Recommended SAMBA parameters for a macOS client?

vicmarto

Explorer
Joined
Jan 25, 2018
Messages
61
@anodos: Please, which are the currently recommended SAMBA parameters when the client is exclusively a macOS machine? (Time Machine not needed)

Beginning with the default FreeNAS parameters, add the "fruit" VFS object and.....?

THANKS!




Just for the record, these are the current default FreeNAS 11.3 SAMBA parameters + "fruit" VFS object:

# testparm
[global]
	aio max threads = 2
	bind interfaces only = Yes
	disable spoolss = Yes
	dns proxy = No
	enable web service discovery = Yes
	kernel change notify = No
	load printers = No
	logging = file
	max log size = 51200
	nsupdate command = /usr/local/bin/samba-nsupdate -g
	restrict anonymous = 2
	server min protocol = SMB2_02
	server role = standalone server
	server string = FreeNAS Server
	unix extensions = No
	username map = /usr/local/etc/smbusername.map
	username map cache time = 60
	idmap config *: range = 90000001-100000000
	fruit:nfs_aces = No
	idmap config * : backend = tdb
	allocation roundup size = 0
	directory name cache size = 0
	dos filemode = Yes
	include = /usr/local/etc/smb4_share.conf

And ALL the parameters:


And the current default FreeNAS 11.3 GUI parameters:

SMB Share (default 10.3).png


SMB Service (default 10.3).png

vicmarto

Explorer
Joined
Jan 25, 2018
Messages
61
And these are the parameters of a share created with all defaults, but with the "fruit" VFS object:

[test]
	aio write size = 0
	ea support = No
	mangled names = illegal
	path = /mnt/zfast/Users/vicmarto
	read only = No
	vfs objects = shadow_copy_zfs ixnas fruit streams_xattr
	nfs4:acedup = merge
	nfs4:chown = true
	fruit:resource = stream
	fruit:metadata = stream

Some parameters that attract my attention:
And, about catia: the FreeNAS 11.3 help page says that:
fruit: Enhance macOS support by providing the SMB2 AAPL extension and Netatalk interoperability. Automatically loads catia and streams_xattr.

But it seems this is not the case, according to testparm.

seanm

Guru
Joined
Jun 11, 2018
Messages
570
My office isn't Mac-only, but is mostly Mac. I use the following VFS objects:
catia
fruit
streams_xattr
zfs_space
zfsacl

In Services > SMB I use:
UNIX extensions: on
Zeroconf: on

Aux parameters:
server min protocol = SMB3_02 (disable old protocols to reduce attack surface, see [1])
disable netbios = yes (disable old netbios to reduce attack surface, see [2])
smb ports = 445 (remove netbios port 139, to reduce attack surface, see [2], [3])
smb encrypt = required (this forces encryption to be enabled by Samba, see [9])
fruit:nfs_aces = no (needed to solve various permission issues [4])
case sensitive = yes (this improves performance, see [5])
mangled names = no (to prevent 8.3 name mangling, also improves performance, see [6] [7] [8])
strict sync = no (greatly improves Mac performance, see [5])

[1] https://www.ixsystems.com/community...-removed-from-smb-services.73442/#post-509432
[2] https://www.ixsystems.com/community/threads/freenas-11-2-u3-vulnerabilities.75353/page-2#post-524491
[3] https://jira.ixsystems.com/browse/NAS-101378
[4] https://jira.ixsystems.com/browse/NAS-101685
[5] https://www.ixsystems.com/community...hive-65-000-tiny-files-mac.79823/#post-554300
[6] https://jira.ixsystems.com/browse/NAS-104096
[7] https://www.ixsystems.com/community/resources/smb-tips-and-tricks.15/
[8] https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html
[9] https://www.ixsystems.com/community...affic-be-forced-to-encrypt.30250/#post-329785
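To compare a box against the defaults vicmarto pasted and the attack-surface settings seanm lists, here is a small added Python audit (not FreeNAS, Samba or either poster's code) that parses testparm-style output and also checks the share-level VFS stacking (fruit before streams_xattr, catia present) that the first post found missing. SAMPLE is a constructed dump trimmed from the values quoted in this thread; WANTED holds seanm's global settings, and the two performance tunables are deliberately not audited.

```python
# Constructed sample: FreeNAS 11.3 defaults from this thread, trimmed to the audited keys.
SAMPLE = """\
[global]
    server min protocol = SMB2_02
    disable netbios = No
    smb ports = 445 139
    smb encrypt = default
[test]
    vfs objects = shadow_copy_zfs ixnas fruit streams_xattr
"""

# Global values from seanm's aux parameters (attack-surface and encryption only).
WANTED = {
    "server min protocol": "SMB3_02",
    "disable netbios": "Yes",
    "smb ports": "445",
    "smb encrypt": "required",
}

def parse_testparm(text):
    """Return {section: {param: value}} from testparm-style output."""
    conf, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            conf[section] = {}
        elif "=" in line and section is not None:
            key, _, val = line.partition("=")
            conf[section][key.strip().lower()] = val.strip()
    return conf

def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    conf = parse_testparm(text)
    findings = []
    for key, want in WANTED.items():
        got = conf.get("global", {}).get(key, "<unset>")
        if got.lower() != want.lower():
            findings.append(f"[global] {key} = {got} (want {want})")
    for name in (n for n in conf if n != "global"):
        objs = conf[name].get("vfs objects", "").split()
        # fruit must precede streams_xattr; catia is reported because the help text
        # says fruit loads it automatically while testparm shows it absent.
        if "fruit" not in objs:
            findings.append(f"[{name}] fruit missing from vfs objects")
        elif "streams_xattr" not in objs[objs.index("fruit") + 1:]:
            findings.append(f"[{name}] streams_xattr must follow fruit")
        if "catia" not in objs:
            findings.append(f"[{name}] catia not loaded")
    return findings
```

Feed real output with `audit(open("testparm.txt").read())` after running `testparm -s > testparm.txt` on the NAS; on the constructed sample it reports the four weak global values plus the missing catia module.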