Windows (CIFS) Shares
FreeNAS® uses Samba to share volumes using Microsoft's CIFS protocol. CIFS is built into the Windows and Mac OS X operating systems and most Linux and BSD systems pre-install the Samba client which provides support for CIFS. If your distro did not, install the Samba client using your distro's software repository.
Configuring CIFS shares is a multi-step process that requires you to set permissions, create CIFS share(s), configure the CIFS service, then enable the CIFS service in Services → Control Services. If your Windows network has a Windows server running Active Directory, you will also need to configure the Active Directory service. Depending upon your authentication requirements, you may need to create or import users and groups.
This section will demonstrate some common configuration scenarios:
- If you would like an overview of the configurable parameters, see Creating CIFS Shares.
- If you would like an example of how to configure access that does not require authentication, see Configuring Anonymous Access.
- If you would like each user to authenticate before accessing the share, see Configuring Local User Access.
- If you would like to use Shadow Copies, see Configuring Shadow Copies.
Figure 7.3a shows the configuration screen that appears when you click Sharing → Windows (CIFS) Shares → Add Windows (CIFS) Share. Some settings are only available in Advanced Mode. To see these settings, either click the Advanced Mode button or configure the system to always display these settings by checking the box “Show advanced fields by default” in System → Settings → Advanced.
Table 7.3a summarizes the options when creating a CIFS share. smb.conf(5) provides more details for each configurable option.
Once you press the OK button when creating the CIFS share, a pop-up menu will ask "Would you like to enable this service?" Click Yes and Services → Control Services will open and indicate whether or not the CIFS service successfully started.
Figure 7.3a: Adding a CIFS Share
Table 7.3a: Options for a CIFS Share
|Name||string||mandatory; name of share|
|Path||browse button||select volume/dataset/directory to share|
|Export Read Only||checkbox||prohibits write access to the share|
|Browsable to Network Clients||checkbox||enables Windows clients to browse the shared directory using Windows Explorer|
|Inherit Owner||checkbox||if checked, ownership for new files and directories is inherited from parent directory rather than from the user|
|Inherit Permissions||checkbox||if checked, permissions on new files and directories are inherited from parent directory; this can be useful on large systems with many users as it allows a single homes share to be used flexibly by each user; do not check if Type of ACL is set to Windows in the Volume's permissions|
|Export Recycle Bin||checkbox||deleted files are instead moved to a hidden .recycle directory in the root folder of the share|
|Show Hidden Files||checkbox||if enabled, will display filenames that begin with a dot (Unix hidden files)|
|Allow Guest Access||checkbox||if checked, no password is required to connect to the share and all users share the permissions of the guest user defined in Services → CIFS|
|Only Allow Guest Access||checkbox||requires Allow guest access to also be checked; when checked, forces guest access for all connections|
|Hosts Allow||string||only available in Advanced Mode; comma, space, or tab delimited list of allowed hostnames or IP addresses; see NOTE below|
|Hosts Deny||string||only available in Advanced Mode; comma, space, or tab delimited list of denied hostnames or IP addresses; allowed hosts take precedence so can use ALL in this field and specify allowed hosts in Hosts Allow; see NOTE below|
|Auxiliary Parameters||string||only available in Advanced Mode; add additional [share] smb.conf parameters not covered by other option fields|
NOTE: hostname lookups add some time to accessing the CIFS share. If you only use IP addresses, uncheck the "Hostnames lookups" box in Services → CIFS.
If you wish some files on a shared volume to be hidden and inaccessible to users, put a veto files= line in the Auxiliary Parameters field. The syntax for this line and some examples can be found here.
Configuring Anonymous Access
To share a volume without requiring users to input a password, configure anonymous CIFS sharing. This type of share can be configured as follows:
1. Create a guest user account to be used for anonymous access in Account → Users → Add User with the following attributes:
- Username: guest
- Home Directory: browse to the volume to be shared
- check the Disable logins box
2. Associate the guest account with the volume to be shared in Storage → Volumes. Expand the volume's name then click Change Permissions. Select guest as the Owner(user) and Owner(group) and check that the permissions are appropriate for the share. If non-Windows systems will be accessing the CIFS share, leave the type of permissions as Unix. Only change the type of permissions to Windows if the share is only accessed by Windows systems.
