Samba Settings For Os X

Below are suggested parameters to use in smb.conf file of the Samba server to improve operability with Mac OS X clients.Note that some parameters may not work with your version of Samba - read the smb.conf and vfs_fruit man pages (on Linux) for your system.Other than those shown in the [TimeMachineBackup] share below, I recommend you include all parameters in the [Global] section of smb.conf. For ease of copy > paste, a clean smb.conf section is included at the bottom of this page.

  • May 23, 2018  In this guide, we show you the steps to regain access to your network files when connecting to a device that is still using the SMB version 1 protocol.
  • May 24, 2016  The smb.con file dates back to when Apple still used the standard open-source SAMBA software. When Apple released Mac OS X Lion they switched to using their own smbx software instead of SAMBA. This was due to SAMBA switching to GNU 3.0 Licensing which Apple felt unable to comply with. So /etc/smb.conf no longer exists at least on Macs.
  • What is Samba? As the front page at samba.org says:. Samba is the standard Windows interoperability suite of programs for Linux and Unix. Since 1992, Samba has provided secure, stable and fast file and print services for all clients using the SMB/CIFS protocol, such as all versions of DOS and Windows, OS/2, Linux and many others. Samba is an important component to seamlessly integrate Linux.

Apple extensions ('AAPL') run under SMB2/3 protocol, make that the minimum (probably shouldn't be running SMB1 anyway..) - defaults to SMB2_2 in Samba 4.11+:

Samba settings for os x 11

Apple extensions require support for extended attributes(xattr) - defaults to yes in Samba 4.9+:

Load in modules (order is critical!) and enable AAPL extensions:

How to store OS X metadata:

Below are suggested parameters to use in smb.conf file of the Samba server to improve operability with Mac OS X clients. Note that some parameters may not work with your version of Samba - read the smb.conf and vfsfruit man pages (on Linux) for your system. These users and passwords will be used when a user attempts to log onto a Samba share from the Mac OS X machine. To add a Samba user you will run (on the.

For additional setting see the manpage vfs_fruit.

Windows Os Samba File Service

Server icon in Finder (added in Samba 4.5):

File cleanup:

For Time Machine backup share (added in Samba 4.8):

As far as I know, testparm will not validate vfs_fruit parameters. (my server runs an old version of Samba :-), but after you have built your smb.conf, you can check for errors anyway with #: testparm or #: testparm -v (which will give you the defaults as well.

Here is the smb.conf code - NOTE - THIS IS NOT A COMPLETE SMB.CONF!!!

From Finder, connect to your Samba server using 'smb://User@Server'.Note that TM backups over smb may now be possible with your server.Other Mac models can be found in '/System/Library/CoreServices/CoreTypes.bundle/Contents/Info.plist'. Use 'Quick Look', Xcode or plutil to view or convert plist.

Retrieved from 'https://wiki.samba.org/index.php?title=Configure_Samba_to_Work_Better_with_Mac_OS_X&oldid=16429'
-->

Summary

This article describes how to enable and disable Server Message Block (SMB) version 1 (SMBv1), SMB version 2 (SMBv2), and SMB version 3 (SMBv3) on the SMB client and server components.

Important

We recommend that you do not disable SMBv2 or SMBv3. Disable SMBv2 or SMBv3 only as a temporary troubleshooting measure. Do not leave SMBv2 or SMBv3 disabled.

In Windows 7 and Windows Server 2008 R2, disabling SMBv2 deactivates the following functionality:

  • Request compounding - allows for sending multiple SMB 2 requests as a single network request
  • Larger reads and writes - better use of faster networks
  • Caching of folder and file properties - clients keep local copies of folders and files
  • Durable handles - allow for connection to transparently reconnect to the server if there is a temporary disconnection
  • Improved message signing - HMAC SHA-256 replaces MD5 as hashing algorithm
  • Improved scalability for file sharing - number of users, shares, and open files per server greatly increased
  • Support for symbolic links
  • Client oplock leasing model - limits the data transferred between the client and server, improving performance on high-latency networks and increasing SMB server scalability
  • Large MTU support - for full use of 10-gigabye (GB) Ethernet
  • Improved energy efficiency - clients that have open files to a server can sleep

