Samba Config Options for simple home file server

[laundryboy]

I would like to set up samba fileserver to replace netatalk for my Freebsd Server to be used as a general file server for my home network and as a TimeMachine disk for some of my Macs. I only have Macs and Freebsd on my network and as I am upgrading to Freebsd 13 from 12 I thought it would be a good time to do a migration to samba as Netatalk is pretty much deprecated by Apple, I read the performance is also better with Samba now that they have the fruit extensions.

For the Time Machine aspect I am trying to do what is described in the following tutorials, but that is outside the scope of this questions me thinks.

--- Yes I am aware the tutorial is for Ubuntu but I am competent enough to make this work with FreeBSD

Setup Apple Time Machine network drive with Samba on Ubuntu 22.04

During christmas vacations I added a Time Machine network drive for the backup of my MacBook to my Ubuntu 22.04 based home server. For this you will need samba and avahi-daemon packages. Basically Samba shares the network drive and avahi makes it work with apple devices by implementing Apple’s...

blog.jhnr.ch

Configure Samba to Work Better with Mac OS X - SambaWiki

wiki.samba.org

My one question is if this is going to be only used as a simple fileserver do I need to enable the Active directory options in Samba or can I disable all of them? Will there be any negative impacts?
The options I would like to set to "NO" are ADS and AD_DC

===> The following configuration options are available for samba416-4.16.10_1:
     ADS=on: Active Directory client(implies LDAP)
     AD_DC=on: Active Directory Domain Controller(implies PYTHON3)
     CLUSTER=off: Clustering support
     CUPS=off: CUPS printing system support
     DOCS=on: Build and/or install documentation
     FAM=on: File Alteration Monitor
     GPGME=off: GpgME support
     LDAP=on: LDAP client
     MANDOC=off: Build manpages from DOCBOOK templates
     PROFILE=on: Profiling data
     PYTHON3=on: Python 3.x bindings or support
     QUOTAS=on: Disk quota support
     SPOTLIGHT=off: Spotlight server-side search support
     SYSLOG=on: Syslog logging support
     UTMP=on: UTMP accounting
====> VFS modules
     FRUIT=on: MacOSX and TimeMachine support
     GLUSTERFS=off: GlusterFS support
====> GSSAPI Security API support: you have to select exactly one of them
     GSSAPI_BUILTIN=on: GSSAPI support via bundled Heimdal
     GSSAPI_MIT=off: GSSAPI support via security/krb5
====> Zero configuration networking: you have to select exactly one of them
     ZEROCONF_NONE=off: Zeroconf support is absent
     AVAHI=on: Zeroconf support via Avahi
     MDNSRESPONDER=off: Zeroconf support via mDNSResponder

 

[zirias@]

My one question is if this is going to be only used as a simple fileserver do I need to enable the Active directory options in Samba or can I disable all of them? Will there be any negative impacts?
The options I would like to set to "NO" are ADS and AD_DC

AD_DC is only needed if this samba instance should act as the domain controller.
ADS is needed to join an AD domain and therefore use AD authentication.

Whether you need that is up to you. I personally think AD makes sense in a private network as well, but only if you include all clients and use AD authentication everywhere. If you prefer to use local credentials for shares on your file server, disabling these options won't hurt.

 

[laundryboy]

AD_DC is only needed if this samba instance should act as the domain controller.
ADS is needed to join an AD domain and therefore use AD authentication.

Whether you need that is up to you. I personally think AD makes sense in a private network as well, but only if you include all clients and use AD authentication everywhere. If you prefer to use local credentials for shares on your file server, disabling these options won't hurt.

Thank you for the explanation, I have no other windows machines in my home network so I don't think I want to use AD at all. I think simple local logins would suffice my needs.

 

[sko]

I only have Macs and Freebsd on my network

Then why do you want to fiddle around with SMB that isn't able to deal with unix permissions or even case sensitive filenames?

AFAIK OS X / iOS support NFS properly and out of the box like any other real OS. I wouldn't want to touch SMB or any other sorry MS attempt on solving an already solved problem if I don't have to.

 

[Michael-O]

There is no SMB2/3 kernel driver in FreeBSD. macOS only. Stick to NFSv4 with Kerberos if you want.

