Skip to main content
Version: 3024.10

Global Parameters

The following parameters are in the [global] section of the configuration file.

access_based_share_enumeration

Enables or disables access-based share enumeration.

Value Type: boolean

Value Format: true|false

  • true: Enables access based share enumeration for the server.
  • false: Disables access based share enumeration for the server.

Default Value: false

apple_extensions

Controls Apple Extensions for SMB.

Value Type: boolean

Value Format: true|false

  • true: Enables Apple Extensions for SMB.
  • false: Disables Apple Extensions for SMB.

Default Value: true

apple_server_side_copy

Controls the behavior of server side copy for macOS clients.

Possibly Overridden by Global Parameter: server_side_copy

Value Type: boolean

Value Format: true|false

  • true: Enables server-side copy macOS clients (has no effect if server_side_copy is false).
  • false: Disables server-side copy for macOS clients.

Default Value: false

audit_enable

Enables or disables audit logging globally. Used in conjunction with audit_params.

Value Type: boolean

Value Format: true|false

  • true: Enables audit logging.
  • false: Disables audit logging.

Default Value: false

audit_params

Controls the output parameters for audit logging. Used in conjunction with audit_enable.

Value Type: string

Value Format: path=<path>[,days=<days>][,uid=<uid>][,gid=<gid>][,cn=<cn>][,sensitive_data=<sensitive_data>]

  • path=<path>: (required) Specifies the directory where audit log files are stored. Each audit log file ends with a suffix with the date it pertains to.
  • days=<days>: (optional) Specifies how many days audit log files are retained. Default value: 1.
  • uid=<uid>: (optional) Specifies whether log messages include the POSIX user ID of the authenticated user whose actions are being logged. Possible values:
    • true: Include the POSIX user ID in log messages.
    • false: Do not include the POSIX user ID in log messages. Default value: true.
  • gid=<gid>: (optional) Whether log messages include the POSIX group ID of the authenticated user whose action is being logged. Possible values:
    • true: Include the POSIX group ID in log messages.
    • false: Do not include the POSIX group ID in log messages Default value: true.
  • cn=<cn>: (optional) Specifies whether log messages include the common name of the authenticated user whose action is being logged. Possible values:
    • true: Include the common name in log messages.
    • false: Do not include the common name in log messages Default value: true.
  • sensitive_data=<sensitive_data>: (optional) Defines how sensitive data is handled in log messages. Sensitive data includes domain names, IP addresses, user names and IDs, and file paths. Possible values:
    • allow: All data is displayed as-is.
    • strip: Sensitive data is stripped, and replaced with ***.
    • hash: Sensitive data is hashed, allowing for differentiation between different sensitive data appearances (e.g., distinguishing one IP address from another), without revealing the original values.
      Default value: allow.

Default Value: none

Examples:

  • path=/var/log/tsmb-audit,days=1,uid=true sets the path to /var/log/tsmb-audit, retains the audit log files for 1 day, and includes the POSIX user ID in log messages.

authz_require_posix

Requires all users to have a valid POSIX ID mapping.

Value Type: boolean

Value Format: true|false

  • true: Requires all users to have a valid POSIX ID mapping.
  • false: Allows all SMB users to connect, regardless of POSIX ID mapping.

Default Value: false

ca

Enables or disables the persistent file handle database globally. Used in conjunction with ca_path.

Overridden by Per-Share Parameter: ca

Value Type: boolean

Value Format: true|false

  • true: Enables the persistent file handle database globally.
  • false: Disables the persistent file handle database globally.

Default Value: false

ca_path

Controls the path for the persistent file handle database. Used in conjuction with ca.

Value Type: string

Possibly Overridden by Per-Share Parameter: ca_params

Value Format: <path>

  • <path> specifies the path on a shared storage where Fusion SMB stores its persistent file handle database. This path must be accessible by all nodes in the Fusion SMB cluster to support continuous or high availability. If not overridden on a per-share basis using the optional <path> portion of the share's ca_params parameter, the path of the the persistent file handle database for each share with continuous availability enabled defaults to <path>/<netname> (where <netname> is the share's netname parameter).

Default Value: none

Examples:

  • /mnt/shared/ca stores the persistent file handle database in /mnt/shared/ca/<share_name> for each share where continuous availability is enabled.

case_insensitive

Controls default case-sensitivity for all shares.

Overridden by Per-Share Parameter: case_insensitive

Value Type: boolean

Value Format: true|false

  • true: Makes file operations case-insensitive by default.
  • false: Leaves file operations case-sensitive by default.

Default Value: false

change_notify

Controls the method used to generate change notifications.

Value Type: string

Value Format: smb|kernel|none

  • smb: Generates change notifications based on file operations performed by SMB clients against Fusion SMB. This option does not detect changes made by other means, such as direct access to the storage, or changes made by other protocols (e.g., NFS shares enabled for the same data). Use this setting for custom VFS modules that don't trigger inotify events.
  • kernel: Generates change notifications for clients based on notifications Fusion SMB receives from the kernel's inotify interface. This includes changes made via any method, including direct access to storage, or changes made by other protocols.
  • none: Disables change notifications.

