10. Services

Services that ship with TrueNAS® are configured, started, or stopped in Services. TrueNAS® includes these built-in services:

This section demonstrates starting a TrueNAS® service and the available configuration options for each TrueNAS® service.

10.1. Control Services

Services ‣ Control Services, shown in Figure 10.1.1, lists all services. It also shows where to start, stop, or configure the available services. The S.M.A.R.T. service is enabled by default, but only runs if the storage devices support S.M.A.R.T. data Other services default to off until started.

_images/services1f.png

Fig. 10.1.1 Control Services

Stopped services show a red stop symbol and a Start Now button. Running services show a green light with a Stop Now button.

Tip

Using a proxy server can prevent the list of services from being displayed. If a proxy server is used, do not configure it to proxy local network connections or websocket connections. VPN software can also cause problems. If the list of services is displayed when connecting on the local network but not when connecting through the VPN, check the VPN software configuration.

Services are configured by clicking the wrench icon or the name of the service in the Services section of the tree menu.

If a service does not start, go to System ‣ Advanced and enable Show console messages in the footer. Console messages appear at the bottom of the browser. Clicking the console message area makes it into a pop-up window, allowing scrolling through or copying the messages. Watch these messages for errors when stopping or starting the problematic service.

To read the system logs for more information about a service failure, open Shell and type more /var/log/messages.

10.2. AFP

The settings that are configured when creating AFP Shares in Sharing ‣ Apple (AFP) Shares ‣ Add Apple (AFP) Share are specific to each configured AFP Share. In contrast, global settings which apply to all AFP shares are configured in Services ‣ AFP.

Figure 10.2.1 shows the available global AFP configuration options which are described in Table 10.2.1.

_images/tn_services-afp.png

Fig. 10.2.1 Global AFP Configuration

Table 10.2.1 Global AFP Configuration Options
Setting Value Description
Guest Access checkbox Set to disable the password prompt that appears before clients access AFP shares.
Guest account drop-down menu Select an account to use for guest access. The account must have permissions to the volume or dataset being shared.
Max Connections integer Maximum number of simultaneous connections.
Enable home directories checkbox If checked, any user home directories located under Home directories will be available over the share.
Home directories browse button Select the volume or dataset which contains user home directories.
Home share name string Overrides default home folder name with the specified value.
Home Share Time Machine checkbox When checked, enables Time Machine lock stealing. Apple recommends that shares designated for Time Machine backups be used exclusively for Time Machine backups.
Database Path browse button Sets the database information to be stored in the path. Default is the root of the volume. The path must be writable even if the volume is read only.
Global auxiliary parameters string Add any additional afp.conf(5) parameters not covered elsewhere in this screen.
Map ACLs drop-down menu Choose mapping of effective permissions for authenticated users. Choices are: Rights (default, Unix-style permissions), Mode (ACLs), or None
Chmod Request drop-down menu Sets how Access Control Lists are handled. Ignore: ignores requests and gives the parent directory ACL inheritance full control over new items. Preserve: preserves ZFS Access Control Entries for named users and groups or the POSIX ACL group mask. Simple: is set to chmod() as requested without any extra steps.
Bind IP Addresses selection Specify the IP addresses to listen for FTP connections. Highlight the desired IP addresses in the Available list and use the >> button to add to the Selected list.

10.2.1. Troubleshooting AFP

Check for error messages in /var/log/afp.log.

Determine which users are connected to an AFP share by typing afpusers.

If Something wrong with the volume’s CNID DB is shown, run this command from Shell, replacing the path to the problematic AFP share:

dbd -rf /path/to/share

This command can take some time, depending upon the size of the pool or dataset being shared. The CNID database is wiped and rebuilt from the CNIDs stored in the AppleDouble files.

10.3. Asigra DS-System

Asigra Backup allows administrators to back up data from network-connected computers and mobile devices. Asigra leverages standard API calls from a single on-site Asigra service (DS-Client) to reach into these devices and does not require any agent software on the endpoints to access the data.

Licensed Asigra Backup software can use TrueNAS® as the storage backend.

Note

To learn more about Asigra or to enquire about licensing, contact sales@ixsystems.com.

For the initial backend configuration, click Services ‣ Asigra DS-System. When prompted to choose the Base Filesystem, select the dataset to store the Asigra backups, then click OK. Any required database entries are created and the service is started.

Note

Asigra DS-Operator requires a working installation of Java JRE and a security exception for the TrueNAS® system. To add the exception, use Configure Java ‣ Security ‣ Edit Site List ‣ Add and enter the URL to the TrueNAS® system. If the browser prompts for the application to open DSOP.jnlp with, select Java Web Start Launcher (javaws).

While the service is running, the Open DS-Operator Web Interface button appears in Services ‣ Asigra DS-System. Click Open DS-Operator Web Interface to download and launch the Asigra management application.

_images/services-asigra.png

Fig. 10.3.1 Asigra settings

Contact Asigra for further documentation on using DS-Operator.

10.4. Domain Controller

TrueNAS® can be configured to act either as the domain controller for a network or to join an existing Active Directory network as a domain controller.

Note

This section demonstrates how to configure the TrueNAS® system to act as a domain controller. If the goal is to integrate with an existing Active Directory network to access its authentication and authorization services, configure Active Directory instead.

Note that configuring a domain controller is a complex process that requires a good understanding of how Active Directory works. While Services ‣ Domain Controller makes it easy to enter the needed settings into the administrative graphical interface, it is important to understand what those settings should be. Before beginning configuration, read through the Samba AD DC HOWTO. After TrueNAS® is configured, use the RSAT utility from a Windows system to manage the domain controller. The Samba AD DC HOWTO includes instructions for installing and configuring RSAT.

Figure 10.4.1 shows the configuration screen for creating a domain controller and Table 10.4.1 summarizes the available options.

