Adding UPS Monitoring to a Linux Home Lab Server with NUT

I recently added a managed UPS to a Linux server in my lab and wanted the server to do more than just sit on battery backup. I wanted the server to detect the UPS, monitor the battery status, send email alerts, provide a web status page, and shut down cleanly if power was out for too long.

The UPS I used was a CyberPower CP1500PFCLCD PFC Sinewave UPS Battery Backup and Surge Protector, 1500VA/1000W, 12 Outlets, AVR, Mini Tower, UL Certified

Amazon product page:

https://www.amazon.com/CyberPower-CP1500PFCLCD-Sinewave-Outlets-Mini-Tower/dp/B00429N19W


This post walks through the setup in a lab environment using Linux, Network UPS Tools, systemd, Nginx, and a simple notification script.

Lab Environment

The lab server used for this setup was running:

Linux distribution: LMDE 7 “Gigi”
Base: Debian 13 “Trixie”
UPS: CyberPower CP1500PFCLCD
UPS connection: USB cable
UPS software: Network UPS Tools, also known as NUT
Web server: Nginx
Mail relay: Local sendmail-compatible relay


The examples below use sanitized names and addresses:

UPS name: lab-ups
Server IP: 192.168.1.5
Alert email: admin@example.com
Status page: http://192.168.1.5/status/ups/

Substitute your own values where needed.

What I Wanted the UPS Setup to Do

The goal was not just battery backup. I wanted useful management:

• Detect the UPS over USB
• Monitor line power, battery charge, runtime, and load
• Send an email when power events happen
• Wait before shutting down, in case power comes back quickly
• Shut down cleanly if power stays out too long
• Provide a web-based UPS status page
• Start automatically after reboot

The final behavior looked like this:

• Power goes out:
• Start a 5-minute warning timer.
• Start a 30-minute shutdown timer.
• After 5 minutes on battery:
• Send an email warning.
• After 30 minutes on battery:
• Send a shutdown warning.
• Start clean shutdown.
• If power comes back:
• Cancel the timers.
• Send a recovery email.
• If the UPS reaches low battery:
• Shut down immediately.

Step 1: Plug in the UPS USB Cable

First, I connected the UPS to the Linux server using the USB cable that came with the UPS.

Then I checked whether Linux could see it:

lsusb

The UPS appeared as a CyberPower USB device. Example:

Cyber Power System, Inc. CP1500PFCLCD UPS

I also checked recent kernel messages:

dmesg | tail -n 80

This confirmed that the server saw the USB device.

Step 2: Install Network UPS Tools

Network UPS Tools, or NUT, is the standard Linux toolset for monitoring UPS units.

Install it:

apt update
apt install -y nut nut-client nut-server

Then scan for USB UPS devices:

nut-scanner -U

The scan should return something similar to this:

[nutdev1]
    driver = "usbhid-ups"
    port = "auto"
    vendorid = "0764"
    productid = "0601"
    product = "CP1500PFCLCDa"
    vendor = "CPS"

The important line is:

driver = "usbhid-ups"

That is the driver used for many USB HID-compatible UPS units.

Step 3: Configure the UPS

Edit `/etc/nut/ups.conf`:

cp /etc/nut/ups.conf /etc/nut/ups.conf.bak.$(date +%Y%m%d-%H%M%S)

cat > /etc/nut/ups.conf <<'EOF'
[lab-ups]
    driver = usbhid-ups
    port = auto
    vendorid = 0764
    productid = 0601
    desc = "CyberPower CP1500PFCLCD UPS"
EOF

This defines the UPS as `lab-ups`.

Step 4: Set NUT to Standalone Mode

For a single server connected directly to one UPS, standalone mode is appropriate.

Configure `/etc/nut/nut.conf`:

cp /etc/nut/nut.conf /etc/nut/nut.conf.bak.$(date +%Y%m%d-%H%M%S)

cat > /etc/nut/nut.conf <<'EOF'
MODE=standalone
EOF

Step 5: Create the NUT Monitor User

NUT uses a local user account so `upsmon` can monitor the UPS through `upsd`.

Configure `/etc/nut/upsd.users`:

cp /etc/nut/upsd.users /etc/nut/upsd.users.bak.$(date +%Y%m%d-%H%M%S) 2>/dev/null || true

cat > /etc/nut/upsd.users <<'EOF'
[monuser]
    password = replace-this-with-a-strong-local-password
    upsmon master
EOF

chmod 640 /etc/nut/upsd.users
chown root:nut /etc/nut/upsd.users

Use a real password in your own environment.

Step 6: Configure UPS Monitoring

Configure `/etc/nut/upsmon.conf`:

cp /etc/nut/upsmon.conf /etc/nut/upsmon.conf.bak.$(date +%Y%m%d-%H%M%S)

cat > /etc/nut/upsmon.conf <<'EOF'
MONITOR lab-ups@localhost 1 monuser replace-this-with-a-strong-local-password master

MINSUPPLIES 1
SHUTDOWNCMD "/sbin/shutdown -h +0"
POLLFREQ 5
POLLFREQALERT 5
HOSTSYNC 15
DEADTIME 15
POWERDOWNFLAG /etc/killpower

NOTIFYFLAG ONLINE SYSLOG+WALL+EXEC
NOTIFYFLAG ONBATT SYSLOG+WALL+EXEC
NOTIFYFLAG LOWBATT SYSLOG+WALL+EXEC
NOTIFYFLAG FSD SYSLOG+WALL+EXEC
NOTIFYFLAG COMMOK SYSLOG+WALL+EXEC
NOTIFYFLAG COMMBAD SYSLOG+WALL+EXEC
NOTIFYFLAG SHUTDOWN SYSLOG+WALL+EXEC
NOTIFYFLAG REPLBATT SYSLOG+WALL+EXEC
NOTIFYFLAG NOCOMM SYSLOG+WALL+EXEC

NOTIFYCMD /usr/sbin/upssched
EOF

chmod 640 /etc/nut/upsmon.conf
chown root:nut /etc/nut/upsmon.conf

This tells `upsmon` to call `upssched`, which handles timed actions.

Step 7: Fix USB Permissions If Needed

On my setup, the UPS was detected but the driver initially could not open the USB device because of permissions.

The error looked like this:

libusb1: Could not open any HID devices: insufficient permissions on everything
No matching HID UPS found

The fix was to create a udev rule for the CyberPower UPS:

cat > /etc/udev/rules.d/62-cyberpower-ups.rules <<'EOF'
 CyberPower CP1500PFCLCD UPS for NUT
SUBSYSTEM=="usb", ATTR{idVendor}=="0764", ATTR{idProduct}=="0601", MODE="0660", GROUP="nut"
SUBSYSTEM=="usb_device", ATTR{idVendor}=="0764", ATTR{idProduct}=="0601", MODE="0660", GROUP="nut"
EOF

udevadm control --reload-rules
udevadm trigger

Then unplug the UPS USB cable, wait a few seconds, and plug it back in.

Check the permissions:

lsusb | grep -i -E 'cyber|power|ups|0764'

for dev in /dev/bus/usb/*/*; do
    if udevadm info -q property -n "$dev" 2>/dev/null | grep -q 'ID_VENDOR_ID=0764'; then
        echo "===== $dev ====="
        ls -l "$dev"
    fi
done

The device should be owned by root with group `nut`.

