February 14, 2022

As this is my very first post here - hello to everyone. I'm new to UNRAID, migrating from Synology. My problem is with Apple Time Machine. Probably, as for many users, it serves two purposes: hardware fault and ransomware protection. This second option is equally important as the first one.

So far I considered Time Machine as quite good ransomware protection, as not only is its share not widely visible, but also a dedicated user is required to connect in the Time Machine settings on Mac OS. Thus the day-to-day user cannot access Time Machine shares directly (as a share), which means that potential ransomware will have a much harder task accessing and encrypting Time Machine data.

Unfortunately, in UNRAID such a setup is not possible. Even if theoretically it is possible to create a dedicated user which will have access to Time Machine shares, it is not working in practice. The very same user must be able to access both regular shares and Time Machine shares. Otherwise Time Machine shares are not visible in Mac OS settings (not listed in Time Machine settings). The only thing which can be done is to set the Time Machine share as not visible. That way is far from perfect from a ransomware protection point of view. Once ransomware gains access as the day-to-day user account, it can easily access and encrypt Time Machine data.

Is it possible to define Unraid Time Machine as it is in Synology? (Time Machine not visible and not accessible via SMB; visible and accessible with a dedicated user via the Mac OS settings panel only.)

Thanks in advance for any answers and advice!
February 14, 2022 Community Expert

You might have a look at this approach and see if it will work for you. I have used it for several years and while it does take a couple of extra steps to securely lock your file behind a read-only barrier, it is relatively foolproof.

https://forums.unraid.net/topic/58374-secure-writing-strategy-for-unraid-server-using-write-once-read-many-mode/#comment-572532
February 14, 2022 Author

4 hours ago, Frank1940 said: You might have a look at this approach and see if it will work for you (...)

Thanks, but I reckon it would be rather difficult to implement this approach for Apple Time Machine application. Best would be really to have a possibility to connect to TM share using different, dedicated user account – as it was meant to be originally.
February 14, 2022

2 hours ago, Smith007 said: Best would be really to have a possibility to connect to TM share using different, dedicated user account – as it was meant to be originally.

You can set up dedicated users for Time Machine. I have 3 different Macs running TM backups on my server and they all have credentials completely separate from any of the users on the machines. Or am I misunderstanding your statement?
February 15, 2022 Community Expert

Have you seen this: https://forums.unraid.net/topic/80641-guide-setting-up-a-time-machine-share-on-your-unraid-67-server/page/3/?tab=comments#comment-1084090

One more thing, I believe that the restriction that only a single SMB login is permitted to an SMB server is actually a Windows client restriction. Have you actually tried to establish a second login for use by Time Machine from a Mac client? (I don't use a Mac so I can't test...)
February 15, 2022 Author

Thanks for your answers. I will try to clarify a bit:

I'm working on macOS Monterey 12.1 on iMac and MacBook (thus two TM shares below, but I tried with one only as well with the same effects). Time Machine on UNRAID is (somehow) working. Standard setup is quite straightforward and difficult to get wrong. However, my problem is that to make it work the TM share user must be the same as the regular smb user AND the Time Machine share must be mounted first, before mounting any other share (I saw other chaps having the same problem in the above links you both have provided).

What I want is:

reg_user – r/w rights to regular SHARE_A, SHARE_B, SHARE_C, etc...
tm1_user – r/w rights to TM1_SHARE (Time Machine enabled, for my iMac)
tm2_user – r/w rights to TM2_SHARE (Time Machine enabled, for my MacBook)

I do not want to access TM shares as smb shares at all. They should be not visible and not writable for reg_user.

Such a config was working perfectly fine on Synology. The only disadvantage was that I had to limit TM volume size by creating a .com.apple.TimeMachine.quota.plist file in each share:

    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>GlobalQuota</key>
        <integer>SIZE_IN_BYTES_HERE</integer>
    </dict>
    </plist>

but this is a side comment and was not an issue. There was no problem with TM share visibility, different users for TM and regular shares, nor with the order of mounting shares (in fact the requirement to mount the TM share first is quite annoying).

On UNRAID 6.9 the Time Machine config seems to be broken. It can probably be fixed by using some combinations of direct smb-extra.conf configs, but I think I will pass for now and wait until it is done properly out-of-the-box.

Anyways, many thanks for your help.
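
Added example, not part of any post in this thread: a small audit that reads Samba-style smb.conf text and reports Time Machine shares that a day-to-day account could still reach, which is the ransomware exposure discussed above. The sample config is constructed, its paths are placeholders, and the share and user names follow the layout in the last post; `audit_time_machine_shares` is a hypothetical helper name.

```python
import configparser
# Constructed smb.conf-style sample; paths are placeholders, share and user
# names follow the layout described in the post above.
SAMPLE_CONF = """
[SHARE_A]
path = /placeholder/share_a
valid users = reg_user

[TM1_SHARE]
path = /placeholder/tm1
fruit:time machine = yes
browseable = no
valid users = tm1_user

[TM2_SHARE]
path = /placeholder/tm2
fruit:time machine = yes
valid users = tm2_user reg_user
"""

def _flag(section, key, default):
    return section.get(key, default).strip().lower() in ("yes", "true", "1")

def _users(section):
    # Plain user names only; @group entries are not expanded here.
    return set(section.get("valid users", "").replace(",", " ").split())

def audit_time_machine_shares(conf_text):
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    # smb.conf lines are often indented; strip so none is read as a continuation.
    cp.read_string("\n".join(line.strip() for line in conf_text.splitlines()))
    names = [n for n in cp.sections() if n.lower() != "global"]
    tm = [n for n in names if _flag(cp[n], "fruit:time machine", "no")]
    regular = set().union(*(_users(cp[n]) for n in names if n not in tm))
    findings = []
    for n in tm:
        allowed = _users(cp[n])
        if not allowed:
            findings.append((n, "no 'valid users' restriction"))
        for user in sorted(allowed & regular):
            findings.append((n, f"{user} can also log in to regular shares"))
        if _flag(cp[n], "browseable", cp[n].get("browsable", "yes")):
            findings.append((n, "share is browseable"))
    return findings

if __name__ == "__main__":
    for share, problem in audit_time_machine_shares(SAMPLE_CONF):
        print(f"{share}: {problem}")
```

An empty result means every Time Machine share is hidden from browsing and limited to accounts that have no access to regular shares.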