_images/services-domain-controller.png

Fig. 10.4.1 Domain Controller Settings

Table 10.4.1 Domain Controller Configuration Options
Setting Value Description
Realm string Enter a capitalized DNS realm name.
Domain string Enter a capitalized domain name.
Server Role drop-down menu At this time, the only supported role is as the domain controller for a new domain.
DNS Forwarder string Enter the IP address of the DNS forwarder. Required for recursive queries when SAMBA_INTERNAL is selected.
Domain Forest Level drop-down menu Choices are 2000, 2003, 2008, 2008_R2, 2012, or 2012_R2. Refer to Understanding Active Directory Domain Services (AD DS) Functional Levels.
Administrator password string Enter the password to be used for the Active Directory administrator account.
Kerberos Realm drop-down menu Auto-populates with information from the Realm when the settings in this screen are saved.

10.4.1. Samba Domain Controller Backup

A samba_backup script is available to back up Samba4 domain controller settings is available. From the Shell, run /usr/local/bin/samba_backup --usage to show the input options.

10.5. Dynamic DNS

Dynamic DNS (DDNS) is useful if the TrueNAS® system is connected to an ISP that periodically changes the IP address of the system. With dynamic DNS, the system can automatically associate its current IP address with a domain name, allowing access to the TrueNAS® system even if the IP address changes. DDNS requires registration with a DDNS service such as DynDNS.

Figure 10.5.1 shows the DDNS configuration screen and Table 10.5.1 summarizes the configuration options. The values for these fields are provided by the DDNS provider. After configuring DDNS, remember to start the DDNS service in Services ‣ Control Services.

_images/services-ddns.png

Fig. 10.5.1 Configuring DDNS

Table 10.5.1 DDNS Configuration Options
Setting Value Description
Provider drop-down menu Several providers are supported. If a specific provider is not listed, select Custom Provider and enter the information in the Custom Server and Custom Path fields.
CheckIP Server SSL string Set to use HTTPS for the connection to the CheckIP Server.
CheckIP Server string Enter the name and port of the server that reports the external IP address. Example: server.name.org:port.
CheckIP Path string Enter the path that is requested by the CheckIP Server to determine the user IP address.
Use SSL checkbox Set to use HTTPS for the connection to the server that updates the DNS record.
Domain name string Enter a fully qualified domain name. Separate multiple domains with a space, comma (,), or semicolon (;). Example: yourname.dyndns.org;myname.dyndns.org
Username string Enter the username used to log in to the provider and update the record.
Password string Enter the password used to log in to the provider and update the record.
Update period integer How often the IP is checked in seconds.

When using he.net, enter the domain name for Username and enter the DDNS key generated for that domain’s A entry at the he.net website for Password.

10.6. FTP

TrueNAS® uses the proftpd FTP server to provide FTP services. Once the FTP service is configured and started, clients can browse and download data using a web browser or FTP client software. The advantage of FTP is that easy-to-use cross-platform utilities are available to manage uploads to and downloads from the TrueNAS® system. The disadvantage of FTP is that it is considered to be an insecure protocol, meaning that it should not be used to transfer sensitive files. If concerned about sensitive data, see Encrypting FTP.

This section provides an overview of the FTP configuration options. It then provides examples for configuring anonymous FTP, specified user access within a chroot environment, encrypting FTP connections, and troubleshooting tips.

Figure 10.6.1 shows the configuration screen for Services ‣ FTP. Some settings are only available in Advanced Mode. To see these settings, either click the Advanced Mode button or configure the system to always display these settings by enabling the Show advanced fields by default setting in System ‣ Advanced.

_images/ftp1.png

Fig. 10.6.1 Configuring FTP

Table 10.6.1 summarizes the available options when configuring the FTP server.

Table 10.6.1 FTP Configuration Options
Setting Value Advanced Mode Description
Port integer   Set the port the FTP service listens on.
Clients integer   Set the maximum number of simultaneous clients.
Connections integer   Set the maximum number of connections per IP address where 0 means unlimited.
Login Attempts integer   Enter the maximum number of attempts before client is disconnected. Increase this if users are prone to typos.
Timeout integer   Enter the maximum client idle time in seconds before client is disconnected.
Allow Root Login checkbox   Enabling this option is discouraged as increases security risk.
Allow Anonymous Login checkbox   Set to enable anonymous FTP logins with access to the directory specified in Path.
Path browse button   Set the root directory for anonymous FTP connections.
Allow Local User Login checkbox   Required if Anonymous Login is disabled.
Display Login string   Specify the message displayed to local login users after authentication. Not displayed to anonymous login users.
File Permission checkboxes Set the default permissions for newly created files.
Directory Permission checkboxes Set the default permissions for newly created directories.
Enable FXP checkbox Set to enable the File eXchange Protocol. This setting makes the server vulnerable to FTP bounce attacks so it is not recommended
Allow Transfer Resumption checkbox   Set to allow FTP clients to resume interrupted transfers.
Always Chroot checkbox   When set, a local user is only allowed access to their home directory unless the user is a member of group wheel.
Require IDENT Authentication checkbox Setting this option results in timeouts if identd is not running on the client.
Perform Reverse DNS Lookups checkbox   Set to perform reverse DNS lookups on client IPs. Can cause long delays if reverse DNS is not configured.
Masquerade address string   Public IP address or hostname. Set if FTP clients cannot connect through a NAT device.
Minimum passive port integer Used by clients in PASV mode, default of 0 means any port above 1023.
Maximum passive port integer Used by clients in PASV mode, default of 0 means any port above 1023.
Local user upload bandwidth integer Defined in KiB/s, default of 0 means unlimited.
Local user download bandwidth integer Defined in KiB/s, default of 0 means unlimited.
Anonymous user upload bandwidth integer Defined in KiB/s, default of 0 means unlimited.
Anonymous user download bandwidth integer Defined in KiB/s, default of 0 means unlimited.
Enable TLS checkbox Set to enable encrypted connections. Requires a certificate to be created or imported using Certificates.
TLS policy drop-down menu The selected policy defines whether the control channel, data channel, both channels, or neither channel of an FTP session must occur over SSL/TLS. The policies are described here.
TLS allow client renegotiations checkbox Enabling this option is not recommended as it breaks several security measures. For this and the rest of the TLS fields, refer to mod_tls for more details.
TLS allow dot login checkbox If set, the user home directory is checked for a .tlslogin file which contains one or more PEM-encoded certificates. If not found, the user is prompted for password authentication.
TLS allow per user checkbox If set, the user password can be sent unencrypted.
TLS common name required checkbox Set to require the certificate common name to match the FQDN of the host.
TLS enable diagnostics checkbox If set when troubleshooting a connection, logs more verbosely.
TLS export certificate data checkbox If set, exports the certificate environment variables.
TLS no certificate request checkbox Try enabling this option if the client cannot connect and it is suspected the client software is not properly handling server certificate requests.
TLS no empty fragments checkbox Enabling this is not recommended as it bypasses a security mechanism.
TLS no session reuse required checkbox Enabling this reduces the security of the connection. Only use this if the client does not understand reused SSL sessions.
TLS export standard vars checkbox If enabled, sets several environment variables.
TLS DNS name required checkbox If set, the client DNS name must resolve to its IP address and the cert must contain the same DNS name.
TLS IP address required checkbox If set, the client certificate must contain the IP address that matches the IP address of the client.
Certificate drop-down menu   The SSL certificate to be used for TLS FTP connections. To create a certificate, use System ‣ Certificates.
Auxiliary parameters string Add any additional proftpd(8) parameters not covered elsewhere in this screen.

