Operating Samba connected with macOS

By Patineboot

- 7 minutes read - 1420 words
The shrine is standing at the wide of the road where you are dancing the samba.

The shrine is standing at the wide of the road where you are dancing the samba.

Abstract

  1. Install Samba into Ubuntu Linux OS
  2. Create the user ā€˜patineā€™ on Samba
  3. Mount filesystem with extended attribute
  4. Configure Samba with Basic Parameters
    1. [global] Section
    2. [homes] Section
    3. [storage] Section
  5. Configure Samba connected with macOS
    1. Configure for Time Machine on macOS
  6. Misc
  7. Environment
  8. Reference

Configuring Samba was done with Ubuntu Linux OS and Raspberry Pi OS.

  • The word “Ubuntu” means Ubuntu Linux OS and Raspberry Pi OS in this article.
  • We prepare the user ‘patine’ on Ubuntu before installing Samba.

Install Samba into Ubuntu Linux OS

Install Samba with the apt package manager into Ubuntu.

apt install samba

Create the user ‘patine’ on Samba

Create the user ‘patine’ on the account database of Samba.

pdbedit -a patine

Samba asks for a passphrase when creating a new user.

Mount filesystem with extended attribute

Mount a filesystem on the storage directory with POSIX ACL and extended attributes. Ubuntu stores POSIX ACL in the extended attributes.

  • ZFS filesystem
    Select POSIX ACL, and store extended attributes in the dnode and the SA.

    Linux supports POSIX ACL against NFSv4 ACL, and other platforms mainly support NFSv4 ACL, e.g., Oracle Solaris. The ZFS filesystem store extended attributes in the dnode and the SA (System Attributes), or a hidden directory.

    Set acltype on posixacl and sa on xattr property on the storage ZFS dataset:

    sudo zfs set acltype=posixacl storage.pool/storage
sudo zfs set xattr=sa storage.pool/storage

    Note: storage.pool is the name of a ZFS pool, storage is the name of a ZFS dataset on storage.pool.

  • ext4 filesystem

    Note: Those mount options are enabled in default.

    ext4 filesystem is now supporting POSIX ACL and extended attributes, as known as acl and user_xattr. Mount an ext4 filesystem with the user_xattr mount option with the /etc/fstab file.

    Edit the /etc/fstab file as the following:

    # <file system> <mount point>   <type>  <options>       <dump>  <pass>
/dev/ubuntu-vg/storage /var/storage ext4 defaults,acl,user_xattr 0 2

    Describe the fstab file like the mount command options.

Configure Samba with Basic Parameters

Configure Samba by modifying the config file involved in itself.

The official documentation by samba.org for the config file (smb.conf) is on “smb.conf ā€” The configuration file for the Samba suite.”

The config file format of Samba

Introduce the method of configuring Samba.

Modify the config file, /etc/samba/smb.conf, involved in Samba.

The config file has “Section” with brackets and some “Parameter” couples consisting of a name and a value.

# Begin a section
[Section]
    # Describe a parameter of name and value
    Name = Value

[global] Section

The [global] section is the special section.
The parameters on the global effect other sections as a whole.

Modify and add the following parameters on the [global] section.

Modify the following parameters to avoid the guest account.

Name Value Description
map to guest Never Treatment of the guest account if user login failed.
‘Never’ is not map to the guest.
guest ok no Enable the guest account login without a passphrase. ’no’ means require a passphrase on the guest account.
‘no’ is the default value on Samba Version 4.15.5 due to removing ‘guest ok’ from smb.conf.
usershare allow guests no Enable the users who can create shares that non-authenticated users access.
ā€™noā€™ means disable this.

Add the following parameter to disable anonymous access.

Name Value Description
restrict anonymous 2 The mode of accessing the SAMR and LSA DCERPC services.
‘2’ is to disable anonymous access and restrict access to SAMR, disallow anonymous connections to the IPC$ share.

[homes] Section

Also, the [homes] section is the special section. Samba links the [homes] section with the user’s home directory on Ubuntu.

Modify the following parameters in the ‘homes’ section.

Name Value Description
read only no Only permit the directory to read. ‘yes’ means the users can only read, ’no’ means the users can write and read.
create mask Do to comment out Commented out for using the default value on Samba. A new file with Value permission. The default value is ‘0774’ that an owner and group members can fully access and others can only read.
directory mask Do to comment out Commented out for using the default value on Samba. A new directory with Value permission. The default value is ‘0775’ that an owner and group members can fully access and others can read and move on.
valid users %S Only ‘username’ can connect to \\<server>\<username>.

The modifications mean that a user creates a file and directory with permission similar to it on the bash shell.