In Windows 8, Windows 8.1, Windows 10, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, and Windows Server 2019, disabling SMBv3 deactivates the following functionality (and also the SMBv2 functionality that's described in the previous list):

  • Transparent Failover - clients reconnect without interruption to cluster nodes during maintenance or failover
  • Scale Out – concurrent access to shared data on all file cluster nodes
  • Multichannel - aggregation of network bandwidth and fault tolerance if multiple paths are available between client and server
  • SMB Direct – adds RDMA networking support for very high performance, with low latency and low CPU utilization
  • Encryption – Provides end-to-end encryption and protects from eavesdropping on untrustworthy networks
  • Directory Leasing - Improves application response times in branch offices through caching
  • Performance Optimizations - optimizations for small random read/write I/O

More Information

The SMBv2 protocol was introduced in Windows Vista and Windows Server 2008.

The SMBv3 protocol was introduced in Windows 8 and Windows Server 2012.

For more information about the capabilities of SMBv2 and SMBv3 capabilities, see the following articles:

Samba Settings For Os X 12

How to gracefully remove SMB v1 in Windows 8.1, Windows 10, Windows 2012 R2, Windows Server 2016, and Windows Server 2019

PowerShell methods

SMB v1 (client and server)
  • Detect:

  • Disable:

  • Enable:

Windows Server 2012 R2, Windows Server 2016, Windows Server 2019: Server Manager method for disabling SMB

SMB v1

Windows 8.1 and Windows 10: PowerShell method

SMB v1 Protocol
  • Detect:

  • Disable:

  • Enable:

SMB v2/v3 Protocol (only disables SMB v2/v3 Server)
  • Detect:

  • Disable:

  • Enable:

Windows 8.1 and Windows 10: Add or Remove Programs method

How to detect status, enable, and disable SMB protocols on the SMB Server

For Windows 8 and Windows Server 2012

Windows 8 and Windows Server 2012 introduce the new Set-SMBServerConfiguration Windows PowerShell cmdlet. The cmdlet enables you to enable or disable the SMBv1, SMBv2, and SMBv3 protocols on the server component.

Note

Settings

When you enable or disable SMBv2 in Windows 8 or Windows Server 2012, SMBv3 is also enabled or disabled. This behavior occurs because these protocols share the same stack.

You do not have to restart the computer after you run the Set-SMBServerConfiguration cmdlet.

Samba Os Level

SMB v1 on SMB Server
  • Detect:

  • Disable:

  • Enable:

For more information, see Server storage at Microsoft.

SMB v2/v3 on SMB Server
  • Detect:

  • Disable:

  • Enable:

For Windows 7, Windows Server 2008 R2, Windows Vista, and Windows Server 2008

To enable or disable SMB protocols on an SMB Server that is running Windows 7, Windows Server 2008 R2, Windows Vista, or Windows Server 2008, use Windows PowerShell or Registry Editor.

PowerShell methods

Note

This method requires PowerShell 2.0 or later version of PowerShell.

SMB v1 on SMB Server

Detect:

Default configuration = Enabled (No registry key is created), so no SMB1 value will be returned

Disable:

Enable:

Note You must restart the computer after you make these changes.For more information, see Server storage at Microsoft.

SMB v2/v3 on SMB Server

Detect:

Disable:

Enable:

Note

You must restart the computer after you make these changes.

Registry Editor

Important

Follow the steps in this section carefully. Serious problems might occur if you modify the registry incorrectly. Before you modify it, back up the registry for restoration in case problems occur.

To enable or disable SMBv1 on the SMB server, configure the following registry key:

HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesLanmanServerParameters

To enable or disable SMBv2 on the SMB server, configure the following registry key:

HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesLanmanServerParameters

Note

You must restart the computer after you make these changes.

How to detect status, enable, and disable SMB protocols on the SMB Client

For Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, and Windows Server 2012

Note

When you enable or disable SMBv2 in Windows 8 or in Windows Server 2012, SMBv3 is also enabled or disabled. This behavior occurs because these protocols share the same stack.

SMB v1 on SMB Client
  • Detect

  • Disable:

  • Enable:

For more information, see Server storage at Microsoft

SMB v2/v3 on SMB Client
  • Detect:

  • Disable:

  • Enable:

Note

  • You must run these commands at an elevated command prompt.
  • You must restart the computer after you make these changes.