This example demonstrates the auxiliary parameters that prevent all users from performing the FTP DELETE command:

<Limit DELE>
DenyAll
</Limit>

10.6.1. Anonymous FTP

Anonymous FTP may be appropriate for a small network where the TrueNAS® system is not accessible from the Internet and everyone in the internal network needs easy access to the stored data. Anonymous FTP does not require a user account for every user. In addition, passwords are not required so it is not necessary to manage changed passwords on the TrueNAS® system.

To configure anonymous FTP:

  1. Give the built-in ftp user account permissions to the volume/dataset to be shared in Storage ‣ Volumes as follows:

    • Owner(user): select the built-in ftp user from the drop-down menu
    • Owner(group): select the built-in ftp group from the drop-down menu
    • Mode: review that the permissions are appropriate for the share

    Note

    For FTP, the type of client does not matter when it comes to the type of ACL. This means that Unix ACLs are always used, even if Windows clients are accessing TrueNAS® via FTP.

  2. Configure anonymous FTP in Services ‣ FTP by setting these attributes:

    • Allow Anonymous Login: enable this option
    • Path: browse to the volume/dataset/directory to be shared
  3. Start the FTP service in Services ‣ Control Services. Click the Start Now button next to FTP. The FTP service takes a second or so to start. The indicator changes to green when the service is running, and the button changes to Stop Now.

  4. Test the connection from a client using a utility such as Filezilla.

In the example shown in Figure 10.6.2, the user has entered this information into the Filezilla client:

  • IP address of the TrueNAS® server: 192.168.1.113
  • Username: anonymous
  • Password: the email address of the user
_images/filezilla.png

Fig. 10.6.2 Connecting Using Filezilla

The messages within the client indicate the FTP connection is successful. The user can now navigate the contents of the root folder on the remote site. This is the pool or dataset specified in the FTP service configuration. The user can also transfer files between the local site (their system) and the remote site (the TrueNAS® system).

10.6.2. FTP in chroot

If users are required to authenticate before accessing the data on the TrueNAS® system, either create a user account for each user or import existing user accounts using Active Directory or LDAP. Then create a ZFS dataset for each user. Next, chroot each user so they are limited to the contents of their own home directory. Datasets provide the added benefit of configuring a quota so that the size of a user home directory is limited to the size of the quota.

To configure this scenario:

  1. Create a ZFS dataset for each user in Storage ‣ Volumes. Click an existing ZFS volume ‣ Create ZFS Dataset and set an appropriate quota for each dataset. Repeat this process to create a dataset for every user that needs access to the FTP service.

  2. When not using AD or LDAP, create a user account for each user in Account ‣ Users ‣ Add User. For each user, browse to the dataset created for that user in the Home Directory field. Repeat this process to create a user account for every user that needs access to the FTP service, making sure to assign each user their own dataset.

  3. Set the permissions for each dataset in Storage ‣ Volumes. Click the Change Permissions button for a dataset to assign a user account as Owner of that dataset and to set the desired permissions for that user. Repeat for each dataset.

    Note

    For FTP, the type of client does not matter when it comes to the type of ACL. This means Unix ACLs are always used, even if Windows clients will be accessing TrueNAS® with FTP.

  4. Configure FTP in Services ‣ FTP with these attributes:

    • Path: browse to the parent volume containing the datasets.
    • Make sure the options for Allow Anonymous Login and Allow Root Login are unselected.
    • Select the Allow Local User Login option to enable it.
    • Enable the Always Chroot option.
  5. Start the FTP service in Services ‣ Control Services. Click the Start Now button next to FTP. The FTP service takes a second or so to start. The indicator changes to green to show that the service is running, and the button changes to Stop Now.

  6. Test the connection from a client using a utility such as Filezilla.

To test this configuration in Filezilla, use the IP address of the TrueNAS® system, the Username of a user that is associated with a dataset, and the Password for that user. The messages will indicate the authorization and the FTP connection are successful. The user can now navigate the contents of the root folder on the remote site. This time it is not the entire pool but the dataset created for that user. The user can transfer files between the local site (their system) and the remote site (their dataset on the TrueNAS® system).

10.6.3. Encrypting FTP

To configure any FTP scenario to use encrypted connections:

  1. Import or create a certificate authority using the instructions in CAs. Then, import or create the certificate to use for encrypted connections using the instructions in Certificates.
  2. In Services ‣ FTP, choose the certificate in the Certificate, and set the Enable TLS option.
  3. Specify secure FTP when accessing the TrueNAS® system. For example, in Filezilla enter ftps://IP_address (for an implicit connection) or ftpes://IP_address (for an explicit connection) as the Host when connecting. The first time a user connects, they will be presented with the certificate of the TrueNAS® system. Click OK to accept the certificate and negotiate an encrypted connection.
  4. To force encrypted connections, select on for the TLS Policy.