Default Value: kernel

compression_algorithms

Controls the compression algorithms used by the server.

Value Type: string

Value Format: <algorithm>[,<algorithm>,...]

  • <algorithm>: The compression algorithm to use for SMB compression. The supported algorithms are:
    • LZ77

Default Value: none (SMB compression is disabled)

Examples:

  • LZ77: Enables SMB compression using the LZ77 algorithm.

compression_threads

Controls the number of threads used for compression.

Value Type: integer

Value Format: <threads>

  • <threads>: A positive integer representing the number of threads to use for compression.

Default Value: 1

Examples:

  • 10 starts 10 threads for compression.

compression_threshold

Controls the minimum message size for compression.

Value Type: integer

Value Format: <bytes>

  • <bytes>: A non-negative integer, representing the threshold size in bytes for SMB compression. Messages exceeding this threshold will be compressed if SMB compression is enabled.

Default Value: 4096

Examples:

  • 8192: Only messages larger than 8KB will be compressed.
  • 0: Compress all messages, regardless of size.

connections_max

Controls the maximum number of connections.

Value Type: integer

Value Format: <connections>
<connections> specifies the maximum number of concurrent client connections allowed to the server. Once the limit is reached, new connections will be rejected. A value of 0 allows for an unlimited number of connections, constrained only by the available system resources.

Default Value: 1024

important

The connections_max parameter in conjunction with the open_files_max parameter, controls the maximum number of open file descriptors Fusion SMB can consume. It is critical to keep the combined total of these two parameters within the system's limit. Misconfiguration may result in the server process crashing.

crypto_threads

Controls the number of threads allocated for cryptographic operations, including encryption, decryption, signing, and signature verification.

Value Type: integer

Value Format: <threads>

  • <threads> is a positive integer representing the number of threads available for all cryptographic functions, including encryption, decryption, signing, and signature verification.
note

Recommended configuration value should match the number of logical cores available on the host.

Default Value: 1

Examples:

  • 10 allocates 10 threads for cryptographic functions.

dfs

Enables/disables the Distributed File System (DFS) namespace.

Value Type: boolean

Value Format: true|false

  • true: Enables inclusion in DFS.
  • false: Disables inclusion in DFS.

Default Value: false

dialect_max

Controls the maximum SMB dialect version exposed by the server.

Mutually exclusive with: dialects

Value Type: string

Value Format: <dialect>

Default Value: SMB3.1.1

Examples:

  • SMB3.1.1: Enables all supported SMB dialects.
  • SMB2.1: Enables only dialects SMB1 through SMB2.1.
  • SMB1: Enables only SMB1 (CIFS).

dialects

Controls which SMB dialects are exposed by the server.

Mutually exclusive with: dialect_max

Value Type: string

Value Format: <dialect> [<dialect> ...]

Default Value: SMB2.002 SMB2.1 SMB3.0 SMB3.02 SMB3.1.1

Examples:

  • SMB1 SMB2.002 SMB2.1 SMB3.0 SMB3.02 SMB3.1.1: Enables all supported SMB dialects.
  • SMB2.002 SMB2.1 SMB3.0 SMB3.02 SMB3.1.1: Enables all supported SMB dialects, except for SMB1 (CIFS).

domain

Controls the domain or workgroup name for Active Directory or Apple Open Directory, or the NetBIOS workgroup name for standalone servers or when part of a NetBIOS workgroup.

  • When part of an Active Directory domain:

    Value Type: string

    Value Format: <domain>
    <domain>: specifies the name of the Active Directory domain (or in rare cases, Apple Open Directory domain). It should be a fully-qualified domain name (e.g., acme.local).

    Default Value: none

    Examples:

    • acme.local specifies the Active Directory domain acme.local.

  • When part of a NetBIOS workgroup:

    Value Type: string

    Value Format: <workgroup>
    <workgroup>: specifies the name of the workgroup. Should be a NetBIOS name (e.g., ACME).

    Default Value: none

    Examples:

    • ACME specifies the NetBIOS workgroup ACME.

domain_servers

Overrides the domain controller server names for Active Directory.

Value Type: string

Value Format: [<server>[,<server>,...]]
If specified, the value should be in square brackets ([...]), containing comma-separated values <server>, where each <server> is a domain controller server name.

Default Value: none. Fusion SMB will automatically discover domain controller server names by querying the DNS for the _ldap._tcp SRV records.

Examples:

  • [dc1.acme.local, dc2.acme.local] will use the domain controller server names dc1.acme.local and dc2.acme.local to authenticate SMB users.

domain_sid

Applicable only to Fusion SMB instances acting as domain members in Apple Open Directory. By default, Fusion SMB attempts to retrieve the SID from the configuration object with common name CIFSServer configured in the LDAP server hosted on Apple Open Directory. In cases where SID is not available on the LDAP server, this option provides a way to explicitly configure the domain SID.

Value Type: string

Value Format: <sid>
Where <sid> is the domain SID.

