Operating Samba connected with macOS
By Patineboot

The shrine is standing at the wide of the road where you are dancing the samba.
Abstract
- Install Samba into Ubuntu Linux OS
- Create the user āpatineā on Samba
- Mount filesystem with extended attribute
- Configure Samba with Basic Parameters
- [global] Section
- [homes] Section
- [storage] Section
- Configure Samba connected with macOS
- Configure for Time Machine on macOS
- Misc
- Environment
- Reference
Configuring Samba was done with Ubuntu Linux OS and Raspberry Pi OS.
- The word “Ubuntu” means Ubuntu Linux OS and Raspberry Pi OS in this article.
- We prepare the user ‘patine’ on Ubuntu before installing Samba.
Install Samba into Ubuntu Linux OS
Install Samba with the apt package manager into Ubuntu.
apt install samba
Create the user ‘patine’ on Samba
Create the user ‘patine’ on the account database of Samba.
pdbedit -a patine
Samba asks for a passphrase when creating a new user.
Mount filesystem with extended attribute
Mount a filesystem on the storage directory with POSIX ACL and extended attributes. Ubuntu stores POSIX ACL in the extended attributes.
-
ZFS filesystem
Select POSIX ACL, and store extended attributes in the dnode and the SA.Linux supports POSIX ACL against NFSv4 ACL, and other platforms mainly support NFSv4 ACL, e.g., Oracle Solaris. The ZFS filesystem store extended attributes in the dnode and the SA (System Attributes), or a hidden directory.
Set
acltype
onposixacl
andsa
onxattr
property on the storage ZFS dataset:sudo zfs set acltype=posixacl storage.pool/storage sudo zfs set xattr=sa storage.pool/storage
Note: storage.pool is the name of a ZFS pool, storage is the name of a ZFS dataset on storage.pool.
-
ext4 filesystem
Note: Those mount options are enabled in default.
ext4 filesystem is now supporting POSIX ACL and extended attributes, as known as
acl
anduser_xattr
. Mount an ext4 filesystem with theuser_xattr
mount option with the /etc/fstab file.Edit the /etc/fstab file as the following:
# <file system> <mount point> <type> <options> <dump> <pass> /dev/ubuntu-vg/storage /var/storage ext4 defaults,acl,user_xattr 0 2
Describe the fstab file like the
mount
command options.
Configure Samba with Basic Parameters
Configure Samba by modifying the config file involved in itself.
The official documentation by samba.org for the config file (smb.conf) is on “smb.conf ā The configuration file for the Samba suite.”
The config file format of Samba
Introduce the method of configuring Samba.
Modify the config file, /etc/samba/smb.conf, involved in Samba.
The config file has “Section” with brackets and some “Parameter” couples consisting of a name and a value.
# Begin a section
[Section]
# Describe a parameter of name and value
Name = Value
[global] Section
The [global] section is the special section.
The parameters on the global effect other sections as a whole.
Modify and add the following parameters on the [global] section.
Modify the following parameters to avoid the guest account.
Name | Value | Description |
---|---|---|
map to guest | Never | Treatment of the guest account if user login failed. ‘Never’ is not map to the guest. |
guest ok | no | Enable the guest account login without a passphrase. ’no’ means require a passphrase on the guest account. ‘no’ is the default value on Samba Version 4.15.5 due to removing ‘guest ok’ from smb.conf. |
usershare allow guests | no | Enable the users who can create shares that non-authenticated users access. ānoā means disable this. |
Add the following parameter to disable anonymous access.
Name | Value | Description |
---|---|---|
restrict anonymous | 2 | The mode of accessing the SAMR and LSA DCERPC services. ‘2’ is to disable anonymous access and restrict access to SAMR, disallow anonymous connections to the IPC$ share. |
[homes] Section
Also, the [homes] section is the special section. Samba links the [homes] section with the user’s home directory on Ubuntu.
Modify the following parameters in the ‘homes’ section.
Name | Value | Description |
---|---|---|
read only | no | Only permit the directory to read. ‘yes’ means the users can only read, ’no’ means the users can write and read. |
create mask | Do to comment out | Commented out for using the default value on Samba. A new file with Value permission. The default value is ‘0774’ that an owner and group members can fully access and others can only read. |
directory mask | Do to comment out | Commented out for using the default value on Samba. A new directory with Value permission. The default value is ‘0775’ that an owner and group members can fully access and others can read and move on. |
valid users | %S | Only ‘username’ can connect to \\<server>\<username>. |
The modifications mean that a user creates a file and directory with permission similar to it on the bash shell.
[storage] Section
Samba serves a network directory with the name of the section.
Add the new [storage] section linked with the storage directory on which you mount the filesystem for sharing some files.
