Services that ship with FreeNAS® are configured, started, or stopped with Services. FreeNAS® includes these built-in services:
- Domain Controller
- Dynamic DNS
This section demonstrates starting a FreeNAS® service and the available configuration options for each FreeNAS® service.
11.1. Control Services¶
Figure 11.1.1, lists all services. It also shows where to start, stop, or configure the available services. The S.M.A.R.T. service is enabled by default, but only runs if the storage devices support S.M.A.R.T. data Other services default to off until started., shown in
Stopped services show a red stop symbol and a Start Now button. Running services show a green light with a Stop Now button.
Using a proxy server can prevent the list of services from being displayed. If a proxy server is used, do not configure it to proxy local network connections or websocket connections. VPN software can also cause problems. If the list of services is displayed when connecting on the local network but not when connecting through the VPN, check the VPN software configuration.
Services are configured by clicking the wrench icon or the name of the service in the Services section of the tree menu.
If a service does not start, go to Show console messages in the footer. Console messages appear at the bottom of the browser. Clicking the console message area makes it into a pop-up window, allowing scrolling through or copying the messages. Watch these messages for errors when stopping or starting the problematic service.and enable
To read the system logs for more information about a service failure, open Shell and type more /var/log/messages.
The settings that are configured when creating AFP Shares inare specific to each configured AFP Share. In contrast, global settings which apply to all AFP shares are configured in .
|Guest Access||checkbox||Set to disable the password prompt that appears before clients access AFP shares.|
|Guest account||drop-down menu||Select an account to use for guest access. The account must have permissions to the volume or dataset being shared.|
|Max Connections||integer||Maximum number of simultaneous connections.|
|Database Path||browse button||Sets the database information to be stored in the path. Default is the root of the volume. The path must be writable even if the volume is read-only.|
|Global auxiliary parameters||string||Add any additional afp.conf(5) parameters not covered elsewhere in this screen.|
|Map ACLs||drop-down menu||Choose mapping of effective permissions for authenticated users. Choices are Rights (default, Unix-style permissions), Mode (ACLs), or None.|
|Chmod Request||drop-down menu||Sets how Access Control Lists are handled. Ignore ignores requests and gives the parent directory ACL inheritance full control over new items. Preserve preserves ZFS Access Control Entries for named users and groups or the POSIX ACL group mask. Simple is set to chmod() as requested without any extra steps.|
|Bind IP Addresses||selection||Specify the IP addresses to listen for FTP connections. Highlight the desired IP addresses in the Available list and use the >> button to add to the Selected list.|
11.2.1. Troubleshooting AFP¶
Determine which users are connected to an AFP share by typing afpusers.
If Something wrong with the volume’s CNID DB is shown, run this command from Shell, replacing the path to the problematic AFP share:
dbd -rf /path/to/share
This command can take some time, depending upon the size of the pool or dataset being shared. The CNID database is wiped and rebuilt from the CNIDs stored in the AppleDouble files.
11.3. Domain Controller¶
FreeNAS® can be configured to act either as the domain controller for a network or to join an existing Active Directory network as a domain controller.
This section demonstrates how to configure the FreeNAS® system to act as a domain controller. If the goal is to integrate with an existing Active Directory network to access its authentication and authorization services, configure Active Directory instead.
Note that configuring a domain controller is a complex process that requires a good understanding of how Active Directory works. While makes it easy to enter the needed settings into the administrative graphical interface, it is important to understand what those settings should be. Before beginning configuration, read through the Samba AD DC HOWTO. After FreeNAS® is configured, use the RSAT utility from a Windows system to manage the domain controller. The Samba AD DC HOWTO includes instructions for installing and configuring RSAT.
|Realm||string||Enter a capitalized DNS realm name.|
|Domain||string||Enter a capitalized domain name.|
|Server Role||drop-down menu||At this time, the only supported role is as the domain controller for a new domain.|
|DNS Forwarder||string||Enter the IP address of the DNS forwarder. Required for recursive queries when SAMBA_INTERNAL is selected.|
|Domain Forest Level||drop-down menu||Choices are 2000, 2003, 2008, 2008_R2, 2012, or 2012_R2. Refer to Understanding Active Directory Domain Services (AD DS) Functional Levels.|
|Administrator password||string||Enter the password to be used for the Active Directory administrator account.|
|Kerberos Realm||drop-down menu||Auto-populates with information from the Realm when the settings in this screen are saved.|
11.4. Dynamic DNS¶
Dynamic DNS (DDNS) is useful if the FreeNAS® system is connected to an ISP that periodically changes the IP address of the system. With dynamic DNS, the system can automatically associate its current IP address with a domain name, allowing access to the FreeNAS® system even if the IP address changes. DDNS requires registration with a DDNS service such as DynDNS.
