I would like to see an easy, supported method for enabling crossmnt on shares as well.
Perhaps it would help to explain the use case I’m thinking of? We have a software repository mirror and want to present different systems with different versions of the mirror. Some test systems should get bleeding edge software, most get a version which has undergone testing on those test systems, a few get a very well tested version of the software.
It seems like the easy way to do this is to use symlinks to the old repo snapshots. Bleeding-edge is the raw mirror, Stable is a link to the snapshot from a few days ago, Safe is a symlink to a snapshot from two weeks ago. All we need is a script to rotate the symlinks each day and we’re good.
In this scenario the crossmnt shares are only exported to the web servers which provide the mirrors to client systems and the data is just a copy of publicly-available code so the security implications of crossmnt are minor. Obviously there are other ways to make versions of mirrors but this seems like a simple and elegant solution to me.
1 Like
Another important use case is allowing users to access snapshots of their data over NFS without support intervention. For instance, users can recover accidentally deleted files from their home directories which are shared from TrueNAS over NFS.
Please reach out to your support representative, this should be possible today.
1 Like
Is there documentation for this somewhere? I’d prefer not to bother support with the question if instructions to enable this feature are available.
Thanks for that info Mark, but it doesn’t pertain to the original feature request. What was being requested is the ability for end users to have access to the .zfs/snapshot directory via an NFS mount so they can perform recovery actions without the need of a TrueNAS administrator’s intervention.
1 Like
25.04 with enterprise license.
1 Like
Thanks! I didn’t realize this was a 25.04 feature. We’ve been advised to hold off on upgrading our system to Fangtooth as it isn’t on the supported versions list yet (Software Status - TrueNAS Roadmap - Open Source NAS Software), but it’s good to know we’ll have that functionality available once we upgrade.
@kwt5152 I’m happy to help here. If you open up a ticket and ask about this topic, include the link to this post so it finds it’s way to me and we can have a conversation about this or I can help you set it up.
Is there a timeline for 25.04 to become a supported enterprise release? The timeline page right now only recommends 24.10.2.2
Other reasons to allow crossmnt:
-
On a file server where home directories are exported and each home is a dataset, crossmnt enables a single clean export and not one per user, which is an unnecessary administrative burden and if you are using e.g. network restrictions has higher risk of mistakes.
-
This is the standard behaviour on SMB and is not comparable to insecure wide links. Wide links are links outside of the SMB share. This is automating access to child datasets within a NFS share. If anything this is a “do what I mean” setting.
-
crossmnt is not the security problem. sec=sys is fundamentally insecure, and sec=sys and mapall are only required because of inadequate infrastructure availability and excessive complexity for normal people to setup themselves unless their environment already has a KDC (e.g. AD). If we are going to gatekeep on NFS security then maybe making it easier to run Kerberos should be the priority. Equally this could enable deprecation of NTLMv2 for SMB shares, as Microsoft has started with Windows 2025 enabling a local KDC for local accounts. In the meantime unavailability of crossmnt just makes it harder to make do with what we have.
Also, exporting zfs snapdir should not be an Enterprise-only feature. 
1 Like
@awalkerix or anybody else from iX… is there a timeline for when 25.04 will be the recommended enterprise release?
Guidance will be updated shortly, but we expect 25.04.1 will be for Tester/Early Adopter categories.
Expect 25.04.2 to land on General.
Throwing my two cents in to request crossmnt support as a general feature. I was dishearted an hour ago, as of this post, to find out my plan of just sharing one dataset via nfs won’t allow me access to it’s “grandchildren”. This means I’ve got to restructure how I’m doing all of my datasets.
My plan is to “expose” my parent app/docker dataset /mnt/syn/docker via NFS and then get access to /mnt/syn/docker/databases and it’s child /mnt/syn/docker/databases/postgres (among other datasets) via the one share as that’s all I’d need to mount on my hosts, only to found out I can’t see that and the most i can get access to via the share is /mnt/syn/docker/database so I’m going to have to redo my entire dataset tree and undo my neat and tidy tree.
My home directory alone is 10 datasets. crossmnt is essential.
For those who are really stuck by this and do not have a TrueNAS Enterprise account team to advocate on your behalf for the needed checkbox, you can learn how the exports file is created by reviewing /usr/lib/python3/dist-packages/middlewared/etc_files/exports.mako, around line 205.
For home users wanting Kerberos for NFSv4 on minimal infrastructure, I posted how I setup my home environment: NFSv4 and Kerberos for home/lab environments