Step 8: Start the NUT Services

On Debian 13, the driver runs as a systemd instance, such as:

nut-driver@lab-ups.service

Start and enable the NUT services:

systemctl daemon-reload

systemctl enable --now nut-driver-enumerator.path
systemctl enable --now nut-driver-enumerator.service
systemctl enable --now nut-server
systemctl enable --now nut-monitor

Check the driver instance:

systemctl list-units 'nut-driver*' --all --no-pager

You should see something like:

nut-driver@lab-ups.service loaded active running

Then check all three main pieces:

systemctl is-active nut-driver@lab-ups.service nut-server nut-monitor

Expected:

active
active
active

Step 9: Query the UPS

Now query the UPS:

upsc lab-ups@localhost

Useful values include:

text
battery.charge
battery.runtime
input.voltage
output.voltage
ups.load
ups.status


Example:

text
battery.charge: 100
battery.runtime: 5525
input.voltage: 120.0
output.voltage: 120.0
ups.load: 7
ups.status: OL


`OL` means the UPS is on utility power.

Common status values:

text
OL        On line power
OB        On battery
LB        Low battery
OL CHRG   On line and charging

Step 10: Create an Email Notification Script

I wanted the server to send an email when UPS events happened.

Create `/usr/local/sbin/lab-ups-notify.sh`:

cat > /usr/local/sbin/lab-ups-notify.sh <<'EOF'
!/usr/bin/env bash

TO="admin@example.com"
FROM="Lab Server <server@example.com>"
LOG="/var/log/lab-ups.log"

EVENT="${NOTIFYTYPE:-UNKNOWN}"
MESSAGE="${*:-No message supplied}"
NOW="$(date '+%Y-%m-%d %H:%M:%S %Z')"
HOST="$(hostname -f 2>/dev/null || hostname)"

UPS_STATUS="$(upsc lab-ups@localhost 2>/dev/null || true)"

{
    echo "[$NOW] UPS event: $EVENT - $MESSAGE"
} >> "$LOG"

timeout 30 /usr/sbin/sendmail -t <<MAIL
From: ${FROM}
To: ${TO}
Subject: [LAB SERVER] UPS event: ${EVENT}

The lab server received a UPS event.

Time:
  ${NOW}

Host:
  ${HOST}

Event:
  ${EVENT}

Message:
  ${MESSAGE}

UPS Status:
${UPS_STATUS}
MAIL

exit 0
EOF

chmod 0755 /usr/local/sbin/lab-ups-notify.sh


Test it:

NOTIFYTYPE=TEST /usr/local/sbin/lab-ups-notify.sh "Manual UPS notification test"

If the email arrives, the notification script is working.

Step 11: Configure Timed Shutdown Behavior

I did not want the server to shut down immediately for a short power blink. I wanted it to wait.

The plan was:

• After 5 minutes on battery:
• Send warning email.
• After 30 minutes on battery:
• Start clean shutdown.
• If power comes back:
• Cancel shutdown timers and send recovery email.
• If low battery happens:
• Shut down immediately.

Create the `upssched` command script:

cat > /usr/local/sbin/lab-upssched-cmd.sh <<'EOF'
!/usr/bin/env bash

LOG="/var/log/lab-ups.log"
NOW="$(date '+%Y-%m-%d %H:%M:%S %Z')"

case "$1" in
    onbatt-warning)
        NOTIFYTYPE=ONBATT-WARNING /usr/local/sbin/lab-ups-notify.sh \
            "The lab server has been on UPS battery power for 5 minutes."
        echo "[$NOW] upssched: 5-minute on-battery warning sent" >> "$LOG"
        ;;

    onbatt-shutdown)
        NOTIFYTYPE=ONBATT-SHUTDOWN /usr/local/sbin/lab-ups-notify.sh \
            "The lab server has been on UPS battery power for 30 minutes. Starting clean shutdown."
        echo "[$NOW] upssched: 30-minute on-battery shutdown triggered" >> "$LOG"
        /sbin/upsmon -c fsd
        ;;

    online-recovery)
        NOTIFYTYPE=ONLINE-RECOVERY /usr/local/sbin/lab-ups-notify.sh \
            "Power has been restored. The lab server is back on utility power. UPS shutdown timers have been cancelled."
        echo "[$NOW] upssched: online recovery email sent; shutdown timers cancelled" >> "$LOG"
        ;;

    *)
        echo "[$NOW] upssched: unknown command: $1" >> "$LOG"
        ;;
esac
EOF

chmod 0755 /usr/local/sbin/lab-upssched-cmd.sh


Then configure `/etc/nut/upssched.conf`:

cp /etc/nut/upssched.conf /etc/nut/upssched.conf.bak.$(date +%Y%m%d-%H%M%S) 2>/dev/null || true

cat > /etc/nut/upssched.conf <<'EOF'
CMDSCRIPT /usr/local/sbin/lab-upssched-cmd.sh
PIPEFN /run/nut/upssched.pipe
LOCKFN /run/nut/upssched.lock

AT ONBATT * START-TIMER onbatt-warning 300
AT ONBATT * START-TIMER onbatt-shutdown 1800

AT ONLINE * CANCEL-TIMER onbatt-warning
AT ONLINE * CANCEL-TIMER onbatt-shutdown
AT ONLINE * EXECUTE online-recovery

AT LOWBATT * EXECUTE onbatt-shutdown
EOF

chmod 640 /etc/nut/upssched.conf
chown root:nut /etc/nut/upssched.conf

Restart the monitor:

systemctl restart nut-monitor

Verify:

systemctl status nut-monitor --no-pager

Step 12: Install the NUT CGI Web Status Page

I also wanted a simple web page to show UPS status.

Install the packages:

apt update
apt install -y nut-cgi fcgiwrap

Find the CGI files:

dpkg -L nut-cgi | grep -E 'cgi|upsstats|upsset|hosts'

On Debian, the CGI files are usually here:

/usr/lib/cgi-bin/nut/upsstats.cgi
/usr/lib/cgi-bin/nut/upsimage.cgi
/usr/lib/cgi-bin/nut/upsset.cgi

Configure `/etc/nut/hosts.conf`:

cp /etc/nut/hosts.conf /etc/nut/hosts.conf.bak.$(date +%Y%m%d-%H%M%S)

cat > /etc/nut/hosts.conf <<'EOF'
MONITOR lab-ups@localhost "Lab UPS"
EOF

Start `fcgiwrap`:

systemctl enable --now fcgiwrap.socket
systemctl status fcgiwrap.socket --no-pager

Step 13: Add an Nginx Location for the UPS Page

In my lab, I exposed the UPS page as a subpage of the server’s local status site:

http://192.168.1.5/status/ups/

The Nginx block looked like this:

location = /status/ups {
    return 301 /status/ups/;
}

location /status/ups/ {
    include fastcgi_params;
    fastcgi_pass unix:/run/fcgiwrap.socket;
    fastcgi_param SCRIPT_FILENAME /usr/lib/cgi-bin/nut/upsstats.cgi;
    fastcgi_param SCRIPT_NAME /status/ups/;
    fastcgi_param PATH_INFO "";
    fastcgi_param QUERY_STRING $query_string;
    add_header Cache-Control "no-store, no-cache, must-revalidate, max-age=0";
}

location = /status/ups/upsimage.cgi {
    include fastcgi_params;
    fastcgi_pass unix:/run/fcgiwrap.socket;
    fastcgi_param SCRIPT_FILENAME /usr/lib/cgi-bin/nut/upsimage.cgi;
    fastcgi_param SCRIPT_NAME /status/ups/upsimage.cgi;
    fastcgi_param QUERY_STRING $query_string;
    add_header Cache-Control "no-store, no-cache, must-revalidate, max-age=0";
}