[storage] Section

Samba serves a network directory with the name of the section.

Add the new [storage] section linked with the storage directory on which you mount the filesystem for sharing some files.

Name Value Description
path /storage.pool/storage Set an absolute local path to link the network directory. In this case, Samba links the storage network directory to the /storage.pool/storage local directory.
valid users patine Declare valid users. In this value, ‘patine’ is the only valid user.
access based share enum yes Permit only ‘valid users’ access to the directory or not. ‘yes’ means permit only ‘valid users’, ’no’ means do all users.
browseable yes The network directory can be browsable with an SMB client if the value is ‘yes,’ otherwise ’no’.
writable yes ‘yes’ means the network directory can be writable. Otherwise, ’no.’

The example of the storage section:

[storage]
    path = /storage.pool/storage
    valid users = patine

    access based share enum = yes
    browseable = yes

    writable = yes

Configure Samba connected with macOS

I suggest the configuration of Samba connected with macOS:

  • Important: Choice the fruit:resource:
    • fruit:resource = xattr on the ZFS filesystem
    • fruit:resource = file on the ext4 filesystem
  • Disable weak crypto, MD5 and RC4.
  • Disable ‘print service’ and RPC for Spotlight.
  • Show AppleDouble files.
   # disable crypto crypt
   require strong key = yes
   reject md5 clients = yes
   allow nt4 crypto = no

   # No print service.
   printcap name = /dev/null  
   load printers = no
   printing = bsd

   # No RPC for Spotlight
   rpc_server:mdssvc = disabled
   rpc_daemon:spoolssd = disabled

   # vfs-fruit
   vfs objects = catia fruit streams_xattr

   # vfs-fruit GLOBAL OPTIONS
   fruit:model = MacSamba
   # fruit:copyfile = yes

   # vfs-fruit OPTIONS
   # fruit:resource = file
   fruit:metadata = netatalk
   fruit:locking = netatalk
   fruit:encoding = native

   # fruit:wipe_intentionally_left_blank_rfork = yes
   # fruit:delete_empty_adfiles = yes

   fruit:veto_appledouble = no

For your preferences:

  • Enable fruit:copyfile if you need OS X specific copychunk ioctl.
  • Enable fruit:wipe_intentionally_left_blank_rfork and fruit:delete_empty_adfiles mean that Samba removes unused resource fork.

Details of fruit Parameters are vfs-fruit ā€” Enhanced OS X and Netatalk interoperability.

The Time Machine section

Add the vfs objects and fruit:time machine parameters into the timemachine section.

The details about fruit:time machine are vfs-fruit ā€” Enhanced OS X and Netatalk interoperability.

[timemachine]
    vfs objects = catia fruit streams_xattr

    path = /var/timemachine
    valid users = patine

    access based share enum = yes
    browseable = yes

    writable = yes
    fruit:time machine = yes
    fruit:time machine max size = 500G

Finder and Cyberduck

Apple’s Finder and Cyberduck, which transfers files on macOS:

  • Cyberduck does on sftp most fast.
  • Appleā€™s Finder does fast and succeeds on the other protocols.

I recommend Cyberduck on sftp with many files transfer and Finder on others.

In addition, I investigated the Finder.
I found the Finder transfers files slowly with the standard protocols, confirmed on Netatalk, NFSv4, sshfs, ftps, and sftp.

Misc

Commands on Ubuntu

  • Add a user to Ubuntu 
    adduser patine
  • Restart Samba service 
    systemctl restart smbd.service
  • Show the Samba status 
    smbstatus
  • Comfirm the smb.conf file 
    testparm
    testparm reports “Weak crypto is allowed” in the bug of testparm.
    Samba will release version 4.16 to include a fix, see more:
    https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=975882

Hide the /lost+found/ directory

Configure the below Parameter if you hide the /lost+found/ directory at the root directory on the ext4 filesystem.

Name Value Description
veto files /lost+found/ Hide directories and files. In this case, hide the /lost+found/ directory.

Interesting Samba options

Option Description
min receivefile size (G) Kernel writes received data to file buffer directly.
use sendfile (S) Use more efficient sendfile system call.
root preexec (S) Run a command when connected from someone.

Environment List

  • IBM PC compatible

    • Samba Version 4.15.5 on Ubuntu Linux 22.04 LTS Server
    • Samba Version 4.13.3 on Ubuntu Linux 21.04 Server

  • Raspberry Pi 4B Memory 2GB model

    • Samba Version 4.13 on Raspberry Pi OS 64 bits Bullseye
    • Samba Version 4.11 on Raspberry Pi OS 32 bits Buster

Reference