OS X Yosemite (Server 4.03) and SMB3

Apple announced the release of OS X Yosemite Server 4.03 on January 6th, stating: “SMB 3 is the new default protocol for sharing files in OS X Yosemite. SMB3 helps protect against tampering and eavesdropping by encrypting and signing data ‘in-flight.’”

MacNN reported this as “Apple updates Yosemite Server to 4.0.3, formalizes SMB3 default”, which I think is the most accurate of all reports, the keyword being “formalizes”, since SMB3 has been the default file sharing protocol since the first release of OS X Yosemite. However, because of the hype SMB3 is currently receiving, I thought it would be worthwhile spending some time explaining what changes it brings to the OS X platform and why we should say farewell to our dear old friend, AFP.

A Quick Drive Through Memory Lane

From AppleTalk to SMB3

AppleTalk, a suite of Apple’s own homegrown networking protocols, was released in 1985. It was a true plug-n-play system with zero configuration. For example, network address numbers and computer names were automatically assigned and each node would be updated with a list of the other nodes via its distributed namespace.

The AppleTalk Filing Protocol would later be renamed to Apple Filing Protocol and would become the primary filing protocol for Mac OS X, gaining support for TCP/IP transport connections in version 2.2, as well as introducing features designed specifically for Mac OS X clients such as the UNIX-style POSIX permissions model and Unicode UTF-8 file name encodings in version 3.0.

In August 2002, Apple released Mac OS X version 10.2 (Jaguar), which included Samba, a reverse-engineered and free implementation of SMB. In 2009, coinciding with the release of Mac OS X Snow Leopard, AppleTalk became officially unsupported.

October 2010 marked the release of Mac OS X Lion (version 10.7) with initial support for SMB2 under the guise of SMBX, Apple’s own take on SMB as part of their ongoing GPL purge. Using SMBX, as of the release of OS X Mavericks (version 10.9) in October 2013, SMB (version 2) would become the primary file sharing protocol for OS X.

SMB2 Feature Highlights

  • Streamlined for faster speed and efficiency
  • Pipelining & Resource Compounding
  • Support for Symbolic Links
  • Caching of File Properties
  • Large read/writes, MTU Support
  • Opportunistic Locking
  • Improved message signing with HMAC SHA-256 hashing
  • Transport Reconnect (Durable File Handles)
  • Better Scalability

SMB3 Features

  • Encryption (power efficient)
  • New AES-Based Signing Algorithm (power efficient)
  • SMB Multi-Channel
  • SMB Direct Protocol

Encryption & Signing

SMB3 uses AES-CCM for end-to-end encryption between client and server, which is particularly useful for data protection on untrusted networks. In addition, SMB3 adds a signature to every packet transmitted over the wire, using AES-CMAC to compute and verify that signature, ensuring that communication between client and host is authenticated and authorized and that the packet has not been tampered with.

Using CMAC for signing overcomes security issues with CCM for variable-length messages. Both AES-CCM and AES-CMAC are able to take advantage of AES instruction support on modern Intel processors for dramatically accelerated and power-efficient encryption and signing.

SMB Multi-Channel

While this feature has not been touted by Apple, there has been at least one test cited on the Internet that shows that SMB3 à la Apple does indeed support multi-channel which makes use of multiple cores for increased data rates via more channels of communication between the memory and the memory controller.

SMB Direct Protocol

The SMB Direct Protocol, or SMB over RDMA, allows zero-copy networking: data is transferred between the network adapter and application memory without being buffered in the operating system. However, I have not been able to find any evidence that this is supported in OS X.

Using SMB

Setting up an SMB Share on OS X Yosemite Server

OS X Yosemite Server Share for SMB, AFP

You can easily set up shares on OS X Yosemite Server from the Server app, under Services » File Sharing. If you want to encrypt your connections, you will only be able to select SMB. If you want to allow either SMB or AFP, you’ll have to uncheck Encrypt connections and forfeit encryption, even when SMB is being used.

Verifying Client Connections

smbutil in OS X Terminal

Once you’ve established a connection to a shared volume, you can verify if you’ve connected using SMB, which version you’re using, whether encryption is enabled and a few other attributes by executing the following command in Terminal:

The -m switch means that you will specify the mount point. You can use the -a switch instead to report on all mounted shares.
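As an added example that is not part of the original post, the following POSIX shell function audits the output of that verification step across every mounted share and flags any that is not on SMB3 with signing and encryption active. It assumes the command being run is smbutil statshares -a and that the attribute names SMB_VERSION, SIGNING_ON and SESSION_ENCRYPT appear in its table; the sample output below is constructed, not captured from a real server.

```shell
#!/bin/sh
# Constructed sample of `smbutil statshares -a` output (assumed layout:
# a share name on its own line, followed by indented ATTRIBUTE VALUE rows).
SAMPLE_STATSHARES='
==================================================================
SHARE                         ATTRIBUTE TYPE                VALUE
==================================================================
Projects
                              SERVER_NAME                   fileserver.local
                              SMB_VERSION                   SMB_3.0
                              SIGNING_ON                    TRUE
                              SESSION_ENCRYPT               TRUE
Legacy
                              SERVER_NAME                   oldnas.local
                              SMB_VERSION                   SMB_2.1
                              SIGNING_ON                    FALSE
                              SESSION_ENCRYPT               FALSE
'

# audit_shares: reads statshares output on stdin and prints one line per share:
#   <share> <smb_version> <signing_on> <session_encrypt> <OK|WEAK>
# A share is OK only when it negotiated SMB3 and both signing and
# encryption are reported as TRUE; anything else is flagged WEAK.
audit_shares() {
  awk '
    /^=+$/ || /^SHARE[[:space:]]+ATTRIBUTE/ { next }   # skip table borders/header
    NF == 1 {                                          # a share name line
      share = $1; order[++n] = share
      ver[share] = "?"; sig[share] = "?"; enc[share] = "?"
      next
    }
    $1 == "SMB_VERSION"     { ver[share] = $2 }
    $1 == "SIGNING_ON"      { sig[share] = $2 }
    $1 == "SESSION_ENCRYPT" { enc[share] = $2 }
    END {
      for (i = 1; i <= n; i++) {
        s = order[i]
        verdict = (ver[s] ~ /^SMB_3/ && sig[s] == "TRUE" && enc[s] == "TRUE") ? "OK" : "WEAK"
        print s, ver[s], sig[s], enc[s], verdict
      }
    }'
}

# On a real Mac, replace the sample with: smbutil statshares -a | audit_shares
printf '%s\n' "$SAMPLE_STATSHARES" | audit_shares
```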

The Future of AFP

Apple likes to pick its battles (instead of spreading itself thin), and sentiment usually does not play a part. We have had to say farewell to Apple technologies we held dear to our hearts such as FireWire and WebObjects. The QuickTime framework has been deprecated in favour of AV Foundation. Apple Lossless Audio Codec has been pretty much abandoned, and it looks like Objective-C may be on its way out too, giving up the stage to Swift. It looks like AFP vs. SMB is no exception.

None of the new SMB3 features are available in AFP, and if Apple is to stay in the race and stay ahead of the curve, it won’t be backporting these features, ever. AFP will, however, be around for a while, as it is still necessary for connecting to Time Machine-based backup systems, for now.

Ryan started programming at an early age of 10 and quickly chose to focus on C-based languages throughout his software development career and on iOS app development starting with the iPhone SDK released in 2008. He now specializes in iOS app development with C, C++, Objective-C and Swift. When he is not programming, he's usually honing his skills in human-based languages, including Spanish, French and Mandarin Chinese. Born in Trinidad, W.I., his travels have taken him all over North America, Europe and Asia. He still has his eyes set on South America.