Test Nginx:

nginx -t
systemctl reload nginx

Then test the page:

curl -I http://192.168.1.5/status/ups/

The detailed UPS page was available at:

http://192.168.1.5/status/ups/?host=lab-ups@localhost

Step 14: Final Verification Commands

Here are the main commands I use to check the UPS setup:

systemctl is-active nut-driver@lab-ups.service nut-server nut-monitor

upsc lab-ups@localhost | grep -E 'ups.status|battery.charge|battery.runtime|ups.load|input.voltage|output.voltage'

systemctl list-units 'nut-driver*' --all --no-pager

tail -n 50 /var/log/lab-ups.log

Expected UPS status on normal wall power:

ups.status: OL

Final Result

After setup, the server had:

• UPS detected over USB
• NUT driver running
• NUT server running
• NUT monitor running
• Email alerts working
• Timed shutdown behavior configured
• Recovery email when power returns
• Web status page available on the LAN
• Automatic startup after reboot

At the current low load in my lab, the UPS reported roughly 90 minutes of runtime. I chose not to run the server all the way down. Instead, the system waits 30 minutes on battery, then shuts down cleanly unless power returns first.

That gives short outages a chance to clear while still protecting the server, filesystems, and running services from an uncontrolled power loss.

Closing Thoughts

A UPS is useful by itself, but it becomes much more useful when the server can talk to it. With a USB cable and Network UPS Tools, a Linux server can monitor power status, send alerts, display a web status page, and shut itself down cleanly.

For a home lab or small server rack, this is one of those upgrades that is worth doing before the next power outage.

Managing a Cisco Catalyst Switch from a Linux Server Using a USB-to-RJ45 Console Cable

I recently connected a Linux server in my lab directly to a Cisco Catalyst switch using a USB-to-RJ45 Cisco console cable. The goal was simple: manage the switch from the Linux command line without needing a separate laptop, USB serial adapter, or Windows terminal program.

This is a practical lab setup for anyone who works with older Cisco switches, home lab racks, or small network environments. Once the cable is connected, the Linux server can act as a permanent console workstation for the switch.

 

 

 

 

 

 

 

 

Lab Hardware and Software Used

For this lab, I used the following equipment:

Linux server
Linux distribution: LMDE 7 “Gigi”
Base: Debian 13 “Trixie”

Cisco switch
Model: Cisco Catalyst WS-C2960G-8TC-L

Console cable
Cable Matters USB-to-RJ45 Cisco console cable
FTDI-based USB serial chipset
Length: 6 feet

The specific cable used was sold as a Cable Matters USB-to-RJ45 Console Cable compatible with Cisco console cables / rollover cords, and purchased from Amazon: https://www.amazon.com/dp/B078PVJ5ZQ 

This kind of cable is not an Ethernet cable. The RJ45 end plugs into the console port on the Cisco switch, not into a regular Ethernet switch port.

What the Cable Does

A Cisco console connection is a serial connection. Many Cisco switches use an RJ45-style console port, but electrically it is not Ethernet.

The USB-to-RJ45 console cable includes a USB-to-serial adapter in the cable assembly. In this lab, Linux detected the USB-to-serial chipset as an FTDI device. Once detected, the system created a serial console device that could be used to connect to the Cisco switch. 

Physical Connection

The connection is straightforward:

Linux server USB port
        |
        | USB-to-RJ45 Cisco console cable
        |
Cisco Catalyst console port

The RJ45 end must go into the console port on the Cisco switch. Do not plug it into a normal Ethernet data port.

Step 1: Confirm Linux Sees the USB Serial Adapter

After plugging in the USB side of the console cable, I checked whether Linux detected the USB serial chipset:

lsusb | grep -i -E 'ftdi|serial|cable|0403'

Example output:

Bus 005 Device 002: ID 0403:6001 Future Technology Devices International, 
Ltd FT232 Serial (UART) IC

Then I checked the kernel log:

dmesg | grep -i -E 'ttyUSB|ftdi|usb serial' | tail -n 30

The important line was:

FTDI USB Serial Device converter now attached to ttyUSB0

That means Linux created a serial device at:

/dev/ttyUSB0

Linux also created a stable device path:

ls -l /dev/ttyUSB* /dev/serial/by-id/* 2>/dev/null

Example output:

/dev/serial/by-id/usb-FTDI_FT232R_USB_UART_AH6SK75M-if00-port0 -> ../../ttyUSB0
/dev/ttyUSB0

I prefer using the /dev/serial/by-id/ path because /dev/ttyUSB0 can change if additional USB serial devices are connected later.

Step 2: Install Serial Console Tools

On the Linux server, I installed screen and minicom:

sudo apt update
sudo apt install -y screen minicom

Either tool can be used. screen is quick and simple. minicom is more purpose-built for serial console work.

Step 3: Connect with screen

Most Cisco Catalyst console ports use 9600 baud.

To connect using screen:

screen /dev/serial/by-id/usb-FTDI_FT232R_USB_UART_AH6SK75M-if00-port0 9600

After the session opens, press Enter once or twice. The Cisco prompt should appear:

Switch>

To enter privileged EXEC mode:

enable

The prompt should change to:

Switch#

At that point, the Linux server is connected to the Cisco switch console.

Step 4: Disable Output Paging

Cisco IOS often pauses long output with --More--. For lab documentation and troubleshooting, I usually disable paging for the current session:

terminal length 0

This does not permanently change the switch. It only affects the current console session.

Step 5: Run Basic Discovery Commands

Useful commands for identifying and documenting the switch include:

show version
show inventory
show running-config
show startup-config
show ip interface brief
show interfaces status
show vlan brief
show logging

In this lab, the switch was identified as:

Model: Cisco Catalyst WS-C2960G-8TC-L
IOS image: c2960-lanbasek9-mz.122-55.SE5.bin
Processor: PowerPC405
Memory: 65536K bytes
Management interface: Vlan1
Management IP method: DHCP

The switch had a DHCP-assigned management IP address on VLAN 1.

Step 6: Save Configuration Changes

After changing Cisco IOS configuration, save the running configuration to startup configuration:

write memory

or:

copy running-config startup-config

If prompted for the destination filename, press Enter to accept the default.

Step 7: Disconnect Properly from screen

Do not just close the terminal window. To cleanly disconnect from screen:

Ctrl-A
K
y

That means:

1. Press Ctrl-A.

2. Press K.

3. Press y to confirm.

This exits the screen session and releases the serial device.

Step 8: Connect with Minicom

Minicom is another good option for Cisco console access.

To connect:

minicom -D /dev/serial/by-id/usb-FTDI_FT232R_USB_UART_AH6SK75M-if00-port0 -b 9600

If the screen appears blank, press Enter once or twice.

To exit Minicom:

Ctrl-A
X

Then confirm that you want to leave Minicom.

