[Samba] Inquiry: Samba and xattr with vfs_fruit on FreeBSD / ZFS (macOS Finder metadata problem)

Perttu Aaltonen perttu.aaltonen at mac.com
Mon Oct 13 14:57:25 UTC 2025


Hi,

While I’m not a Samba expert or a developer, a few things came to mind.

Do you know if fruit:resource = xattr and large xattr support is actually implemented on FreeBSD? The fruit man page only talks about Solaris derivatives.

With veto_appledouble = yes (the default), I don’t think you should see the ._ files from the client side with fruit:resource = file.

I wonder if this is related to the issues I’ve seen with folder icons on a Linux Samba server:
https://bugzilla.samba.org/show_bug.cgi?id=15013

As a test could you test with:
fruit:resource = file
fruit:encoding = native / private
fruit:veto_appledouble = no

Just to see if it works then. This works for me with Samba 4.22 but on 4.20 I couldn’t get it to work at all IIRC. Also try if copying a file with tags or labels works instead of applying them directly on the server. Would be interesting to know if this is the same issue I’ve seen. I haven’t tested with tags and labels, only with icons.

Regards,
Perttu


> On 13. Oct 2025, at 15.25, Lorenzo Perone via samba <samba at lists.samba.org> wrote:
> 
> Hello Samba and FreeBSD Samba Teams (as well as samba admins that might have experiences and/or advice to share) :)
> 
> I have an issue that is driving me crazy and really acting as a time grave. Maybe someone can help. I googled, intensively chatted with CGPT, before reaching out, but I'm out of ideas.
> 
> I am running Samba (samba420-4.20.7_10) on FreeBSD (14.3) + OpenZFS (2.2.6), using vfs_fruit in an attempt to provide seamless Apple SMB metadata support (Finder labels, tags, etc.).
> 
> My setup is samba420 in a FreeBSD Jail under ZFS and with the use of LDAP/ACLs (passdb backend = ldapsam:...)
> 
> I'm trying to produce a setup that will support Mac and Windows clients, in a way that does not produce errors on the clients and does not clutter the server with ._xxx AppleDouble files.
> 
> I applied the following procedure during testing of different settings, at each round:
> 
> 0) (with samba off)
> 1) Remove all rights and ACLs on the interested dir
> 2) re-set them according to my rules
> 3) Remove all xattrs and ._ files recursively
> 4) Start Samba
> 5) Connect a mac client
>  (always with a new name to avoid caching:
>  t1.server.tld, t2.server.tld, etc)
> 6) Set a color label on the same folder
> 7) See results / logs / filesystem changes
> 8) Stop Samba + Disconnect mac Client
> 9) Change settings
> 10) goto 1
> 
> Mac Finder Labels (e.g. colored tags) are written — I can see the extended attribute, either as DosStream.com.apple.metadata:_kMDItemUserTags or as org.netatalk.Metadata — but Finder seems not to read them back, falling back to creating AppleDouble ._ files.
> 
> Attempts to use fruit:metadata = netatalk with resource = xattr have led to crashes (segfaults) in adouble_open_from_base_fsp() under FreeBSD, at least in some cases (can't reproduce this atm).
> 
> In summary: no stable, clean operation exists (no ._ files, correct read/write of Finder metadata) on FreeBSD / ZFS in my setup.
> 
> I think I tried almost every combination of fruit:metadata, fruit:resource and other settings, as well as cleaning up ACLs/POSIX rights, restarting, remounting at every attempt..
> 
> Given this, I’d like to ask:
> 
> Is there any working config with FreeBSD/ZFS and Samba that honors Mac clients without making it a horrible experience for Windows / Linux clients (AppleDouble files)?
> 
> Are there ongoing or planned upstream efforts to fix the FreeBSD / ZFS + xattr / vfs_fruit story — particularly metadata read-back (stream enumeration) and avoidance of AppleDouble fallback (_if_ that's the real problem)?
> 
> I’d be happy to provide traces (SMB logs, or any other requested detail), minimal reproducer configs, or even help apply FreeBSD-specific patches if anyone wishes. If you prefer a particular format or repository for submitting test cases or patches, I’d be glad to follow.
> Some details are provided below.
> 
> Thank you for your work on Samba and vfs_fruit, the FreeBSD port, and thank you in advance for any pointers or guidance you can share.
> 
> Best regards,
> 
> Lorenzo
> seasoned FreeBSD and Samba admin
> 
> === Details ===:
> 
> This is with:
> fruit:metadata = stream
> fruit:resource = stream
> 
> Excerpt of log.smbd
> (with log level = 2 vfs_fruit:5):
> 
> Setting a Finder label on the folder Projs/Proj_1/Proj1_Subdir:
> 
>  testa opened file Projs/Proj_1/Proj1_Subdir:com.apple.metadata<U+F022>_kMDItemUserTags read=No write=Yes (numopen=7)
> [2025/10/13 12:44:44.110842,  2] ../../source3/smbd/close.c:938(close_normal_file)
>  testa closed file Projs/Proj_1/Proj1_Subdir:com.apple.metadata<U+F022>_kMDItemUserTags (numopen=5) NT_STATUS_OK
> [2025/10/13 12:44:44.111247,  2] ../../source3/smbd/open.c:1608(open_file)
>  testa opened file Projs/Proj_1/Proj1_Subdir:AFP_AfpInfo:$DATA read=No write=Yes (numopen=7)
> [2025/10/13 12:44:44.111449,  2] ../../source3/smbd/close.c:938(close_normal_file)
>  testa closed file Projs/Proj_1/Proj1_Subdir:AFP_AfpInfo:$DATA (numopen=5) NT_STATUS_OK
> [2025/10/13 12:44:44.111877,  2] ../../source3/smbd/open.c:1608(open_file)
>  testa opened file Projs/Proj_1/Proj1_Subdir:AFP_AfpInfo read=Yes write=No (numopen=6)
> [2025/10/13 12:44:44.111968,  2] ../../source3/smbd/close.c:938(close_normal_file)
>  testa closed file Projs/Proj_1/Proj1_Subdir:AFP_AfpInfo (numopen=4) NT_STATUS_OK
> [2025/10/13 12:44:44.139762,  2] ../../source3/smbd/open.c:1608(open_file)
>  testa opened file Projs/Proj_1/._Proj1_Subdir read=Yes write=No (numopen=3)
> 
> Details after this on the filesystem:
> 
> root# lsextattr user /Shares/Projekte/Projs/Proj_1/Proj1_Subdir DosStream.com.apple.metadata:_kMDItemUserTags   DosStream.AFP_AfpInfo
> 
> root# ls -al  /Shares/Projs/Proj_1
> -rwxrwx---+  1 testa            prj_00001       368 Oct 13 12:44 ._Proj1_Subdir
> 
> 
> testparm (the current one..)
> 
> [global]
>        bind interfaces only = Yes
>        disable netbios = Yes
>        dns proxy = No
>        domain master = Yes
>        get quota command = /usr/local/sbin/query_quota
>        interfaces = ix0 ix1
>        ldap admin dn = uid=samba-admin,ou=System,dc=<redacted>
>        ldap group suffix = cn=groups
>        ldap machine suffix = ou=Computers
>        ldap passwd sync = yes
>        ldap ssl = no
>        ldap suffix = dc=<redacted>
>        ldap user suffix = cn=users
>        local master = No
>        netbios name = <redacted>
>        obey pam restrictions = Yes
>        passdb backend = ldapsam:ldap://<redacted>
>        preferred master = Yes
>        security = USER
>        server string = <redacted>
>        smb1 unix extensions = No
>        winbind enum groups = Yes
>        winbind enum users = Yes
>        winbind nss info = rfc2307
>        winbind use default domain = Yes
>        workgroup = <redacted>
>        idmap config * : ldap_user_dn = samba-admin,ou=System,dc=<redacted>
>        idmap config * : range = 500-999999
>        streams_xattr:xattr_compat = no  # also tried with "yes"
>        streams_xattr:store_stream_type = no # also tried with "yes"
>        nfs4:chown = true
>        fruit:model = MacPro7,1@ECOLOR=226,226,224
>        fruit:posix_rename = yes
>        fruit:copyfile = yes
>        fruit:encoding = native
>        fruit:resource = stream
>        fruit:metadata = stream
>        idmap config * : backend = tdb
>        access based share enum = Yes
>        block size = 4096
>        create mask = 0660
>        directory mask = 02770
>        force create mode = 0660
>        force directory mode = 02770
>        fstype = ZFS
>        hide unreadable = Yes
>        hosts allow = <redacted>
>        include = /usr/local/etc/smb4-shares.test.conf
>        store dos attributes = No
>        strict sync = No
>        use sendfile = Yes
>        vfs objects = catia fruit zfsacl streams_xattr
> 
> 
> ZFS Dataset settings:
> 
> root# zfs get all hktank/jails/sambajail | egrep 'xattr|dnodesize|relatime|acl'
> hktank/jails/sambajail  aclmode               restricted
> hktank/jails/sambajail  aclinherit            passthrough
> hktank/jails/sambajail  xattr                 sa
> hktank/jails/sambajail  dnodesize             auto
> hktank/jails/sambajail  acltype               nfsv4
> hktank/jails/sambajail  relatime              on
> 
> root# zfs get all hktank/content/Shares/ProjekteACLTest | egrep 'xattr|dnodesize|relatime|acl'
> hktank/content/Shares/Projs  aclmode               restricted
> hktank/content/Shares/Projs  aclinherit            passthrough
> hktank/content/Shares/Projs  xattr                 sa
> hktank/content/Shares/Projs  dnodesize             auto
> hktank/content/Shares/Projs  acltype               nfsv4
> hktank/content/Shares/Projs  relatime              on
> 
> (the latter is mounted as /Shares in the sambajail)
> 
> -----
> 
> Additional behavioral notes:
> 
> With
> 
> fruit:metadata = netatalk (default), and
> fruit:resource = stream
> 
> We get no errors from the Finder, the label is set; remounting the share does not show any label when previously removing ._Proj1_Subdir appledouble file (and restarting samba_server)
> 
> Check on the filesystem shows:
> 
> root# lsextattr user /Shares/Projekte/Projs/Proj_1/Proj1_Subdir org.netatalk.Metadata
> 
> root# ls -al  /Shares/Projs/Proj_1
> -rwxrwx---+  1 testa            prj_00001       368 Oct 13 13:44 ._Proj1_Subdir
> 
> (the AppleDouble is just 368 bytes)
> 
> -----
> 
> With:
> 
> fruit:metadata = netatalk (default), and
> fruit:resource = xattr (experimental setting as of manual)
> 
> We get Finder error code -8058, the label is set; remounting the share does not show any label when previously removing ._Proj1_Subdir appledouble file (and restarting samba_server)
> 
> root# lsextattr user /Shares/Projekte/Projs/Proj_1/Proj1_Subdir org.netatalk.Metadata
> 
> root# ls -al  /Shares/Projs/Proj_1
> -rwxrwx---+  1 testa            prj_00001       4096 Oct 13 14:00 ._Proj1_Subdir
> 
> (the AppleDouble is 4K)
> 
> ---
> 
> Final detail - my ACLs on /Shares/Projekte/Projs/Proj_1
> (and /Shares/Projekte/Projs/Proj_1/Proj1_Subdir):
> # owner: ceo
> # group: prj_00001
>         everyone@:--------------:fd-----:deny
>            owner@:rwxpDdaARWcCos:fd-----:allow
>            group@:rwxpDdaARWcCos:fd-----:allow
>         everyone@:------a-R-c--s:-------:allow
> 
> 
> 
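To check what a leftover ._ file such as ._Proj1_Subdir actually holds, its AppleDouble entry table can be listed with a short Python script. This is an added example, not code from the thread or from Samba; the sample image is constructed, and the label decoding assumes the classic Finder-flags colour bits (mask 0x000E) inside the Finder info entry.

```python
import struct
import sys

AD_MAGIC = 0x00051607    # AppleDouble magic number
AD_VERSION = 0x00020000  # AppleDouble version 2
ENTRY_NAMES = {1: "data fork", 2: "resource fork", 3: "real name",
               4: "comment", 8: "file dates", 9: "Finder info"}

def parse_appledouble(blob):
    """Return [(entry_id, name, offset, length)] from an AppleDouble image."""
    if len(blob) < 26:
        raise ValueError("too short for an AppleDouble header")
    magic, version = struct.unpack_from(">II", blob, 0)
    if magic != AD_MAGIC or version != AD_VERSION:
        raise ValueError("not an AppleDouble v2 file")
    (count,) = struct.unpack_from(">H", blob, 24)  # follows 16 filler bytes
    if 26 + 12 * count > len(blob):
        raise ValueError("entry table runs past end of file")
    entries = []
    for i in range(count):
        eid, off, length = struct.unpack_from(">III", blob, 26 + 12 * i)
        if off + length > len(blob):
            raise ValueError(f"entry {eid} points outside the file")
        entries.append((eid, ENTRY_NAMES.get(eid, "unknown"), off, length))
    return entries

def finder_label(blob):
    """Colour label index (0 = none) from the Finder info entry, else None."""
    for eid, _name, off, length in parse_appledouble(blob):
        if eid == 9 and length >= 10:
            (flags,) = struct.unpack_from(">H", blob, off + 8)
            return (flags & 0x000E) >> 1  # assumption: classic colour bits
    return None

def build_sample(label=6):
    """Constructed 82-byte AppleDouble image, not taken from the thread."""
    finder_info = bytearray(32)
    struct.pack_into(">H", finder_info, 8, label << 1)
    header = struct.pack(">II16xH", AD_MAGIC, AD_VERSION, 2)
    table = struct.pack(">III", 9, 50, 32) + struct.pack(">III", 2, 82, 0)
    return header + table + bytes(finder_info)

if __name__ == "__main__":
    # Pass the path of a ._ file, or run without arguments for the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for entry in parse_appledouble(data):
        print("id=%d (%s) offset=%d length=%d" % entry)
    print("Finder label index:", finder_label(data))
```

Comparing the entry table of a ._ file with the output of lsextattr on the same directory shows whether the label went into the AppleDouble file, the extended attribute, or both.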