Default Value: none

Examples:

  • domain_sid = S-1-5-21-3646377160-2951818606-1606422254

durable_v1_timeout

Controls the timeout for durable handles V1.

Value Type: integer

Value Format: <duration>

  • <duration> is a positive integer representing the number of seconds for the timeout of durable handles V1.

Default Value: 960

Examples:

  • 960 seconds (16 minutes) is the default timeout for durable handles V1.

durable_v2_timeout

Controls the timeout for durable handles V2.

Value Type: integer

Value Format: <duration>

  • <duration> is a positive integer representing the number of seconds for the timeout of durable handles V2.

Default Value: 180

Examples:

  • 180 seconds (3 minutes) is the default timeout for durable handles V2.

enable_ipc

Enables/disables IPC$ shares.

Value Type: boolean

Value Format: true|false

  • true: Enables the IPC$ share.
  • false: Disables the IPC$ share.

Default Value: true

enable_oplock

Enables/disables opportunistic locks (oplocks).

warning

This parameter is deprecated. Use oplock instead.

Overriden by Share Parameter: enable_oplock

Value Type: boolean

Value Format: true|false

  • true: Allows the user to acquire opportunistic locks (oplocks) on files.
  • false: Disables the acquisition of oplocks on files.

Default Value: true

encrypt_data

Enables/disables encryption in transit.

Overridden by Per-Share Parameter: encrypt_data

Value Type: boolean

Value Format: true|false

  • true: enable encryption in transit for all shares.
  • false: disable encryption in transit for all shares.

Default Value: false

group_member_db

Value Type: string

Value Format: <path>
Where <path> is the path of group members database for the file-backed user database. The file needs to exist before the starting Fusion SMB.

Examples:

  • /etc/tsmb-group would configure Fusion SMB to use /etc/tsmb-group as the group members database file.

ignore_unresolved_share_deny_permission

Controls whether to deny access to shares with unresolved permission grantees when their access level is no, or to ignore handling them altogether.

Value Type: boolean

Value Format: true|false

  • true: Ignores handling of unresolved permission grantees when their access level is no.
  • false: Denies access to shares with unresolved permission grantees when their access level is no.

Default value: false

ldap_base_dn

Controls the base distinguished name (DN) for LDAP user authentication when userdb_type is set to ldap.

Value Type: string

Value Format: <dn>

  • <dn>: The distinguished name (DN) of the organization unit (OU) that contains the users.

Default Value: none

Examples:

  • ou=people,dc=acme,dc=com: The users are in the people OU in the acme.com domain.

ldap_bind_dn

Controls the binding distinguished name (DN) for LDAP user authentication when userdb_type is set to ldap.

Value Type: string

Value Format: <dn>

  • <dn>: The distinguished name (DN) of the user account that has access to the NT hashes for the users.

Default Value: none

Examples:

  • cn=admin,dc=acme,dc=com: The user is admin in the acme.com domain.

ldap_bind_pw

Sets the password to use for binding to the LDAP server when userdb_type is set to ldap.

Value Type: string

Value Format: <password>

  • <password>: The password for the user specified in the ldap-bind-dn parameter.

Default Value: none

ldap_nthash_attr

Sets the LDAP attribute that contains the users' NT hash when userdb_type is set to ldap.

Value Type: string

Value Format: <attr>

  • <attr>: The name of the attribute that contains the NT hash for the users. For most configurations, the value should be sambaNTPassword.

Default Value: none

Examples:

  • sambaNTPassword: The NT hash is stored in the sambaNTPassword attribute.

ldap_timeout

Sets the timeout for LDAP operations when userdb_type is set to ldap.

Value Type: integer

Value Format: <seconds>

  • <seconds>: The number of seconds to wait for an LDAP operation to complete before timing out.

Default Value: none

Examples:

  • 30: Wait 30 seconds for an LDAP operation to complete before timing out.

ldap_uri

Sets the URI of the LDAP server when userdb_type is set to ldap.

Value Type: string

Value Format: <uri>

  • <uri>: the LDAP server URI.

Default Value: none

Examples:

  • ldap://ldap.acme.com: the LDAP server URI, without encryption.
  • ldaps://ldap.acme.com: the LDAP server URI, with TLS encryption.

ldap_username_attr

Sets the LDAP attribute that contains the users' username when userdb_type is set to ldap.

Value Type: string

Value Format: <attr>

  • <attr>: The name of the attribute that contains the users' username.

Default Value: none

Examples:

  • username: The username is stored in the username attribute.

listen

Controls the network listening addresses, protocols and ports.

Value Type: string

This parameter is required.

Fusion SMB will fail to start unless a value is specified.

Multiple Values Allowed

This parameter can be specified multiple times in your configuration to enable multiple listening configurations—for example, to listen on both IPv4 and IPv6.

Value Format: <interface>,<address>,<family>,<port>,<protocol>[,<options>]

  • <interface>: The network interface to listen on. To listen on all interfaces, use ANY.