3. Create a CIFS share in Sharing → Windows (CIFS) Shares → Add Windows (CIFS) Share with the following attributes:
- Name: freenas
- Path: browse to the volume to be shared
- check the boxes Allow Guest Access and Only Allow Guest Access
- Hosts Allow: add the addresses which are allowed to connect to the share; acceptable formats are the network or subnet address with CIDR mask (e.g. 192.168.2.0/24 or 192.168.2.32/27) or specific host IP addresses, one address per line
4. Configure the CIFS service in Services → CIFS with the following attributes:
- Authentication Model: Anonymous
- Guest Account: guest
- check the boxes boxes Allow Empty Password and Enable Home Directories
- Home Directories: browse to the volume to be shared
5. Start the CIFS service in Services → Control Services. Click the click the red OFF button next to CIFS. After a second or so, it will change to a blue ON, indicating that the service has been enabled.
6. Test the share.
To test the share from a Windows system, open Explorer, click on Network and you should see an icon named FREENAS. Since anonymous access has been configured, you should not be prompted for a username or password in order to see the share. An example is seen in Figure 7.3b:
Figure 7.3b: Accessing the CIFS Share from a Windows Computer
If you click on the FREENAS icon, you can view the contents of the CIFS share.
To prevent Windows Explorer from hanging when accessing the share, map the share as a network drive. To do this, right-click the share and select "Map network drive..." as seen in Figure 7.3c:
Figure 7.3c: Mapping the Share as a Network Drive
Choose a drive letter from the drop-down menu and click the Finish button as shown in Figure 7.3d:
Figure 7.3d: Selecting the Network Drive Letter
Configuring Local User Access
If you would like each user to authenticate before accessing the CIFS share, configure local user access as follows:
1. If you are not using Active Directory or LDAP, create a user account for each user in Account → Users → Add User with the following attributes:
- Username and Password: matches the username and password on the client system
- Home Directory: browse to the volume to be shared
- Repeat this process to create a user account for every user that will need access to the CIFS share
2. If you are not using Active Directory or LDAP, create a group in Account → Groups → Add Group. Once the group is created, click its Members button and add the user accounts that you created in step 1.
3. Give the group permission to the volume in Storage → View Volumes. When setting the permissions:
- set Owner(user) to nobody
- set the Owner(group) to the one you created in Step 2
- Mode: check the write checkbox for the Group as it is unchecked by default
4. Create a CIFS share in Sharing → CIFS Shares → Add CIFS Share with the following attributes:
- Name: input the name of the share
- Path: browse to the volume to be shared
- keep the Browsable to Network Clients box checked
NOTE: be careful about unchecking the Browsable to Network Clients box. When this box is checked (the default), other users will see the names of every share that exists using Windows Explorer, but they will receive a permissions denied error message if they try to access someone else's share. If this box is unchecked, even the owner of the share won't see it or be able to create a drive mapping for the share in Windows Explorer. However, they can still access the share from the command line. Unchecking this option provides limited security and is not a substitute for proper permissions and password control.
5. Configure the CIFS service in Services → CIFS as follows:
- Authentication Model: if you are not using Active Directory or LDAP, select Local User
- Workgroup: if you are not using Active Directory or LDAP, set to the name being used on the Windows network; unless it has been changed, the default Windows workgroup name is WORKGROUP
6. Start the CIFS service in Services → Control Services. Click the click the red OFF button next to CIFS. After a second or so, it will change to a blue ON, indicating that the service has been enabled.
7. Test the share.
To test the share from a Windows system, open Explorer and click on Network. For this configuration example, a system named FREENAS should appear with a share named backups. If you click on backups, a Windows Security pop-up screen should prompt for the user's username and password. Once authenticated, the user can copy data to and from the CIFS share.
NOTE: since the share is group writable, any authenticated user can change the data in the share. If you wish to setup shares where a group of users have access to some folders but only individuals have access to other folders (where all these folders reside on the same volume), create these directories and set their permissions using Shell. Instructions for doing so can be found at the forum post Set Permission to allow users to share a common folder & have private personal folder.
Configuring Shadow Copies
Shadow Copies, also known as the Volume Shadow Copy Service (VSS) or Previous Versions, is a Microsoft service for creating volume snapshots. Shadow copies allow users to easily restore previous versions of files from within Windows Explorer. Shadow Copy support is built into Vista and Windows 7. Windows XP or 2000 users need to install the Shadow Copy client.
