches login information. To require users to log in every time they access the system, reduce the cache settings on the client computers.
Where possible, avoid using a mix of case in filenames as this can cause confusion for Windows users. Representing and resolving filenames with Samba explains in more detail.
If a particular user cannot connect to a SMB share, ensure
their password does not contain the ?
character. If it
does, have the user change the password and try again.
If the SMB service will not start, run this command from Shell to see if there is an error in the configuration:
testparm /usr/local/etc/smb4.conf
If clients have problems connecting to the SMB share, go to
and verify that Server maximum protocol is set to SMB2.Using a dataset for SMB sharing is recommended. When creating the dataset, make sure that the Share type is set to SMB.
Do not use chmod to attempt to fix the permissions on a SMB share as it destroys the Windows ACLs. The correct way to manage permissions on a SMB share is to manage the share security from a Windows system as either the owner of the share or a member of the group that owns the share. To do so, right-click on the share, click Properties and navigate to the Security tab. If the ACLs are already destroyed by using chmod, winacl can be used to fix them. Type winacl from Shell for usage instructions.
The Common Errors section of the Samba documentation contains additional troubleshooting tips.
The Samba Performance Tuning page describes options to improve performance.
Directory listing speed in folders with a large number of files is sometimes a problem. A few specific changes can help improve the performance. However, changing these settings can affect other usage. In general, the defaults are adequate. Do not change these settings unless there is a specific need.
- Log Level can also have a performance penalty. When not needed, it can be disabled or reduced in the global SMB service options.
- Make Samba datasets case insensitive by setting Case Sensitivity to Insensitive when creating them. This ZFS property is only available when creating a dataset. It cannot be changed on an existing dataset. To convert such datasets, back up the data, create a new case-insensitive dataset, create an SMB share on it, set the share level auxiliary parameter case sensitive = true, then copy the data from the old one onto it. After the data has been checked and verified on the new share, the old one can be deleted.
- If present, remove options for extended attributes and DOS attributes in the Auxiliary Parameters for the share.
- Disable as many VFS Objects as possible in the share settings. Many have performance overhead.
13.12. SNMP¶
SNMP (Simple Network Management Protocol) is used to monitor network-attached devices for conditions that warrant administrative attention. FreeNAS® uses Net-SNMP to provide SNMP. When starting the SNMP service, this port will be enabled on the FreeNAS® system:
- UDP 161 (listens here for SNMP requests)
Available MIBS are located in /usr/local/share/snmp/mibs
.
Figure 13.12.1 shows the screen. Table 13.12.1 summarizes the configuration options.
Setting | Value | Description |
---|---|---|
Location | string | Enter the location of the system. |
Contact | string | Enter an email address to receive messages from the SNMP service. |
Community | string | Change from public to increase system security. Can only contain alphanumeric characters, underscores, dashes, periods, and spaces. This can be left empty for SNMPv3 networks. |
SNMP v3 Support | checkbox | Set to enable support for SNMP version 3. See snmpd.conf(5) for more information about configuring this and the Authentication Type, Password, Privacy Protocol, and Privacy Passphrase fields. |
Username | string | Only applies if SNMP v3 Support is set. Enter a username to register with this service. |
Authentication Type | drop-down menu | Only applies if SNMP v3 Support is enabled. Choices are MD5 or SHA. |
Password | string | Only applies if SNMP v3 Support is enabled. Enter and confirm a password of at least eight characters. |
Privacy Protocol | drop-down menu | Only applies if SNMP v3 Support is enabled. Choices are AES or DES. |
Privacy Passphrase | string | Enter a separate privacy passphrase. Password is used when this is left empty. |
Auxiliary Parameters | string | Enter additional snmpd.conf(5) options. Add one option for each line. |
Expose zilstat via SNMP | checkbox | Enabling this option may have pool performance implications. |
Log Level | drop-down menu | Choose how many log entries to create. Choices range from the least log entries (Emergency) to the most (Debug). |
Zenoss provides a seamless monitoring service through SNMP for FreeNAS® called TrueNAS ZenPack.
13.13. SSH¶
Secure Shell (SSH) is used to transfer files securely over an encrypted network. When a FreeNAS® system is used as an SSH server, the users in the network must use SSH client software to transfer files with SSH.
This section shows the FreeNAS® SSH configuration options, demonstrates an example configuration that restricts users to their home directory, and provides some troubleshooting tips.
Figure 13.13.1 shows the screen.
Note
After configuring SSH, remember to start it in Services by clicking the sliding button in the SSH row. The sliding button moves to the right when the service is running.
Table 13.13.1 summarizes the configuration options. Some settings are only available in Advanced Mode. To see these settings, either click the ADVANCED MODE button, or configure the system to always display these settings by enabling the Show advanced fields by default option in .
