Lorenzo Perone
2025-Oct-13 12:25 UTC
[Samba] Inquiry: Samba and xattr with vfs_fruit on FreeBSD / ZFS (macOS Finder metadata problem)
Hello Samba and FreeBSD Samba Teams (as well as samba admins that might have experiences and/or advice to share) :)

I have an issue that is driving me crazy and really acting as a time grave. Maybe someone can help. I googled, intensively chatted with CGPT, before reaching out, but I'm out of ideas.

I am running Samba (samba420-4.20.7_10) on FreeBSD (14.3) + OpenZFS (2.2.6), using vfs_fruit in an attempt to provide seamless Apple SMB metadata support (Finder labels, tags, etc.).

My setup is samba420 in a FreeBSD Jail under ZFS and with the use of LDAP/ACLs (passdb backend = ldapsam:...)

I'm trying to produce a setup that will support Mac and Windows clients, in a way that does not produce errors on the clients and does not clutter the server with ._xxx AppleDouble files.

I applied the following procedure during testing of different settings, at each round:

0) (with samba off)
1) Remove all rights and ACLs on the interested dir
2) re-set them according to my rules
3) Remove all xattrs and ._ files recursively
4) Start Samba
5) Connect a mac client
   (always with a new name to avoid caching:
   t1.server.tld, t2.server.tld, etc)
6) Set a color label on the same folder
7) See results / logs / filesystem changes
8) Stop Samba + Disconnect mac Client
9) Change settings
10) goto 1

Mac Finder Labels (e.g. colored tags) are written - I can see the extended attribute, either as DosStream.com.apple.metadata:_kMDItemUserTags or as org.netatalk.Metadata - but Finder seems not to read them back, falling back to creating AppleDouble ._ files.

Attempts to use fruit:metadata = netatalk with resource = xattr have led to crashes (segfaults) in adouble_open_from_base_fsp() under FreeBSD, at least in some cases (can't reproduce this atm).

In summary: no stable, clean operation exists (no ._ files, correct read/write of Finder metadata) on FreeBSD / ZFS in my setup.

I think I tried almost every combination of fruit:metadata, fruit:resource and other settings, as well as cleaning up ACLs/POSIX rights, restarting, remounting at every attempt..

Given this, I'd like to ask:

Is there any working config with FreeBSD/ZFS and Samba that honors Mac clients without making it a horrible experience for Windows / Linux clients (AppleDouble files)?

Are there ongoing or planned upstream efforts to fix the FreeBSD / ZFS + xattr / vfs_fruit story - particularly metadata read-back (stream enumeration) and avoidance of AppleDouble fallback (_if_ that's the real problem)?

I'd be happy to provide traces (SMB logs, or any other requested detail), minimal reproducer configs, or even help apply FreeBSD-specific patches if anyone wishes. If you prefer a particular format or repository for submitting test cases or patches, I'd be glad to follow.
Some details are provided below.

Thank you for your work on Samba and vfs_fruit, the FreeBSD port, and thank you in advance for any pointers or guidance you can share.

Best regards,

Lorenzo
seasoned FreeBSD and Samba admin

=== Details ===:

This is with:
fruit:metadata = stream
fruit:resource = stream

Excerpt of log.smbd
(with log level = 2 vfs_fruit:5):

Setting a Finder label on the folder Projs/Proj_1/Proj1_Subdir:

testa opened file Projs/Proj_1/Proj1_Subdir:com.apple.metadata<U+F022>_kMDItemUserTags read=No write=Yes (numopen=7)
[2025/10/13 12:44:44.110842, 2] ../../source3/smbd/close.c:938(close_normal_file)
testa closed file Projs/Proj_1/Proj1_Subdir:com.apple.metadata<U+F022>_kMDItemUserTags (numopen=5) NT_STATUS_OK
[2025/10/13 12:44:44.111247, 2] ../../source3/smbd/open.c:1608(open_file)
testa opened file Projs/Proj_1/Proj1_Subdir:AFP_AfpInfo:$DATA read=No write=Yes (numopen=7)
[2025/10/13 12:44:44.111449, 2] ../../source3/smbd/close.c:938(close_normal_file)
testa closed file Projs/Proj_1/Proj1_Subdir:AFP_AfpInfo:$DATA (numopen=5) NT_STATUS_OK
[2025/10/13 12:44:44.111877, 2] ../../source3/smbd/open.c:1608(open_file)
testa opened file Projs/Proj_1/Proj1_Subdir:AFP_AfpInfo read=Yes write=No (numopen=6)
[2025/10/13 12:44:44.111968, 2] ../../source3/smbd/close.c:938(close_normal_file)
testa closed file Projs/Proj_1/Proj1_Subdir:AFP_AfpInfo (numopen=4) NT_STATUS_OK
[2025/10/13 12:44:44.139762, 2] ../../source3/smbd/open.c:1608(open_file)
testa opened file Projs/Proj_1/._Proj1_Subdir read=Yes write=No (numopen=3)

Details after this on the filesystem:

root# lsextattr user /Shares/Projekte/Projs/Proj_1/Proj1_Subdir DosStream.com.apple.metadata:_kMDItemUserTags DosStream.AFP_AfpInfo

root# ls -al /Shares/Projs/Proj_1
-rwxrwx---+ 1 testa prj_00001 368 Oct 13 12:44 ._Proj1_Subdir

testparm (the current one..)

[global]
    bind interfaces only = Yes
    disable netbios = Yes
    dns proxy = No
    domain master = Yes
    get quota command = /usr/local/sbin/query_quota
    interfaces = ix0 ix1
    ldap admin dn = uid=samba-admin,ou=System,dc=<redacted>
    ldap group suffix = cn=groups
    ldap machine suffix = ou=Computers
    ldap passwd sync = yes
    ldap ssl = no
    ldap suffix = dc=<redacted>
    ldap user suffix = cn=users
    local master = No
    netbios name = <redacted>
    obey pam restrictions = Yes
    passdb backend = ldapsam:ldap://<redacted>
    preferred master = Yes
    security = USER
    server string = <redacted>
    smb1 unix extensions = No
    winbind enum groups = Yes
    winbind enum users = Yes
    winbind nss info = rfc2307
    winbind use default domain = Yes
    workgroup = <redacted>
    idmap config * : ldap_user_dn = samba-admin,ou=System,dc=<redacted>
    idmap config * : range = 500-999999
    streams_xattr:xattr_compat = no # also tried with "yes"
    streams_xattr:store_stream_type = no # also tried with "yes"
    nfs4:chown = true
    fruit:model = MacPro7,1@ECOLOR=226,226,224
    fruit:posix_rename = yes
    fruit:copyfile = yes
    fruit:encoding = native
    fruit:resource = stream
    fruit:metadata = stream
    idmap config * : backend = tdb
    access based share enum = Yes
    block size = 4096
    create mask = 0660
    directory mask = 02770
    force create mode = 0660
    force directory mode = 02770
    fstype = ZFS
    hide unreadable = Yes
    hosts allow = <redacted>
    include = /usr/local/etc/smb4-shares.test.conf
    store dos attributes = No
    strict sync = No
    use sendfile = Yes
    vfs objects = catia fruit zfsacl streams_xattr

ZFS Dataset settings:

root# zfs get all hktank/jails/sambajail | egrep 'xattr|dnodesize|relatime|acl'
hktank/jails/sambajail aclmode restricted
hktank/jails/sambajail aclinherit passthrough
hktank/jails/sambajail xattr sa
hktank/jails/sambajail dnodesize auto
hktank/jails/sambajail acltype nfsv4
hktank/jails/sambajail relatime on

root# zfs get all hktank/content/Shares/ProjekteACLTest | egrep 'xattr|dnodesize|relatime|acl'
hktank/content/Shares/Projs aclmode restricted
hktank/content/Shares/Projs aclinherit passthrough
hktank/content/Shares/Projs xattr sa
hktank/content/Shares/Projs dnodesize auto
hktank/content/Shares/Projs acltype nfsv4
hktank/content/Shares/Projs relatime on

(the latter is mounted as /Shares in the sambajail)

-----

Additional behavioral notes:

With

fruit:metadata = netatalk (default), and
fruit:resource = stream

We get no errors from the Finder, the label is set; remounting the share does not show any label when previously removing ._Proj1_Subdir appledouble file (and restarting samba_server)

Check on the filesystem shows:

root# lsextattr user /Shares/Projekte/Projs/Proj_1/Proj1_Subdir org.netatalk.Metadata

root# ls -al /Shares/Projs/Proj_1
-rwxrwx---+ 1 testa prj_00001 368 Oct 13 13:44 ._Proj1_Subdir

(the AppleDouble is just 368 bytes)

-----

With:

fruit:metadata = netatalk (default), and
fruit:resource = xattr (experimental setting as of manual)

We get Finder error code -8058, the label is set; remounting the share does not show any label when previously removing ._Proj1_Subdir appledouble file (and restarting samba_server)

root# lsextattr user /Shares/Projekte/Projs/Proj_1/Proj1_Subdir org.netatalk.Metadata

root# ls -al /Shares/Projs/Proj_1
-rwxrwx---+ 1 testa prj_00001 4096 Oct 13 14:00 ._Proj1_Subdir

(the AppleDouble is 4K)

---

Final detail - my ACLs on /Shares/Projekte/Projs/Proj_1
(and /Shares/Projekte/Projs/Proj_1/Proj1_Subdir):

# owner: ceo
# group: prj_00001
everyone@:--------------:fd-----:deny
owner@:rwxpDdaARWcCos:fd-----:allow
group@:rwxpDdaARWcCos:fd-----:allow
everyone@:------a-R-c--s:-------:allow
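
Added example, not part of the original post or of Samba: a Python triage script for the log pattern in the message above, where named-stream opens on a folder are followed by an open of its ._ AppleDouble file. It assumes the level-2 "opened file" message format shown in the excerpt; the function names are illustrative and the embedded sample is constructed from the quoted lines.

```python
import posixpath
import re
from collections import defaultdict

# Constructed sample: open/close lines taken from the log excerpt in the post
# ("<U+F022>" kept literally as it appears there); some header lines omitted.
SAMPLE_LOG = """\
testa opened file Projs/Proj_1/Proj1_Subdir:com.apple.metadata<U+F022>_kMDItemUserTags read=No write=Yes (numopen=7)
[2025/10/13 12:44:44.110842, 2] ../../source3/smbd/close.c:938(close_normal_file)
testa closed file Projs/Proj_1/Proj1_Subdir:com.apple.metadata<U+F022>_kMDItemUserTags (numopen=5) NT_STATUS_OK
[2025/10/13 12:44:44.111247, 2] ../../source3/smbd/open.c:1608(open_file)
testa opened file Projs/Proj_1/Proj1_Subdir:AFP_AfpInfo:$DATA read=No write=Yes (numopen=7)
[2025/10/13 12:44:44.111877, 2] ../../source3/smbd/open.c:1608(open_file)
testa opened file Projs/Proj_1/Proj1_Subdir:AFP_AfpInfo read=Yes write=No (numopen=6)
[2025/10/13 12:44:44.139762, 2] ../../source3/smbd/open.c:1608(open_file)
testa opened file Projs/Proj_1/._Proj1_Subdir read=Yes write=No (numopen=3)
"""

# Matches only the "opened file" message; headers and "closed file" are skipped.
OPEN_RE = re.compile(
    r"^\s*(?P<user>\S+) opened file (?P<path>.+?) "
    r"read=(?P<r>Yes|No) write=(?P<w>Yes|No) \(numopen=\d+\)\s*$"
)


def split_stream(path):
    """Split 'dir/name:stream[:$DATA]' into (file path, stream name or None)."""
    directory, base = posixpath.split(path)
    name, _, stream = base.partition(":")
    if stream.endswith(":$DATA"):
        stream = stream[: -len(":$DATA")]
    return posixpath.join(directory, name), (stream or None)


def find_sidecar_fallback(log_text):
    """Return one finding per '._name' open that follows named-stream opens
    on 'name' in the same directory, with the streams seen up to that point."""
    streams_seen = defaultdict(list)  # file path -> [(stream, "r"/"w"/"rw")]
    findings = []
    for line in log_text.splitlines():
        m = OPEN_RE.match(line)
        if not m:
            continue
        path, stream = split_stream(m["path"])
        mode = ("r" if m["r"] == "Yes" else "") + ("w" if m["w"] == "Yes" else "")
        directory, base = posixpath.split(path)
        if stream is not None:
            streams_seen[path].append((stream, mode))
        elif base.startswith("._") and len(base) > 2:
            target = posixpath.join(directory, base[2:])
            if streams_seen.get(target):
                findings.append({
                    "user": m["user"],
                    "target": target,
                    "sidecar": path,
                    "sidecar_mode": mode,
                    "streams": list(streams_seen[target]),
                })
    return findings


if __name__ == "__main__":
    for f in find_sidecar_fallback(SAMPLE_LOG):
        print(f"{f['user']}: {f['sidecar']} opened ({f['sidecar_mode']}) after streams on {f['target']}:")
        for stream, mode in f["streams"]:
            print(f"  {mode:2} {stream}")
```

Run against the log.smbd of each test round, an empty result means the client did not touch a sidecar file for any path whose streams it had opened.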
Andrea Venturoli
2025-Oct-13 13:26 UTC
[Samba] Inquiry: Samba and xattr with vfs_fruit on FreeBSD / ZFS (macOS Finder metadata problem)
On 10/13/25 14:25, Lorenzo Perone via samba wrote:

> Hello Samba and FreeBSD Samba Teams (as well as samba admins that might
> have experiences and/or advice to share) :)

Hello.

> I have an issue that is driving me crazy and really acting as a time
> grave. Maybe someone can help.

I'll tell you what I know/use.
Can't help with the rest, but if you have any further specific question maybe I can check my settings.

> I am running Samba (samba420-4.20.7_10) on FreeBSD (14.3) + OpenZFS
> (2.2.6)

Same here, but "zfs version" gives 2.2.7! Why does yours differ (on 14.3)?

> My setup is samba420 in a FreeBSD Jail under ZFS

Same here.

> and with the use of LDAP/ACLs (passdb backend = ldapsam:...)

I'm using "security=ADS", but this should not matter.
I'm not using ACLs, though: I think this still shouldn't matter, but I'm not sure.

> Is there any working config with FreeBSD/ZFS and Samba that honors Mac
> clients without making it a horrible experience for Windows / Linux
> clients (AppleDouble files)?

I use:
vfs objects=fruit streams_xattr shadow_copy2 full_audit
fruit:wipe_intentionally_left_blank_rfork = yes
fruit:delete_empty_adfiles = yes
fruit:nfs_aces=no
fruit:metadata = stream
fruit:encoding = native
fruit:resource = xattr
fruit:nfs_aces = no

I don't have any AppleDouble file, but I see .DS_Store files. Not sure if that is acceptable for you.
I do see DosStream.com.apple.metadata:_kMDItemUserTags.
I'm not sure my users can work with tags properly (I'm not there to try).

bye
av.
Perttu Aaltonen
2025-Oct-13 14:57 UTC
[Samba] Inquiry: Samba and xattr with vfs_fruit on FreeBSD / ZFS (macOS Finder metadata problem)
Hi,

While I'm not a Samba expert or a developer, a few things came to mind.

Do you know if fruit:resource = xattr and large xattr support is actually implemented on FreeBSD? The fruit man page only talks about Solaris derivatives.

With veto_appledouble = yes (the default), I don't think you should see the ._ files from the client side with fruit:resource = file.

I wonder if this is related to the issues I've seen with folder icons on a Linux Samba server:
https://bugzilla.samba.org/show_bug.cgi?id=15013

As a test could you test with:
fruit:resource = file
fruit:encoding = native / private
fruit:veto_appledouble = no

Just to see if it works then. This works for me with Samba 4.22 but on 4.20 I couldn't get it to work at all IIRC.

Also try if copying a file with tags or labels work instead of applying them directly on the server. Would be interesting to know if this is the same issue I've seen. I haven't tested with tags and labels, only with icons.

Regards,
Perttu

> On 13. Oct 2025, at 15.25, Lorenzo Perone via samba <samba at lists.samba.org> wrote:
>
> Hello Samba and FreeBSD Samba Teams (as well as samba admins that might have experiences and/or advice to share) :)
>
> I have an issue that is driving me crazy and really acting as a time grave. Maybe someone can help. I googled, intensively chatted with CGPT, before reaching out, but I'm out of ideas.
>
> I am running Samba (samba420-4.20.7_10) on FreeBSD (14.3) + OpenZFS (2.2.6), using vfs_fruit in an attempt to provide seamless Apple SMB metadata support (Finder labels, tags, etc.).
>
> My setup is samba420 in a FreeBSD Jail under ZFS and with the use of LDAP/ACLs (passdb backend = ldapsam:...)
>
> I'm trying to produce a setup that will support Mac and Windows clients, in a way that does not produce errors on the clients and does not clutter the server with ._xxx AppleDouble files.
Rowland Penny
2025-Oct-13 15:29 UTC
[Samba] Inquiry: Samba and xattr with vfs_fruit on FreeBSD / ZFS (macOS Finder metadata problem)
On Mon, 13 Oct 2025 14:25:49 +0200
Lorenzo Perone via samba <samba at lists.samba.org> wrote:

> Hello Samba and FreeBSD Samba Teams (as well as samba admins that
> might have experiences and/or advice to share) :)
>
> I have an issue that is driving me crazy and really acting as a time
> grave. Maybe someone can help. I googled, intensively chatted with
> CGPT, before reaching out, but I'm out of ideas.
>
> I am running Samba (samba420-4.20.7_10) on FreeBSD (14.3) + OpenZFS
> (2.2.6), using vfs_fruit in an attempt to provide seamless Apple SMB
> metadata support (Finder labels, tags, etc.).
>
> My setup is samba420 in a FreeBSD Jail under ZFS and with the use of
> LDAP/ACLs (passdb backend = ldapsam:...)
>

You appear to be trying to set up something akin to an old NT4-style PDC, but without SMBv1, not sure if this is going to work and it has been years since I even tried. It would probably make more sense to set up an AD DC, but if you must persevere, then can I suggest you read 'man idmap_ldap' and 'man smb.conf'.

Rowland
Lorenzo Perone
2025-Oct-15 12:26 UTC
[Samba] Inquiry: Samba and xattr with vfs_fruit on FreeBSD / ZFS (macOS Finder metadata problem)
Hi and Thanx for taking your time!

On 10/13/25 16:57, Perttu Aaltonen via samba wrote:

> Do you know if fruit:resource = xattr and large xattr support is actually implemented on FreeBSD? The fruit man page only talks about Solaris derivatives.

I am not 100% sure, but with dnodesize=auto it should also handle large xattr. But I have to find yet a more authoritative page.

> With veto_appledouble = yes (the default), I don't think you should see the ._ files from the client side with fruit:resource = file.
>
> I wonder if this is related to the issues I've seen with folder icons on a Linux Samba server:
> https://bugzilla.samba.org/show_bug.cgi?id=15013
>
> As a test could you test with:
> fruit:resource = file
> fruit:encoding = native / private
> fruit:veto_appledouble = no

With this setting (+: fruit:metadata = netatalk),

Finder spits out an error dialogue (Error -8058)
xattr is created (but not read back)
annoying sidecar file is created (368 bytes long)

With

fruit:metadata = netatalk
fruit:resource = file
fruit:encoding = native
fruit:veto_appledouble = yes

Nothing is created, but Finder brings up a "sudo window" requiring biometrics or admin password (which makes no sense, since it is not local)

> Just to see if it works then. This works for me with Samba 4.22 but on 4.20 I couldn't get it to work at all IIRC.

I will try again with 4.22 as soon as the port is out. I've seen it has many FreeBSD patches in files/ and fear the rabbit hole waiting for me there.

> Also try if copying a file with tags or labels works instead of applying them directly on the server. Would be interesting to know if this is the same issue I've seen. I haven't tested with tags and labels, only with icons.

On 10/13/25 15:26, Andrea Venturoli wrote:

>
> Same here, but "zfs version" gives 2.2.7! Why does yours differ (on 14.3)?

Sorry, I realized I copied the zfs version from a FreeBSD 14.2 host. 14.3 has 2.2.7. Sorry for the confusion.

>> and with the use of LDAP/ACLs (passdb backend = ldapsam:...)
>
> I'm using "security=ADS", but this should not matter.
> I'm not using ACLs, though: I think this still shouldn't matter, but I'm
> not sure.

I cannot switch over to ADS just yet in that environment. Too many other services are binding to OpenLDAP at this stage. I also don't think that this should be an issue - although, in samba / smb / ad land, many things are tied together, so it could be an issue.

>> Is there any working config with FreeBSD/ZFS and Samba that honors Mac
>> clients without making it a horrible experience for Windows / Linux
>> clients (AppleDouble files)?
>
> I use:
> vfs objects=fruit streams_xattr shadow_copy2 full_audit
> fruit:wipe_intentionally_left_blank_rfork = yes
> fruit:delete_empty_adfiles = yes
> fruit:nfs_aces=no
> fruit:metadata = stream
> fruit:encoding = native
> fruit:resource = xattr
> fruit:nfs_aces = no

This combination works at least without leaving sidecar files around (which is one of my main goals), and /for the most time/, Finder is not displaying any error when setting labels. In most cases, the xattr 'DosStream.com.apple.metadata:_kMDItemUserTags:$DATA' is set (and seemingly with the right label, when reading it from the terminal), but it is not read back from the Finder (or sent back by smbd).

This is a viable compromise, at least one worth testing out (thanx Andrea).

But still, it would be nice if the DosStream.com.apple.metadata:_kMDItemUserTags:$DATA were read back. From what I can see on log.smbd and testing enumeration with smbclient allinfo, the xattr is never listed as an ADS. I was about to try patching it (finding where the enumeration gets lost), but I see that the FreeBSD port already has around 30 patches in place.

I'm giving up on Finder tags/labels for now. At least, it doesn't clutter the filesystem with sidecar files for now.

If any dev (particularly on samba at freebsd.org) does have a clue or can use help testing a patch, I'll be more than glad to set it up.

Best Regards,

Lorenzo

Thanx to any one