  • <address>: An IPv4 or IPv6 address to listen on, depending on <family>. To listen on all addresses, use 0.0.0.0 for IPv4 and :: for IPv6.

    note

    If <protocol> is NBNS, NBSS, NBDS, LLMNR, or WSD, Fusion SMB will listen on all addresses regardless of the value of <address>.

  • <family>: The address family to listen on:

    • IPv4: Listen on an IPv4 address.
    • IPv6: Listen on an IPv6 address.
    • RDMA_IPv4: (for RDMA-enabled NICs) Listen on an IPv4 address for RDMA. Requires <protocol> to be SMBD. Requires <address> to be 0.0.0.0.
    • RDMA_IPv6: (for RDMA-enabled NICs) Listen on an IPv6 address for RDMA. Requires <protocol> to be SMBD. Requires <address> to be ::.

  • <port>: The TCP/UDP port number to listen on.

  • <protocol>: The transport protocol to use:

    note

    The WSD and LLMNR protocols use multicast groups and cannot be bound to the loopback interface or address (e.g., 127.0.0.1).

  • <options>: Additional listening configuration in the following format, <option>=<value>[,<option>=<value>,...], where <option>=<value> can be:

    • RSS=<num>, where <num> is the number of RSS queues to use.
      For some testing and troubleshooting cases, you might enable RSS on a non-RSS-capable NIC by specifying a value greater than 0. This will cause Fusion SMB to advertise the NIC as RSS-capable, although it is unlikely to result in any performance gains.

      Default value: none. When the RSS option is omitted, Fusion SMB determines the NIC's RSS capabilities and sets the number of receive queues accordingly.

      Possible values:

      • 0: Disables advertising the NIC as RSS-capable.
      • any positive 32-bit integer (14294967295): Sets the number of receive queues to the specified value. Values greater than 32 are unlikely to be useful.

    • max_read_write_size=<bytes>, where <bytes> is the maximum size of an RDMA read or write request in bytes when using SMB Direct.

      This option is valid only when <protocol> is SMBD. For other settings of <protocol>, this option is ignored.

      It sets the maximum number of bytes the server can send or receive in a single RDMA read or write request (MaxReadWriteSize). Note that the actual request size may be smaller than this value, depending on the client's capabilities and implementation.

      Default value: none. When the max_read_write_size option is omitted, a default value of 8388608 (8 MiB) is used, which is consistent with the value in the Windows implementation of RDMA.

      Possible values:

      • any positive 32-bit integer (14294967295): Sets the maximum size of an RDMA read or write request to the specified value.

    • server=<name>, where <name> is the server name for share scoping.

      When set, the shares accessed through this interface on the specified port and protocol will be scoped to clients that access the server using the specified server name.

      Default value: none. When the server option is omitted, share scoping on the interface is disabled for all shares by default (although it can be specified on a per-share basis).

Default Value: N/A. Value MUST be set.

Examples:

  • eth0,0.0.0.0,IPv4,445,DIRECT_TCP: Listens on all IPv4 addresses on port 445 using Direct TCP on the eth0 interface.
  • eth0,0.0.0.0,IPv4,445,DIRECT_TCP,RSS=2: Listens on all IPv4 addresses on port 445 using Direct TCP on the eth0 interface with 2 RSS queues.
  • ANY,::,IPv6,445,DIRECT_TCP: Listens on all IPv6 addresses on port 445 using Direct TCP on all interfaces.
  • ANY,::,IPv6,445,DIRECT_TCP,RSS=0: Listens on all IPv6 addresses on port 445 using Direct TCP on all interfaces with RSS disabled.
  • ANY,0.0.0.0,IPv4,139,NBSS: Listens on all IPv4 addresses on port 139 using NetBIOS Session Service on all interfaces.
  • ANY,0.0.0.0,RDMA_IPv4,445,SMBD: Listens on all IPv4 addresses on port 445 for RDMA using SMB Direct on all interfaces.
  • ANY,::,RDMA_IPv6,445,SMBD: Listens on all IPv6 addresses on port 445 for RDMA using SMB Direct on all interfaces.

log_destination

Controls the destination for the log.

Value Type: string

Value format: <destination>
Where <destination> can be one of the following:

  • console: Logs are written to the standard output and standard error.
  • syslog: Logs are written to the system log (syslog).
  • file: Logs are written to a file.

Default value: console

log_level

Controls the level of the log.

