I’d like to be able to SSH into my NAS using key-based authentication. For that to work, I need to be able to upload a public SSH key for my admin user(s).
But … I’m not sure who should own that dataset or how to configure it. It’s a home folder dataset, but from reading the latest TrueNAS SCALE docs, the SMB Home Share feature has been deprecated and is no longer recommended for new setups. I’m also not sure what presets to use. See: Setting Up SMB Home Shares | TrueNAS Documentation Hub
SMB Home Shares are a legacy feature for organizations looking to maintain existing SMB configurations. They are not recommended for new deployments.
Future TrueNAS SCALE releases can introduce instability or require configuration changes affecting this legacy feature.
I had planned to make a single parent HomeFolders dataset using the SMB Home Share preset, with child datasets for each user that actually has a home folder on the server, but without the SMB Home Folder feature, I have no idea how to set that up.
The easy solution would be to make however many top-level datasets I need (e.g., AdminHome, BobHome, etc.), but that feels so disorganized and clumsy.
The “SMB Home Shares” feature was the (now deprecated) share preset the old docs told us to use for setting up a Home Folder share. I’m not really sure why SMB had anything to do with this; TrueNAS must have agreed that it wasn’t the way to go, as they’ve now deprecated that feature (apparently it’s going to be removed from SAMBA?) and told people not to use it.
However, they didn’t tell people what to do instead.
Right now, the only users that have home folders are admin and root, which live on the boot mirror. I’m pretty sure I’m not allowed to put user home folders there, so I was going to create a top level dataset called “UserHomes” or something similar, and do child datasets underneath it for each user that needs a home directory, and that it can access via SSH.
I’m not sure how to set up the ownership/permissions on those at all, as TrueNAS deprecated the old way but hasn’t provided a new tutorial yet.
Mostly, I just wanted to add a system administrator and a sharing administrator user so I could stop using the default “admin” for everything–and I didn’t want to set up SSH using the default “admin” user both because it didn’t seem like a good idea for security reasons and also because I don’t want to tamper with the admin user at all (e.g., by uploading a public SSH key).
So, two users with barely any data stored in them.
Creating your own dataset out in the “normal” part probably makes sense. If there’s already a /home on the root dataset, what you can do is:
zfs create path/to/my/datasets/home ;
zfs set canmount=off path/to/my/datasets/home ;
zfs set mountpoint=/home path/to/my/datasets/home
Now, you zfs create path/to/my/datasets/home/bob and chown bob /home/bob and it will work like gangbusters, with /home/bob automatically mounted in the right place despite /home itself being on the root filesystem, and you not being able to put stuff inside it without much sturm und angst.
I’ll try this if I can’t get someone over on the TrueNAS forum to tell me how it’s supposed to work in TrueNAS.
Based on the big flashing warning every time you open a terminal, you’re not supposed to have to go into the shell to manipulate ZFS directly like this.
Hello, welcome to TrueNAS, please do not the terminal because it is very dangerous and you could mess this complex system that you don’t understand up and also you can do everything you need to without ever leaving the interface.
(Also, that part of the interface is buggy af, so uh… open the terminal… but, you know, don’t tell anybody we told you to, and also you might break your shit so be careful)
If you add a local user in TrueNAS, it will make a home folder for them.
There is a ‘checkbox’ - Credentials → Local Users → Add
Scroll down to just above the blue ‘save’ button; there’s a ‘create home directory’ checkbox, and an area above that where you pick where it will be.
If you aren’t using an external auth source (like Active Directory, or Kerberos etc) then just make the users on TrueNAS and assign a home folder as you go.
You could upload the keys at the same time I think - I haven’t used that option but it’s there.
My issue is trying to figure out where to put the home directory. I have to give it a location in the file system (on a Dataset). My intuition says that the cleanest way to do this should be a parent HomeDirectories dataset with child datasets that are the actual user home directories.
But I’m flailing on how to set up dataset owner/group/permissions to get this to work, aside from using the generic dataset preset since I want to use these directories with Linux/SSH.
I did try to just click the checkbox without specifying a location in the file system.
It created the user with a home directory in /var/empty/, which I’m pretty sure doesn’t actually exist, and isn’t where I want to store a user, in any case.
OK - and again I feel like I’m missing what you are saying, but
Why not create a Home dataset, mark it root:root 0700 like a typical Debian system?
Then create the user and assign them a ~ in the Home data set, permissions 700, again like a typical Debian system.
Upload the key somewhere on the filesystem.
Sign in as the user, ssh localhost to create the folder structure, then sudo cp path/to/key ~/.ssh/authorized_keys and chmod 600 authorized_keys
If you’re trying to get that one key automatically set up for every user that is ever created, then you’re mucking with /etc/skel or some kinda fancy service I guess.
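The permission side of the steps above, as an added example that is not part of any post in this thread: a POSIX shell helper that installs a public key with the 700/600 modes and checks the ownership and write bits that sshd's StrictModes looks at. The function names, the temporary directory and the sample key are constructed for illustration; GNU coreutils is assumed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GNU coreutils (stat -c), as on
# Debian-based TrueNAS SCALE. The directory and key below are constructed.

# install_pubkey HOME PUBKEY_FILE
# Adds the key to HOME/.ssh/authorized_keys once, with the 700/600 modes
# mentioned in the thread. Run it as the account that owns HOME.
install_pubkey() {
    home=$1 pub=$2
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh" || return 1
    auth="$home/.ssh/authorized_keys"
    touch "$auth" && chmod 600 "$auth" || return 1
    # -x whole line, -F fixed string, -f patterns from file: skip if present
    grep -qxFf "$pub" "$auth" || cat "$pub" >> "$auth"
}

# check_ssh_perms HOME UID
# With StrictModes (the sshd default), key login is refused when the home
# directory, ~/.ssh or authorized_keys is writable by group/others or is
# owned by someone other than the user or root. Prints each problem found
# and returns 1 if there is any, 0 otherwise.
check_ssh_perms() {
    home=$1 uid=$2 bad=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        [ -e "$p" ] || { echo "missing: $p"; bad=1; continue; }
        mode=$(stat -c %a "$p")
        owner=$(stat -c %u "$p")
        # 022 octal = write bit for group and for others
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "group/other writable ($mode): $p"; bad=1
        fi
        if [ "$owner" -ne "$uid" ] && [ "$owner" -ne 0 ]; then
            echo "owned by uid $owner, expected $uid or 0: $p"; bad=1
        fi
    done
    return $bad
}

# Demo on a throwaway directory standing in for /home/bob.
demo_home=$(mktemp -d)
echo 'ssh-ed25519 AAAA-constructed-sample-not-a-real-key bob@laptop' \
    > "$demo_home/bob.pub"
install_pubkey "$demo_home" "$demo_home/bob.pub"
check_ssh_perms "$demo_home" "$(id -u)" && echo "ok: $demo_home passes"
rm -rf "$demo_home"
```

The same check applies whether the home directory is a plain folder or a child dataset; a freshly created dataset's mountpoint is owned by root until it is chowned to the user.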
So, you’d create a single parent dataset (e.g., HomesData) and put all the users’ home folders in it?
I’d thought about doing it that way, and it would indeed be simpler, but I decided I wanted each home directory to be a child of HomesData, so I could, e.g., manage snapshots separately for each of them. I was wary of only being able to manage the entire set of home folders as a single dataset.
Is that not really an issue I should be worried about?
I’m not sure why you’d do snapshots differently between them - too many snapshots isn’t much of an issue as they don’t really take space.
Now if you wanted differing compression, or send/receive options I guess…
Then I guess I’d make the Homes dataset, and then make a dataset for each user under that, before I set that user up, so it’s there to pick when you make the user.
I don’t know if there’s a cute way to make Debian make a dataset instead of making a folder on user creation (I’m guessing the BSDs might? do that, since they have done zfs longer…) but if there was, I’m not sure the web gui of TrueNAS would use it anyway.
/home as a dataset, then each user as its own dataset under that seems the most flexible, but requires two steps.
Note I suppose you could migrate from one to the other easily enough - if you decide user X needs her own dataset, then mv /home/X /home/xtemp; zfs create 1G /home/X ; rsync -avz /home/xtemp/* /home/X ; test stuff ; rm -rf /home/xtemp
If one would really want to create a separate dataset for each user then they could follow (copy paste) the docs from Root on ZFS. Specifically this part on creating users manually. Ubuntu 22.04 Root on ZFS — OpenZFS documentation
Nothing is an issue if you want to do it and if you have time to maintain it later. So creating separate datasets for each user is fine on a Linux system. You could copy paste this command from here and it would work Ubuntu 22.04 Root on ZFS — OpenZFS documentation
I personally don’t see a reason why you would do that especially on a NAS.
A NAS is meant to share files/storage via NFS, SMB etc. and not to give users SSH access and home directories.
If you set up a Samba share then add a new user without a home directory that user will have automatic access to that samba share. The logic to this is that you create users to share files on the NAS and so when you add users they have access otherwise don’t add users. Then later if you need to remove some users from some shares you can do that also.