Step 9: Log the Entire Cisco Console Session to a File

For documentation, I like logging the whole Cisco console session to a file. This creates a record of the commands run and the output returned by the switch.

Create a log directory:

mkdir -p /root/cisco-logs

Start screen with logging enabled:

screen -L -Logfile /root/cisco-logs/catalyst-2960-$(date +%Y%m%d-%H%M%S).log \
/dev/serial/by-id/usb-FTDI_FT232R_USB_UART_AH6SK75M-if00-port0 9600

Inside the Cisco session, run the commands you want to capture:

terminal length 0
show version
show inventory
show running-config
show interfaces status
show vlan brief
show ip interface brief

When finished, exit screen:

Ctrl-A
K
y

Then review the log file:

ls -lt /root/cisco-logs/
less /root/cisco-logs/catalyst-2960-*.log

This is one of the easiest ways to collect clean documentation from a Cisco switch in a lab.

Step 10: Disable Old Web Management If Needed

Older Cisco Catalyst switches may have the built-in HTTP or HTTPS management server enabled. If you browse to the switch management IP and get a username/password prompt, that may be the switch’s internal web interface.

For an older lab switch, I prefer disabling web management unless I specifically need it:

configure terminal
no ip http server
no ip http secure-server
end
write memory

Verify:

show running-config | include ip http

Expected output:

no ip http server
no ip http secure-server

For a lab switch, console access is often enough. If remote management is needed later, configure SSH, a local admin user, an enable secret, and management access restrictions.

Troubleshooting

If Linux does not show the serial device, check:

lsusb
dmesg | grep -i -E 'ttyUSB|ftdi|usb serial'
ls -l /dev/ttyUSB* /dev/serial/by-id/* 2>/dev/null

If another program is using the serial port:

fuser -v /dev/ttyUSB0

If the screen is blank:

Press Enter.
Confirm the RJ45 connector is plugged into the console port.
Confirm the baud rate is 9600.
Try minicom if screen behaves oddly.

If the characters are garbled, the serial settings are probably wrong. Most Cisco Catalyst console ports use:

9600 baud
8 data bits
No parity
1 stop bit
No flow control

Final Thoughts

Connecting a Linux server to a Cisco Catalyst switch with a USB-to-RJ45 console cable is a simple and useful lab setup. It lets the Linux server act as a dedicated console workstation for the switch. It also makes it easy to capture switch configuration, check port status, save logs, and perform recovery work without dragging out another machine.

For a home lab, small rack, or learning environment, this is a practical and inexpensive way to manage older Cisco gear from the Linux command line.

Happy Father's Day on the Summer Solstice!

Happy Flag Day!

 

82nd Anniversary of D-Day

 

 

 

 

 

 

 

 

 

 

Eighty-two years ago today, freedom stood on the edge of extinction, and Allied forces stormed into hell to help save the world. We will never forget the courage, the sacrifice, and the blood spilled on that fateful day. 

Why Many Churches Object to Freemasonry: A Historical and Theological Overview

Freemasonry has long presented itself as a moral, fraternal, and charitable organization rather than a church or religion. Many Masons sincerely understand it that way. The United Grand Lodge of England, for example, describes Freemasonry as non-religious and non-political, while still requiring members to affirm belief in a “Supreme Being” (United Grand Lodge of England, n.d.). The Grand Lodge of Ohio similarly states that Freemasonry is not a religion or a substitute for religion, even though its ceremonies include religious or spiritual elements (Grand Lodge of Ohio, n.d.).

That distinction is exactly where many churches see the problem. The historic Christian objections are usually not aimed at Freemasonry’s charitable work, civic friendship, or moral instruction. They are aimed at the religious ambiguity built into Masonic practice: prayer, ritual, oaths, sacred symbols, moral teaching, and references to God that are intentionally broad enough to include Christians, Jews, Muslims, deists, and others. Many churches argue that this “generic” religious framework competes with, obscures, or contradicts central Christian claims about God, Christ, salvation, and Christian witness.

The Catholic Church: The Longest Formal Opposition

The Roman Catholic Church has consistently and formally opposed Freemasonry. Catholic opposition dates back to Pope Clement XII’s 1738 condemnation of Masonic membership. Later Catholic teaching continued to treat Freemasonry as incompatible with Catholic doctrine, especially because of its secrecy, religious indifferentism, naturalistic moral philosophy, and historical conflict with church authority.

In 1983, the Congregation for the Doctrine of the Faith clarified that the Catholic Church’s negative judgment had not changed even though the revised Code of Canon Law no longer named Freemasonry directly. The declaration stated that Masonic principles had “always been considered irreconcilable with the doctrine of the Church,” that Catholic membership remained forbidden, and that Catholics enrolled in Masonic associations were in grave sin and could not receive Holy Communion (Congregation for the Doctrine of the Faith, 1983). A 2023 Vatican note reaffirmed the same position, again stating that active Catholic membership in Freemasonry is forbidden because of the irreconcilability between Catholic doctrine and Freemasonry (Dicastery for the Doctrine of the Faith, 2023).

The Catholic concern is not limited to whether a local lodge is hostile to Christianity. A Vatican reflection published after the 1983 declaration emphasized that the problem is doctrinal and philosophical, not merely practical. In other words, even if a lodge is friendly toward Christians, the Catholic objection remains because Freemasonry’s principles are viewed as religiously and morally incompatible with Catholic faith (Congregation for the Doctrine of the Faith, 1985).

The “Supreme Being” Problem

One of the most common Christian objections is Freemasonry’s use of broad language for God. Freemasonry generally requires belief in a Supreme Being, but it does not require belief in the Triune God of Christianity. Its defenders see this as religious tolerance. Many churches see it as theological reduction.

For orthodox Christians, God is not merely a generic Creator or moral overseer. God is Father, Son, and Holy Spirit, and Jesus Christ is not optional to Christian worship. Churches that object to Freemasonry argue that prayers or rituals addressed to a religiously neutral “Supreme Being” can blur the difference between Christian worship and generalized theism. This is why some churches describe Freemasonry as religiously syncretistic or religiously indifferent. It gathers men of different religions around shared religious symbols while avoiding the doctrinal claims that distinguish those religions.

This does not necessarily mean Freemasonry claims to be a church. The issue is subtler. Many churches argue that Freemasonry functions religiously even while denying that it is a religion.

Salvation, Moralism, and Good Works

Another frequent objection is that Masonic language about moral improvement, purity of life, light, and the “celestial lodge” can sound like a works-based path to eternal reward. Historic Christianity teaches that salvation is by God’s grace through faith in Jesus Christ, not by moral achievement, fraternity, ritual progress, or good works.

The Southern Baptist Convention’s 1993 report took a nuanced position. It acknowledged that some Masonic teachings, such as honesty, integrity, industry, and character, can be compatible with Christian practice. However, the report also identified several Masonic teachings that many Southern Baptists considered incompatible with Christianity, including the implication that salvation may be attained through good works and the presence of universalistic themes in some Masonic writings (Southern Baptist Convention, 1993). The SBC ultimately left Masonic membership as a matter of personal conscience, but urged Southern Baptists to evaluate Freemasonry carefully in light of Christ, Scripture, and the report’s findings.