Figure 11.4.1 shows the DDNS configuration screen and Table 11.4.1 summarizes the configuration options. The values for these fields are provided by the DDNS provider. After configuring DDNS, remember to start the DDNS service in .
|Provider||drop-down menu||Several providers are supported. If a specific provider is not listed, select Custom Provider and enter the information in the Custom Server and Custom Path fields.|
|CheckIP Server SSL||string||Set to use HTTPS for the connection to the CheckIP Server.|
|CheckIP Server||string||Enter the name and port of the server that reports the external IP address, in the format server.name.org:port.|
|CheckIP Path||string||Enter the path that is requested by the CheckIP Server to determine the user IP address.|
|Use SSL||checkbox||Set to use HTTPS for the connection to the server that updates the DNS record.|
|Domain name||string||Enter a fully qualified domain name. Example: yourname.dyndns.org.|
|Username||string||Enter the username to log in to the provider and update the record.|
|Password||string||Enter the password used to log in to the provider and update the record.|
|Update period||integer||How often the IP is checked in seconds.|
he.net, enter the domain name for
Username and enter the DDNS key generated for that
domain’s A entry at the he.net website for
FreeNAS® uses the proftpd FTP server to provide FTP services. Once the FTP service is configured and started, clients can browse and download data using a web browser or FTP client software. The advantage of FTP is that easy-to-use cross-platform utilities are available to manage uploads to and downloads from the FreeNAS® system. The disadvantage of FTP is that it is considered to be an insecure protocol, meaning that it should not be used to transfer sensitive files. If concerned about sensitive data, see Encrypting FTP.
This section provides an overview of the FTP configuration options. It then provides examples for configuring anonymous FTP, specified user access within a chroot environment, encrypting FTP connections, and troubleshooting tips.
Figure 11.5.1 shows the configuration screen for . Some settings are only available in Advanced Mode. To see these settings, either click the Advanced Mode button or configure the system to always display these settings by enabling the Show advanced fields by default setting in .
Table 11.5.1 summarizes the available options when configuring the FTP server.
|Port||integer||Set the port the FTP service listens on.|
|Clients||integer||Set the maximum number of simultaneous clients.|
|Connections||integer||Set the maximum number of connections per IP address where 0 means unlimited.|
|Login Attempts||integer||Enter the maximum number of attempts before client is disconnected. Increase this if users are prone to typos.|
|Timeout||integer||Enter the maximum client idle time in seconds before client is disconnected.|
|Allow Root Login||checkbox||Enabling this option is discouraged as increases security risk.|
|Allow Anonymous Login||checkbox||Set to enable anonymous FTP logins with access to the directory specified in Path.|
|Path||browse button||Set the root directory for anonymous FTP connections.|
|Allow Local User Login||checkbox||Required if Anonymous Login is disabled.|
|Display Login||string||Specify the message displayed to local login users after authentication. This message is not displayed to anonymous login users.|
|File Permission||checkboxes||✓||Set the default permissions for newly created files.|
|Directory Permission||checkboxes||✓||Set the default permissions for newly created directories.|
|Enable FXP||checkbox||✓||Set to enable the File eXchange Protocol. This setting makes the server vulnerable to FTP bounce attacks so it is not recommended.|
|Allow Transfer Resumption||checkbox||Set to allow FTP clients to resume interrupted transfers.|
|Always Chroot||checkbox||When set, a local user is only allowed access to their home directory unless the user is a member of group wheel.|
|Require IDENT Authentication||checkbox||✓||Setting this option results in timeouts if identd is not running on the client.|
|Perform Reverse DNS Lookups||checkbox||Set to perform reverse DNS lookups on client IPs. Can cause long delays if reverse DNS is not configured.|
|Masquerade address||string||Public IP address or hostname. Set if FTP clients cannot connect through a NAT device.|
|Minimum passive port||integer||✓||Used by clients in PASV mode, default of 0 means any port above 1023.|
|Maximum passive port||integer||✓||Used by clients in PASV mode, default of 0 means any port above 1023.|
|Local user upload bandwidth||integer||✓||Defined in KB/s, default of 0 means unlimited.|
|Local user download bandwidth||integer||✓||Defined in KB/s, default of 0 means unlimited.|
|Anonymous user upload bandwidth||integer||✓||Defined in KB/s, default of 0 means unlimited.|
|Anonymous user download bandwidth||integer||✓||Defined in KB/s, default of 0 means unlimited.|
|Enable TLS||checkbox||✓||Set to enable encrypted connections. Requires a certificate to be created or imported using Certificates.|
|TLS policy||drop-down menu||✓||The selected policy defines whether the control channel, data channel, both channels, or neither channel of an FTP session must occur over SSL/TLS. The policies are described here.|
|TLS allow client renegotiations||checkbox||✓||Enabling this option is not recommended as it breaks several security measures. For this and the rest of the TLS fields, refer to mod_tls for more details.|
|TLS allow dot login||checkbox||✓||If set, the user home directory is checked for a
|TLS allow per user||checkbox||✓||If set, the user password can be sent unencrypted.|
|TLS common name required||checkbox||✓||If set, the common name in the certificate must match the FQDN of the host.|
|TLS enable diagnostics||checkbox||✓||If set when troubleshooting a connection, logs more verbosely.|
|TLS export certificate data||checkbox||✓||If set, exports the certificate environment variables.|
|TLS no certificate request||checkbox||✓||Try enabling this option if the client cannot connect and it is suspected the client software is not properly handling server certificate requests.|
|TLS no empty fragments||checkbox||✓||Enabling this option is not recommended as it bypasses a security mechanism.|
|TLS no session reuse required||checkbox||✓||Enabling this option reduces the security of the connection, so only use if the client does not understand reused SSL sessions.|
|TLS export standard vars||checkbox||✓||If enabled, sets several environment variables.|
|TLS DNS name required||checkbox||✓||If set, the client DNS name must resolve to its IP address and the cert must contain the same DNS name.|
|TLS IP address required||checkbox||✓||If set, the client certificate must contain the IP address that matches the IP address of the client.|
|Certificate||drop-down menu||The SSL certificate to be used for TLS FTP connections. To create a certificate, use.|
|Auxiliary parameters||string||✓||Add any additional proftpd(8) parameters not covered elsewhere in this screen.|
This example demonstrates the auxiliary parameters that prevent all users from performing the FTP DELETE command:
<Limit DELE> DenyAll </Limit>
11.5.1. Anonymous FTP¶
Anonymous FTP may be appropriate for a small network where the FreeNAS® system is not accessible from the Internet and everyone in the internal network needs easy access to the stored data. Anonymous FTP does not require a user account for every user. In addition, passwords are not required so it is not necessary to manage changed passwords on the FreeNAS® system.