Value Type: integer string:integer

Value format: <level> <topic:level> <topic:level>
Where <level> can be one of the following:

  • 0: No logging
  • 1: Critical
  • 2: Error
  • 3: Warning
  • 4: Info
  • 5: Debug
  • 10 to 15: Authentication events
    • User authentication failures
    • User authorization failures
    • Successful user logins
  • 20 to 25: Network level events
    • Client handled SMB protocol errors
    • Received SMB packets names
  • 30 to 35: VFS operations
    • File and directory opening/closing
    • readdir with dumped contents
    • File reads/writes
    • Other operations
  • 80 to 89: Raw network packet information
    • Raw network packets: complete TCP data stream dumped as is (can be used to reconstruct a packet capture)
    • Packets after decryption
    • Packets as seen on network
  • 90 to 100: function traces

Logging topics can also be set at individual levels. This is often used in troubleshooting specific issues. The topics are as follows:

  • audit: Audit service
  • authn: Authentication
  • authz: Authorization
  • cli: Related command line interface tools
  • cluster_heartbeat: RTT handling in cluster
  • compression: SMB compression
  • conn_db: DB for connections
  • core: Core thread
  • ext_db: External database interactions
  • fsa: File System Algorithms (MS-FSA) layer, has the following sub-topics:
    • fsa_cluster: FSA thread
    • fsa_db: FSA open database
    • fsa_rstr: Restore of FSA data functionality
  • idmap: Idmapper table operations
  • keepalive: Keepalive messages between internal threads
  • metrics: Metric collectors, has the following sub-topics:
    • metrics_collector: Metrics collectors
    • metrics_orchestrator: Metrics orchestrator service daemon
    • metrics_reader: Metrics readers
  • notify: Notification service daemon, has the following sub-topics:
    • inotify: File change notification based on inotify
    • notify_subscriber: Notification subscriptions
    • smb_notify: SMB change-notify events
  • open_db: DB for persistent opens
  • pkt: Special topic for logging high level network packets
  • posix-acl: POSIX ACL backend
  • process: External process and libraries handling
  • proto: SMB protocol processing
  • quota: VFS quota control
  • raw: Special topic for logging raw network packets
  • rdma: RDMA related operations
  • restore: SMB Open restore functionality
  • rpc: RPC processing
  • smb_replay: SMB2 replay table
  • srv: Server thread, has the following sub-topics:
    • srv_app: IPC$ share operations
  • sys: Generic operating system interactions
  • transport: Transport (network) thread
  • vfs: VFS (file system) operations, has the following sub-topics:
    • vfs_module: External modules for VFS
    • vfs_xattr: Xattr handling in VFS

Default value: 4

Examples:

  • log_level = 30: Verbose debug logging level to include authentication, network and VFS operations.
  • log_level = 4 core:100 proto:100 vfs:100: Log normally for everything, except core, proto and vfs which will provide maximum logging.

log_params

Controls the parameters for the log.

Value Type: string

Value format: [path=<path>][,long][,timestamp][,time_usec=<true|false>][,tid][,trace][,sensitive_data=<sensitive_data>]
Where <parameter> can be one of the following:

  • path=<path>: (required) if the log_destination parameter is set to file. The path to the log file.
  • long: (optional) Disables truncation of log messages, allowing the entire message to be printed. By default, log messages are truncated:
    • 'Log-metadata' is truncated to a maximum of 80 characters.
    • 'Log-content' is truncated to a maximum of 256 characters, plus any bytes unused by the 'log-metadata' component.
    • The total message is limited to 337 bytes (80 + 256 + 1 newline character). Enabling this option prints the full log message, which may improve debugging but can incur a performance penalty.
  • timestamp: (optional) Includes timestamps in the ISO 8601 format format in the log messages (YYYY-MM-DD HH:MM:SS[.uuuuuu]).
  • time_usec=<true|false>: (optional) Includes microsecond resolution timestamps in the log messages. Enabled by default when timestamp is enabled.
  • tid: (optional) Includes thread identifiers in the log messages.
  • trace: (optional) Includes trace identifiers in the log messages, specifically the function name and a line number.
  • sensitive_data=<sensitive_data>: (optional) How sensitive data should be handled in the log messages. Data deemed "sensitive" includes domain names, IP addresses, user names and IDs, and file paths. Possible values:
    • allow: All data appears as-is in the log messages.
    • strip: Sensitive data is stripped from the log messages, and instead appears as ***.
    • hash: Sensitive data is hashed in the log messages. This is useful in order to differentiate between different sensitive data (e.g., distinguishing one IP address from another), yet cannot be used to recover the original values. Default value: allow.

Default value: none. None of the formatting options are enabled.

network_interface_info

Controls the server's response to requests for network interface information.

Value Type: string

Value Format: [{addr=<address>[,speed=<speed>][,index=<index>][,rdma][,rss]}[, { ...}]]

  • The value is a list inside a pair of square brackets, [].
  • Each element in the list is inside a pair of curly braces, {}.
  • The following key-value pairs are supported:
    • addr=<address>: (required) The IP address of the network interface to advertise.
    • speed=<speed>: (optional) The speed of the network interface in bps. Default value: 1000000000 (1 Gbps).
    • index=<index>: (optional) The index of the interface as assigned by the operating system. Must be unique per interface but can be shared among multiple addresses belonging to the same interface. Default value: 4294967295.
    • rdma: (optional) Indicates RDMA support. Default value: unset.
    • rss: (optional) Indicates RSS support. Default value: unset.

Default Value: none

Examples:

  • [{addr=10.1.1.123,rdma,rss}, {addr=192.168.1.12}] advertises two network interfaces. The first address is an RDMA and RSS-capable interface with the IP address.

open_files_max

Controls the maximum number of open files.

