[TrueNAS SCALE 24.04] SMB Shares, SMB Permissions, and Access-Based-Share-Enumeration

Hello,

I’ve been setting up Datasets with the SMB preset, including setting the owner and group on creation. The SMB shares behave exactly as expected, as far as which users have the ability to mount them.

However, even when I enable Access Based Share Enumeration (ABSE) in the share settings, any user that connects to the server via SMB can see all the active shares, even the ones that they don’t have access to that should be hidden via SMB ABSE.

I’ve done some research on this the last two days, and apparently I have to separately and additionally configure the SMB ACL, and not just the dataset ACL. See: Managing SMB Shares | TrueNAS Documentation Hub

Apparently, the default per-share SMB ACL allows any user to have full access to any share, including read/write (?!) and enumeration, and depends on the ZFS dataset ACLs to actually impose restrictions?

At least, that’s how I’m interpreting the default settings below:

Intuitively, it feels like enabling ABSE should automatically adjust the SMB ACL (otherwise the checkbox has no effect unless the user manually adjusts the SMB ACL), which makes me think I’m missing something.

I wanted to double-check here that I actually have to do this for every share that I want to use ABSE with.

Thanks!

The default settings are so it’s easier to get things going for most users. You will have to customize and restrict to fit your use case.


Thanks! I thought that was the case, but I wanted to make sure I wasn’t missing something obvious elsewhere in the GUI before I started editing the SMB permissions.

I’ll have to research more about how to customize the SMB ACLs before I decide if I want to go down that road. I’m starting to wonder if it might be simpler to just not broadcast share names.

In any case, I’ll need to think about how much complication I want to add just to hide share names from people who don’t need to see them. :)
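Added example, not part of the thread and not TrueNAS code: Samba's `access based share enum` option lists a share only to users who have read or write access under the share-level ACL, so this sketch parses share ACL text and flags ABSE-enabled shares that still allow Everyone (S-1-1-0). It assumes input in the layout printed by Samba's `sharesec --view-all`; the sample text, share names and function names are constructed for illustration.

```python
import re

EVERYONE = {"S-1-1-0", "Everyone"}  # well-known SID / name of the Everyone group

# Constructed sample in the assumed `sharesec --view-all` layout.
SAMPLE = """\
[finance]
REVISION:1
CONTROL:SR|DP
OWNER:
GROUP:
ACL:S-1-1-0:ALLOWED/0x0/FULL

[hr]
REVISION:1
CONTROL:SR|DP
OWNER:
GROUP:
ACL:S-1-5-21-1111111111-2222222222-3333333333-1105:ALLOWED/0x0/CHANGE
ACL:S-1-5-21-1111111111-2222222222-3333333333-1106:ALLOWED/0x0/READ
"""

# One ACE per line: ACL:<sid or name>:<ALLOWED|DENIED>/<flags>/<mask>
ACE_RE = re.compile(r"^ACL:(?P<who>.+):(?P<type>ALLOWED|DENIED)/[^/]+/(?P<mask>\S+)$")


def parse_share_acls(text):
    """Return {share: [(trustee, type, mask), ...]} from sharesec-style text."""
    acls, share = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            share = line[1:-1]
            acls[share] = []
        elif share is not None and (m := ACE_RE.match(line)):
            acls[share].append((m["who"], m["type"], m["mask"]))
    return acls


def abse_has_no_effect(acls, abse_shares):
    """ABSE-enabled shares whose share ACL still grants Everyone access."""
    return [
        share
        for share in sorted(abse_shares)
        if any(who in EVERYONE and kind == "ALLOWED"
               for who, kind, _mask in acls.get(share, []))
    ]


if __name__ == "__main__":
    # Both shares are assumed to have the ABSE checkbox enabled.
    print(abse_has_no_effect(parse_share_acls(SAMPLE), {"finance", "hr"}))
```

Shares the function returns stay visible to every connecting user until the Everyone entry in their share ACL is replaced with the specific users or groups that should see them.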