The Methodist Church of Great Britain reached a similarly cautious but not absolute conclusion. Its 1996 report did not declare that Freemasons were automatically disqualified from Methodist membership or office. However, it warned that unresolved doctrinal issues remained, including the nature of God, salvation, prayer, religion, and ritual. It also warned that a strong emphasis on doing good could lead men to believe that moral conduct is all their Creator requires of them (Methodist Church, 1996).

The Lutheran Church Missouri Synod took a stronger position. Its pastoral guidance states that LCMS members should not belong to organizations whose rituals teach salvation by works, invoke a generic Supreme Being, and omit reference to the person and work of God’s Son (Lutheran Church Missouri Synod, 2008). The Wisconsin Evangelical Lutheran Synod similarly rejects participation in organizations with religious features that conflict with the Christian faith, identifying Freemasonry as one such lodge (Wisconsin Evangelical Lutheran Synod, 2019).

Oaths, Secrecy, and Christian Witness

Many churches also object to Masonic oaths and secrecy. The concern is not merely that a private organization has internal customs. Churches object when secrecy is joined to religious ritual, solemn obligations, symbolic penalties, and duties that may appear to compete with a Christian’s public loyalty to Christ and the church.

The Methodist Church’s 1996 report specifically expressed concern about the “secrecy culture” surrounding Freemasonry, even while recognizing that some changes had been made in recent years (Methodist Church, 1996). The Orthodox Church in America’s clergy guidelines instruct priests to speak privately and pastorally with a Freemason in their flock and to show the incompatibility of Orthodoxy with Freemasonry (Orthodox Church in America, 2023). At funerals, the same guidelines direct clergy not to allow words or symbols other than those of the Orthodox faith into the church or funeral home.

To many Christian critics, this secrecy creates a discipleship problem. Christianity is a public confession centered on Christ. Masonic obligations, signs, symbols, and private ritual can appear to place a second set of binding commitments alongside the commitments of baptism, church membership, and Christian obedience.

The Omission of Jesus Christ

A major objection among conservative Protestant critics is that Masonic prayers and ceremonies often avoid the name of Jesus Christ so that non-Christian members are not excluded or offended. Freemasonry sees this as inclusivity. Critics see it as a denial of Christian witness.

The Orthodox Presbyterian Church’s 1942 report argued that the omission of Christ from prayers and biblical material was a serious theological problem. The report concluded that Masonry was religious in character and therefore anti-Christian, while also acknowledging that sincere Christians might be Masons because they were uninformed or misinformed about the lodge’s religious character (Orthodox Presbyterian Church, 1942). Later OPC guidance stated that the denomination stands firmly against membership in the Masonic Lodge, though it does not maintain a constitutional bar against every Freemason being a church member (Orthodox Presbyterian Church, 2008).

The concern is simple: Christians are commanded to confess Christ. If a Christian joins in ritual prayer where the name and saving work of Christ must be intentionally omitted, many churches see that as a compromised witness.

Eastern Orthodox Concerns

Eastern Orthodox objections often overlap with Catholic and Protestant concerns but are expressed through Orthodox categories of worship, mystery, and ecclesial identity. The Church of Greece formally condemned Freemasonry in 1933, describing it not merely as a philanthropic or philosophical society, but as a mystery-like religious system incompatible with Christianity. The Orthodox Church in America’s current clergy guidelines continue to treat Freemasonry as incompatible with Orthodoxy (Orthodox Church in America, 2023).

For Orthodox churches, the issue is not only doctrine in the abstract. It is also liturgical and sacramental. Orthodoxy understands Christian identity as participation in the life, worship, and mysteries of the Church. A parallel system of ritual, symbols, secrecy, and spiritual brotherhood can therefore be seen as a rival religious formation.

Not All Churches Respond the Same Way

It is important to be fair: Christian churches do not all take the same position. Some prohibit Masonic membership. Some strongly discourage it. Some leave it to conscience. Some mainline Protestant bodies have no firm denominational rule against lay membership. Even in denominations with formal objections, local practice may vary.

The SBC is a good example of nuance. Its report identified incompatibilities, but it did not create a universal denominational ban. The Methodist Church likewise raised serious concerns but did not automatically disqualify Freemasons from membership or office. By contrast, the Catholic Church’s position is clearly prohibitive, and some Lutheran, Orthodox, and conservative Presbyterian bodies maintain stronger opposition.

Conclusion

Many churches object to Freemasonry because they believe it creates a religiously ambiguous space where Christian doctrine is diluted. Freemasonry’s defenders say it is not a religion and that its moral teachings help men become better members of their own faiths. Critics respond that Freemasonry still uses religious language, sacred symbols, prayers, ritual obligations, and teachings about moral improvement in ways that resemble religion while avoiding the exclusive claims of Christianity.

Historically, the strongest objections cluster around five issues: the generic “Supreme Being” rather than the Triune God, the risk of works-based moralism, secret oaths and obligations, the omission of Jesus Christ from prayer and ritual, and the appearance of a parallel spiritual brotherhood outside the church.

For Christians evaluating Freemasonry, the real question is not whether Masons do charitable work or whether individual Masons are sincere. Many do, and many are. The deeper question is whether a Christian can participate in Masonic ritual and obligation without compromising the confession that Jesus Christ is Lord, that salvation is by grace, and that Christian worship and witness must remain centered on the Triune God.

References

Congregation for the Doctrine of the Faith. (1983, November 26). Declaration on Masonic associations. The Holy See. https://www.vatican.va/roman_curia/congregations/cfaith/documents/rc_con_cfaith_doc_19831126_declaration-masonic_en.html

Congregation for the Doctrine of the Faith. (1985, February 23). Irreconcilability between Christian faith and Freemasonry: Reflections a year after the declaration of the Congregation for the Doctrine of the Faith. The Holy See. https://www.vatican.va/roman_curia/congregations/cfaith/documents/rc_con_cfaith_doc_19850223_declaration-masonic_articolo_en.html

Dicastery for the Doctrine of the Faith. (2023, November 13). The request of His Excellency, the Most Rev. Julito Cortes, Bishop of Dumaguete, regarding the best pastoral approach to membership in Freemasonry by the Catholic faithful. The Holy See. https://www.vatican.va/roman_curia/congregations/cfaith/documents/rc_ddf_doc_20231113_richiesta-cortes-massoneria_en.html

Grand Lodge of Free & Accepted Masons of Ohio. (n.d.). Is Freemasonry a religion? Freemason.com. https://www.freemason.com/general-faq/freemasonry-religion/

Home Mission Board of the Southern Baptist Convention. (1993). A report on Freemasonry. North American Mission Board. https://www.namb.net/apologetics/wp-content/uploads/sites/4/2016/03/A_Report_on_Freemasonry.pdf

Lutheran Church Missouri Synod, Commission on Theology and Church Relations. (2009). Membership in certain fraternal organizations: A pastoral approach. https://ctsfw.net/media/pdfs/CTCRMembershipinCertainFraternalOrganizationsAPastoralApproach.pdf

Methodist Church. (1996). Freemasonry. https://www.methodist.org.uk/documents/8019/fo-statement-freemasonry-1996_BKj0TuG.pdf

Orthodox Church in America. (2023). Guidelines for clergy. https://www.oca.org/files/PDF/official/2023-OCA-Guidelines-for-Clergy.pdf

Orthodox Presbyterian Church. (1942). Christ or the Lodge? A report on Freemasonry. https://opc.org/GA/masonry.html

Orthodox Presbyterian Church. (2008). Freemasonry. https://opc.org/qa.html?question_id=291

United Grand Lodge of England. (n.d.). Frequently asked questions. https://www.ugle.org.uk/discover-freemasonry/frequently-asked-questions

Wisconsin Evangelical Lutheran Synod. (2019, September 23). Freemasonry and the Bible. https://wels.net/faq/freemasonry-and-the-bible/

Wisconsin Evangelical Lutheran Synod. (2020, September 22). Freemasonry. https://wels.net/faq/freemasonry/

Follow-Up: Does the Linux Time Machine SMB Setup Change on Linux Mint 22?