To configure anonymous FTP:
Give the built-in ftp user account permissions to the volume/dataset to be shared inas follows:
- Owner(user): select the built-in ftp user from the drop-down menu
- Owner(group): select the built-in ftp group from the drop-down menu
- Mode: review that the permissions are appropriate for the share
For FTP, the type of client does not matter when it comes to the type of ACL. This means that Unix ACLs are always used, even if Windows clients will be accessing FreeNAS® via FTP.
Configure anonymous FTP inby setting the following attributes:
- Allow Anonymous Login: enables this option
- Path: browse to the volume/dataset/directory to be shared
Start the FTP service in Start Now button next to FTP. The FTP service takes a second or so to start. The indicator changes to green when the service is running, and the button changes to Stop Now.. Click the
Test the connection from a client using a utility such as Filezilla.
In the example shown in Figure 11.5.2, the user has entered this information into the Filezilla client:
- IP address of the FreeNAS® server: 192.168.1.113
- Username: anonymous
- Password: the email address of the user
The messages within the client indicate the FTP connection is successful. The user can now navigate the contents of the root folder on the remote site. This is the pool or dataset specified in the FTP service configuration. The user can also transfer files between the local site (their system) and the remote site (the FreeNAS® system).
11.5.2. FTP in chroot¶
If users are required to authenticate before accessing the data on the FreeNAS® system, either create a user account for each user or import existing user accounts using Active Directory or LDAP. Then create a ZFS dataset for each user. Next, chroot each user so they are limited to the contents of their own home directory. Datasets provide the added benefit of configuring a quota so that the size of a user home directory is limited to the size of the quota.
To configure this scenario:
Create a ZFS dataset for each user in. Click an existing and set an appropriate quota for each dataset. Repeat this process to create a dataset for every user that needs access to the FTP service.
When not using AD or LDAP, create a user account for each user in Home Directory field. Repeat this process to create a user account for every user that needs access to the FTP service, making sure to assign each user their own dataset.. For each user, browse to the dataset created for that user in the
Set the permissions for each dataset in Change Permissions button for a dataset to assign a user account as Owner of that dataset and to set the desired permissions for that user. Repeat for each dataset.. Click the
For FTP, the type of client does not matter when it comes to the type of ACL. This means Unix ACLs are always used, even if Windows clients will be accessing FreeNAS® with FTP.
Configure FTP inwith these attributes:
- Path: browse to the parent volume containing the datasets.
- Make sure Allow Anonymous Login and Allow Root Login are unselected.
- Select Allow Local User Login.
- Select Always Chroot.
Start the FTP service in Start Now button next to FTP. The FTP service takes a second or so to start. The indicator changes to green to show that the service is running, and the button changes to Stop Now.. Click the
Test the connection from a client using a utility such as Filezilla.
To test this configuration in Filezilla, use the IP address of the FreeNAS® system, the Username of a user that is associated with a dataset, and the Password for that user. The messages will indicate the authorization and the FTP connection are successful. The user can now navigate the contents of the root folder on the remote site. This time it is not the entire pool but the dataset created for that user. The user can transfer files between the local site (their system) and the remote site (their dataset on the FreeNAS® system).
11.5.3. Encrypting FTP¶
To configure any FTP scenario to use encrypted connections:
- Import or create a certificate authority using the instructions in CAs. Then, import or create the certificate to use for encrypted connections using the instructions in Certificates.
- In Certificate and set the Enable TLS option. , choose the certificate in the
- Specify secure FTP when accessing the FreeNAS® system. For example, in Filezilla enter ftps://IP_address (for an implicit connection) or ftpes://IP_address (for an explicit connection) as the Host when connecting. The first time a user connects, they will be presented with the certificate of the FreeNAS® system. Click OK to accept the certificate and negotiate an encrypted connection.
- To force encrypted connections, select on for the TLS Policy.
