TrueNAS SCALE: Hide SMB shares from users without permissions (ABSE not working?)

Hi everyone,

I need help properly configuring SMB in TrueNAS SCALE (version 24.10.2.1).

I want to achieve the following setup:

  • User antoni should have full access (read/write) to their own share/folder Antoni.
  • User antoni should have read-only access to the share/folder zdjecia_red.
  • User antoni should not see any other shares (e.g., Testowy, Dane_2TB_SSD, etc.).
  • Other users should have full access to zdjecia_red and possibly their own shares.

The goal is that when antoni accesses the server via Windows (\\TRUENAS), they should only see the Antoni and zdjecia_red shares — and not even see the names of the other shares.

I have enabled Access Based Share Enumeration (ABSE), but it doesn’t seem to be enough — antoni still sees the list of all shares.

What exactly should I configure (ACL? SMB options? Auxiliary Parameters?) in the latest TrueNAS SCALE to make this work correctly?

Thank you very much in advance for your help!

Visibility is controlled by the share (not filesystem) ACL.


In 23.10.x and 24.10.x I’ve found you need to use the CLI to configure hide unreadable = yes on the share you want this behaviour on.

I can’t find the TrueNAS SCALE community page that gave me the clue at the time, but here’s a Reddit TrueNAS thread that goes on about the same thing.

https://www.reddit.com/r/truenas/comments/1b49sl5/comment/lmxoy6s/?utm_source=share&utm_medium=web3x&utm_name=web3xcss&utm_term=1&utm_content=share_button

Feel free to vote for this Feature Request if you feel it should be default in TN or at least a UI option.

I have a feeling this issue won’t impact smaller environments as much, as having a set of permissions per dataset/share will be sufficient, and if you need a different set of permissions you will most likely just create a new dataset and share. However, in larger, more complex environments it’s too unwieldy to create a dataset and share every time you need a new permission group, as you would end up with hundreds if not thousands of datasets (and in turn even more snapshots), and I can tell you from experience that doesn’t end well.

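An added example, not part of any post in this thread and not TrueNAS code: a small Python audit that reads Samba configuration text in the layout `testparm -s` prints and reports, per share, whether `access based share enum` (the Samba parameter for ABSE) and `hide unreadable` are in effect. The sample input is constructed; the script assumes an option left unset on a share falls back to `[global]` and then to Samba's default of `no`.

```python
import re

# Constructed sample in `testparm -s` layout; share names from the thread, settings made up.
SAMPLE = """\
[global]
    Access Based Share Enum = Yes

[Antoni]
    hide unreadable = yes

[zdjecia_red]

[Testowy]
    access based share enum = No
"""

WATCHED = ("access based share enum", "hide unreadable")
TRUE_VALUES = {"yes", "true", "1", "on"}

def norm(name):
    # Samba ignores case and whitespace in parameter names.
    return re.sub(r"\s+", "", name).lower()

def parse(text):
    """Return {section: {normalised parameter name: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[norm(key)] = value.strip()
    return sections

def audit(text):
    """Per share: is each watched option on? Unset falls back to [global], then to 'no'."""
    sections = parse(text)
    glob = next((v for k, v in sections.items() if k.lower() == "global"), {})
    return {
        share: {p: params.get(norm(p), glob.get(norm(p), "no")).lower() in TRUE_VALUES
                for p in WATCHED}
        for share, params in sections.items() if share.lower() != "global"
    }

if __name__ == "__main__":
    for share, flags in audit(SAMPLE).items():
        print(f"{share:12}", {p: "yes" if on else "no" for p, on in flags.items()})
```

Both options only affect what is listed; whether a user can open a share is still decided by the share and dataset ACLs.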

Thank you all for your replies and insights!

In the end, I managed to solve the issue using ACL settings directly on the dataset. Now users without permissions no longer see the SMB share at all. Works exactly as intended.

Appreciate the help!

Thanks for the update.

Again some confusion around the issue being Access Based Share Enumeration or Access Based Enumeration.

(Copying note from another thread, with modifications…)

From my personal experience after moving from CORE 13.0-U6.1 to TrueNAS SCALE 24.04, SCALE has Access Based Share Enumeration (ABSE) in the GUI, but not Access Based Enumeration (ABE). I didn’t realize the significance of ABE being missing at first.

CORE had them both, and enabling both was sufficient to hide Share X from User A in the available share list when connecting to the server if User A didn’t have access to Share X.

I would really like this behavior back. Having to manually adjust the dataset ACL and the SMB share ACL adds an extra layer of complexity (and opportunity for error) that didn’t exist in CORE. It also loses the convenience of the default settings, which just pass whatever the dataset ACL settings are through to SMB; that’s much more user-friendly for people just getting started, too.