In the previous article, I covered why Apple is moving away from Apple Filing Protocol (AFP) and how to configure a Linux Mint server as a Time Machine backup target using Samba and SMB. A natural follow-up question is whether the process works differently on Linux Mint 22 compared with Linux Mint 21.3.

The short answer is: not very much. The same general Samba, SMB, Avahi, and vfs_fruit configuration works on both Linux Mint 21.3 and Linux Mint 22.x. However, there are a few version-related details worth understanding before you build or upgrade a Linux-based Time Machine server.

Linux Mint 21.3 vs Linux Mint 22.x

Linux Mint 21.3, codenamed Virginia, is part of the Linux Mint 21 series. It is based on the Ubuntu Jammy package base and is supported until April 2027 (Linux Mint, n.d.-a).

Linux Mint 22.x, including Linux Mint 22.3, codenamed Zena, is part of the Linux Mint 22 series. It is based on the Ubuntu Noble package base and is supported until April 2029 (Linux Mint, n.d.-a; Linux Mint, n.d.-b).

For a Time Machine server, this means Linux Mint 22.x gives you a newer long-term support base, a longer support window, and newer packages from the Ubuntu 24.04 LTS family. Linux Mint 21.3 is still usable and supported, but it is closer to the end of its support lifecycle.

Does the Samba Configuration Change?

The basic Samba configuration does not need to change just because you are using Linux Mint 22 instead of Linux Mint 21.3.

The package installation command is the same:

sudo apt update
sudo apt install samba avahi-daemon

The service commands are also the same:

sudo systemctl enable --now smbd
sudo systemctl enable --now avahi-daemon

The same Samba share structure can be used:

[global]
   workgroup = WORKGROUP
   server role = standalone server
   security = user
   map to guest = Bad User
   min protocol = SMB2

   fruit:aapl = yes
   fruit:model = TimeCapsule

[TimeMachine]
   comment = Time Machine Backups
   path = /data/timemachine
   browseable = yes
   read only = no
   valid users = tmbackup

   vfs objects = catia fruit streams_xattr
   fruit:time machine = yes
   fruit:time machine max size = 1T

The important part is not whether the system is Mint 21.3 or Mint 22.x. The important part is that Samba is configured to advertise the share properly for Apple clients. Samba’s vfs_fruit module is the feature that improves compatibility with Apple SMB clients, and the fruit:time machine = yes option tells Samba to advertise the share as Time Machine-capable (Samba Team, n.d.).

What Actually Changes on Linux Mint 22?

The biggest change is the underlying package base. Linux Mint 22.x uses the newer Ubuntu Noble package base, while Linux Mint 21.3 uses the older Ubuntu Jammy package base (Linux Mint, n.d.-a).

In plain English, that means Mint 22.x generally has newer versions of system components, libraries, drivers, and server packages. For a Samba Time Machine server, that is generally a positive thing. Newer Samba packages often include bug fixes, security fixes, and compatibility improvements.

However, the administrative workflow stays the same:

sudo apt update
sudo apt install samba avahi-daemon
sudo vi /etc/samba/smb.conf
testparm
sudo systemctl restart smbd

After installation, it is a good idea to confirm the installed Samba version:

samba --version

Then validate the configuration:

testparm

If testparm reports no major issues, restart Samba:

sudo systemctl restart smbd

Does Avahi Still Matter?

Yes. Avahi is still useful on Linux Mint 22.

Samba handles SMB file sharing. Avahi helps with local network discovery, allowing Macs to find services using Bonjour-style discovery. You can still connect manually from Finder using an address such as:

smb://server1.local/TimeMachine

Or, if local name resolution is not working:

smb://192.168.1.50/TimeMachine

Using the IP address is often the simplest troubleshooting step when the Mac cannot find the server by name.

Should You Upgrade a Working Mint 21.3 Time Machine Server?

If your Linux Mint 21.3 Time Machine server is working correctly, there is no immediate technical requirement to rebuild it on Linux Mint 22. Linux Mint 21.3 remains supported until April 2027 (Linux Mint, n.d.-a).

However, for a new build, I would choose Linux Mint 22.x. It has the longer support window, newer package base, and better long-term position. A backup server is something you want to set up once, document well, and avoid touching unless necessary. Starting from the newer LTS base makes more sense for a fresh installation.

For an existing Mint 21.3 server, the decision depends on your priorities.

If the server is stable, patched, and used only on your trusted home network, keeping Mint 21.3 until you are ready for a planned upgrade is reasonable.

If you are building a new backup target, replacing older hardware, or cleaning up your home lab, Linux Mint 22.x is the better choice.

Practical Recommendation

For a new Time Machine server, use Linux Mint 22.x.

For an existing Linux Mint 21.3 server, keep it if it is stable, documented, and receiving updates. Plan a controlled upgrade before the Linux Mint 21.x support window ends.

In either case, the core Samba configuration remains the same:

vfs objects = catia fruit streams_xattr
fruit:time machine = yes
fruit:time machine max size = 1T

Those settings matter more than the difference between Mint 21.3 and Mint 22.x.

Upgrade Checklist

Before upgrading an existing Linux Mint 21.3 Time Machine server to Linux Mint 22.x, make sure you have the following:

1. A backup of /etc/samba/smb.conf
2. A record of your Samba users
3. A record of the Time Machine share path
4. A record of ownership and permissions on the backup directory
5. A current backup of any important data on the server
6. A tested way to reconnect the Mac to the SMB share after the upgrade

At minimum, save the Samba configuration:

sudo cp /etc/samba/smb.conf /etc/samba/smb.conf.backup.$(date +%F)

Check the backup directory permissions:

ls -ld /data/timemachine

List the Samba users:

sudo pdbedit -L

After the upgrade, verify Samba and Avahi:

systemctl status smbd --no-pager
systemctl status avahi-daemon --no-pager

Then validate Samba:

testparm

Conclusion

Linux Mint 22 does not fundamentally change the process of serving a Time Machine backup share from a Linux server. The same SMB-based Samba configuration still applies, and the same Apple-focused vfs_fruit settings are still the key to making the share work properly with macOS.

The main difference is lifecycle and package freshness. Linux Mint 21.3 is based on the Ubuntu Jammy package base and is supported until April 2027. Linux Mint 22.x is based on the Ubuntu Noble package base and is supported until April 2029 (Linux Mint, n.d.-a). For a new Time Machine server, Linux Mint 22.x is the better long-term choice. For an existing Linux Mint 21.3 server, the configuration can continue to work, but it would be wise to plan the move to Mint 22.x before the support window closes.

The bottom line is simple: Apple is moving Time Machine network backups away from AFP and toward SMB. Whether you use Linux Mint 21.3 or Linux Mint 22.x, Samba with vfs_fruit is the correct path forward.