11.5.4. Troubleshooting FTP¶
The FTP service will not start if it cannot resolve the system hostname to an IP address with DNS. To see if the FTP service is running, open Shell and issue the command:
sockstat -4p 21
If there is nothing listening on port 21, the FTP service is not running. To see the error message that occurs when FreeNAS® tries to start the FTP service, go to Show console messages in the footer, and click Save. Go to and switch the FTP service off, then back on. Watch the console messages at the bottom of the browser for errors., check
If the error refers to DNS, either create an entry in the local DNS server with the FreeNAS® system hostname and IP address, or add an entry for the IP address of the FreeNAS® system in the Host name database field.
Refer to Block (iSCSI) for instructions on configuring iSCSI. To start the iSCSI service, click its entry in Services.
A warning message is shown if the iSCSI service is stopped when initiators are connected. Open the Shell and type ctladm islist to determine the names of the connected initiators.
The Link Layer Discovery Protocol (LLDP) is used by network devices to advertise their identity, capabilities, and neighbors on an Ethernet network. FreeNAS® uses the ladvd LLDP implementation. If the network contains managed switches, configuring and starting the LLDP service will tell the FreeNAS® system to advertise itself on the network.
|Interface Description||checkbox||Set to enable receive mode and to save received peer information in interface descriptions.|
|Country Code||string||Required for LLDP location support. Enter a two-letter ISO 3166 country code.|
|Location||string||Optional. Specify the physical location of the host.|
Netdata is a real-time performance and monitoring system. It displays data as web dashboards.
Click the Take me to the Netdata UI button to view the web dashboard as shown in Figure 11.8.2.
More information on configuring and using Netdata is available at the Netdata website.
The settings that are configured when creating NFS Shares inare specific to each configured NFS Share. In contrast, global settings which apply to all NFS shares are configured in .
|Number of servers||integer||Specify how many servers to create. Increase if NFS client responses are slow. To limit CPU context switching, keep
this number less than or equal to the number of CPUs reported by
|Serve UDP NFS clients||checkbox||Set if NFS clients need to use UDP.|
|Bind IP Addresses||checkboxes||Select the IP addresses to listen on for NFS requests. When unselected, NFS listens on all available addresses.|
|Allow non-root mount||checkbox||Set only if the NFS client requires it.|
|Enable NFSv4||checkbox||Set to switch from NFSv3 to NFSv4. The default is NFSv3.|
|NFSv3 ownership model for NFSv4||checkbox||Grayed out unless Enable NFSv4 is checked and, in turn, grays out Support>16 groups which is incompatible. Set this option if NFSv4 ACL support is needed without requiring the client and the server to sync users and groups.|
|Require Kerberos for NFSv4||checkbox||Set to force NFS shares to fail if the Kerberos ticket is unavailable.|
|mountd(8) bind port||integer||Optional. Specify the port that mountd(8) binds to.|
|rpc.statd(8) bind port||integer||Optional. Specify the port that rpc.statd(8) binds to.|
|rpc.lockd(8) bind port||integer||Optional. Specify the port that rpc.lockd(8) binds to.|
|Support>16 groups||checkbox||Set this option if any users are members of more than 16 groups (useful in AD environments). Note this assumes group membership is configured correctly on the NFS server.|
|Log mountd(8) requests||checkbox||Enable logging of mountd(8) requests by syslog.|
|Log rpc.statd(8) and rpc.lockd(8)||checkbox||Enable logging of rpc.statd(8) and rpc.lockd(8) requests by syslog.|
NFSv4 sets all ownership to nobody:nobody if user and group do not match on client and server.
Rsync Module Mode for a configuration example.is used to configure an rsync server when using rsync module mode. Refer to
This section describes the configurable options for the rsyncd service and rsync modules.
11.10.1. Configure Rsyncd¶
Figure 11.10.1 shows the rsyncd configuration screen which is accessed from .
Table 11.10.1 summarizes the configuration options for the rsync daemon:
|TCP Port||integer||Port for rsyncd to listen on. Default is 873.|
|Auxiliary parameters||string||Enter any additional parameters from rsyncd.conf(5).|
11.10.2. Rsync Modules¶
Figure 11.10.2 shows the configuration screen that appears after clicking .
Table 11.10.2 summarizes the configuration options when creating a rsync module.
|Module name||string||Mandatory. This is required to match the setting on the rsync client.|
|Path||browse button||Browse to the volume or dataset to hold received data.|
|Access Mode||drop-down menu||Choices are Read and Write, Read-only, or Write-only.|
|Maximum connections||integer||0 is unlimited.|
|User||drop-down menu||Select the user to control file transfers to and from the module.|
|Group||drop-down menu||Select the group to control file transfers to and from the module.|
|Hosts allow||string||Enter a list of patterns to match with the hostname and IP address of a connecting client. Separate patterns with whitespace or comma. See rsyncd.conf(5) for allowed formats.|
|Hosts deny||string||Enter a list of patterns to match with the hostname and IP address of a connecting client. Separate patterns with whitespace or comma. See rsyncd.conf(5) for allowed formats.|
|Auxiliary parameters||string||Enter any additional dditional parameters from rsyncd.conf(5).|
S3 is a distributed or clustered filesystem protocol compatible with Amazon S3 cloud storage. The FreeNAS® S3 service uses Minio to provide S3 storage hosted on the FreeNAS® system itself. Minio also provides features beyond the limits of the basic Amazon S3 specifications.