10.6.4. Troubleshooting FTP

The FTP service will not start if it cannot resolve the system hostname to an IP address with DNS. To see if the FTP service is running, open Shell and issue the command:

sockstat -4p 21

If there is nothing listening on port 21, the FTP service is not running. To see the error message that occurs when TrueNAS® tries to start the FTP service, go to System ‣ Advanced, check Show console messages in the footer, and click Save. Go to Services ‣ Control Services and switch the FTP service off, then back on. Watch the console messages at the bottom of the browser for errors.

If the error refers to DNS, either create an entry in the local DNS server with the TrueNAS® system hostname and IP address, or add an entry for the IP address of the TrueNAS® system in the Network ‣ Global Configuration Host name data base field.

10.7. iSCSI

Refer to Block (iSCSI) for instructions on configuring iSCSI. To start the iSCSI service, click its entry in Services.

Note

A warning message is shown if the iSCSI service is stopped when initiators are connected. Open the Shell and type ctladm islist to determine the names of the connected initiators.

10.8. LLDP

The Link Layer Discovery Protocol (LLDP) is used by network devices to advertise their identity, capabilities, and neighbors on an Ethernet network. TrueNAS® uses the ladvd LLDP implementation. If the network contains managed switches, configuring and starting the LLDP service will tell the TrueNAS® system to advertise itself on the network.

Figure 10.8.1 shows the LLDP configuration screen and Table 10.8.1 summarizes the configuration options for the LLDP service.

_images/lldp.png

Fig. 10.8.1 Configuring LLDP

Table 10.8.1 LLDP Configuration Options
Setting Value Description
Interface Description checkbox Set to enable receive mode and to save received peer information in interface descriptions.
Country Code string Required for LLDP location support. Enter a two-letter ISO 3166 country code.
Location string Optional. Specify the physical location of the host.

10.9. Netdata

Netdata is a real-time performance and monitoring system. It displays data as web dashboards.

Start the Netdata service from the Services screen. Click the wrench icon to display the Netdata settings dialog shown in Figure 10.9.1.

_images/services-netdata-config.png

Fig. 10.9.1 Netdata Settings Dialog

Click the Take me to the Netdata UI button to view the web dashboard as shown in Figure 10.9.2.

_images/services-netdata.png

Fig. 10.9.2 Netdata Web Dashboard

More information on configuring and using Netdata is available at the Netdata website.

10.10. NFS

The settings that are configured when creating NFS Shares in Sharing ‣ Unix (NFS) Shares ‣ Add Unix (NFS) Share are specific to each configured NFS Share. In contrast, global settings which apply to all NFS shares are configured in Services ‣ NFS.

Figure 10.10.1 shows the configuration screen and Table 10.10.1 summarizes the configuration options for the NFS service.

_images/services-nfs.png

Fig. 10.10.1 Configuring NFS

Table 10.10.1 NFS Configuration Options
Setting Value Description
Number of servers integer Specify how many servers to create. Increase if NFS client responses are slow. To limit CPU context switching, keep this number less than or equal to the number of CPUs reported by sysctl -n kern.smp.cpus.
Serve UDP NFS clients checkbox Set if NFS clients need to use UDP.
Bind IP Addresses checkboxes Select the IP addresses to listen on for NFS requests. When unselected, NFS listens on all available addresses.
Allow non-root mount checkbox Set only if the NFS client requires it.
Enable NFSv4 checkbox Set to switch from NFSv3 to NFSv4. The default is NFSv3.
NFSv3 ownership model for NFSv4 checkbox Grayed out unless Enable NFSv4 is checked and, in turn, grays out Support>16 groups which is incompatible. Set this option if NFSv4 ACL support is needed without requiring the client and the server to sync users and groups.
Require Kerberos for NFSv4 checkbox Set to force NFS shares to fail if the Kerberos ticket is unavailable.
mountd(8) bind port integer Optional. Specify the port that mountd(8) binds to.
rpc.statd(8) bind port integer Optional. Specify the port that rpc.statd(8) binds to.
rpc.lockd(8) bind port integer Optional. Specify the port that rpc.lockd(8) binds to.
Support>16 groups checkbox Set this option if any users are members of more than 16 groups (useful in AD environments). Note this assumes group membership is configured correctly on the NFS server.
Log mountd(8) requests checkbox Enable logging of mountd(8) requests by syslog.
Log rpc.statd(8) and rpc.lockd(8) checkbox Enable logging of rpc.statd(8) and rpc.lockd(8) requests by syslog.

Note

NFSv4 sets all ownership to nobody:nobody if user and group do not match on client and server.

10.11. Rsync

Services ‣ Rsync is used to configure an rsync server when using rsync module mode. Refer to Rsync Module Mode for a configuration example.

This section describes the configurable options for the rsyncd service and rsync modules.

10.11.1. Configure Rsyncd

Figure 10.11.1 shows the rsyncd configuration screen which is accessed from Services ‣ Rsync ‣ Configure Rsyncd.

_images/rsyncd.png

Fig. 10.11.1 Rsyncd Configuration

Table 10.11.1 summarizes the configuration options for the rsync daemon:

Table 10.11.1 Rsyncd Configuration Options
Setting Value Description
TCP Port integer Port for rsyncd to listen on. Default is 873.
Auxiliary parameters string Enter any additional parameters from rsyncd.conf(5).

10.11.2. Rsync Modules

Figure 10.11.2 shows the configuration screen that appears after clicking Services ‣ Rsync ‣ Rsync Modules ‣ Add Rsync Module.

Table 10.11.2 summarizes the configuration options available when creating a rsync module.

_images/rsync3.png

Fig. 10.11.2 Adding an Rsync Module

Table 10.11.2 Rsync Module Configuration Options
Setting Value Description
Module name string Mandatory. This is required to match the setting on the rsync client.
Comment string Optional description.
Path browse button Browse to the volume or dataset to hold received data.
Access Mode drop-down menu Choices are Read and Write, Read-only, or Write-only.
Maximum connections integer 0 is unlimited.
User drop-down menu Select the user to control file transfers to and from the module.
Group drop-down menu Select the group to control file transfers to and from the module.
Hosts allow string See rsyncd.conf(5) Enter a list of patterns to match with the hostname and IP address of a connecting client. Separate patterns with whitespace or comma.
Hosts deny string See rsyncd.conf(5) for allowed formats.
Auxiliary parameters string Enter any additional parameters from rsyncd.conf(5).