References

Linux Mint. (n.d.-a). All versions. https://linuxmint.com/download_all.php

Linux Mint. (n.d.-b). Linux Mint 22.3 Release Notes. https://www.linuxmint.com/rel_zena.php

Linux Mint. (n.d.-c). Linux Mint 21.3 Release Notes. https://linuxmint.com/rel_virginia.php

Samba Team. (n.d.). vfs_fruit. Samba Documentation. https://www.samba.org/samba/docs/current/man-html/vfs_fruit.8.html

Ubuntu. (n.d.). The Ubuntu lifecycle and release cadence. Canonical. https://ubuntu.com/about/release-cycle

Apple Is Moving Away from AFP: How to Use a Linux SMB Server for Time Machine Backups

Apple’s Time Machine has been around for years, and many Mac users still associate network backups with Apple’s older AirPort Time Capsule, AirPort Extreme shared disks, or network storage devices that supported Apple Filing Protocol, commonly known as AFP. However, AFP is now part of Apple’s legacy networking past. For anyone running a home lab, Linux file server, or NAS-style backup target, the practical replacement is SMB.

This article explains what is happening with AFP, why Apple is moving away from it, and how to configure a Linux Mint 21.3 server as a Time Machine backup destination using Samba and SMB.

What Is AFP?

AFP stands for Apple Filing Protocol. It was Apple’s native file-sharing protocol for many years, especially during the classic Mac OS and early Mac OS X era. It was designed around Apple’s file system expectations and supported Mac-specific metadata, resource forks, and other behaviors that mattered more in earlier generations of the Mac ecosystem.

For a long time, AFP worked well in Apple-only environments. It was commonly used by older Mac file servers, AirPort Time Capsule devices, AirPort Extreme USB disk sharing, and some third-party NAS appliances. Because Time Machine was originally introduced in the Mac OS X era, many older Time Machine network backup targets were built around AFP.

The problem is that AFP is no longer Apple’s preferred direction. Apple now clearly recommends SMB when a choice exists between SMB and AFP for Time Machine backups (Apple, n.d.-a). Apple also states that Time Machine backup to NAS devices over AFP is not recommended and will not be supported in a future version of macOS (Apple, 2025a). In macOS Sequoia, Apple has also stated that the AFP client is deprecated and will be removed in a future version of macOS (Apple, n.d.-b).

AFP Is a Protocol, Not a Disk Format

One point that causes confusion is the phrase “AFP disk.” AFP is not a disk format like APFS, HFS+, ext4, XFS, or ZFS. AFP is a network file-sharing protocol. When someone says that macOS will not support “AFP disks,” what they usually mean is that macOS will stop supporting network shares accessed through AFP.

The actual disk behind the network share might be formatted as HFS+, APFS, ext4, XFS, ZFS, Btrfs, or something else. The client Mac normally does not directly see that underlying filesystem. It sees a network share presented through a protocol such as AFP or SMB.

This distinction matters because the solution is usually not to reformat the Linux server’s disk. The solution is to stop serving the backup location through AFP and serve it through SMB instead.

Why Apple Is Moving Away from AFP

Apple’s move away from AFP makes sense for several reasons.

First, AFP is old and Apple-specific. It is not a broad cross-platform standard in the same way SMB has become. SMB is widely used by macOS, Windows, Linux, enterprise NAS devices, and general file servers.

Second, Apple’s modern file-sharing direction has been moving toward SMB. Apple’s own Time Machine documentation says that if a choice is available between SMB and AFP, SMB should be used for backup (Apple, n.d.-a). Apple’s Time Machine support article also says third-party NAS devices should support Time Machine over SMB (Apple, 2025a).

Third, Apple’s modern file system, APFS, does not align with an AFP-centered future. Apple’s APFS documentation states that APFS volumes can be shared using SMB or NFS, but not AFP, and identifies AFP as deprecated (Apple, n.d.-c).

Finally, removing AFP reduces the number of legacy components Apple must maintain and secure. Every protocol included with macOS has to be tested, patched, and supported. As AFP usage declines, it makes sense for Apple to consolidate around SMB.

What This Means for Home Labs and Linux Servers

If you run a Linux server and want it to serve as a Time Machine destination, you should configure Samba for SMB-based Time Machine support. Samba is the standard SMB server implementation used on Linux and Unix-like systems.

For Mac compatibility, Samba provides a module called vfs_fruit. The Samba documentation describes vfs_fruit as providing enhanced compatibility with Apple SMB clients. It can also advertise a share as a Time Machine-capable destination by using the fruit:time machine = yes option (Samba Team, n.d.).

In practical terms, this means a Linux Mint 21.3 server can replace an AFP-based backup target as long as Samba is configured correctly.

Example Goal

In this example, the Linux Mint server will provide a Time Machine backup share with these assumptions:

Server hostname: server1
Backup directory: /data/timemachine
Linux backup user: tmbackup
Samba share name: TimeMachine
Maximum advertised Time Machine size: 1T

You can change those values to match your own environment.

Step 1: Install Samba and Avahi

On the Linux Mint server, install Samba and Avahi:

sudo apt update
sudo apt install samba avahi-daemon

Samba provides the SMB file-sharing service. Avahi provides local network service discovery using mDNS and DNS-SD, which is compatible with Apple Bonjour-style discovery (Avahi, n.d.). In many home networks, Avahi helps the Mac find the server automatically in Finder and Time Machine.

Enable and start the services:

sudo systemctl enable --now smbd
sudo systemctl enable --now avahi-daemon

Check that they are running:

systemctl status smbd --no-pager
systemctl status avahi-daemon --no-pager

Step 2: Create a Dedicated Time Machine User

Create a Linux user for Time Machine backups:

sudo adduser tmbackup

Then create a Samba password for that user:

sudo smbpasswd -a tmbackup
sudo smbpasswd -e tmbackup

This account will be used by the Mac when connecting to the Time Machine share.

For a home server, it is usually cleaner to create a dedicated backup account instead of using your normal Linux login account. This makes it easier to control permissions and isolate the backup location.

Step 3: Create the Backup Directory

Create the directory that will store the Time Machine sparsebundle backup files:

sudo mkdir -p /data/timemachine

Set ownership so the backup user can write to it:

sudo chown tmbackup:tmbackup /data/timemachine

Set restrictive permissions:

sudo chmod 700 /data/timemachine

This gives the tmbackup user access while preventing other local users from browsing the backup directory.

Step 4: Back Up the Samba Configuration

Before editing Samba, make a backup copy of the existing configuration:

sudo cp /etc/samba/smb.conf /etc/samba/smb.conf.bak.$(date +%F)

Edit the Samba configuration using vi:

sudo vi /etc/samba/smb.conf

Add or adjust the following configuration.

[global]
   workgroup = WORKGROUP
   server role = standalone server
   security = user
   map to guest = Bad User
   min protocol = SMB2

   fruit:aapl = yes
   fruit:model = TimeCapsule

[TimeMachine]
   comment = Time Machine Backups
   path = /data/timemachine
   browseable = yes
   read only = no
   valid users = tmbackup

   vfs objects = catia fruit streams_xattr
   fruit:time machine = yes
   fruit:time machine max size = 1T

Save and exit vi.