|IP Address||drop-down menu||Enter the IP address on which to run the S3 service. 0.0.0.0 sets the server to listen on all addresses.|
|Port||string||Enter the TCP port on which to provide the S3 service. Default is 9000.|
|Access Key||string||Enter the S3 user name. Must be between 5 to 20 characters long.|
|Secret Key||string||Enter the password to be used by connecting S3 systems. Must be at least 8 but no more than 40 characters long.|
|Confirm S3 Key||string||Re-enter the S3 password to confirm.|
|Disks||string||The directory for S3 filesystem directory.|
|Certificate||drop-down menu||The SSL certificate to be used for secure S3 connections. To create a certificate, use.|
|Enable Browser||checkbox||Set to enable the web user interface for the S3 service.|
S.M.A.R.T., or Self-Monitoring, Analysis, and Reporting Technology, is an industry standard for disk monitoring and testing. Drives can be monitored for status and problems, and several types of self-tests can be run to check the drive health.
Tests run internally on the drive. Most tests can run at the same time as normal disk usage. However, a running test can greatly reduce drive performance, so they should be scheduled at times when the system is not busy or in normal use. It is very important to avoid scheduling disk-intensive tests at the same time. For example, do not schedule S.M.A.R.T. tests to run at the same time, or preferably, even on the same days as Scrubs.
Of particular interest in a NAS environment are the Short and Long S.M.A.R.T. tests. Details vary between drive manufacturers, but a Short test generally does some basic tests of a drive that takes a few minutes. The Long test scans the entire disk surface, and can take several hours on larger drives.
FreeNAS® uses the smartd(8) service to monitor S.M.A.R.T. information. A complete configuration consists of:
- Scheduling when S.M.A.R.T. tests are run in .
- Enabling or disabling S.M.A.R.T. for each disk member of a volume in . This setting is enabled by default for disks that support S.M.A.R.T.
- Checking the configuration of the S.M.A.R.T. service as described in this section.
- Starting the S.M.A.R.T. service with .
Figure 11.12.1 shows the configuration screen that appears after clicking
smartd wakes up at the configured Check Interval. It checks the times configured in to see if a test must begin. Since the smallest time increment for a test is an hour, it does not make sense to set a Check Interval value higher than 60 minutes. For example, if the Check Interval is set to 120 minutes and the smart test to every hour, the test will only be run every two hours because smartd only activates every two hours.
Table 11.12.1 summarizes the options in the S.M.A.R.T configuration screen.
|Check interval||integer||Define in minutes how often smartd activates to check if any tests are configured to run.|
|Power mode||drop-down menu||Tests are not performed if the system enters the specified power mode: Never, Sleep, Standby, or Idle.|
|Difference||integer in degrees Celsius||Enter number of degrees in Celsius. S.M.A.R.T reports if the temperature of a drive has changed by N degrees Celsius since the last report. Default of 0 disables this option.|
|Informational||integer in degrees Celsius||Enter a threshold temperature in Celsius. S.M.A.R.T will message with a log level of LOG_INFO if the temperature is higher than specified degrees in Celsius. Default of 0 disables this option.|
|Critical||integer in degrees Celsius||Enter a threshold temperature in Celsius. S.M.A.R.T will message with a log level of LOG_CRIT and send an email if the temperature is higher than specified degrees in Celsius. Default of 0 disables this option.|
|Email to report||string||Email address to receive S.M.A.R.T. alerts. Use a space to separate multiple email addresses.|
The settings configured when creating SMB Shares inare specific to each configured SMB Share. In contrast, global settings which apply to all SMB shares are configured in .
After starting the SMB service, it can take several minutes for the master browser election to occur and for the FreeNAS® system to become available in Windows Explorer.
|NetBIOS Name||string||Automatically populated with the original hostname of the system. Limited to 15 characters. It must be different from the Workgroup name.|
|NetBIOS Alias||string||Enter an alias. Limited to 15 characters|
|Workgroup||string||Must match Windows workgroup name. This setting is ignored if the Active Directory or LDAP service is running.|
|Description||string||Enter an optional server description.|
|DOS charset||drop-down menu||The character set Samba uses when communicating with DOS and Windows 9x/ME clients. Default is CP437.|
|UNIX charset||drop-down menu||Default is UTF-8 which supports all characters in all languages.|
|Log level||drop-down menu||Choices are Minimum, Normal, or Debug.|
|Use syslog only||checkbox||Set to log authentication failures to
|Local Master||checkbox||Set to determine if the system will participate in a browser election. Disable when network contains an AD or LDAP server or Vista or Windows 7 machines are present.|
|Domain logons||checkbox||Set if it is necessary to provide the netlogin service for older Windows clients.|
|Time Server for Domain||checkbox||Determines if the system advertises itself as a time server to Windows clients. Disable when network contains an AD or LDAP server.|
|Guest Account||drop-down menu||Select the account to be used for guest access. Default is nobody. Account must have permission to access the shared volume/dataset. If Guest Account user is deleted, resets to nobody.|
|File mask||integer||Overrides default file creation mask of 0666 which creates files with read and write access for everybody.|
|Directory mask||integer||Overrides default directory creation mask of 0777 which grants directory read, write and execute access for everybody.|
|Allow Empty Password||checkbox||Set to allow users to press
|Auxiliary parameters||string||Add any
|Unix Extensions||checkbox||Set to allow non-Windows SMB clients to access symbolic links and hard links, has no effect on Windows clients.|
|Zeroconf share discovery||checkbox||Enable if Mac clients will be connecting to the SMB share.|
|Hostname lookups||checkbox||Set to allow using hostnames rather than IP addresses in the Hosts Allow or Hosts Deny fields of a SMB share. Unset if IP addresses are used to avoid the delay of a host lookup.|
|Allow execute always||checkbox||If set, Samba will allow the user to execute a file, even if that user’s permissions are not set to execute.|
|Obey pam restrictions||checkbox||Unset this option to allow cross-domain authentication, users and groups to be managed on another forest, and for permissions to be delegated from Active Directory users and groups to domain admins on another forest.|
|NTLMv1 auth||checkbox||Set to allow NTLMv1 authentication. Required by Windows XP clients and sometimes by clients in later versions of Windows.|
|Bind IP Addresses||checkboxes||Select the IP addresses SMB will listen on.|
|Idmap Range Low||integer||The beginning UID/GID for which this system is authoritative. Any UID/GID lower than this value is ignored, providing a way to avoid accidental UID/GID overlaps between local and remotely defined IDs.|
|Idmap Range High||integer||The ending UID/GID for which this system is authoritative. Any UID/GID higher than this value is ignored, providing a way to avoid accidental UID/GID overlaps between local and remotely defined IDs.|
Changes to SMB settings take effect immediately. Changes to share settings only take effect after the client and server negotiate a new session.
