[Samba] Inquiry: Samba and xattr with vfs_fruit on FreeBSD / ZFS (macOS Finder metadata problem)

Lorenzo Perone lopez.on.the.lists at yellowspace.net
Mon Oct 13 12:25:49 UTC 2025 

Hello Samba and FreeBSD Samba Teams (as well as samba admins that might 
have experiences and/or advice to share) :)

I have an issue that is driving me crazy and really acting as a time 
grave. Maybe someone can help. I googled, intensively chatted with CGPT, 
before reaching out, but I'm out of ideas.

I am running Samba (samba420-4.20.7_10) on FreeBSD (14.3) + OpenZFS 
(2.2.6), using vfs_fruit in an attempt to provide seamless Apple SMB 
metadata support (Finder labels, tags, etc.).

My setup is samba420 in a FreeBSD Jail under ZFS and with the use of 
LDAP/ACLs (passdb backend = ldapsam:...)

I'm trying to produce a setup that will support Mac and Windows clients, 
in a way that does not produce errors on the clients and does not 
clutter the server with ._xxx AppleDouble files.

I applied the following procedure during testing of different settings, 
at each round:

0) (with samba off)
1) Remove all rights and ACLs on the interested dir
2) re-set them according to my rules
3) Remove all xattrs and ._ files recursively
4) Start Samba
5) Connect a mac client
   (always with a new name to avoid caching:
   t1.server.tld, t2.server.tld, etc)
6) Set a color label on the same folder
7) See results / logs / filesystem changes
8) Stop Samba + Disconnect mac Client
9) Change settings
10) goto 1

Mac Finder Labels (e.g. colored tags) are written — I can see the 
extended attribute, either as 
DosStream.com.apple.metadata:_kMDItemUserTags or as 
org.netatalk.Metadata — but Finder seems not read them back, falling 
back to creating AppleDouble ._ files.

Attempts to use fruit:metadata = netatalk with resource = xattr have 
lead to crashes (segfaults) in adouble_open_from_base_fsp() under 
FreeBSD, at least in some cases (can't reproduce this atm).

In summary: no stable, clean operation exists (no ._ files, correct 
read/write of Finder metadata) on FreeBSD / ZFS in my setup.

I think I tried almost every combination of fruit:metadata, 
fruit:resource and other settings, as well as cleaning up ACLs/POSIX 
rights, restarting, remounting at every attempt..

Given this, I’d like to ask:

Is there any working config with FreeBSD/ZFS and Samba that honors Mac 
clients without making it a horrible experience for Windows / Linux 
clients (AppleDouble files)?

Are there ongoing or planned upstream efforts to fix the FreeBSD / ZFS + 
xattr / vfs_fruit story — particularly metadata read-back (stream 
enumeration) and avoidance of AppleDouble fallback (_if_ that's the real 
problem)?

I’d be happy to provide traces (SMB logs, or any other requested 
detail), minimal reproducer configs, or even help apply FreeBSD-specific 
patches if anyone wishes. If you prefer a particular format or 
repository for submitting test cases or patches, I’d be glad to follow.
Some details are provided below.

Thank you for your work on Samba and vfs_fruit, the FreeBSD port, and 
thank you in advance for any pointers or guidance you can share.

Best regards,

Lorenzo
seasoned FreeBSD and Samba admin

=== Details ===:

This is with:
fruit:metadata = stream
fruit:resource = stream

Excerpt of log.smbd
(with log level = 2 vfs_fruit:5):

Setting a Finder label on the folder Projs/Proj_1/Proj1_Subdir:

   testa opened file 
Projs/Proj_1/Proj1_Subdir:com.apple.metadata<U+F022>_kMDItemUserTags 
read=No write=Yes (numopen=7)
[2025/10/13 12:44:44.110842,  2] 
../../source3/smbd/close.c:938(close_normal_file)
   testa closed file 
Projs/Proj_1/Proj1_Subdir:com.apple.metadata<U+F022>_kMDItemUserTags 
(numopen=5) NT_STATUS_OK
[2025/10/13 12:44:44.111247,  2] ../../source3/smbd/open.c:1608(open_file)
   testa opened file Projs/Proj_1/Proj1_Subdir:AFP_AfpInfo:$DATA read=No 
write=Yes (numopen=7)
[2025/10/13 12:44:44.111449,  2] 
../../source3/smbd/close.c:938(close_normal_file)
   testa closed file Projs/Proj_1/Proj1_Subdir:AFP_AfpInfo:$DATA 
(numopen=5) NT_STATUS_OK
[2025/10/13 12:44:44.111877,  2] ../../source3/smbd/open.c:1608(open_file)
   testa opened file Projs/Proj_1/Proj1_Subdir:AFP_AfpInfo read=Yes 
write=No (numopen=6)
[2025/10/13 12:44:44.111968,  2] 
../../source3/smbd/close.c:938(close_normal_file)
   testa closed file Projs/Proj_1/Proj1_Subdir:AFP_AfpInfo (numopen=4) 
NT_STATUS_OK
[2025/10/13 12:44:44.139762,  2] ../../source3/smbd/open.c:1608(open_file)
   testa opened file Projs/Proj_1/._Proj1_Subdir read=Yes write=No 
(numopen=3)

Details after this on the filesystem:

root# lsextattr user /Shares/Projekte/Projs/Proj_1/Proj1_Subdir 
DosStream.com.apple.metadata:_kMDItemUserTags   DosStream.AFP_AfpInfo

root# ls -al  /Shares/Projs/Proj_1
-rwxrwx---+  1 testa            prj_00001       368 Oct 13 12:44 
._Proj1_Subdir


testparm (the current one..)