Setting | Value | Advanced Mode | Description |
---|---|---|---|
Bind interfaces | selection | ✓ | By default, SSH listens on all interfaces unless specific interfaces are selected in this drop-down menu. |
TCP port | integer | Port to open for SSH connection requests. 22 by default. | |
Log in as root with password | checkbox | As a security precaution, root logins are discouraged and disabled by default. If enabled, password must be set for the root user in Users. | |
Allow password authentication | checkbox | Unset to require key-based authentication for all users. This requires additional setup on both the SSH client and server. | |
Allow kerberos authentication | checkbox | ✓ | Ensure Kerberos Realms and Kerberos Keytabs are configured and FreeNAS® can communicate with the Kerberos Domain Controller (KDC) before enabling this option. |
Allow TCP port forwarding | checkbox | Set to allow users to bypass firewall restrictions using the SSH port forwarding feature. | |
Compress connections | checkbox | Set to attempt to reduce latency over slow networks. | |
SFTP log level | drop-down menu | ✓ | Select the syslog(3) level of the SFTP server. |
SFTP log facility | drop-down menu | ✓ | Select the syslog(3) facility of the SFTP server. |
Extra options | string | ✓ | Add any additional sshd_config(5) options not covered in this screen, one per line. These options are case-sensitive and misspellings can prevent the SSH service from starting. |
Here are some recommendations for the Extra options:
- Add
NoneEnabled no
to disable the insecurenone
cipher. - Increase the
ClientAliveInterval
if SSH connections tend to drop. ClientMaxStartup
defaults to 10. Increase this value when more concurrent SSH connections are required.
13.13.1. SCP Only¶
When SSH is configured, authenticated users with a user account can use ssh to log into the FreeNAS® system over the network. User accounts are created by navigating to ADD. The user home directory is the pool or dataset specified in the Home Directory field of the FreeNAS® account for that user. While the SSH login defaults to the user home directory, users are able to navigate outside their home directory, which can pose a security risk.
, and clickingIt is possible to allow users to use scp and sftp to transfer files between their local computer and their home directory on the FreeNAS® system, while restricting them from logging into the system using ssh. To configure this scenario, go to Edit. Change the Shell to scponly. Repeat for each user that needs restricted SSH access.
, click (Options) for the user, and thenTest the configuration from another system by running the sftp, ssh, and scp commands as the user. sftp and scp will work but ssh will fail.
Note
Some utilities like WinSCP and Filezilla can bypass the scponly shell. This section assumes users are accessing the system using the command line versions of scp and sftp.
13.13.2. Troubleshooting SSH¶
Keywords listed in sshd_config(5) are case sensitive. This is important to remember when adding any Extra options. The configuration will not function as intended if the upper and lowercase letters of the keyword are not an exact match.
If clients are receiving “reverse DNS” or timeout errors, add an entry for the IP address of the FreeNAS® system in the Host name database field of .
When configuring SSH, always test the configuration as an SSH user account to ensure the user is limited by the configuration and they have permission to transfer files within the intended directories. If the user account is experiencing problems, the SSH error messages are specific in describing the problem. Type this command within Shell to read these messages as they occur:
tail -f /var/log/messages
Additional messages regarding authentication errors are found in
/var/log/auth.log
.
13.14. TFTP¶
Trivial File Transfer Protocol (TFTP) is a light-weight version of FTP typically used to transfer configuration or boot files between machines, such as routers, in a local environment. TFTP provides an extremely limited set of commands and provides no authentication.
If the FreeNAS® system will be used to store images and configuration files for network devices, configure and start the TFTP service. Starting the TFTP service opens UDP port 69.
Figure 13.14.1 shows the TFTP configuration screen and Table 13.14.1 summarizes the available options.
Setting | Value | Description |
---|---|---|
Directory | Browse button | Browse to an existing directory to be used for storage. Some devices require a specific directory name, refer to the device documentation for details. |
Allow New Files | checkbox | Set when network devices need to send files to the system. For example, to back up their configuration. |
Host | IP address | The default host to use for TFTP transfers. Enter an IP address. Example: 192.0.2.1. |
Port | integer | The UDP port number that listens for TFTP requests. Example: 8050. |
Username | drop-down menu | Select the account to use for TFTP requests. This account must have permission to the Directory. |
File Permissions | checkboxes | Set permissions for newly created files. The default is everyone can read and only the owner can write. Some devices require less strict permissions. |
Extra options | string | Add more options from tftpd(8) Add one option on each line. |
13.15. UPS¶
FreeNAS® uses NUT (Network UPS Tools) to provide UPS support. If the FreeNAS® system is connected to a UPS device, configure the UPS service in .
Figure 13.15.1 shows the UPS configuration screen:
Table 13.15.1 summarizes the options in the UPS Configuration screen.