Value Type: integer

Value Format: <files>
<files> specifies the number of files that can be kept open simultaneously by the server across all client sessions. The minimum value is 1024. A value of 0 indicates that the server will use the system's default value (i.e., the value in /proc/sys/fs/nr_open).

Default Value: 8192

warning

Setting this parameter to a high value on devices with limited RAM may cause significant memory fragmentation, potentially triggering the Out of Memory (OOM) killer.

important

The connections_max parameter in conjunction with the open_files_max parameter, controls the maximum number of open file descriptors that Fusion SMB can consume. It is critical to keep the sum of these parameters below the system's limit. Misconfiguration may result in the server process crashing.

oplock

Controls the type of opportunistic locks to be issued.

Potentially Overridden by Share Parameter: oplock

Value Type: string

Value Format: <type>
<type> specifies the type of opportunistic lock to be issued:

  • all: Full oplock/lease support.
  • disabled: Disables oplock/lease support. This prevents the server from advertising the SMB2_GLOBAL_CAP_LEASING capability to clients.
  • none: Enables oplock/lease support and advertises the SMB2_GLOBAL_CAP_LEASING capability to clients. However, Fusion SMB server only grants NONE oplock/lease regardless of the value of RequestedOplockLevel.
  • exclusive: Similar to all, however only one oplock can be granted on a file at a time. Multiple clients can access a file, as long as there are no oplocks on it, or all clients have the same lease key.

Default Value: all

privilegedb

Controls the path to the privileges database.

Value Type: string

Value Format: <path>

  • <path> specifies the path to the privilege database file.

Default Value: none

Examples:

  • /var/lib/tsmb/privilegedb specifies that the path to the privilege database is the privilegedb file in the /var/lib/tsmb directory.
important

If you are in a clustered environment, ensure that the path to the privilege database path is on the shared storage.

reject_unencrypted_access

When using encryption in transit, controls whether to reject unencrypted SMB messages from clients.

Value Type: boolean

Value Format: true|false

  • true: Causes the server to reject all unencrypted messages from clients.
  • false: Allows processing unencrypted messages from clients.

Default Value: false

require_message_signing

Controls whether to require clients to perform message signing.

Value Type: boolean

Value Format: true|false

  • true: Requires all incoming SMB messages to be signed, and drops any unsigned messages.
  • false: Allows unsigned messages to be processed.

Default Value: false

runstate_dir

Controls the path to the runtime state directory.

This parameter is required.

Fusion SMB will fail to start unless a value is specified.

Value Type: string

Value Format: <path>

  • <path> for the runtime state directory for Fusion SMB.

Default Value: none

Examples:

  • /var/lib/tsmb–a common choice for the runtime state directory.

scale_out

Enables/disables and toggles between scale-out modes.

Value Type: string

Value Format: true|false|autonomous:

  • true: Enables scale-out.
  • false: Disables scale-out.
  • autonomous: Enables scale-out, but without synchronizing the FSA state between nodes.

Default Value: true

server_comment

Controls the optional descriptive comment for the server.

Value Type: string

Value Format: <comment>
Where <comment> is used for specifying an optional comment string describing the server. This value is used as a comment in browser announcement frames and is visible when using net view on Windows CLI.

Default Value: none.

server_name

Controls the NetBIOS name of the server.

Value Type: string

Value Format: <name>
Where <name> is the name of the server you want to use, up to 15 characters (NetBIOS limitation).

Default Value: none. If not specified the hostname of the machine will be used.

sess_open_files_max

Controls the maximum number of open files per session.

Value Type: integer

Value Format: <sessions>
The maximum number of open files per session. 0 indicates that the maximum number of open files is unlimited.

Default Value: 1024

important

The sess_open_files_max parameter must be set to a value lower than the value of open-files-max. If it is set to a higher value, a warning will be displayed, and the parameter will automatically revert to its default value of 1024.

sessions_max

Controls the maximum number of client sessions.

Value Type: integer

Value Format: <sessions>
<sessions> specifies the maximum number of client sessions that can be active on the server at any given time. A value of 0 indicates an unlimited number of sessions.

Default Value: 0.

server_side_copy

Controls the behavior of server side copy for all clients.

Possibly Overrides Global Parameter: apple_server_side_copy

Value Type: boolean

Value Format: true|false

  • true: Enables server-side copy for all clients.
  • false: Disables server-side copy (including macOS clients).

Default Value: true

shares_max

Controls the maximum number of shares.

Value Type: integer

Value Format: <shares>
Specifies the maximum number of shares that can be configured on the server, including both administrative and user shares.

Default Value: 1048576

smb2_credits_max

Controls the maximum number of credits for SMB2.

Value Type: integer

Value Format: <credits>
<credits> specifies the maximum amount of credits the server will advertise to clients.

Default Value: 8092

smb2_read_max

Controls the maximum number of bytes in a read operation.

Value Type: integer

Value Format: <bytes>
<bytes> specifies the maximum data size the server can return in a single READ operation to the client. The maximum value is determined by the SMB dialect being used.