[global]
         bind interfaces only = Yes
         disable netbios = Yes
         dns proxy = No
         domain master = Yes
         get quota command = /usr/local/sbin/query_quota
         interfaces = ix0 ix1
         ldap admin dn = uid=samba-admin,ou=System,dc=<redacted>
         ldap group suffix = cn=groups
         ldap machine suffix = ou=Computers
         ldap passwd sync = yes
         ldap ssl = no
         ldap suffix = dc=<redacted>
         ldap user suffix = cn=users
         local master = No
         netbios name = <redacted>
         obey pam restrictions = Yes
         passdb backend = ldapsam:ldap://<redacted>
         preferred master = Yes
         security = USER
         server string = <redacted>
         smb1 unix extensions = No
         winbind enum groups = Yes
         winbind enum users = Yes
         winbind nss info = rfc2307
         winbind use default domain = Yes
         workgroup = <redacted>
         idmap config * : ldap_user_dn = samba-admin,ou=System,dc=<redacted>
         idmap config * : range = 500-999999
         streams_xattr:xattr_compat = no  # also tried with "yes"
         streams_xattr:store_stream_type = no # also tried with "yes"
         nfs4:chown = true
         fruit:model = MacPro7,1 at ECOLOR=226,226,224
         fruit:posix_rename = yes
         fruit:copyfile = yes
         fruit:encoding = native
         fruit:resource = stream
         fruit:metadata = stream
         idmap config * : backend = tdb
         access based share enum = Yes
         block size = 4096
         create mask = 0660
         directory mask = 02770
         force create mode = 0660
         force directory mode = 02770
         fstype = ZFS
         hide unreadable = Yes
         hosts allow = <redacted>
         include = /usr/local/etc/smb4-shares.test.conf
         store dos attributes = No
         strict sync = No
         use sendfile = Yes
         vfs objects = catia fruit zfsacl streams_xattr


ZFS Dataset settings:

root# zfs get all hktank/jails/sambajail | egrep 
'xattr|dnodesize|relatime|acl'
hktank/jails/sambajail  aclmode               restricted
hktank/jails/sambajail  aclinherit            passthrough
hktank/jails/sambajail  xattr                 sa
hktank/jails/sambajail  dnodesize             auto
hktank/jails/sambajail  acltype               nfsv4
hktank/jails/sambajail  relatime              on

root# zfs get all hktank/content/Shares/ProjekteACLTest | egrep 
'xattr|dnodesize|relatime|acl'
hktank/content/Shares/Projs  aclmode               restricted
hktank/content/Shares/Projs  aclinherit            passthrough
hktank/content/Shares/Projs  xattr                 sa
hktank/content/Shares/Projs  dnodesize             auto
hktank/content/Shares/Projs  acltype               nfsv4
hktank/content/Shares/Projs  relatime              on

(the latter is mounted as /Shares in the sambajail)

-----

Additional behavioral notes:

With

fruit:metadata = netatalk (default), and
fruit:resource = stream

We get no errors from the Finder, the label is set; remounting the share 
does not show any label when previously removing ._Proj1_Subdir 
appledouble file (and restarting samba_server)

Check on the filesystem shows:

root# lsextattr user /Shares/Projekte/Projs/Proj_1/Proj1_Subdir 
org.netatalk.Metadata

root# ls -al  /Shares/Projs/Proj_1
-rwxrwx---+  1 testa            prj_00001       368 Oct 13 13:44 
._Proj1_Subdir

(the AppleDouble is just 368 bytes)

-----

With:

fruit:metadata = netatalk (default), and
fruit:resource = xattr (experimental setting as of manual)

We get Finder error code -8058, the label is set; remounting the share 
does not show any label when previously removing ._Proj1_Subdir 
appledouble file (and restarting samba_server)

root# lsextattr user /Shares/Projekte/Projs/Proj_1/Proj1_Subdir 
org.netatalk.Metadata

root# ls -al  /Shares/Projs/Proj_1
-rwxrwx---+  1 testa            prj_00001       4096 Oct 13 14:00 
._Proj1_Subdir

(the AppleDouble is 4K)

---

Final detail - my ACLs on /Shares/Projekte/Projs/Proj_1
(and /Shares/Projekte/Projs/Proj_1/Proj1_Subdir):
# owner: ceo
# group: prj_00001
          everyone@:--------------:fd-----:deny
             owner@:rwxpDdaARWcCos:fd-----:allow
             group@:rwxpDdaARWcCos:fd-----:allow
          everyone@:------a-R-c--s:-------:allow

More information about the samba mailing list