
goffredo

macrumors member
Original poster
Nov 28, 2009
38
5
I'd like to use a new 5TB USB3 external hard drive on my 2023 Mac Mini M2, running OS Ventura 13.3.1, as a shared Time Machine backup destination. I got a few slightly older macs (Mac OS 12.x) on my wifi network that I'd like to back up to this volume by mapping it to these older macs as a SMB network volume using a dedicated backup user account created with 'sharing only' status, and then selecting that volume as the time machine backup destinations. Easy stuff, I've done it a hundred times.

I've had nothing but trouble trying this with the drive formatted as APFS. Falling back to Mac OS Extended worked but the backups are really, really slow. Just checking in to see if this is typical Time Machine BS I have to live with, or if I'm doing something dumb and what I'm trying to do should work.

First thing I did on the machine acting as the time machine 'server' was go into Users & Groups and create a new "Sharing Only" user account called backup.

Next, I used Disk Utility to format the drive as an APFS volume and put a "MyBackups" directory at root level. Then I turned File Sharing on, added the new MyBackups folder on the APFS volume to 'Shared Folders', right-clicked it for Advanced Options to enable "Share as Time Machine backup destination". So far, so good.

To the MyBackups shared folder, I added my new 'backup' user so he has permissions, and toggled from "Read" to "read/write" permissions.

First big problem: No matter what I do, when I reboot the computer, go into File Sharing, and look at the MyBackups shared folder ... my "backup" user does not show up! He has disappeared. ??? Re-adding him did not fix the problem; a reboot and he is gone. And so as you can imagine, trying to map this volume from another computer on my network using 'backup' user to authenticate did not work well. Only when I gave up and reformatted the drive as a Mac Extended volume, would the 'backup' user permission persist across reboots, and work as expected.

Second and Third Big Problems forthcoming. I wanted to stop with First Big Problem and see if this is a no-go before I elaborate further.
 

Brian33

macrumors 65816
Apr 30, 2008
1,471
371
USA (Virginia)
Seems like what you're attempting should work, with APFS format on the external volume. Very odd.

How about if you format the external APFS, but don't use a Sharing Only user -- just as a test. Perhaps there's some bug related to Sharing Only users in Ventura.
 

HDFan

Contributor
Jun 30, 2007
7,257
3,314
but the backups are really, really slow.

How fast is your network? How much are you backing up?

I got a few slightly older macs (Mac OS 12.x) on my wifi network that I'd like to back up to this volume by mapping it to these older macs as a SMB network volume

My experience with SMB backups to NAS units is that they are glacially slow, even with a very fast 10 GbE network. I assume that it is due to all that network traffic back and forth validating all of those TM pieces. Is there any difference in speed (after first backup) using something like Carbon Copy Cloner? Note that in a 3-2-1 backup strategy TM should only be one of those backups due to its tendency to fail.
 

goffredo

macrumors member
Original poster
Nov 28, 2009
38
5
tried a user name other than "backup

That's a really good idea. I did actually try a few other usernames, like backupUser and tmBackup. Same results.

How about if you format the external APFS, but don't use a Sharing Only user -- just as a test

Tried that ... that brings me to elaborate upon the Second Big Problem: I formatted the external USB3 drive as APFS and added the "MyBackups" directory to it (and went into Advanced Sharing to make it a Time Machine destination). After failing to create a Sharing Only account that can access the drive as per above, I thought I'd just try to do a local backup and see if even that would work.

To do that, I simply went into Time Machine and opted to select a new backup drive to use. I expected the "MyBackups" directory to appear, but in fact it did not. The root APFS drive, which hosts this time-machine-shared directory, was the only thing that appeared as a choice to select. And when I selected it, it wanted to re-format the entire drive for use as a time machine backup drive, instead of simply using the existing MyBackups folder as its destination.

My experience with SMB backups to NAS units is that they are glacially slow

Yeah. I can accept that. As long as it works, I suppose. But the tinkerer in me is going to try and repartition the USB3 external drive with a small test APFS partition and try a few more tests with my Time Machine setup before I give up completely on using APFS.
 

goffredo

macrumors member
Original poster
Nov 28, 2009
38
5
I'd like to use a new 5TB USB3 external hard drive on my 2023 Mac Mini M2, running OS Ventura 13.3.1, as a shared Time Machine backup destination. I got a few slightly older macs (Mac OS 12.x) on my wifi network that I'd like to back up to this volume by mapping it to these older macs as a SMB network volume using a dedicated backup user account created with 'sharing only' status, and then selecting that volume as the time machine backup destinations. Easy stuff, I've done it a hundred times.

Update: I made some progress here and wanted to share, in case anyone else came along in my footsteps. I think the critical step was to assign permission of the backup user account to the shared folder (and rebooting) before setting that shared folder as a Time Machine backup destination. Doing it the other way -- setting the shared folder as a time machine backup destination, and THEN assigning the backup user account r/w permission to that shared folder -- did not seem to stick as per my original post.

Also, I feel that doing the File Sharing toggle & reboot steps below helped eliminate some of the oddness I experienced initially.

My notes:

  • I used Disk Utility to partition my new USB3 external hard drive into two APFS (not encrypted) partitions: myRemoteBackups and myLocalBackups. I rebooted between each major operation here.
  • I originally wanted to use the same single APFS volume to host time machine backups from the computers on my home network (remote users), as well as backups from the computer hosting the backup drive itself (local user). You can't do this if your backup drive is formatted as APFS. Interestingly, you can do this if your backup drive is formatted as Mac Extended. This was the cause of my Second Big Problem above. I decided sticking with APFS might offer some performance benefits over using the older Mac Extended filesystem, and so this is why I decided to create two separate APFS partitions as per above. The idea is, the computer hosting the USB3 external hard drive selects "myLocalBackups" as its backup destination and it's happy. And the various other computers on the home network map to "myRemoteBackups" and share that as their backup destination, and they are happy.
  • I created a dedicated backup user account named "mybackup" using the "Users & Groups" Add Account button, and assigned a very strong password. For this new user account I selected "Sharing Only" since the backup account time machine uses does not need a home directory, a shell, and so forth. I rebooted after this operation.
  • I toggled File Sharing off, rebooted again, and then turned File Sharing back on again. I read elsewhere ("Fix File Sharing Not Working in MacOS Ventura" on OSXDaily) that there were known issues with SMB shares in Ventura, and this was recommended as a general fix-all when file sharing was acting up, as it was for me with my disappearing user permission per my original post.
  • In File Sharing, I used the left + to add "myRemoteBackups" drive as a new Shared Folder. I rebooted, turned file sharing off, rebooted, and turned file sharing back on again.
  • In File Sharing, after selecting "myRemoteBackups" in Shared Folders, I used the right + to select the "mybackup" user and grant it permission to the share. I toggled from default "read only" to "read & write". I rebooted, turned file sharing off, rebooted, and turned file sharing back on again.
  • In File Sharing, I right-clicked on "myRemoteBackups", went to Advanced Options, and enabled "Shared as a Time Machine backup destination". Note that I did NOT enable "allow guest users" nor "SMB encrypted connections" here. I rebooted, turned file sharing off, rebooted, and turned file sharing back on again.
  • On each mac on my home network that I wanted to back up, I first went to Finder and did Command-K Connect to Server, and entered the static IP address my home network router assigns to my Mac Mini, e.g.: smb://192.168.1.123/myRemoteBackups. Then when asked, supplied login name and password of the "mybackup" Sharing Only account on this machine, and checked "Remember this password" box. This mounted the shared folder corresponding to the myRemoteBackups APFS volume on the USB3 drive on my Mac Mini 'server'. Then I went into Time Machine, selected this shared folder as the backup destination; a dialog prompting for login credentials was already pre-populated and I simply accepted them, and the backup began.
  • On the Mac Mini that is hosting the backup drive, I simply selected the myLocalBackups drive and began the backup there, no issues with this.
  • Edit: Especially for a removable hard drive, you want to at least enable Time Machine's backup encryption. As another poster noted, it turns out that relying on the filesystem to enforce permission and ownership of the "mybackup" user account can be easily over-ridden by a malicious actor who absconds with the drive. I did not use any encryption <etc>

And that was how I wasted an entire day messing around with Time Machine.
 

Brian33

macrumors 65816
Apr 30, 2008
1,471
371
USA (Virginia)
I did not use any encryption. To clarify, in Disk Utility I did not select encrypted APFS as the filesystem -- just normal APFS; and, in Time Machine when selecting the backup destination when creating the initial backup to this new backup destination, I did not enable the "Encrypt Backup" option. Instead, I am relying on the fact that my backup files are owned by the user account "mybackup", which has a very strong password, as some level of assurance against someone stealing the external USB3 drive, plugging it into their computer, and being able immediately to access my files ... a similar threat level to someone stealing my computer and trying to log in to it to access my files. Perhaps this is ill-advised and I welcome advice here for making my low-risk home network backup more secure without having to remember and enter a bunch of passwords every time I reboot the machine that hosts the Time Machine shared drive.

Relying on the files being owned by user account "mybackup" won't provide any protection if they are on an external drive. The external can be plugged into any Mac, and as long as Finder's "Ignore ownership on this volume" is enabled in the Get Info window (which is the default setting), then any user account can read/write to those files. The ONLY way to prevent a thief from reading files on an external drive is encryption.

I used Disk Utility to partition my new USB3 external hard drive into two APFS (not encrypted) partitions: myRemoteBackups and myLocalBackups. I rebooted between each major operation here.

For the remote backups, you can use encryption WITHOUT encrypting your "myRemoteBackups" partition. When TM sets up remote backups it always creates a disk image (in particular, a "sparsebundle") on the shared volume. That disk image simulates a physical disk and has its own volume and format. If you enable the "Encrypt Backup" option in TM setup, that disk image's format will be set to Encrypted APFS. Even though the underlying (shared) partition is unencrypted, the files within the sparsebundle will be encrypted. I recommend you re-do the TM setup for the remote backups to enable the encryption feature.

Your other partition, "myLocalBackups" should also be encrypted with the same option, IMHO. You don't have to reformat the partition yourself -- I believe when you enable the Encrypted option in the TM interface then TM will reformat the partition for you.

In both cases, the encryption password can be stored in a keychain, so you won't have to continually enter the passwords. (Of course, you should also save the encryption password safely with your other passwords, in case you need to read the backup drive from another Mac or different account!)
 
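A way to check the two settings discussed in the post above, as an added example that was not posted by anyone in this thread: a shell function that reads `diskutil info` text and flags a backup volume that is unencrypted or has ownership ignored. The sample text is constructed, and the field names (`Owners`, `FileVault`, `Device Location`) are assumed to match what `diskutil info` prints on your macOS version.

```shell
#!/bin/sh
# Added example. On a Mac: diskutil info /Volumes/myRemoteBackups | audit_volume
# The samples below are constructed, not captured; the field names are assumed
# to match `diskutil info` output and should be checked on your macOS version.
SAMPLE_PLAIN='   Volume Name:               myLocalBackups
   File System Personality:   APFS
   Owners:                    Disabled
   Device Location:           External
   FileVault:                 No'

SAMPLE_ENCRYPTED='   Volume Name:               myLocalBackups
   File System Personality:   APFS
   Owners:                    Enabled
   Device Location:           External
   FileVault:                 Yes'

# field NAME: print the value of the first "NAME: value" line in $INFO.
field() {
    printf '%s\n' "$INFO" | sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" | head -n 1
}

# audit_volume: read `diskutil info` text on stdin, print one line per finding.
audit_volume() {
    INFO=$(cat)
    name=$(field 'Volume Name')
    loc=$(field 'Device Location')
    findings=0
    case "$(field 'FileVault')" in
        Yes*) ;;   # volume-level encryption is on
        *)  echo "UNENCRYPTED: $name ($loc): readable by whoever holds the drive unless Time Machine's Encrypt Backup option was used"
            findings=1 ;;
    esac
    case "$(field 'Owners')" in
        Disabled*)  # "Ignore ownership on this volume" is in effect
            echo "OWNERS-IGNORED: $name: file ownership is not enforced on this volume"
            findings=1 ;;
    esac
    if [ "$findings" -eq 0 ]; then echo "OK: $name"; fi
    return 0
}

# Run both constructed samples so the script shows its output stand-alone.
printf '%s\n' "$SAMPLE_PLAIN" | audit_volume
printf '%s\n' "$SAMPLE_ENCRYPTED" | audit_volume
```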

goffredo

macrumors member
Original poster
Nov 28, 2009
38
5
as long as Finder's "Ignore ownership on this volume" is enabled in the Get Info window

Huh, I never knew about this setting. And duckduckgoing on this topic takes me deep down a rabbit hole. It seems like ignoring ownership doesn't necessarily ignore file permissions: for example, if the owner of a file doesn't have permission to it (which would be odd but certainly possible), ignoring ownership on a volume won't suddenly grant someone permission to such a file.

And a whole bunch of other fun file permission and ownership stuff I don't care to figure out ... so, thank you and I'll be re-doing my backups with time machine's encryption setting! I'll update my original post above to indicate this is a gotcha as well, in case someone is lazy and doesn't read down this far.
 