Name | Value | Description |
---|---|---|
path | /storage.pool/storage | Set an absolute local path to link the network directory. In this case, Samba links the storage network directory to the /storage.pool/storage local directory. |
valid users | patine | Declare valid users. In this value, ‘patine’ is the only valid user. |
access based share enum | yes | Permit only ‘valid users’ access to the directory or not. ‘yes’ means permit only ‘valid users’, ’no’ means do all users. |
browseable | yes | The network directory can be browsable with an SMB client if the value is ‘yes,’ otherwise ’no’. |
writable | yes | ‘yes’ means the network directory can be writable. Otherwise, ’no.’ |
The example of the storage section:
[storage]
path = /storage.pool/storage
valid users = patine
access based share enum = yes
browseable = yes
writable = yes
Configure Samba connected with macOS
I suggest the configuration of Samba connected with macOS:
- Important: Choice the
fruit:resource
:fruit:resource = xattr
on the ZFS filesystemfruit:resource = file
on the ext4 filesystem
- Disable weak crypto, MD5 and RC4.
- Disable ‘print service’ and RPC for Spotlight.
- Show AppleDouble files.
# disable crypto crypt
require strong key = yes
reject md5 clients = yes
allow nt4 crypto = no
# No print service.
printcap name = /dev/null
load printers = no
printing = bsd
# No RPC for Spotlight
rpc_server:mdssvc = disabled
rpc_daemon:spoolssd = disabled
# vfs-fruit
vfs objects = catia fruit streams_xattr
# vfs-fruit GLOBAL OPTIONS
fruit:model = MacSamba
# fruit:copyfile = yes
# vfs-fruit OPTIONS
# fruit:resource = file
fruit:metadata = netatalk
fruit:locking = netatalk
fruit:encoding = native
# fruit:wipe_intentionally_left_blank_rfork = yes
# fruit:delete_empty_adfiles = yes
fruit:veto_appledouble = no
For your preferences:
- Enable
fruit:copyfile
if you need OS X specific copychunk ioctl. - Enable
fruit:wipe_intentionally_left_blank_rfork
andfruit:delete_empty_adfiles
mean that Samba removes unused resource fork.
Details of fruit Parameters are vfs-fruit ā Enhanced OS X and Netatalk interoperability.
The Time Machine section
Add the vfs objects
and fruit:time machine
parameters into the timemachine section.
The details about fruit:time machine
are vfs-fruit ā Enhanced OS X and Netatalk interoperability.
[timemachine]
vfs objects = catia fruit streams_xattr
path = /var/timemachine
valid users = patine
access based share enum = yes
browseable = yes
writable = yes
fruit:time machine = yes
fruit:time machine max size = 500G
Finder and Cyberduck
Apple’s Finder and Cyberduck, which transfers files on macOS:
- Cyberduck does on sftp most fast.
- Appleās Finder does fast and succeeds on the other protocols.
I recommend Cyberduck on sftp with many files transfer and Finder on others.
In addition, I investigated the Finder.
I found the Finder transfers files slowly with the standard protocols, confirmed on Netatalk, NFSv4, sshfs, ftps, and sftp.
Misc
Commands on Ubuntu
- Add a user to Ubuntu
adduser patine
- Restart Samba service
systemctl restart smbd.service
- Show the Samba status
smbstatus
- Comfirm the smb.conf file
testparm
testparm
reports “Weak crypto is allowed” in the bug oftestparm
.
Samba will release version 4.16 to include a fix, see more:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=975882
Hide the /lost+found/ directory
Configure the below Parameter if you hide the /lost+found/ directory at the root directory on the ext4 filesystem.
Name | Value | Description |
---|---|---|
veto files | /lost+found/ | Hide directories and files. In this case, hide the /lost+found/ directory. |
Interesting Samba options
Option | Description |
---|---|
min receivefile size (G) | Kernel writes received data to file buffer directly. |
use sendfile (S) | Use more efficient sendfile system call. |
root preexec (S) | Run a command when connected from someone. |
Environment List
-
IBM PC compatible
- Samba Version 4.15.5 on Ubuntu Linux 22.04 LTS Server
- Samba Version 4.13.3 on Ubuntu Linux 21.04 Server
-
Raspberry Pi 4B Memory 2GB model
- Samba Version 4.13 on Raspberry Pi OS 64 bits Bullseye
- Samba Version 4.11 on Raspberry Pi OS 32 bits Buster
Reference
- smb.conf ā The configuration file for the Samba suite
- vfs-fruit ā Enhanced OS X and Netatalk interoperability
- Sambaćµć¼ćć®ē°å¢ę§ēÆęé