 

[msplsh]

You don't need to disable them when you're building them, you can just not setup AD. But, if you're not using binaries, I guess turning them off will reduce compile times from having to bring in OpenLDAP.

I have a very similar setup, here's my config

[global]
    security = user
    map to guest = Bad User
    netbios name = Oxide
    log file = /var/log/samba4/log-%m
    log level = 1

    mangled names = illegal
    preserve case = yes

    # --- Time Machine requirements
    # You will need to "touch .com.apple.timemachine.supported"
    # in the Time Machine directory otherwise it will throw
    # a fit with "does not support the required capabilities"
    
    # Note zfsacl which is additional
# Although, got these errors enabling it, didn't want to fix
# "zfsacl_get_nt_acl: No stat info for"   
# I read some stuff about "zfs set alcmode=" and aclinherit= to passthrough for zfs
    vfs objects = catia fruit streams_xattr zfsacl
    fruit:aapl = yes
    fruit:time machine = yes
    server min protocol = SMB2

    # Required for TM, but samba defaults to these
    # durable handles = yes
    # kernel oplocks = no

    kernel share modes = no
    posix locking = no
    fruit:advertise_fullsync = true

    # This apparently enables a bunch of the above
    fruit:time machine = yes   

    # Dumps a bunch of errors into the log at startup if not set
    load printers = no
    printcap name = /dev/null
    disable spoolss = yes

[guest]
    # This share allows anonymous (guest) access
    # without authentication!
    path = /media/internal_drive/smb/shared
    read only = yes
    guest ok = yes

[TimeMachine_for_Computer]
    path = /media/Time_Machine/Computer
    read only = no
    valid users = timemachinesmb

 

[zirias@]

Then why do you want to fiddle around with SMB that isn't able to deal with unix permissions

SMB has NTFS-style ACLs which are a lot more capable and flexible than unix permissions and can of course be used to map unix permissions to.

or even case sensitive filenames?

I wouldn't even be sure about that? BTW, filenames in Windows are case sensitive, but the search for a filename is not, therefore Windows doesn't allow you to create two files with names differing only in casing. The interesting thing is: Not even NTFS has such a restriction, therefore, not really sure about SMB. You just can't do it when you ever want to use a Windows client.

I wouldn't want to touch SMB or any other sorry MS attempt on solving an already solved problem if I don't have to.

SMB nowadays is a pretty capable and reliable network filesystem, offering other features than NFS.

But:

There is no SMB2/3 kernel driver in FreeBSD.

This is unfortunately true, making SMB a bad choice if you want to use a FreeBSD client. You'd be limited to use the ancient (and completely insecure) SMB1 or use some fuse-based (userspace) implementation which is cumbersome and slow...

I have no other windows machines in my home network so I don't think I want to use AD at all.

AD isn't only useful for Windows. It's one way to have a central directory (containing e.g. all your users and groups). There are alternatives of course. It simplifies management, e.g. when you want to restrict access to one of your file shares to a specific user, and this user is just "the same" on the file server and the client, because both are "joined" to the AD domain and use the domain controller for authentication.

 

[SirDice]

filenames in Windows are case sensitive

It's case preserving, not case sensitive.

Anyway, if the share is on a ZFS dataset, you can configure ZFS to be case-preserving and case-insensitive. That will prevent some weird constructs from happening.

     casesensitivity=sensitive|insensitive|mixed
       Indicates whether the file name matching algorithm used by the file
       system should be case-sensitive, case-insensitive, or allow a
       combination of both styles of matching.  The default value for the
       casesensitivity property is sensitive.  Traditionally, UNIX and POSIX
       file systems have case-sensitive file names.

       The mixed value for the casesensitivity property indicates that the
       file system can support requests for both case-sensitive and case-
       insensitive matching behavior.  Currently, case-insensitive matching
       behavior on a file system that supports mixed behavior is limited to
       the SMB server product.  For more information about the mixed value
       behavior, see the "ZFS Administration Guide".

 

[msplsh]

OS X / iOS support NFS properly

iOS does not.

NFS is a giant pain in the rear because you have to set up Kerberos and that affects your entire system unlike Samba.