10.12. S3

S3 is a distributed or clustered filesystem protocol compatible with Amazon S3 cloud storage. The TrueNAS® S3 service uses Minio to provide S3 storage hosted on the TrueNAS® system itself. Minio also provides features beyond the limits of the basic Amazon S3 specifications.

Figure 10.12.1 shows the S3 service configuration screen and Table 10.12.1 summarizes the configuration options. After configuring the S3 service, start it in Services ‣ Control Services.

_images/services-s3.png

Fig. 10.12.1 Configuring S3

Table 10.12.1 S3 Configuration Options
Setting Value Description
IP Address drop-down menu Enter the IP address to run the S3 service. 0.0.0.0 sets the server to listen on all addresses.
Port string Enter the TCP port on which to provide the S3 service. Default is 9000.
Access Key string Enter the S3 user name. This username must contain only alphanumeric characters and be between 5 and 20 characters long.
Secret Key string Enter the password to be used by connecting S3 systems. The key must contain only alphanumeric characters and be at least 8 but no more than 40 characters long.
Confirm S3 Key string Re-enter the S3 password to confirm.
Disks string Required. Directory where the S3 filesystem will be mounted. Ownership of this directory and all subdirectories is set to minio:minio. Create a separate dataset for Minio to avoid issues with conflicting directory permissions or ownership.
Certificate drop-down menu The SSL certificate to be used for secure S3 connections. To create a certificate, use System ‣ Certificates.
Enable Browser checkbox Set to enable the web user interface for the S3 service.

10.13. S.M.A.R.T.

S.M.A.R.T., or Self-Monitoring, Analysis, and Reporting Technology, is an industry standard for disk monitoring and testing. Drives can be monitored for status and problems, and several types of self-tests can be run to check the drive health.

Tests run internally on the drive. Most tests can run at the same time as normal disk usage. However, a running test can greatly reduce drive performance, so they should be scheduled at times when the system is not busy or in normal use. It is very important to avoid scheduling disk-intensive tests at the same time. For example, do not schedule S.M.A.R.T. tests to run at the same time, or preferably, even on the same days as Scrubs.

Of particular interest in a NAS environment are the Short and Long S.M.A.R.T. tests. Details vary between drive manufacturers, but a Short test generally does some basic tests of a drive that takes a few minutes. The Long test scans the entire disk surface, and can take several hours on larger drives.

TrueNAS® uses the smartd(8) service to monitor S.M.A.R.T. information. A complete configuration consists of:

  1. Scheduling when S.M.A.R.T. tests are run in Tasks ‣ S.M.A.R.T. Tests ‣ Add S.M.A.R.T. Test.
  2. Enabling or disabling S.M.A.R.T. for each disk member of a volume in Volumes ‣ View Disks. This setting is enabled by default for disks that support S.M.A.R.T.
  3. Checking the configuration of the S.M.A.R.T. service as described in this section.
  4. Starting the S.M.A.R.T. service with Services ‣ Control Services.

Figure 10.13.1 shows the configuration screen that appears after clicking Services ‣ S.M.A.R.T.

_images/smart2.png

Fig. 10.13.1 S.M.A.R.T Configuration Options

Note

smartd wakes up at the configured Check Interval. It checks the times configured in Tasks ‣ S.M.A.R.T. Tests to see if a test must begin. Since the smallest time increment for a test is an hour, it does not make sense to set a Check Interval value higher than 60 minutes. For example, if the Check Interval is set to 120 minutes and the smart test to every hour, the test will only be run every two hours because smartd only activates every two hours.

Table 10.13.1 summarizes the options in the S.M.A.R.T configuration screen.

Table 10.13.1 S.M.A.R.T Configuration Options
Setting Value Description
Check interval integer Define in minutes how often smartd activates to check if any tests are configured to run.
Power mode drop-down menu Tests are not performed if the system enters the specified power mode: Never, Sleep, Standby, or Idle.
Difference integer in degrees Celsius Enter number of degrees in Celsius. S.M.A.R.T reports if the temperature of a drive has changed by N degrees Celsius since the last report. Default of 0 disables this option.
Informational integer in degrees Celsius Enter a threshold temperature in Celsius. S.M.A.R.T will message with a log level of LOG_INFO if the temperature is higher than specified degrees in Celsius. Default of 0 disables this option.
Critical integer in degrees Celsius Enter a threshold temperature in Celsius. S.M.A.R.T will message with a log level of LOG_CRIT and send an email if the temperature is higher than specified degrees in Celsius. Default of 0 disables this option.
Email to report string Email address to receive S.M.A.R.T. alerts. Use a space to separate multiple email addresses.

10.14. SMB

The settings configured when creating SMB Shares in Sharing ‣ Windows (SMB) Shares ‣ Add Windows (SMB) Share are specific to each configured SMB Share. In contrast, global settings which apply to all SMB shares are configured in Services ‣ SMB.

Note

After starting the SMB service, it can take several minutes for the master browser election to occur and for the TrueNAS® system to become available in Windows Explorer.

Figure 10.14.1 shows the global SMB configuration options which are described in Table 10.14.1. This configuration screen is really a front-end to smb4.conf.