Do not set the directory name cache size as an Auxiliary parameter. Due to differences in how Linux and BSD handle file descriptors, directory name caching is disabled on BSD systems to improve performance.
11.13.1. Troubleshooting SMB¶
Do not connect to SMB shares as
root, and do not add the
root user in the SMB user database. There are security implications in
attempting to do so, and Samba 4 and later take measures to
prevent such actions. This can produce
FAILED with error NT_STATUS_WRONG_PASSWORD errors.
Samba is single threaded, so CPU speed makes a big difference in SMB performance. A typical 2.5Ghz Intel quad core or greater should be capable of handling speeds in excess of Gb LAN while low power CPUs such as Intel Atoms and AMD C-30sE-350E-450 will not be able to achieve more than about 30-40MB/sec typically. Remember that other loads such as ZFS will also require CPU resources and may cause Samba performance to be less than optimal.
Samba’s write cache parameter has been reported to improve write performance in some configurations and can be added to the Auxiliary parameters field. Use an integer value which is a multiple of _SC_PAGESIZE (typically 4096) to avoid memory fragmentation. This will increase Samba’s memory requirements and should not be used on systems with limited RAM.
Windows automatically caches file sharing information. If changes are made to an SMB share or to the permissions of a volume/dataset being shared by SMB and the share becomes inaccessible, try logging out and back in to the Windows system. Alternately, users can type net use /delete from the command line to clear their SMB sessions.
Windows also automatically caches login information. To require users to log in every time they access the system, reduce the cache settings on the client computers.
Where possible, avoid using a mix of case in filenames as this can cause confusion for Windows users. Representing and resolving filenames with Samba explains in more detail.
If a particular user cannot connect to a SMB share, ensure
their password does not contain the
? character. If it
does, have the user change the password and try again.
If permissions work for Windows users but not for macOS users, try disabling Unix Extensions and restarting the SMB service.
If the SMB service will not start, run this command from Shell to see if there is an error in the configuration:
If clients have problems connecting to the SMB share, go to Server maximum protocol is set to SMB2.and verify that
Using a dataset for SMB sharing is recommended. When creating the dataset, make sure that the Share type is set to Windows.
Do not use chmod to attempt to fix the permissions on a SMB share as it destroys the Windows ACLs. The correct way to manage permissions on a SMB share is to manage the share security from a Windows system as either the owner of the share or a member of the group that owns the share. To do so, right-click on the share, click Properties and navigate to the Security tab. If the ACLs are already destroyed by using chmod, winacl can be used to fix them. Type winacl from Shell for usage instructions.
The Common Errors section of the Samba documentation contains additional troubleshooting tips.
The Samba Performance Tuning page describes options to improve performance.
Directory listing speed in folders with a large number of files is sometimes a problem. A few specific changes can help improve the performance. However, changing these settings can affect other usage. In general, the defaults are adequate. Do not change these settings unless there is a specific need.
- Hostname Lookups and Log Level can also have a performance penalty. When not needed, they can be disabled or reduced in the global SMB service options.
- Make Samba datasets case insensitive by setting Case Sensitivity to Insensitive when creating them. This ZFS property is only available when creating a dataset. It cannot be changed on an existing dataset. To convert such datasets, back up the data, create a new case-insensitive dataset, create an SMB share on it, set the share level auxiliary parameter case sensitive = true, then copy the data from the old one onto it. After the data has been checked and verified on the new share, the old one can be deleted.
- If present, remove options for extended attributes and DOS attributes in Auxiliary Parameters.
- Disable as many VFS Objects as possible in the share settings. Many have performance overhead.