 

[sko]

NFS is a giant pain in the rear because you have to set up Kerberos and that affects your entire system unlike Samba.

in a home network?

 

[msplsh]

AUTH_SYS is so bad I would never use it anywhere. Do we use telnet locally instead of SSH because it "isn't necessary?" No.

 

[yuripv79]

Do we use telnet locally instead of SSH

I'm pretty sure almost everyone would if setting up ssh would be that much "harder" as AUTH_SYS vs Kerberos auth for NFS.

 

[cmoerz]

that much "harder" as AUTH_SYS vs Kerberos auth for NFS

and if it were lacking any troubleshooting mechanisms and would give you absolutely no helpful logging at all, and would break if you're running a multi-homed server (with multiple IP addresses and subnets). Kerberized NFS turns into serious trouble unless you have a simple setup, at least in my experience. Maybe I've been doing something wrong :\

It's as if it was meant for the home network - you got only one subnet, one NIC? Go right ahead, it's a breeze! Use NFS, have a few laughs...
(don't take this serious - it's meant as a pop culture reference - last time I too felt like stuck in a ventilation shaft )

View: https://www.youtube.com/watch?v=I-NiRBdtdS4

PS. I should probably add - this by no means an endorsement for running NFS without additional security; msplsh is making a good point about still wanting better security.

 

[facedebouc]

For enhanced security there is now NFS-over-TLS which uses the KERNEL_TLS on FreeBSD 13.2-RELEASE.
Please see Rick Macklem tutorial: NFS over TLS setup

 

[facedebouc]

Also in FreeBSD Journal: FreeBSD Journal May/June 2021

 

[msplsh]

I welcome NFS over TLS however I don't understand why they can't add something like SASL. Almost as stubborn as the OpenLDAP crowd.

 

[cmoerz]

why they can't add something like SASL

I'm guessing here: I assume it's got to do with with base/ports. NFS is part of base while any SASL code is - at least to my knowledge (?) - in ports. You'd first have to bring that code into base, with the right license, and so on. And then it's very much about what works with other OS; at the end of the day, NFSv3 and NFSv4 is kind of universal and - at least in principle - even works for Windows et al.

Modernizing this kind of stack is like turning an aircraft carrier...

 

[msplsh]

Hey, they got TLS in there, that's something. Even if that's the easiest possible upgrade, it's not backwards compatible.

 

[cmoerz]

Yup, we've got Rick Macklem to thank for that, as far as I know. Even got in touch with him directly, last time I had issues with NFS and he was more than willing to help - though I imagine he's getting those NFS questions on the daily.

I imagine you gotta have nerves of steel and the patience of a thousand zen masters if you actually understand and work on NFS code. He's got my utmost respect for that.

 

[yuripv79]

NFS is part of base while any SASL code is - at least to my knowledge (?) - in ports.

(I have no idea how SASL applies to NFS, but...) We still have sendmail that can link against SASL from ports, see make.conf(5) for related flags.

 

[facedebouc]

I am running NFSv4 on my local network with AUTH_SYS and I don't use TLS for now. I will have to if a day or another I will supply those NFS shares over the Internet. Since my local network is also accessed by WiFi , I am using another security option for one of my share which contains some sensitive data. This share is named Vault ;-) and is encrypted with sysutils/pefs-kmod. Users who wants to access to this encrypted content have to use their own key to mount this PEFS share under their own private Vault directory. This results to have only encrypted data over the network for this NFS share.

 

[laundryboy]

Yea.... so my experiment with Samba wasn't that great I had more problems with it than I did with netatalk. I originally wanted to switch since Apple depracated it, but it seems that netatalk on freshports is still being developed and worked seemlessly with my Macs. I had a bunch of permission problems as well as unmounting disk images that were mounted from the shares because they were locked and would never release. I tried samba because I read it was much faster but I think my disks on my little freebsd server are the limiting factor and not my network or netatalk. I think it will just be easier to switch back over to netatalk.

I reviewed this thread about NFS and seems intriquining but it also seems like it works like a real drive and you have to mount and unmount it in the CLI or fstab. I don't have an issue with using those methods but I would rather not have the drives always mounted for Time Machine and if I needed some random other drive I like just going the connect to server method. Does NFS support Bonjour/Avahi?