_images/tn_cifs1b.png

Fig. 10.14.1 Global SMB Configuration

Table 10.14.1 Global SMB Configuration Options
Setting Value Description
NetBIOS Name (This Node) string Automatically populated with the original hostname of the system. Limited to 15 characters. It must be different from the Workgroup name.
NetBIOS Name (Node B) string Limited to 15 characters. When using Failover, set a unique NetBIOS name for the standby node
NetBIOS Alias string Limited to 15 characters. When using Failover, this is the NetBIOS name that resolves to either node.
Workgroup string Must match Windows workgroup name. This setting is ignored if the Active Directory or LDAP service is running.
Description string Enter an optional server description.
Enable SMB1 support checkbox Allow legacy SMB clients to connect to the server. Warning: SMB1 is not secure and has been deprecated by Microsoft. See Do Not Use SMB1.
DOS charset drop-down menu The character set Samba uses when communicating with DOS and Windows 9x/ME clients. Default is CP437.
UNIX charset drop-down menu Default is UTF-8 which supports all characters in all languages.
Log level drop-down menu Choices are Minimum, Normal, or Debug.
Use syslog only checkbox Set to log authentication failures to /var/log/messages instead of the default of /var/log/samba4/log.smbd.
Local Master checkbox Set to determine if the system will participate in a browser election. Disable when network contains an AD or LDAP server or Vista or Windows 7 machines are present.
Domain logons checkbox Set if it is necessary to provide the netlogin service for older Windows clients.
Time Server for Domain checkbox Determines if the system advertises itself as a time server to Windows clients. Disable when network contains an AD or LDAP server.
Guest Account drop-down menu Select the account to be used for guest access. Default is nobody. Account must have permission to access the shared volume/dataset. If Guest Account user is deleted, resets to nobody.
File mask integer Overrides default file creation mask of 0666 which creates files with read and write access for everybody.
Directory mask integer Overrides default directory creation mask of 0777 which grants directory read, write and execute access for everybody.
Allow Empty Password checkbox Set to allow users to press Enter when prompted for a password. Requires the username/password to be the same as the Windows user account.
Auxiliary parameters string Add any smb.conf options not covered elsewhere in this screen. See the Samba Guide for additional settings.
Unix Extensions checkbox Set to allow non-Windows SMB clients to access symbolic links and hard links, has no effect on Windows clients.
Zeroconf share discovery checkbox Enable if Mac clients will be connecting to the SMB share.
Hostname lookups checkbox Set to allow using hostnames rather than IP addresses in the Hosts Allow or Hosts Deny fields of a SMB share. Unset if IP addresses are used to avoid the delay of a host lookup.
Allow execute always checkbox If set, Samba will allow the user to execute a file, even if that user’s permissions are not set to execute.
Obey pam restrictions checkbox Unset this option to allow: Cross-domain authentication. Users and groups to be managed on another forest. Permissions to be delegated from Active Directory users and groups to domain admins on another forest.
NTLMv1 auth checkbox Set to allow NTLMv1 authentication. Required by Windows XP clients and sometimes by clients in later versions of Windows.
Bind IP Addresses checkboxes Select the IPv4 and IPv6 addresses SMB will listen on. Always add the loopback interface 127.0.0.1 as Samba utilities connect to the loopback IP if no host name is provided.
Idmap Range Low integer The beginning UID/GID for which this system is authoritative. Any UID/GID lower than this value is ignored, providing a way to avoid accidental UID/GID overlaps between local and remotely defined IDs.
Idmap Range High integer The ending UID/GID for which this system is authoritative. Any UID/GID higher than this value is ignored, providing a way to avoid accidental UID/GID overlaps between local and remotely defined IDs.

Changes to SMB settings take effect immediately. Changes to share settings only take effect after the client and server negotiate a new session.

Note

Do not set the directory name cache size as an Auxiliary parameter. Due to differences in how Linux and BSD handle file descriptors, directory name caching is disabled on BSD systems to improve performance.

Note

SMB cannot be disabled while Active Directory is enabled.

10.14.1. Troubleshooting SMB

Windows automatically caches file sharing information. If changes are made to an SMB share or to the permissions of a volume/dataset being shared by SMB and the share becomes inaccessible, try logging out and back in to the Windows system. Alternately, users can type net use /delete from the command line to clear their SMB sessions.

Windows also automatically caches login information. To require users to log in every time they access they system, reduce the cache settings on the client computers.

Where possible, avoid using a mix of case in filenames as this can cause confusion for Windows users. Representing and resolving filenames with Samba explains in more detail.

If a particular user cannot connect to a SMB share, ensure their password does not contain the ? character. If it does, have the user change the password and try again.

If permissions work for Windows users but not for macOS users, try disabling Unix Extensions and restarting the SMB service.

If the SMB service will not start, run this command from Shell to see if there is an error in the configuration:

testparm /usr/local/etc/smb4.conf

If clients have problems connecting to the SMB share, go to Services ‣ SMB and verify that Server maximum protocol is set to SMB2.

Using a dataset for SMB sharing is recommended. When creating the dataset, make sure that the Share type is set to Windows.

Do not use chmod to attempt to fix the permissions on a SMB share as it destroys the Windows ACLs. The correct way to manage permissions on a SMB share is to manage the share security from a Windows system as either the owner of the share or a member of the group that owns the share. To do so, right-click on the share, click Properties and navigate to the Security tab. If the ACLs are already destroyed by using chmod, winacl can be used to fix them. Type winacl from Shell for usage instructions.

The Common Errors section of the Samba documentation contains additional troubleshooting tips.

The Samba Performance Tuning page describes options to improve performance.

Directory listing speed in folders with a large number of files is sometimes a problem. A few specific changes can help improve the performance. However, changing these settings can affect other usage. In general, the defaults are adequate. Do not change these settings unless there is a specific need.

  • Hostname Lookups and Log Level can also have a performance penalty. When not needed, they can be disabled or reduced in the global SMB service options.
  • Make Samba datasets case insensitive by setting Case Sensitivity to Insensitive when creating them. This ZFS property is only available when creating a dataset. It cannot be changed on an existing dataset. To convert such datasets, back up the data, create a new case-insensitive dataset, create an SMB share on it, set the share level auxiliary parameter case sensitive = true, then copy the data from the old one onto it. After the data has been checked and verified on the new share, the old one can be deleted.
  • If present, remove options for extended attributes and DOS attributes in Auxiliary Parameters for the share.
  • Disable as many VFS Objects as possible in the share settings. Many have performance overhead.

The SMB1 protocol is deprecated and vulnerable. Before enabling it, see Do Not Use SMB1.

10.15. SNMP

SNMP (Simple Network Management Protocol) is used to monitor network-attached devices for conditions that warrant administrative attention. TrueNAS® uses Net-SNMP to provide SNMP. When starting the SNMP service, this port will be enabled on the TrueNAS® system:

  • UDP 161 (listens here for SNMP requests)

Available MIBS are located in /usr/local/share/snmp/mibs.

