Time Machine: changing from AFP to SMB trouble

Glorious1

Guru
Joined
Nov 23, 2014
Messages
1,211
I've been using Time Machine on FreeNAS and TrueNAS for 7 years with no big problem. I recently replaced my 10-yr-old Mac with a new one with new macOS. Time Machine continued to work, then it sometimes couldn't find the disk and needed logging out and back in, now it can't find it even then.

I decided I needed to bite the bullet and shift my Time Machine share to SMB. I've never used SMB and boy, is it complicated. After some floundering and reading, I finally got the share so Time Machine recognizes it. Problem is, it's creating a user folder INSIDE my Time Machine dataset and never sees the existing sparsebundle. See photo from the Mac.
[Screenshot: Screen Shot 2021-12-29 at 8.22.52 AM.png]


I would prefer not to start over and even so, prefer not to have an extra directory layer. How can I get the share to start at the time machine directory rather than internal user directory?

The share uses the preset "Private SMB Datasets and Shares". I don't want a shared time machine share. The dataset uses the ACL preset "Restricted".
[Screenshot: Screen Shot 2021-12-29 at 9.00.51 AM.png]

[Screenshot: Screen Shot 2021-12-29 at 9.09.59 AM.png]
 

Glorious1

bump
 

Glorious1

I found out why the user folder appeared inside the time machine folder. In the share settings, depending on what "Purpose" preset you choose, a %U (representing username) gets added to the path. That suffix can be deleted in some presets.

But that's the least of my problems. The only way the share appears in Time Machine to be selected as backup destination is when I first mount it in Finder using Connect to Server. Then I can select it in Time Machine, but then, all attempts to connect to it from Time Machine (i.e., initiating a backup) result in "Looking for backup disk . . ." forever.

I've tried both AFP and SMB, all the reasonable SMB presets, varied settings within them, monkeying with SMB service settings, all with the same result. Most of the recent posts I've found with similar problems here have gone unanswered. If any reader is backing up a Mac to TrueNAS 12.0, either over AFP or SMB, I would appreciate if you could relay all your settings in excruciating detail: dataset, ACLs, share settings, etc.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
I have 4 macs (various macos versions) backing up to a single time machine share.

Code:
root@homenas[~]# getfacl /mnt/dozer
# file: /mnt/dozer
# owner: root
# group: wheel
            owner@:rwxp--aARWcCos:-------:allow
            group@:r-x---a-R-c--s:-------:allow
         everyone@:r-x---a-R-c--s:-------:allow
root@homenas[~]# getfacl /mnt/dozer/tmprotect
# file: /mnt/dozer/tmprotect
# owner: root
# group: wheel
      user:smbuser:rwxpDdaARWcCos:fd-----:allow
            owner@:rwxpDdaARWcCos:fd-----:allow
            group@:rwxpDdaARWcCos:fd-----:allow
group:builtin_users:rwxpDdaARWc--s:fd-----:allow
         everyone@:--------------:fd-----:allow

^^^ permissions.
1) make sure you haven't messed up permissions on /mnt/dozer (thanks to some popular YouTube influencers, many users have performed "chmod 770 /mnt/<pool>" from the CLI).
2) create dataset with SMB preset. Verify that the group "builtin users" has full control and inheriting.
3) create user for authenticating to time machine share:
Code:
root@homenas[~]# id minitm
uid=1008(minitm) gid=1015(minitm) groups=1015(minitm),545(builtin_users)

4) create time machine share.
Code:
root@homenas[~]# midclt call sharing.smb.query '[["name", "=", "tmprotect"]]' | jq
[
  {
    "id": 11,
    "purpose": "ENHANCED_TIMEMACHINE",
    "path": "/mnt/dozer/tmprotect",
    "path_suffix": "%U",
    "home": false,
    "name": "tmprotect",
    "comment": "",
    "ro": false,
    "browsable": true,
    "recyclebin": false,
    "guestok": false,
    "hostsallow": [],
    "hostsdeny": [],
    "auxsmbconf": "",
    "aapl_name_mangling": false,
    "abe": false,
    "acl": true,
    "durablehandle": true,
    "streams": true,
    "timemachine": true,
    "vuid": "a264f474-8611-419a-a6b7-57c071a61600",
    "shadowcopy": true,
    "fsrvp": false,
    "enabled": true,
    "locked": false
  }
]

those are my settings.

Once you have made these changes, use dns-sd -B _adisk._tcp. on MacOS to verify that your TrueNAS server is being advertised as a time machine target. If you don't see it, restart the SMB service in the NAS GUI.

Then add time machine backup the normal way in MacOS. When you are prompted for credentials use the account you created in step (3) above.
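Steps 1 and 2 of the post above can be checked mechanically. The following is an added example, not part of the original post: it parses `getfacl` output in the format shown and reports the two conditions the post names. The `audit` helper, its permission baseline and the `chmod 770` sample are assumptions made for illustration.

```python
import re

# One ACE per line, as printed by getfacl above: who:permissions:flags:type
ACE = re.compile(r"^\s*(?P<who>.+?):(?P<perms>[A-Za-z-]{14}):"
                 r"(?P<flags>[A-Za-z-]{7}):(?P<kind>allow|deny)\s*$")

# Copied from the post: ACL of the pool root and of the share dataset.
POOL_OK = """\
# file: /mnt/dozer
            owner@:rwxp--aARWcCos:-------:allow
            group@:r-x---a-R-c--s:-------:allow
         everyone@:r-x---a-R-c--s:-------:allow
"""
DATASET_OK = """\
# file: /mnt/dozer/tmprotect
      user:smbuser:rwxpDdaARWcCos:fd-----:allow
            owner@:rwxpDdaARWcCos:fd-----:allow
            group@:rwxpDdaARWcCos:fd-----:allow
group:builtin_users:rwxpDdaARWc--s:fd-----:allow
         everyone@:--------------:fd-----:allow
"""
# Constructed sample (assumption): pool root after "chmod 770", everyone@ lost r and x.
POOL_CHMOD_770 = POOL_OK.replace("everyone@:r-x---", "everyone@:------")


def parse_acl(text):
    """Map each principal to its allow entry; comment lines do not match."""
    matches = (ACE.match(line) for line in text.splitlines())
    return {m["who"]: m.groupdict() for m in matches if m and m["kind"] == "allow"}


def audit(pool_text, dataset_text, group="group:builtin_users"):
    findings = []
    everyone = parse_acl(pool_text).get("everyone@")
    if everyone is None or "x" not in everyone["perms"]:
        findings.append("pool root: everyone@ cannot traverse (no x)")
    entry = parse_acl(dataset_text).get(group)
    if entry is None:
        findings.append(f"dataset: no allow entry for {group}")
    else:
        # Baseline taken from the post's own dataset ACL, not from TrueNAS docs.
        missing = set("rwxpDd") - set(entry["perms"])
        if missing:
            findings.append(f"dataset: {group} lacks {''.join(sorted(missing))}")
        if not {"f", "d"} <= set(entry["flags"]):
            findings.append(f"dataset: {group} entry is not inherited (fd)")
    return findings


if __name__ == "__main__":
    print(audit(POOL_OK, DATASET_OK))         # no findings
    print(audit(POOL_CHMOD_770, DATASET_OK))  # traverse finding on the pool root
```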
 

anodos

As the different macs / users in an environment authenticate to the share, new datasets for them will be created:
Code:
root@homenas[~]# zfs list | grep tmprotect
dozer/tmprotect                                                 398G  3.62T      149K  /mnt/dozer/tmprotect
dozer/tmprotect/administrator                                   311G  3.62T      294G  /mnt/dozer/tmprotect/administrator
dozer/tmprotect/alexmac                                        7.15G  3.62T     7.15G  /mnt/dozer/tmprotect/alexmac
dozer/tmprotect/joshuamac                                      7.11G  3.62T     7.11G  /mnt/dozer/tmprotect/joshuamac
dozer/tmprotect/minitm                                         8.34G  3.62T     8.34G  /mnt/dozer/tmprotect/minitm
dozer/tmprotect/smbuser                                        64.7G  3.62T     64.7G  /mnt/dozer/tmprotect/smbuser


This means that each mac will only have access to its own time machine dataset through a single SMB share. Since they are separate datasets, it means that if push comes to shove, you can rollback to the last known-good snapshot without impacting other backups.
 

Glorious1

Thank you @anodos for all the detail. I think I managed to match the GUI settings with the command output you showed. I am failing at finding any advertisement of a share, although the command with a bare -B option can see my networked printer.
Code:
JimsMBPro:~ jim$  dns-sd -B _adisk.tcp.
Browsing for _adisk.tcp.
DNSServiceBrowse failed -65540

JimsMBPro:~ jim$  dns-sd -B
Browsing for _http._tcp
DATE: ---Tue 04 Jan 2022---
 9:28:05.182  ...STARTING...
Timestamp     A/R    Flags  if Domain               Service Type         Instance Name
 9:28:05.183  Add        2   8 local.               _http._tcp.          Brother MFC-9840CDW

I enabled another SMB share and enabled AFP and some of its shares, but I couldn't detect them with that command. I verified that the Workgroup is "WORKGROUP" in both TrueNAS SMB settings and the Mac Network > WINS settings. I don't know what might be disabling the advertising.

Full disclosure: I think I followed everything exactly except I didn't create smbuser or minitm. I don't understand what role those users play and was hoping it would work via the built-in-user group and not need extra users. I don't imagine that should prevent the advertising.
Code:
Tabernacle:/mnt/Ark$ getfacl /mnt/Ark
# file: /mnt/Ark
# owner: root
# group: wheel
            owner@:rwxp--aARWcCos:-------:allow
            group@:r-x---a-R-c--s:-------:allow
         everyone@:r-x---a-R-c--s:-------:allow
Tabernacle:/mnt/Ark$ getfacl /mnt/Ark/Time
# file: /mnt/Ark/Time
# owner: root
# group: wheel
            owner@:rwxpDdaARWcCos:fd-----:allow
            group@:rwxpDdaARWcCos:fd-----:allow
group:builtin_users:rwxpDdaARWc--s:fd-----:allow
         everyone@:--------------:fd-----:allow

And this hefty command:
Code:
Tabernacle:/mnt/Ark$ sudo midclt call sharing.smb.query '[["name", "=", "Time"]]' | jq
Password:
[
  {
    "id": 2,
    "purpose": "ENHANCED_TIMEMACHINE",
    "path": "/mnt/Ark/Time",
    "path_suffix": "%U",
    "home": false,
    "name": "Time",
    "comment": "Time machine share (multi-user)",
    "ro": false,
    "browsable": true,
    "recyclebin": false,
    "guestok": false,
    "hostsallow": [],
    "hostsdeny": [],
    "auxsmbconf": "",
    "aapl_name_mangling": false,
    "abe": false,
    "acl": true,
    "durablehandle": true,
    "streams": true,
    "timemachine": true,
    "vuid": "e5a165ed-b78d-428d-9635-584188b13cd1",
    "shadowcopy": true,
    "fsrvp": false,
    "enabled": true,
    "locked": false
  }
]
 

Glorious1

Looks like avahi is starting fine, but dns-sd still fails on the mac end. And no destination in Time Machine.
Code:
Tabernacle:/mnt/Ark$ sudo avahi-daemon --debug
Found user 'avahi' (UID 200) and group 'avahi' (GID 200).
Successfully dropped root privileges.
avahi-daemon 0.7 starting up.
Loading service file /usr/local/etc/avahi/services/ADISK.service.
Loading service file /usr/local/etc/avahi/services/AFPOVERTCP.service.
Loading service file /usr/local/etc/avahi/services/DEV_INFO.service.
Loading service file /usr/local/etc/avahi/services/HTTP.service.
Loading service file /usr/local/etc/avahi/services/HTTPS.service.
Loading service file /usr/local/etc/avahi/services/MIDDLEWARE.service.
Loading service file /usr/local/etc/avahi/services/MIDDLEWARE_SSL.service.
Loading service file /usr/local/etc/avahi/services/NFS.service.
Loading service file /usr/local/etc/avahi/services/SFTP_SSH.service.
Loading service file /usr/local/etc/avahi/services/SMB.service.
Loading service file /usr/local/etc/avahi/services/SSH.service.
Joining mDNS multicast group on interface igb0.IPv4 with address 192.168.0.105.
New relevant interface igb0.IPv4 for mDNS.
Network interface enumeration completed.
Registering new address record for 192.168.0.105 on igb0.IPv4.
Registering new address record for 192.168.0.102 on igb0.IPv4.
Server startup complete. Host name is Tabernacle.local. Local service cookie is 2446542334.
Service "Tabernacle" (/usr/local/etc/avahi/services/SSH.service) successfully established.
Service "Tabernacle" (/usr/local/etc/avahi/services/SMB.service) successfully established.
Service "Tabernacle" (/usr/local/etc/avahi/services/SFTP_SSH.service) successfully established.
Service "Tabernacle" (/usr/local/etc/avahi/services/NFS.service) successfully established.
Service "Tabernacle" (/usr/local/etc/avahi/services/MIDDLEWARE_SSL.service) successfully established.
Service "Tabernacle" (/usr/local/etc/avahi/services/MIDDLEWARE.service) successfully established.
Service "Tabernacle" (/usr/local/etc/avahi/services/HTTPS.service) successfully established.
Service "Tabernacle" (/usr/local/etc/avahi/services/HTTP.service) successfully established.
Service "Tabernacle" (/usr/local/etc/avahi/services/DEV_INFO.service) successfully established.
Service "Tabernacle" (/usr/local/etc/avahi/services/AFPOVERTCP.service) successfully established.
Service "Tabernacle" (/usr/local/etc/avahi/services/ADISK.service) successfully established.

192.168.0.102 is the main TrueNAS ip, .105 is one of the jails.
 

Glorious1

That's better. It shows the server. Is it supposed to show individual shares?

Code:
JimsMBPro:~ jim$  dns-sd -B _adisk._tcp.
Browsing for _adisk._tcp.
DATE: ---Tue 04 Jan 2022---
10:41:21.713  ...STARTING...
Timestamp     A/R    Flags  if Domain               Service Type         Instance Name
10:41:21.714  Add        2   8 local.               _adisk._tcp.         Tabernacle

 

anodos

Glorious1 said:
That's better. It shows the server. Is it supposed to show individual shares?

No. You need to parse the mDNS txt record to see that.
Code:
Andrews-MacBook-Pro:~ awalker$ dns-sd -L homenas _adisk._tcp.
Lookup homenas._adisk._tcp..local
DATE: ---Tue 04 Jan 2022---
13:48:47.691  ...STARTING...
13:48:47.692  homenas._adisk._tcp.local. can be reached at homenas.local.:9 (interface 13) Flags: 1
 sys=waMa=0,adVF=0x100 dk0=adVN=tmprotect,adVF=0x82,adVU=a264f474-8611-419a-a6b7-57c071a61600 dk1=adVN=TM_SMB,adVF=0x82,adVU=c398844e-5eb1-495c-8502-16566d867f1f
13:48:47.692  homenas._adisk._tcp.local. can be reached at homenas.local.:9 (interface 4) Flags: 1
 sys=waMa=0,adVF=0x100 dk0=adVN=tmprotect,adVF=0x82,adVU=a264f474-8611-419a-a6b7-57c071a61600 dk1=adVN=TM_SMB,adVF=0x82,adVU=c398844e-5eb1-495c-8502-16566d867f1f
13:48:47.692  homenas._adisk._tcp.local. can be reached at homenas.local.:9 (interface 18)
 sys=waMa=0,adVF=0x100 dk0=adVN=tmprotect,adVF=0x82,adVU=a264f474-8611-419a-a6b7-57c071a61600 dk1=adVN=TM_SMB,adVF=0x82,adVU=c398844e-5eb1-495c-8502-16566d867f1f


Above output shows three separate interfaces, and the server has two separate time machine shares (dk0, dk1). adVF=0x82 == SMB time machine share.
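The TXT record above can be compared with the share configuration from the earlier `midclt call sharing.smb.query` output. This is an added example, not part of the original posts: it parses the `dkN` entries and reports Time Machine shares that are configured but not advertised, or advertised with a different UUID or flags. The function names are hypothetical and share names are assumed to contain no spaces.

```python
import json
import re

SMB_TM_FLAGS = 0x82  # per the post above: adVF=0x82 == SMB time machine share

# TXT line copied from the `dns-sd -L homenas _adisk._tcp.` output above.
TXT = ("sys=waMa=0,adVF=0x100 "
       "dk0=adVN=tmprotect,adVF=0x82,adVU=a264f474-8611-419a-a6b7-57c071a61600 "
       "dk1=adVN=TM_SMB,adVF=0x82,adVU=c398844e-5eb1-495c-8502-16566d867f1f")

# Abridged from the two sharing.smb.query outputs in the thread.
HOMENAS_SHARES = json.loads(
    '[{"name": "tmprotect", "timemachine": true, "enabled": true,'
    ' "vuid": "a264f474-8611-419a-a6b7-57c071a61600"}]')
TABERNACLE_SHARES = json.loads(
    '[{"name": "Time", "timemachine": true, "enabled": true,'
    ' "vuid": "e5a165ed-b78d-428d-9635-584188b13cd1"}]')


def parse_adisk_txt(txt):
    """Return {share name: {"flags": int, "uuid": str}} for each dkN entry."""
    volumes = {}
    for token in txt.split():          # assumes share names contain no spaces
        key, _, value = token.partition("=")
        if not re.fullmatch(r"dk\d+", key):
            continue                   # skip sys=... and anything unrecognised
        fields = dict(f.split("=", 1) for f in value.split(",") if "=" in f)
        if "adVN" in fields:
            volumes[fields["adVN"]] = {
                "flags": int(fields.get("adVF", "0"), 16),
                "uuid": fields.get("adVU"),
            }
    return volumes


def check_advertisement(shares, txt):
    """List enabled Time Machine shares whose advertisement is missing or off."""
    volumes = parse_adisk_txt(txt)
    findings = []
    for share in shares:
        if not (share.get("timemachine") and share.get("enabled")):
            continue
        adv = volumes.get(share["name"])
        if adv is None:
            findings.append(f"{share['name']}: not advertised")
        elif adv["uuid"] != share["vuid"]:
            findings.append(f"{share['name']}: adVU differs from configured vuid")
        elif adv["flags"] != SMB_TM_FLAGS:
            findings.append(f"{share['name']}: adVF is {adv['flags']:#x}, not 0x82")
    return findings


if __name__ == "__main__":
    print(check_advertisement(HOMENAS_SHARES, TXT))   # advertised as configured
    print(check_advertisement(TABERNACLE_SHARES, ""))  # lookup returned no TXT
```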
 

Glorious1

<sigh>
Assuming homenas is the hostname, (or share names I tried), I'm finding nothing.
Code:
JimsMBPro:~ jim$ dns-sd -L Tabernacle _adisk._tcp.
Lookup Tabernacle._adisk._tcp..local
DATE: ---Tue 04 Jan 2022---
11:18:56.021  ...STARTING...


But now, when I go back to the -B command that found Tabernacle, it finds nothing either, even after restarting avahi again.
Code:
JimsMBPro:~ jim$ dns-sd -B _adisk._tcp.
Browsing for _adisk._tcp.
DATE: ---Tue 04 Jan 2022---
11:17:55.203  ...STARTING...
^C

</sigh>
 

Glorious1

I've got Macs advertising both SMB and AFP services, but can't get anything out of the TrueNAS server, which has both AFP and SMB shares turned on. I can connect to those shares directly with Connect to Server . . . . I've rebooted the server, stopped and started avahi, and logged out and back into the Mac. No change.
Code:
JimsMBPro:~ jim$ dns-sd -t 5 -B _smb._tcp.
Browsing for _smb._tcp.
DATE: ---Wed 05 Jan 2022---
11:35:57.963  ...STARTING...
Timestamp     A/R    Flags  if Domain               Service Type         Instance Name
11:35:57.964  Add        2   8 local.               _smb._tcp.           MiniMac

JimsMBPro:~ jim$ dns-sd -t 5 -B _afpovertcp._tcp.
Browsing for _afpovertcp._tcp.
DATE: ---Wed 05 Jan 2022---
11:36:22.538  ...STARTING...
Timestamp     A/R    Flags  if Domain               Service Type         Instance Name
11:36:22.539  Add        2   8 local.               _afpovertcp._tcp.    ShulingsMBA

JimsMBPro:~ jim$ dns-sd -t 5 -B _adisk._tcp.
Browsing for _adisk._tcp.
DATE: ---Wed 05 Jan 2022---
11:37:30.470  ...STARTING...
JimsMBPro:~ jim$
 

awasb

Patron
Joined
Jan 11, 2021
Messages
415
Please check the GUI ...

Is

Network -> Global Configuration -> mDNS

enabled?
 

Glorious1

Thanks @awasb, I was unaware of that setting. It was enabled. Just for good measure I toggled and saved, but still nothing.

I'm wondering if avahi is not working right in my environment. Their GitHub page shows a lot of unaddressed issues.

EDIT:
This is strange but an improvement. After toggling that setting, although the dns-sd commands on the Mac still find nothing, the server appeared in the Finder window sidebar and contains the two SMB shares (but strangely still not the AFP shares). The time machine directory appears in Time Machine for selection. After doing so, it still is saying "Looking for backup disk . . ." ad infinitum.

I tried ejecting the time machine share, lo and behold the AFP shares appeared. I remounted it and they disappeared. Anyway, still can't back up.
 

Glorious1

Getting puzzleder and puzzleder. I now have two SMB shares named Ark.Test and Time (the supposed time machine target).

On the mac, I have two terminal sessions running dns-sd -B _adisk._tcp. and dns-sd -B _smb._tcp., leaving them running to detect any advertisements. At first they find nothing.

At first Finder does not see the shares at all. I mount Ark.Test via Connect to Server. Finder then shows this:
[Screenshot: Screen Shot 2022-01-05 at 5.45.14 PM.png]

Nothing has changed in terminal (except MiniMac was detected under dns-sd -B _smb._tcp. about the time it appeared in the Finder). Time is obviously detected but dns-sd doesn't know. And Time Machine doesn't offer Time as a target.
 

awasb

With Big Sur (and early minor revisions, that is) problems of that sort arose over here as well. Please open the terminal on your mac and check:

Code:
mount


There should be exactly two volumes per machine: one for the actual time machine network share mount, and one for the sparse bundle within that share. If you see more than two, u(n)mount _all_ of them, remove the time machine config from the machine via -> time machine pref pane -> "choose volume" -> "$yourvolume" -> "remove volume", reboot the mac and start over with adding the volume with the machine credentials. (It will resume already existing backups, if they were sane.)

As a general hint in case you're running more than one mac: Define one smb-user per machine on the backup server. (I'm using the machine names of the macs, just for convenience. The datasets as the logs will be more "readable"/clear.)
 

Glorious1

Well duh. I guess all that was needed was rebooting the mac. I've been logging out and back in, thinking that would reset anything that went awry. Thanks for triggering a reboot. It's making a first new backup now.

I don't follow why you need a separate smb-user account for backups. Why not just use the user whose mac it is?
 

awasb

privilege separation :wink:

(And since machines get backed up, not user accounts ...)
 