Default Value:

  • 65536 for dialect 2.002 and lower
  • 8388608 for dialect 2.1 and higher

smb2_trans_max

Controls the maximum number of bytes in metadata operations.

Value Type: integer

Value Format: <bytes>
<bytes> specifies the maximum buffer size that may be used for QUERY, SET, and NOTIFY operations. This value is communicated to the client. The maximum value is determined by the SMB dialect in use.

Default Value:

  • 65536 for dialect 2.002 and lower
  • 8388608 for dialect 2.1 and higher

smb2_write_max

Controls the maximum number of bytes in a write operation.

Value Type: integer

Value Format: <bytes>
Where <bytes> will be used to communicate to the client the maximum data size the server will accept in a single WRITE operation. The maximum value is determined by the SMB dialect being used.

Default Value:

  • 65536 for dialect 2.002 and lower
  • 8388608 for dialect 2.1 and higher

Controls the behavior of symbolic links.

Value Type: string

Value Format: deny|global

  • deny: Denies access to symlinks that point outside of the share. None of these symlinks will be accessible to the client, even in directory listings.
  • global: Allows using symlinks even if the symlinks go beyond the borders of share root directory. This functionality can present a security risk. Use with caution.

Default Value: deny

tcp_tickle

Controls connection recovery with TCP Tickle. Used in conjuction with tcp_tickle_params.

Value Type: boolean

Value Format: true|false

  • true: Enables connection recovery with TCP tickle.
  • false: Disables connection recovery with TCP tickle.

Default Value: false

tcp_tickle_params

Controls the location of the connection recovery database. Used in conjuction with tcp_tickle.

Value Type: string

Value Format: path=<path>

  • <path> specifies the path to the connection recovery database on the shared storage.

Default Value: none

Examples:

  • /mnt/shared/cr stores the connection recovery database in the specified directory.

transport_rx_threads

Controls the number of threads for receiving data.

Value Type: integer

Value Format: <threads>
<threads> specifies the number of transport threads used for receiving data from clients. A value of 0 indicates that the data from packets will be read in the context of the kernel's io_mux threads.

Default Value: 0

transport_tx_threads

Controls the number of threads for sending data.

Value Type: integer

Value Format: <threads>
<threads> specifies the number of transport threads used for sending data to clients.

Default Value: 1

userdb_file

The path of the file-backed user database. Used in conjuction with userdb_type.

Value Type: string

Value Format: <path>
Where <path> is the path of the file-backed user database file. The file needs to exist before the starting Fusion SMB.

danger

The file-backed user database must be properly secured, since it contains password hashes. Some ways of securing it include:

  • Store it in a directory that is not accessible to non-privileged users.
  • Set appropriate permissions on the file to limit access (e.g., chmod 600 <path>).
  • Store it on an encrypted file system.

Examples:

  • /etc/tsmb-shadow would configure Fusion SMB to use /etc/tsmb-shadow as the file-backed user database file.

userdb_idmap

Controls the POSIX ID mapping method.

Value Type: string

Value Format: <method>[,<method>,...]
Where <method> is one of the following:

  • nss: Specifies that the ID mapping is performed using the system Name Service Switch (NSS), as defined in the /etc/nsswitch.conf file. This is the default method. When using nss, other methods cannot be specified.
  • rfc2307[:<domain>]: Specifies that the ID mapping is performed using the RFC 2307 schema. Optionally, specify the <domain> to scope the ID mapping to a specific domain.
  • rid:[<domain>]:<uid_min>[:<uid_max>]: Indicates that the ID mapping is done dynamically based on the RID portion of the user's SID:
    • If <domain> is specified, the ID mapping is scoped to that domain.
    • <uid_min> and <uid_max> define the range of UIDs to use for the mapping. If <uid_max> is not specified, the range extends from <uid_min> to the maximum UID value.
    • <uid_max> is required when multiple trusted domains are specified.

Default Value: nss

Examples:

  • nss specifies that the ID mapping is done using the system Name Service Switch (NSS).
  • rfc2307:acme.local specifies that the ID mapping is done using the RFC 2307 schema.
  • rid:acme.local:1000:1999,rid:example.com:2000:2999 specifies dynamic ID mapping based on the the RID portion of the user's SID, with the UID range of 1000 to 1999 for the acme.local domain, and 2000 to 2999 for example.com.

userdb_trusted_domains

Determines if a list of trusted domains is retrieved from the LDAP of the specified Active Directory. If disabled, only users and groups in the primary domain will be available for ID-mapping.

info

Enabling this setting may introduce delay to ID-mapping in a complex environment if trust relationships are defined with servers that are unreachable or slow to respond.

Value Type: boolean

Value Format: true|false

  • true: enable SID lookup for trusted domains as well as the primary domain
  • false: SID lookup is only performed within the primary domain

Default Value: false

userdb_type

The user authentication method to use.

This parameter is required.

Fusion SMB will fail to start unless a value is specified.