Figure 10.15.1 shows the SNMP configuration screen. Table 10.15.1 summarizes the configuration options.

_images/services-snmp.png

Fig. 10.15.1 Configuring SNMP

Table 10.15.1 SNMP Configuration Options
Setting Value Description
Location string Optional description of the system location.
Contact string Optional. Enter the administrator email address.
SNMP v3 Support checkbox Set to enable support for SNMP version 3.
Community string Default is public. Change this for security reasons! The value can only contain alphanumeric characters, underscores, dashes, periods, and spaces. This value can be empty for SNMPv3 networks.
Username string Only applies if SNMP v3 Support is set. Specify the username to register with this service. Refer to snmpd.conf(5) for more information about configuring this and the Authentication Type, Password, Privacy Protocol, and Privacy Passphrase fields.
Authentication Type drop-down menu Only applies if SNMP v3 Support is enabled. Choices are: MD5 or SHA.
Password string Only applies if SNMP v3 Support is enabled. Specify and confirm a password of at least eight characters.
Privacy Protocol drop-down menu Only applies if SNMP v3 Support is enabled. Choices are: AES or DES.
Privacy Passphrase string If not specified, Password is used.
Log Level drop-down menu Choices range from fewest log entries (Emergency) to the most (Debug).
Auxiliary Parameters string Enter additional snmpd.conf(5) options not covered in this screen. One option per line.

10.16. SSH

Secure Shell (SSH) is used to transfer files securely over an encrypted network. When a TrueNAS® system is used as an SSH server, the users in the network must use SSH client software to transfer files with SSH.

This section shows the TrueNAS® SSH configuration options, demonstrates an example configuration that restricts users to their home directory, and provides some troubleshooting tips.

Figure 10.16.1 shows the Services ‣ SSH configuration screen. After configuring SSH, remember to start it in Services ‣ Control Services.

_images/ssh1.png

Fig. 10.16.1 SSH Configuration

Table 10.16.1 summarizes the configuration options. Some settings are only available in Advanced Mode. To see these settings, either click the Advanced Mode button, or configure the system to always display these settings by enabling the Show advanced fields by default option in System ‣ Advanced.

Table 10.16.1 SSH Configuration Options
Setting Value Advanced Mode Description
Bind Interfaces selection By default, SSH listens on all interfaces unless specific interfaces are highlighted in the Available field and added to the Selected field.
TCP Port integer   Port to open for SSH connection requests. 22 by default.
Login as Root with password checkbox   As a security precaution, root logins are discouraged and disabled by default. If enabled, a password must be set for the root user in View Users.
Allow Password Authentication checkbox   Unset to require key-based authentication for all users. Requires additional setup on both the SSH client and server.
Allow Kerberos Authentication checkbox Before setting this option, ensure Kerberos Realms and Kerberos Keytabs are configured and TrueNAS® can communicate with the Kerberos Domain Controller (KDC).
Allow TCP Port Forwarding checkbox   Set to allow users to bypass firewall restrictions using the SSH port forwarding feature.
Compress Connections checkbox   Set to attempt to reduce latency over slow networks.
SFTP Log Level drop-down menu Select the syslog(3) level of the SFTP server.
SFTP Log Facility drop-down menu Select the syslog(3) facility of the SFTP server.
Extra Options string Add any additional sshd_config(5) options not covered in this screen, one per line. These options are case-sensitive and misspellings can prevent the SSH service from starting.

A few sshd_config(5) options that are useful to enter in the Extra Options field include:

  • increase the ClientAliveInterval if SSH connections tend to drop
  • ClientMaxStartup defaults to 10. Increase this value if more concurrent SSH connections are required.

10.16.1. SCP Only

When SSH is configured, authenticated users with a user account created using Account ‣ Users ‣ Add User can use ssh to log into the TrueNAS® system over the network. The user home directory is the pool or dataset specified in the Home Directory field of the TrueNAS® account for that user. While the SSH login defaults to the user home directory, users are able to navigate outside their home directory, which can pose a security risk.

It is possible to allow users to use scp and sftp to transfer files between their local computer and their home directory on the TrueNAS® system, while restricting them from logging into the system using ssh. To configure this scenario, go to Account ‣ Users ‣ View Users, select the user, and click Modify User. Change the Shell to scponly. Repeat for each user that needs restricted SSH access.

Test the configuration from another system by running the sftp, ssh, and scp commands as the user. sftp and scp will work but ssh will fail.

Note

Some utilities like WinSCP and Filezilla can bypass the scponly shell. This section assumes that users are accessing the system using the command line versions of scp and sftp.

10.16.2. Troubleshooting SSH

Keywords listed in sshd_config(5) are case sensitive. This is important to remember when adding any Extra options. The configuration will not function as intended if the upper and lowercase letters of the keyword are not an exact match.

If clients are receiving “reverse DNS” or timeout errors, add an entry for the IP address of the TrueNAS® system in the Host name database field of Network ‣ Global Configuration.

When configuring SSH, always test the configuration as an SSH user account to ensure the user is limited by the configuration and they have permission to transfer files within the intended directories. If the user account is experiencing problems, the SSH error messages are specific in describing the problem. Type this command within Shell to read these messages as they occur:

tail -f /var/log/messages

Additional messages regarding authentication errors are found in /var/log/auth.log.

10.17. TFTP

Trivial File Transfer Protocol (TFTP) is a light-weight version of FTP typically used to transfer configuration or boot files between machines, such as routers, in a local environment. TFTP provides an extremely limited set of commands and provides no authentication.

If the TrueNAS® system will be used to store images and configuration files for network devices, configure and start the TFTP service. Starting the TFTP service opens UDP port 69.

Figure 10.17.1 shows the TFTP configuration screen and Table 10.17.1 summarizes the available options.

