TrueNAS Scale & the Myth of Access-Based Enumeration


Let's imagine a world...

...where I had a Windows file share called Share with several hundred folders in it, each of which should only be accessible to one security group.

To a new staff member just trying to find the files shared with their building, this could be pretty daunting to look at.

What if instead, when they clicked on their V:\ drive (which we've mapped to the share using group policy), they could only see the folders that are actually relevant to them? For someone working in the Technology office, that might look more like this:

Six folders is better than six-hundred, arguably.

Those of you who have ever dealt with on-site SMB/CIFS shares for your Windows users are also likely familiar with the term Access-Based Enumeration.

On Windows Server this setting can be found under Server Manager > File & Storage Services, in the properties of the share.

When this setting is enabled on a Windows share, any files or folders the user does not have at least read access to are hidden from directory listings entirely. (Hiding is a convenience, not a control: the ACL is still what denies access, and the server has to evaluate it for every entry it lists, so very large folders list a little slower.) Since you are no doubt, much like myself, on a warpath to migrate as many things as is logically feasible to free open-source alternatives, you'll be delighted to know that the incredible TrueNAS Scale has this setting built in as well!

This can be found under Shares > SMB > Edit > Advanced Options, as the checkbox labelled Access Based Share Enumeration. (Note the word Share in that label; it matters.)

You will be disappointed to know that it does not work the same way, but there is a reason for that. That checkbox maps to Samba's access based share enum parameter, and access based share enumeration does not operate on filesystem permissions, only on share permissions. Since share permissions can only be set at the share level (and not separately on subfolders), what this means is that the setting changes which shares you can see when you browse directly to the root of the server...

...but does NOT change which folders you can see inside those shares. Couple this with the fact that most of the time, to avoid the headache of maintaining two overlapping sets of permissions (and users who can't traverse into folders they should be able to reach), the share permissions are set to give Everyone full control...

...and then filesystem permissions are set to lock things down properly...

...so even with access-based share enumeration enabled, every share is still visible to everyone, and nothing inside them is hidden.

So what exactly is going on? What is Windows doing?

Well, Samba has a second, seldom spoken of parameter called "hide unreadable". Windows ABE hides the files and folders inside a share that the user cannot read; in Samba, that behaviour is a separate parameter from access based share enum, and hide unreadable is the one that actually does the work here.

So how do I enable "hide unreadable" in TrueNAS?

That is the million-dollar question isn't it? It is possible, but it is, to be blunt, far more complicated than it needs to be.

Here I've created a mockup of what it should look like, in a world where the United States uses the metric system, daylight savings time is abolished, and circumcision is illegal:

This is not a real setting. Don't @ me.

Unfortunately that world does not exist. In another-other world, you could simply scroll down to the Additional Parameters String section, and add the hide unreadable option there, since that's literally what it is for.

That is a world that did exist, until quite recently, when iXsystems/TrueNAS support & devs were so fed up with people breaking their own shares and whining about it that they blocked the use of the field entirely, but left it in the UI, disabled, presumably to spite us. (Actually it's because parameters added before the change will stick around for compatibility reasons.)

I am not a fan of mandatory training wheels like this

...especially considering the setting is (was) already buried within the advanced options section. It makes far more sense to me to place a universal setting to enable the additional parameters field buried somewhere in system settings with a strongly worded warning about how fire is hot and sharp things are sharp.

Another, indisputably better option that requires very little development effort would be to remove the Additional Parameters field entirely and replace it with checkboxes & input fields for the half-dozen-or-so very-commonly-used-but-not-common-enough-for-the-regular-UI SMB parameters... like hide unreadable.

Anyway, back in the world we (unfortunately) live in, the dev-gods have graciously permitted us a path to enabling this option, albeit a convoluted one.

First, go to System > Shell (or SSH into your TrueNAS machine).

Run the command cli to get into the TrueNAS CLI.

Run the command sharing smb query to get a list of your SMB shares. If you happen to have an absurdly large browser window you might get a readable table:

Otherwise you will get this barely legible pile of garbage:

Anyhow, the first field in each row is the ID number of a share. Figure out which share you'd like to enable Access-Based... er... I mean "hide unreadable" on, then run the command sharing smb update 16 (or whatever the ID# is).

This will open a nano-like editor in the terminal. Scroll all the way to the bottom, hit tab to indent (so the line is within the sharingsmb_update: section) and add a line that says:

auxsmbconf: 'hide unreadable = yes'

If the share already has an auxsmbconf line, add the parameter to that existing value (the field is a single string of newline-separated smb.conf parameters) rather than adding a second auxsmbconf key, which would override or conflict with the first.

Press F2, then Enter to Save:

Then Press F10 to quit.

Back in the terminal, there should be no new output at all. As the unofficial Unix philosophy goes, no output is good output... or something like that.

I didn't need to restart the SMB service for this to apply (TrueNAS regenerates the Samba config on update, and smbd checks the config for changes on each new connection and periodically, so new sessions pick it up on their own; already-connected clients see the change once they reconnect). But just in case I am the odd one out, that can be accomplished by clicking System > Services:

...then toggling SMB off and back on:
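If you would rather script this than drive the editor by hand (say, for the several hundred folders' worth of shares this post opened with), here is an added example that is not from the original post and not iXsystems' code: a Python script that talks to the TrueNAS middleware with midclt, merges hide unreadable = yes into whatever auxiliary parameters the share already carries instead of overwriting them (the auxsmbconf field is one string, and sharing.smb.update replaces the whole string), and then asks testparm what Samba actually loaded for both hide unreadable and access based share enum. Assumptions: midclt and testparm are on PATH as they are in a TrueNAS SCALE shell, testparm reads the config TrueNAS generated (/etc/smb4.conf on SCALE; pass the path explicitly if yours differs), the share's smb.conf section name is its name field, and the default share ID of 16 is the placeholder from the post.

```python
"""
Added example (not from the post or from iXsystems): enable `hide unreadable`
on a TrueNAS SCALE SMB share via the middleware instead of the `cli` editor.

Assumptions: `midclt` and `testparm` are on PATH (they are in a TrueNAS SCALE
shell); the share's smb.conf section name is its `name` field; the default
share ID (16) is the placeholder from the post.
"""
import json
import subprocess
import sys
from typing import Optional


def _canon(key: str) -> str:
    # Samba matches parameter names ignoring case and whitespace, so
    # "Hide Unreadable" and "hideunreadable" are the same key.
    return "".join(key.split()).lower()


def merge_aux_param(existing: str, name: str, value: str) -> str:
    """Return the auxsmbconf string with `name = value` set exactly once.

    auxsmbconf is one string of newline-separated smb.conf lines, and
    sharing.smb.update replaces the whole string, so anything already there
    (veto files, etc.) must be carried over rather than clobbered. A later
    duplicate would silently win in Samba, so duplicates are dropped too.
    """
    kept, replaced = [], False
    for line in existing.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in ";#":      # keep blanks and comments
            kept.append(line)
            continue
        key, sep, _ = stripped.partition("=")
        if sep and _canon(key) == _canon(name):
            if not replaced:
                kept.append(f"{name} = {value}")     # replace in place
                replaced = True
            continue                                 # drop further duplicates
        kept.append(line)
    if not replaced:
        kept.append(f"{name} = {value}")
    return "\n".join(kept)


def midclt(method: str, *args):
    """Run `midclt call <method> <json args...>` and parse the JSON reply."""
    cmd = ["midclt", "call", method, *(json.dumps(a) for a in args)]
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    return json.loads(out)


def enable_hide_unreadable(share_id: int) -> str:
    """Set `hide unreadable = yes` on one share; returns the share name."""
    rows = midclt("sharing.smb.query", [["id", "=", share_id]])
    if not rows:
        raise SystemExit(f"no SMB share with id {share_id}")
    share = rows[0]
    new_aux = merge_aux_param(share.get("auxsmbconf") or "", "hide unreadable", "yes")
    midclt("sharing.smb.update", share_id, {"auxsmbconf": new_aux})
    return share["name"]


def effective_value(section: str, param: str, conf: Optional[str] = None) -> str:
    """Ask Samba what it really loaded for `param` in share `section`.

    testparm reads its compiled-in config path by default; on SCALE that is
    the generated /etc/smb4.conf (assumption: pass `conf` if yours differs).
    """
    cmd = ["testparm", "-s", f"--section-name={section}", f"--parameter-name={param}"]
    if conf:
        cmd.append(conf)
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout.strip()


if __name__ == "__main__":
    sid = int(sys.argv[1]) if len(sys.argv) > 1 else 16
    name = enable_hide_unreadable(sid)
    for p in ("hide unreadable", "access based share enum"):
        print(f"[{name}] {p} = {effective_value(name, p)}")
```

Run it as root from the TrueNAS shell, e.g. python3 hide_unreadable.py 16. The two testparm lines at the end should print Yes for hide unreadable and, unless you ticked the checkbox, No for access based share enum, which is the whole point of this post in two lines. The merge step is what the interactive editor makes you do by eye: it keeps any veto files or other parameters already on the share and replaces an existing hide unreadable line (in any capitalisation or spacing Samba would accept) rather than appending a second copy.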

It was an odd journey for me

...piecing all of this together, but I managed to do it, and I managed to limit myself to just a handful of oddly acute sociopolitical jabs. I hope you've learned something.