Setting | Value | Description |
---|---|---|
UPS Mode | drop-down menu | Select Master if the UPS is plugged directly into the system serial port. The UPS will remain the last item to shut down. Select Slave to have the system shut down before Master. |
Identifier | string | Required. Describe the UPS device. Can contain alphanumeric, period, comma, hyphen, and underscore characters. |
Driver / Remote Host | combo-box | Required. For a list of supported devices, see the Network UPS Tools compatibility list. The field suggests drivers based on the text entered. To search for a specific driver, begin typing the name of the driver. The search is case sensitive. The Driver field changes to Remote Host when UPS Mode is set to Slave. Enter the IP address of the system configured as the UPS Master system. See this post for more details about configuring multiple systems with a single UPS. |
Port or Hostname | drop-down menu | Serial or USB port connected to the UPS. To automatically detect and manage the USB port settings, open the drop-down menu and select auto. If the specific USB port must be chosen, see this note about identifing the USB port used by the UPS. When an SNMP driver is selected, enter the IP address or hostname of the SNMP UPS device. Port or Hostname becomes Remote Port when the UPS Mode is set to Slave. Enter the open network port number of the UPS Master system. The default port is 3493. |
Auxiliary Parameters (ups.conf) | string | Enter any additional options from ups.conf(5). |
Auxiliary Parameters (upsd.conf) | string | Enter any additional options from upsd.conf(5). |
Description | string | Optional. Describe the UPS service. |
Shutdown Mode | drop-down menu | Choose when the UPS initiates shutdown. Choices are UPS goes on battery and UPS reaches low battery. |
Shutdown Timer | integer | Select a value in seconds for the UPS to wait before initiating shutdown. Shutdown will not occur if the power is restored while the timer is counting down. This value only applies when Shutdown Mode is set to UPS goes on battery. |
Shutdown Command | string | Enter the command to run to shut down the computer when battery power is low or shutdown timer runs out. |
No Communication Warning Time | string | Enter a value in seconds to wait before alerting that the service cannot reach any UPS. Warnings continue until the situation is fixed. |
Monitor User | string | Required. Enter a user to associate with this service. The recommended default user is upsmon. |
Monitor Password | string | Required. Default is the known value fixmepass. Change this to enhance system security.
Cannot contain a space or # . |
Extra Users | string | Enter accounts that have administrative access. See upsd.users(5) for examples. |
Remote Monitor | checkbox | Set for the default configuration to listen on all interfaces using the known values of user: upsmon and password: fixmepass. |
Send Email Status Updates | checkbox | Set to enables the FreeNAS® system to send email updates to the configured Email field. |
email address | Enter any email addresses to receive status updates. Separate multiple addresses with a semicolon (; ). |
|
Email Subject | string | Enter a subject line for email status updates. |
Power Off UPS | checkbox | Set for the UPS to power off after shutting down the FreeNAS® system. |
Host Sync | integer | Enter a time in seconds for UPSMON(8) to wait in master mode for the slaves to disconnect during a shutdown. |
Note
For USB devices, the easiest way to determine the correct device name is to enable the Show console messages option in . Plug in the USB device and look for a /dev/ugen or /dev/uhid device name in the console messages.
Some UPS models might be unresponsive with the default polling frequency.
This can show in FreeNAS® logs as a recurring error like:
libusb_get_interrupt: Unknown error
.
If this error occurs, decrease the polling frequency by adding an entry
to Auxiliary Parameters (ups.conf):
pollinterval = 10
. The default polling frequency is two
seconds.
upsc(8) can be used to get status variables from the UPS daemon such as the current charge and input voltage. It can be run from Shell using this syntax:
upsc ups@localhost
The upsc(8) man page gives some other usage examples.
upscmd(8) can be used to send commands directly to the UPS, assuming the hardware supports the command being sent. Only users with administrative rights can use this command. These users are created in the Extra users field.
13.15.1. Multiple Computers with One UPS¶
A UPS with adequate capacity can power multiple computers. One computer is connected to the UPS data port with a serial or USB cable. This master makes UPS status available on the network for other computers. These slave computers are powered by the UPS, but receive UPS status data from the master computer. See the NUT User Manual and NUT User Manual Pages.
13.16. WebDAV¶
The WebDAV service can be configured to provide a file browser over a web connection. Before starting this service, at least one WebDAV share must be created by navigating to ADD. Refer to WebDAV Shares for instructions on how to create a share and connect to it after the service is configured and started.
, and clickingThe settings in the WebDAV service apply to all WebDAV shares. Figure 13.16.1 shows the WebDAV configuration screen. Table 13.16.1 summarizes the available options.
Setting | Value | Description |
---|---|---|
Protocol | drop-down menu | HTTP keeps the connection unencrypted. HTTPS encrypts the connection. HTTP+HTTPS allows both types of connections. |
HTTP Port | string | Specify a port for unencrypted connections. The default port 8080 is recommended. Do not use a port number already being used by another service. |
HTTPS Port | string | Specify a port for encrypted connections. The default port 8081 is recommended. Do not use a port number already being used by another service. |
Webdav SSL Certificate | drop-down menu | Select the SSL certificate to be used for encrypted connections. To create a certificate, use | .
HTTP Authentication | drop-down menu | Choices are No Authentication, Basic Authentication (unencrypted) or Digest Authentication (encrypted). |
Webdav Password | string | Default is davtest. Change this password as it is a known value. |