When you create a periodic snapshot task on a ZFS volume that is configured as a CIFS share in FreeNAS®, it is automatically configured to support shadow copies.
Before using shadow copies with FreeNAS®, be aware of the following caveats:
- if the Windows system is not fully patched to the latest service pack, Shadow Copies may not work. If you are unable to see any previous versions of files to restore, use Windows Update to make sure that the system is fully up-to-date.
- at this time, shadow copy support only works for ZFS pools or datasets. This means that the CIFS share must be configured on a volume or dataset, not on a directory. Directory support will be added in a future version of FreeNAS®.
- at this time, there must be a one-to-one mapping between the periodic snapshot task and the CIFS share. In practical terms, this means that you can either share a ZFS volume to be shared by all users, or you can create a dataset plus an associated CIFS share for each user. Since directories can not be shadow copied at this time, if you configure "Enable home directories" on the CIFS service, any data stored in the user's home directory will not be shadow copied.
- shadow copies will not work with a manual snapshot, you must create a periodic snapshot task for the pool or dataset being shared by CIFS. At this time, if multiple snapshot tasks are created for the same pool/dataset being shared by CIFS, shadow copies will only work on the last executed task at the time the CIFS service started. A future version of FreeNAS® will address this limitation.
- the periodic snapshot task should be created and at least one snapshot should exist before creating the CIFS share. If you created the CIFS share first, restart the CIFS service in Services → Control Services.
- Windows ACLs and appropriate permissions must be configured on the volume/dataset being shared by CIFS.
- users can not delete shadow copies from their Windows systems due to the way that Samba works. Instead, the administrator can remove snapshots from the FreeNAS® administrative GUI. The only way to disable shadow copies completely is to remove the periodic snapshot task and delete all snapshots associated with the CIFS share.
In this example, a Windows 7 computer has two users: user1 and user2. To configure FreeNAS® to provide shadow copy support:
1. For the ZFS volume named /mnt/data, create two ZFS datasets in Storage → Volumes → /mnt/data → Create ZFS Dataset. The first dataset is named /mnt/data/user1 and the second dataset is named /mnt/data/user2.
2. If you are not using Active Directory or LDAP, create two users, user1 and user2 in Account → Users → Add User. Each user has the following attributes:
- Username and Password: matches that user's username and password on the Windows system
- Home Directory: browse to the dataset created for that user
3. Set the permissions on /mnt/data/user1 so that the Owner(user) and Owner(group) is user1. Set the permissions on /mnt/data/user2 so that the Owner(user) and Owner(group) is user2. For each dataset's permissions, enable Windows ACLs and tighten the Mode so that Other can not read or execute the information on the dataset.
4. Create two periodic snapshot tasks in Storage → Periodic Snapshot Tasks → Add Periodic Snapshot, one for each dataset. Before continuing to the next step, confirm that at least one snapshot for each dataset is displayed in the ZFS Snapshots tab. When creating your snapshots, keep in mind how often your users need to access modified files and during which days and time of day they are likely to make changes.
5. Create two CIFS shares in Sharing → Windows (CIFS) Shares → Add Windows (CIFS) Share. The first CIFS share is named user1 and has a Path of /mnt/data/user1; the second CIFS whare is named user2 and has a Path of /mnt/data/user2. When creating the first share, click the No button when the pop-up button asks if the CIFS service should be started. When the last share is created, click the Yes button when the pop-up button prompts to start the CIFS service. Verify that the CIFS service is set to ON in Services → Control Services.
6. From the Windows system, login as user1 and open Windows Explorer → Network → FREENAS. Two shares should appear, named user1 and user2. Due to the permissions on the datasets, user1 should receive an error if they click on the user2 share. Due to the permissions on the datasets, user1 should be able to create, add, and delete files and folders from the user1 share.
Figure 7.3e provides an example of using shadow copies while logged in as user1. In this example, the user right-clicked modified file and selected "Restore previous versions" from the menu. This particular file has three versions: the current version displayed in Explorer, plus two previous versions stored on the FreeNAS® system. The user can choose to open one of the previous versions, copy a previous version to the current folder, or restore one of the previous versions, which will overwrite the existing file stored on the Windows system.
Figure 7.3e: Viewing Previous Versions within Explorer