Value Type: string

Value Format: <type>[,<type>][,<type>]
Where <type> is one of:

  • ad: Use Active Directory. This requires the domain parameter to be configured.
  • aod: Use Apple Open Directory. This requires the domain parameter to be configured.
  • text: Use the file-backed user database. This requires the userdb_file to be configured.
  • ldap: Use LDAP. This requires all the ldap_* parameters to be configured.

Default Value: none

Examples:

  • userdb_type = text
  • userdb_type = ad,text
  • userdb_type = aod
  • userdb_type = aod,text
  • userdb_type = ldap
  • userdb_type = ldap,text
note

Except for 'text' backend, all other userdb backends are mutually exclusive.

vfs_data_threads

Controls the number of threads in the global pool for VFS data operations.

Potentially Overridden by Share Parameter: vfs_data_threads

Value Type: integer

Value Format: <threads>
<threads> specifies the number of threads for VFS data operations in the global pool (shared across all shares without a dedicated pool). If set to 0, data operations will use the same thread pool as metadata operations, as specified by the vfs_metadata_threads parameter.

Default Value: 1

vfs_metadata_threads

Controls the number of threads in the global pool for VFS metadata operations.

Potentially Overridden by Share Parameter: vfs_metadata_threads

Value Type: integer

Value Format: <threads>
<threads> specifies the number of threads for VFS metadata operations in the global pool (i.e., shared between all shares without a dedicated pool). If set to 0, metadata operations will share the same thread pool as data operations, as specified in the vfs_data_threads parameter.

Default Value: 1

vss

Controls whether to enable or disable Volume Shadow Copy Service (VSS) by default.

Overridden by Per-Share Parameter: vss

Value Type: boolean

Value Format: true|false

  • true: Enables VSS on all shares, except for shares for which it was explicitly disabled.
  • false: Disables VSS on all shares, except for shares for which it was explicitly enabled.

Default Value: false

vss_params

Controls the default VSS configuration.

Overridden by Per-Share Parameter: vss_params

Value Type: string

note

The following format applies only when when the default VSS implementation is used. If the underlying file system of the share has a different VSS implementation, use that file system's specific format to configure VSS.

Value Format: path=<path>[,share_root=<share_root>]

  • path=<path> (required): <path> is where the snapshot roots are located. Under this directory, subdirectories are expected named with the following timestamp format: @GMT-YYYY.MM.DD-hh.mm.ss (e.g., @GMT-2019.11.11-12.10.10, @GMT-2024.05.03-22.12.42, etc.). To allow for a consistent naming pattern across all shares, <path> can include the following variables:
    • ${share.netname}: refers to the share's name, as defined in the share's netname parameter.
    • ${share.path.dirname}: refers to the share's path, as defined in the share's path parameter, without the last component (e.g., /path/to for /path/to/share).
    • ${share.path.basename}: refers to the share's path, as defined in the share's path parameter, without the leading path (e.g., share for /path/to/share).
  • share_root=<share_root> (optional): This parameter is used when you have multiple shares on the same volume, and when a snapshot is taken, it's taken for the entire volume. Hence, <share_root> specifies the the directory inside each snapshot subdirectory that contains the files for this particular share at that point of time. If not specified, the share root defaults to the root of the snapshot subdirectory.

Default Value: none

Examples:

  • path=/mnt/.snapshots/${share.netname},share_root=data, if the share's name is sh1 and its path is /mnt/data, specifies that the snapshot roots are located in the /mnt/.snapshots/sh1 directory, and the share's data for each snapshot is in the /mnt/.snapshots/sh1/@GMT-<timestamp>/data directory.
  • path=${share.path.dirname}/.snapshots,share_root=data, if the share's path is /mnt/data, specifies that the snapshot roots are located in the /mnt/.snapshots directory, and the share's data for each snapshot is in the /mnt/.snapshots/@GMT-<timestamp>/data directory.
  • path=${share.path.dirname}/.snapshots,share_root=${share.path.basename}, if the share's path is /mnt/data/public, specifies that the snapshot roots are located in the /mnt/.snapshots directory, and the share's data for each snapshot is in the /mnt/.snapshots/@GMT-<timestamp>/public directory.

watchdog_interval

Controls the time interval (in seconds) between for the watchdog's keep-alive requests.

Value Type: integer

Value Format: <seconds>
<seconds> specifies the time interval (in seconds) between the watchdog's keep-alive requests. The value must be a positive integer.

Default Value: 10

watchdog_timeout

Controls the timeout for the watchdog's keep-alive requests.

Value Type: integer

Value Format: <seconds>
<seconds> specifies the duration in seconds to wait for a keep-alive response. The value must be a positive integer, and should be set to a reasonably high value to avoid unintended service terminations under heavy load. For example, if a large number of users (e.g. 1000) attempt to authenticate at the same time, the authentication service may require additional time to process each request. If the keep-alive timeout is set too low, the authentication service might fail to respond to a watchdog keep-alive request within the timeout, causing the service to be terminated. The default value fits most use cases, and adjustments are usually unnecessary.

Default Value: 200