SNMP (Simple Network Management Protocol) is used to monitor network-attached devices for conditions that warrant administrative attention. FreeNAS® uses Net-SNMP to provide SNMP. When starting the SNMP service, this port will be enabled on the FreeNAS® system:
- UDP 161 (listens here for SNMP requests)
Available MIBS are located in
|Location||string||Optional description of the system location.|
|Contact||string||Optional. Enter the administrator email address.|
|SNMP v3 Support||checkbox||Set to enable support for SNMP version 3.|
|Community||string||Default is public. Change this for security reasons! The value can only contain alphanumeric characters, underscores, dashes, periods, and spaces. This value can be empty for SNMPv3 networks.|
|Username||string||Only applies if SNMP v3 Support is set. Specify the username to register with this service. Refer to snmpd.conf(5) for more information about configuring this and the Authentication Type, Password, Privacy Protocol, and Privacy Passphrase fields.|
|Authentication Type||drop-down menu||Only applies if SNMP v3 Support is enabled. Choices are MD5 or SHA.|
|Password||string||Only applies if SNMP v3 Support is enabled. Specify and confirm a password of at least eight characters.|
|Privacy Protocol||drop-down menu||Only applies if SNMP v3 Support is enabled. Choices are AES or DES.|
|Privacy Passphrase||string||If not specified, Password is used.|
|Log Level||drop-down menu||Choices range from fewest log entries (Emergency) to the most (Debug).|
|Auxiliary Parameters||string||Enter additional snmpd.conf(5) options not covered in this screen, one option per line.|
Secure Shell (SSH) is used to transfer files securely over an encrypted network. When a FreeNAS® system is used as an SSH server, the users in the network must use SSH client software to transfer files with SSH.
This section shows the FreeNAS® SSH configuration options, demonstrates an example configuration that restricts users to their home directory, and provides some troubleshooting tips.
Figure 11.15.1 shows the configuration screen. After configuring SSH, remember to start it in .
Table 11.15.1 summarizes the configuration options. Some settings are only available in Advanced Mode. To see these settings, either click the Advanced Mode button, or configure the system to always display these settings by enabling the Show advanced fields by default option in .
|Bind Interfaces||selection||✓||By default, SSH listens on all interfaces unless specific interfaces are highlighted in the Available field and added to the Selected field.|
|TCP Port||integer||Port to open for SSH connection requests. 22 by default.|
|Login as Root with password||checkbox||As a security precaution, root logins are discouraged and disabled by default. If enabled, a password must be set for the root user in View Users.|
|Allow Password Authentication||checkbox||Unset to require key-based authentication for all users. Requires additional setup on both the SSH client and server.|
|Allow Kerberos Authentication||checkbox||✓||Before setting this option, ensure Kerberos Realms and Kerberos Keytabs are configured and FreeNAS® can communicate with the Kerberos Domain Controller (KDC).|
|Allow TCP Port Forwarding||checkbox||Set to allow users to bypass firewall restrictions using the SSH port forwarding feature.|
|Compress Connections||checkbox||Set to attempt to reduce latency over slow networks.|
|SFTP Log Level||drop-down menu||✓||Select the syslog(3) level of the SFTP server.|
|SFTP Log Facility||drop-down menu||✓||Select the syslog(3) facility of the SFTP server.|
|Extra Options||string||✓||Add any additional sshd_config(5) options not covered in this screen, one per line. These options are case-sensitive and misspellings can prevent the SSH service from starting.|
A few sshd_config(5) options that are useful to enter in the Extra Options field include:
- increase the ClientAliveInterval if SSH connections tend to drop
- ClientMaxStartup defaults to 10. Increase this value if more concurrent SSH connections are required.
11.15.1. SCP Only¶
When SSH is configured, authenticated users with a user account created using Home Directory field of the FreeNAS® account for that user. While the SSH login defaults to the user home directory, users are able to navigate outside their home directory, which can pose a security risk.can use ssh to log into the FreeNAS® system over the network. The user home directory is the pool or dataset specified in the
It is possible to allow users to use scp and sftp to transfer files between their local computer and their home directory on the FreeNAS® system, while restricting them from logging into the system using ssh. To configure this scenario, go to Modify User. Change the Shell to scponly. Repeat for each user that needs restricted SSH access., select the user, and click
Test the configuration from another system by running the sftp, ssh, and scp commands as the user. sftp and scp will work but ssh will fail.
Some utilities like WinSCP and Filezilla can bypass the scponly shell. This section assumes that users are accessing the system using the command line versions of scp and sftp.
11.15.2. Troubleshooting SSH¶
Keywords listed in sshd_config(5) are case sensitive. This is important to remember when adding any Extra options. The configuration will not function as intended if the upper and lowercase letters of the keyword are not an exact match.
If clients are receiving “reverse DNS” or timeout errors, add an entry for the IP address of the FreeNAS® system in the Host name database field of .
When configuring SSH, always test the configuration as an SSH user account to ensure the user is limited by the configuration and they have permission to transfer files within the intended directories. If the user account is experiencing problems, the SSH error messages are specific in describing the problem. Type this command within Shell to read these messages as they occur:
tail -f /var/log/messages
Additional messages regarding authentication errors are found in
Trivial File Transfer Protocol (TFTP) is a light-weight version of FTP typically used to transfer configuration or boot files between machines, such as routers, in a local environment. TFTP provides an extremely limited set of commands and provides no authentication.