_images/tn_tftp.png

Fig. 10.17.1 TFTP Configuration

Table 10.17.1 TFTP Configuration Options
Setting Value Description
Directory browse button Browse to an existing directory to be used for storage. Some devices require a specific directory name. Refer to the device documentation for details.
Allow New Files checkbox Enable if network devices need to send files to the system (for example, to back up their configuration).
Port integer Enter the UDP port to listen for TFTP requests. Default is 69.
Username drop-down menu Select the account to be used for TFTP requests. The account must have permission to access the Directory.
Umask checkboxes Set permissions for newly created files. The default is everyone can read and only the owner can write. Some devices require less strict permissions.
Extra options string Add any additional tftpd(8) options not shown in this screen. Add one option on each line.

10.18. UPS

TrueNAS® uses NUT (Network UPS Tools) to provide UPS support. If the TrueNAS® system is connected to a UPS device, configure the UPS service then start it in Services ‣ Control Services.

Figure 10.18.1 shows the UPS configuration screen:

_images/services-ups.png

Fig. 10.18.1 UPS Configuration Screen

Table 10.18.1 summarizes the options in the UPS Configuration screen.

Table 10.18.1 UPS Configuration Options
Setting Value Description
UPS Mode drop-down menu Select Master if the UPS is plugged directly into the system serial port. The UPS will remain the last item to shut down. Select Slave to have the system shut down before Master.
Identifier string Describe the UPS device. Can contain alphanumeric, period, comma, hyphen, and underscore characters.
Driver / Remote Host drop-down menu

For a list of supported devices, see the Network UPS Tools compatibility list.

The Driver field changes to Remote Host when UPS Mode is set to Slave. Enter the IP address of the system configured as the UPS Master system. See this post for more details about configuring multiple systems with a single UPS.

Port / Remote Port drop-down menu

Port: Enter the serial or USB port the UPS is connected to (see NOTE). When an snmp driver is selected, enter the IP address or hostname of the SNMP UPS device.

The name of the field changes to Remote Port when the UPS Mode is set to Slave. Enter the open network port number of the UPS Master system. The default port is 3493.

Auxiliary Parameters (ups.conf) string Enter any additional options from ups.conf(5).
Auxiliary Parameters (upsd.conf) string Enter any additional options from upsd.conf(5).
Description string Optional. Enter any notes about the UPS service.
Shutdown mode drop-down menu Choose when the UPS initiates shutdown. Choices are UPS goes on battery and UPS reaches low battery.
Shutdown timer integer Select a value in seconds for the UPS to wait before initiating shutdown. Shutdown will not occur if the power is restored while the timer is counting down. The value only applies when Shutdown Mode is set to UPS goes on battery.
Shutdown Command string Enter the command to run to shut down the computer when battery power is low or shutdown timer runs out.
No Communication Warning Time string Enter a value in seconds to wait before alerting that the service cannot reach any UPS. Warnings continue until the situation is fixed.
Monitor User string Enter a user to associate with this service. The recommended default user is upsmon.
Monitor Password string Default is the known value fixmepass. Change this to enhance system security. Cannot contain a space or #.
Extra users string Enter the accounts with administrative access. See upsd.users(5) for examples.
Remote monitor checkbox Set for the default configuration to listen on all interfaces using the known values of user upsmon and password fixmepass.
Send Email Status Updates checkbox Set to enable the TrueNAS® system to send email updates to the configured To email address.
To email email address Enter the email address to receive status updates. Separate multiple email addresses with a semicolon (;).
Email Subject string Enter a subject line to be used in email status updates.
Power Off UPS checkbox Set to power off the UPS after shutting down the FreeNAS system.

Note

For USB devices, the easiest way to determine the correct device name is to enable the Show console messages option in System ‣ Advanced. Plug in the USB device and look for a /dev/ugen or /dev/uhid device name in the console messages.

Tip

Some UPS models might be unresponsive with the default polling frequency. This can show in TrueNAS® logs as a recurring error like: libusb_get_interrupt: Unknown error.

If this error occurs, increase the polling frequency by adding an entry to Auxiliary Parameters (ups.conf): pollinterval = 10. The default polling frequency is two seconds.

upsc(8) can be used to get status variables from the UPS daemon such as the current charge and input voltage. It can be run from Shell using this syntax:

upsc ups@localhost

The upsc(8) man page gives some other usage examples.

upscmd(8) can be used to send commands directly to the UPS, assuming the hardware supports the command being sent. Only users with administrative rights can use this command. These users are created in the Extra users field.

10.18.1. Multiple Computers with One UPS

A UPS with adequate capacity can power multiple computers. One computer is connected to the UPS data port with a serial or USB cable. This master makes UPS status available on the network for other computers. These slave computers are powered by the UPS, but receive UPS status data from the master computer. See the NUT User Manual and NUT User Manual Pages.

10.19. WebDAV

The WebDAV service can be configured to provide a file browser over a web connection. Before starting this service, at least one WebDAV share must be created using Sharing ‣ WebDAV Shares ‣ Add WebDAV Share. Refer to WebDAV Shares for instructions on how to create a share and connect to it when the service is configured and started.

Figure 10.19.1 shows the WebDAV configuration screen. Table 10.19.1 summarizes the available options.

_images/webdav2.png

Fig. 10.19.1 WebDAV Configuration Screen

Table 10.19.1 WebDAV Configuration Options
Setting Value Description
Protocol drop-down menu HTTP keeps the connection always unencrypted. HTTPS always encrypts the connection. HTTP+HTTPS allows both types of connections.
HTTP Port string Specify a port for unencrypted connections. Only appears if the selected Protocol is HTTP or HTTP+HTTPS. The default of 8080 is recommended. Do not reuse a port number.
HTTPS Port string Specify a port for encrypted connections. Only appears if the selected Protocol is HTTPS or HTTP+HTTPS. The default of 8081 is recommended. Do not reuse a port number.
Webdav SSL Certificate drop-down menu Select the SSL certificate to use for encrypted connections. Only appears if the selected Protocol is HTTPS or HTTP+HTTPS. To create a certificate, use System ‣ Certificates.
HTTP Authentication drop-down menu Choices are No Authentication, Basic Authentication (unencrypted), or Digest Authentication (encrypted).
Webdav Password string Default is davtest. This is a known value and is recommended to be changed.