Disable SMBv1 Server with Group Policy

This procedure configures the following new item in the registry:

HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesLanmanServerParameters

  • Registry entry: SMB1
  • REG_DWORD: 0 = Disabled

To configure this by using Group Policy, follow these steps:

  1. Open the Group Policy Management Console. Right-click the Group Policy object (GPO) that should contain the new preference item, and then click Edit.

  2. In the console tree under Computer Configuration, expand the Preferences folder, and then expand the Windows Settings folder.

  3. Right-click the Registry node, point to New, and select Registry Item.

In the New Registry Propertiesdialog box, select the following:

  • Action: Create
  • Hive: HKEY_LOCAL_MACHINE
  • Key Path: SYSTEMCurrentControlSetServicesLanmanServerParameters
  • Value name: SMB1
  • Value type: REG_DWORD
  • Value data: 0

This disables the SMBv1 Server components. This Group Policy must be applied to all necessary workstations, servers, and domain controllers in the domain.

Note

WMI filters can also be set to exclude unsupported operating systems or selected exclusions, such as Windows XP.

Important

Be careful when you make these changes on domain controllers on which legacy Windows XP or older Linux and third-party systems (that do not support SMBv2 or SMBv3) require access to SYSVOL or other file shares where SMB v1 is being disabled.

Disable SMBv1 Client with Group Policy

To disable the SMBv1 client, the services registry key needs to be updated to disable the start of MRxSMB10 and then the dependency on MRxSMB10 needs to be removed from the entry for LanmanWorkstation so that it can start normally without requiring MRxSMB10 to first start.

This will update and replace the default values in the following 2 items in the registry:

HKEY_LOCAL_MACHINESYSTEMCurrentControlSetservicesmrxsmb10

Registry entry: Start REG_DWORD: 4= Disabled

HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesLanmanWorkstation

Registry entry: DependOnService REG_MULTI_SZ: 'Bowser','MRxSmb20″,'NSI'

Users who have archived documents in PaperPort software may be left without options for retrieving their documents. Given the relative lack of support over the past year, this is not surprising, however this is the first time we have heard anything 'official.' Steve Jamieson writes:'As a longtime user and fan of the PaperPort Vx scanner (with some 30,000 important documents stored in this format) I was concerned that Scansoft might not be planning to port the software and drivers to Mac OS X. Paperport for mac os x.

Note

The default included MRxSMB10 which is now removed as dependency.

To configure this by using Group Policy, follow these steps:

  1. Open the Group Policy Management Console. Right-click the Group Policy object (GPO) that should contain the new preference item, and then click Edit.

  2. In the console tree under Computer Configuration, expand the Preferences folder, and then expand the Windows Settings folder.

  3. Right-click the Registry node, point to New, and select Registry Item.

  4. In the New Registry Properties dialog box, select the following:

    • Action: Update
    • Hive: HKEY_LOCAL_MACHINE
    • Key Path: SYSTEMCurrentControlSetservicesmrxsmb10
    • Value name: Start
    • Value type: REG_DWORD
    • Value data: 4
  5. Then remove the dependency on the MRxSMB10 that was just disabled.

    In the New Registry Properties dialog box, select the following:

    • Action: Replace
    • Hive: HKEY_LOCAL_MACHINE
    • Key Path: SYSTEMCurrentControlSetServicesLanmanWorkstation
    • Value name: DependOnService
    • Value type: REG_MULTI_SZ
    • Value data:
      • Bowser
      • MRxSmb20
      • NSI

    Note

    These three strings will not have bullets (see the following screen shot).

    The default value includes MRxSMB10 in many versions of Windows, so by replacing them with this multi-value string, it is in effect removing MRxSMB10 as a dependency for LanmanServer and going from four default values down to just these three values above.

    Note

    When you use Group Policy Management Console, you don't have to use quotation marks or commas. Just type the each entry on individual lines.

  6. Restart the targeted systems to finish disabling SMB v1.

Summary

If all the settings are in the same Group Policy Object (GPO), Group Policy Management displays the following settings.

Testing and validation

After these are configured, allow the policy to replicate and update. As necessary for testing, run gpupdate /force at a command prompt, and then review the target computers to make sure that the registry settings are applied correctly. Make sure SMB v2 and SMB v3 is functioning for all other systems in the environment.