If the FreeNAS® system will be used to store images and configuration files for network devices, configure and start the TFTP service. Starting the TFTP service opens UDP port 69.
|Directory||browse button||Browse to an existing directory to be used for storage. Some devices require a specific directory name, refer to the device documentation for details.|
|Allow New Files||checkbox||Enable if network devices need to send files to the system (for example, to back up their configuration).|
|Port||integer||Enter the UDP port to listen for TFTP requests. Default is 69.|
|Username||drop-down menu||Select the account to be used for TFTP requests. The account must have permission to the Directory.|
|File Permissions||checkboxes||Set permissions for newly created files. The default is everyone can read and only the owner can write. Some devices require less strict permissions.|
|Extra options||string||Add any additional tftpd(8) options not shown in this screen, one option per line.|
FreeNAS® uses NUT (Network UPS Tools) to provide UPS support. If the FreeNAS® system is connected to a UPS device, configure the UPS service then start it in .
Figure 11.17.1 shows the UPS configuration screen:
Table 11.17.1 summarizes the options in the UPS Configuration screen.
|UPS Mode||drop-down menu||Select Master if the UPS is plugged directly into the system serial port. The UPS will remain the last item to shut down. Select Slave to have the system shut down before Master.|
|Identifier||string||Describe the UPS device. Can contain alphanumeric, period, comma, hyphen, and underscore characters.|
|Driver||drop-down menu||Supported UPS devices are listed at http://networkupstools.org/stable-hcl.html.|
|Port||drop-down menu||Select the serial or USB port the UPS is plugged into (see NOTE).|
|Auxiliary Parameters (ups.conf)||string||Enter any additional options from ups.conf(5).|
|Auxiliary Parameters (upsd.conf)||string||Enter any additional options from upsd.conf(5).|
|Description||string||Optional. Enter any notes about the UPS service.|
|Shutdown mode||drop-down menu||Choose when the UPS initiates shutdown. Choices are UPS goes on battery and UPS reaches low battery.|
|Shutdown timer||integer||Select a value in seconds for the UPS to wait before initiating shutdown. Shutdown will not occur if the power is restored while the timer is counting down. The value only applies when Shutdown Mode is set to UPS goes on battery.|
|Shutdown Command||string||Enter the command to run to shut down the computer when battery power is low or shutdown timer runs out.|
|No Communication Warning Time||string||Enter a value in seconds to wait before alerting that the service cannot reach any UPS. Warnings continue until the situation is fixed.|
|Monitor User||string||Enter a user to associate with this service. Default is upsmon.|
|Monitor Password||string||Default is the known value fixmepass. Change this to enhance system security. Cannot contain a
|Extra users||string||Enter the accounts with administrative access. See upsd.users(5) for examples.|
|Remote monitor||checkbox||If set, be aware the default is to listen on all interfaces and use the known values user upsmon and password fixmepass.|
|Send Email Status Updates||checkbox||Set to enable the system to send email updates to the configured To email address.|
|To email||email address||Enter the email address to receive status updates.
Separate multiple email addresses with a semicolon (
|Email Subject||string||Enter a subject line to be used in email status updates.|
|Power Off UPS||checkbox||Set to power off the UPS after shutting down the FreeNAS system.|
For USB devices, the easiest way to determine the correct device name is to enable the Show console messages option in . Plug in the USB device and look for a /dev/ugen or /dev/uhid device name in the console messages.
The upsc(8) man page gives some other usage examples.
upscmd(8) can be used to send commands directly to the UPS, assuming the hardware supports the command being sent. Only users with administrative rights can use this command. These users are created in the Extra users field.
11.17.1. Multiple Computers with One UPS¶
A UPS with adequate capacity can power multiple computers. One computer is connected to the UPS data port with a serial or USB cable. This master makes UPS status available on the network for other computers. These slave computers are powered by the UPS, but receive UPS status data from the master computer. See the NUT User Manual and NUT User Manual Pages.
The WebDAV service can be configured to provide a file browser over a web connection. Before starting this service, at least one WebDAV share must be created using WebDAV Shares for instructions on how to create a share and connect to it when the service is configured and started.. Refer to
|Protocol||drop-down menu||HTTP* keeps the connection always unencrypted. HTTPS always encrypts the connection. HTTP+HTTPS allows both types of connections.|
|HTTP Port||string||Specify a port for unencrypted connections. Only appears if the selected Protocol is HTTP or HTTP+HTTPS. The default of 8080 is recommended. Do not use a port number already being used by another service.|
|HTTPS Port||string||Specify a port for encrypted connections. Only appears if the selected Protocol is HTTPS or HTTP+HTTPS. The default of 8081 is recommended. Do not reuse a port number.|
|Webdav SSL Certificate||drop-down menu||Select the SSL certificate to use for encrypted connections. Only appears if the selected Protocol is HTTPS or HTTP+HTTPS. To create a certificate, use .|
|HTTP Authentication||drop-down menu||Choices are No Authentication, Basic Authentication (unencrypted), or Digest Authentication (encrypted).|
|Webdav Password||string||Default is davtest. This is a known value and is recommended to be changed.|