docker-timemachine: Big Sur changes to Time Machine causing permissions error on first backup

Getting a “permission denied” error when trying to create a backup for the first time from Big Sur. Looks like this is a common problem caused by Apple changing something without telling anyone, and seems to be fixed by adding some options to the smb.conf, apparently the most central being adding acl_xattr to vfs objects =. Check out https://developer.apple.com/forums/thread/666293

Adding catia to vfs objects may be a good idea too, I keep seeing it everywhere for Time Machine purposes:

As an inheritance from Windows some characters (such as the colon :) are illegal in SMB, while they are allowed on both macOS and Linux. This means that in order to transfer them over SMB they need to be encoded somehow, and Time Machine uses a private Unicode range for this. This is totally fine, but can (allegedly) look a bit weird if listing the files on the server. So, optionally the catia module can be used to reverse this encoding server side.

But that may come with other strings attached (some say you also have to add fruit:encoding = native when you use it?), and it’s irrelevant for this issue, I think.

About this issue

  • State: closed
  • Created 4 years ago
  • Comments: 21 (8 by maintainers)

Most upvoted comments

Thanks for reporting. I’ve seen conflicting information about catia as I actually removed it relatively recently via https://github.com/mbentley/docker-timemachine/commit/028d0e704edd7025ce4fe3a4fd7561db9abe6240 based on the Samba wiki. I didn’t have any issues when catia was included or excluded, at least with an existing time machine backup.

I just created #70 which allows you to set variables to customize the values mentioned. I created and pushed a docker image to test: mbentley/timemachine:smb-pr70. There are three new variables that default to the following values which you can customize to change the settings as needed:

  -e SMB_INHERIT_PERMISSIONS="no" \
  -e SMB_NFS_ACES="yes" \
  -e SMB_VFS_OBJECTS="fruit streams_xattr" \

If you could, give that a shot and let me know if that works for you. I can add a variable for fruit:encoding but there are potential issues with adding it if users try to change it without understanding the impact of doing so. Per the Samba docs on vfs_fruit:

fruit:encoding = [ native | private ] Controls how the set of illegal NTFS ASCII character, commonly used by OS X clients, are stored in the filesystem.

Important: this is known to not fully work with fruit:metadata=stream or fruit:resource=stream.

private (default) - store characters as encoded by the OS X client: mapped to the Unicode private range

native - store characters with their native ASCII value. Important: this option requires the use of vfs_catia in the VFS module stack as shown in the examples section.
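
Added example, not part of the issue thread or the project's code: a Python sketch of the private-range filename encoding that fruit:encoding and catia deal with, for auditing a share's backing directory before changing fruit:encoding. The mapping table is an assumption (the Services for Macintosh convention, 0xF020 to 0xF027 for the illegal punctuation and 0xF001 to 0xF01F for control characters) and should be checked against your Samba version's documentation; all function names are hypothetical.

```python
import os
from collections import defaultdict

# Assumed mapping (Services for Macintosh convention), constructed for this
# example: ASCII characters illegal in SMB names -> private-range code points.
_ILLEGAL = {'"': 0xF020, '*': 0xF021, ':': 0xF022, '<': 0xF023,
            '>': 0xF024, '?': 0xF025, '\\': 0xF026, '|': 0xF027}
_ILLEGAL.update({chr(c): 0xF000 + c for c in range(0x01, 0x20)})
TO_PRIVATE = {ord(ch): cp for ch, cp in _ILLEGAL.items()}
TO_NATIVE = {cp: ord(ch) for ch, cp in _ILLEGAL.items()}


def to_private(name):
    """Encode a name the way a 'private' share would store it on disk."""
    return name.translate(TO_PRIVATE)


def to_native(name):
    """Decode private-range code points back to their ASCII characters."""
    return name.translate(TO_NATIVE)


def audit_names(names):
    """For one directory listing, report names stored in encoded form and
    names that would collide if the encoding were reversed."""
    encoded = [n for n in names if any(ord(c) in TO_NATIVE for c in n)]
    by_native = defaultdict(list)
    for n in names:
        by_native[to_native(n)].append(n)
    collisions = {k: sorted(v) for k, v in by_native.items() if len(v) > 1}
    return {"encoded": encoded, "collisions": collisions}


def audit_tree(root):
    """Walk a share's backing directory and audit every directory in it."""
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root):
        result = audit_names(dirnames + filenames)
        if result["encoded"] or result["collisions"]:
            findings[dirpath] = result
    return findings


if __name__ == "__main__":
    # Constructed sample listing: the same logical name stored both ways.
    sample = ["notes\uf022 draft.txt", "notes: draft.txt", "plain.txt"]
    print(audit_names(sample))
```

A directory that reports collisions holds the same logical name in both encoded and native form, which is the situation to resolve before switching a share between private and native.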