A few settings are especially important:

min protocol = SMB2 prevents older SMB1 connections.

fruit:aapl = yes enables Apple SMB2+ extensions, which improve behavior and performance for Mac clients.

vfs objects = catia fruit streams_xattr enables the Samba modules commonly used for better macOS SMB compatibility.

fruit:time machine = yes advertises the share as Time Machine-capable.

fruit:time machine max size = 1T limits the size reported to Time Machine. This helps prevent Time Machine from assuming it can consume the entire underlying filesystem. Samba’s documentation warns that this value is an approximation based on Time Machine sparsebundle contents, so the share should be dedicated to Time Machine backups when using this option (Samba Team, n.d.).

Step 5: Test the Samba Configuration

Run:

testparm

If Samba reports no serious errors, restart Samba:

sudo systemctl restart smbd

Then confirm Samba is listening:

sudo systemctl status smbd --no-pager

Step 6: Allow Samba Through the Firewall

If UFW is enabled on the Linux Mint server, allow Samba:

sudo ufw allow Samba

Check firewall status:

sudo ufw status verbose

If the server and Mac are on the same trusted home network, this is usually sufficient. If the server is exposed to untrusted networks, do not open SMB broadly. SMB should normally be limited to a trusted LAN or VPN.

Step 7: Connect from macOS

On the Mac, open Finder and choose:

Go > Connect to Server

Enter:

smb://server1.local/TimeMachine

If .local name resolution does not work, use the server’s IP address instead:

smb://192.168.1.50/TimeMachine

Log in with:

Username: tmbackup
Password: the Samba password you set with smbpasswd

Once the share mounts successfully, open Time Machine settings on the Mac and select the network share as the backup disk.

On recent macOS versions, go to:

System Settings > General > Time Machine

Then add or select the SMB share as the backup destination.

Step 8: Encrypt the Backup from the Mac

When setting up the Time Machine destination, enable backup encryption from the Mac if available. This protects the backup contents if someone gains access to the server’s disk or copies the Time Machine sparsebundle.

Encryption is especially important for laptops because Time Machine backups may contain browser data, documents, email data, SSH keys, application data, and other sensitive information.

Store the encryption password safely. If you lose the Time Machine encryption password, you may not be able to restore from that backup.

Step 9: Verify That Backups Are Running

After configuration, start a backup from the Mac. On the Linux server, you can watch the backup directory:

sudo ls -lh /data/timemachine

You should eventually see a Time Machine sparsebundle created for the Mac.

You can also check Samba logs if something fails:

sudo journalctl -u smbd --no-pager

Or review Samba log files:

ls -lh /var/log/samba/

Troubleshooting Tips

If the Mac cannot see the server automatically, connect manually using Finder with the smb:// path.

If the Mac can connect but Time Machine does not list the share, recheck that the share includes:

fruit:time machine = yes

If the share appears but backups fail, check permissions on the backup directory:

ls -ld /data/timemachine

The directory should be writable by the Samba user.

If name resolution fails, try the server’s IP address instead of the .local hostname.

If the backup grows too large, reduce the value of:

fruit:time machine max size = 1T

Then restart Samba:

sudo systemctl restart smbd

Recommended Practices

Use a dedicated share for Time Machine. Do not mix normal file storage and Time Machine backups in the same directory.

Use a dedicated Samba user for backups.

Use a wired connection for the first backup if possible. The first Time Machine backup can be large.

Use redundant storage if the backup matters. A Time Machine backup stored on a single failing disk is still a single point of failure.

Do not expose SMB directly to the internet.

Periodically test restores. A backup is only useful if it can be restored.

Conclusion

AFP served Mac users well for many years, but it is now a legacy protocol. Apple is clearly moving Time Machine network backups toward SMB, and future macOS versions will remove AFP support. For Linux server users, the practical answer is to configure Samba with Apple-compatible settings and enable Time Machine support through vfs_fruit.

A Linux Mint 21.3 system can work well as a Time Machine backup target when Samba is configured properly. By using SMB, a dedicated backup user, proper permissions, and the fruit:time machine = yes setting, you can replace an older AFP-based backup workflow with a more modern and future-ready configuration.

References

Apple. (2025a, December 5). Backup disks you can use with Time Machine. Apple Support. https://support.apple.com/en-us/102423

Apple. (n.d.-a). Types of disks you can use with Time Machine on Mac. Apple Support. Retrieved June 3, 2026, from https://support.apple.com/guide/mac-help/types-of-disks-you-can-use-with-time-machine-mh15139/mac

Apple. (n.d.-b). What’s new for enterprise in macOS Sequoia. Apple Support. Retrieved June 3, 2026, from https://support.apple.com/en-us/121011

Apple. (n.d.-c). Apple File System Guide: Frequently Asked Questions. Apple Developer Documentation Archive. Retrieved June 3, 2026, from https://developer.apple.com/library/archive/documentation/FileManagement/Conceptual/APFS_Guide/FAQ/FAQ.html

Avahi. (n.d.). mDNS/DNS-SD. Retrieved June 3, 2026, from https://avahi.org/

Samba Team. (n.d.). vfs_fruit. Samba Documentation. Retrieved June 3, 2026, from https://www.samba.org/samba/docs/current/man-html/vfs_fruit.8.html

Installing the Latest Minecraft Java Server on Linux Mint and Connecting from Windows 11

Running a private Minecraft server is a useful home-lab project because it combines Linux administration, Java runtime management, firewall configuration, systemd service management, and basic client/server troubleshooting. This guide explains how to install the latest Java-based Minecraft server on the latest Linux Mint release, then connect to it from a Windows 11 Minecraft client.

As of May 23, 2026, the latest Linux Mint release listed by the project is Linux Mint 22.3 'Zena,' and the latest Minecraft Java release identified on Minecraft.net is Minecraft Java Edition 26.1.2, published April 9, 2026. Future readers should always confirm the current version on the official Linux Mint and Minecraft download pages before installing.

Java Edition versus Bedrock Edition

This article is about the Minecraft: Java Edition server, distributed as a .jar file. Mojang's server download page states that the Java Edition server setup is compatible with Minecraft: Java Edition, not Bedrock Edition. That distinction matters because a normal Windows Bedrock client will not connect directly to a vanilla Java Edition server.

For this setup, the Windows 11 client must run:

Minecraft: Java Edition

not:

Minecraft for Windows

The Minecraft Launcher can provide access to both editions, but the edition selected in the launcher must match the server type. The Microsoft Store listing for the launcher identifies it as available for Windows 10 and Windows 11 and notes that it provides access to Minecraft: Java Edition and Minecraft for Windows.

Install Java 25 on Linux Mint

Recent Minecraft Java versions require a newer Java runtime. The Minecraft Java Edition 26.1 release notes state that the game now requires Java 25 and that the included Java distribution is the Microsoft build of OpenJDK 25.

Linux Mint may not include Java 25 in its default repositories, so a practical approach is to install Eclipse Temurin from Adoptium. Adoptium provides DEB packages for Debian and Ubuntu-style systems, and its documentation specifically notes that Linux Mint users should use UBUNTU_CODENAME instead of VERSION_CODENAME when configuring the repository.

Install Java 25:

sudo apt update sudo apt install -y wget apt-transport-https gpg wget -qO - https://packages.adoptium.net/artifactory/api/gpg/key/public \ | gpg --dearmor \ | sudo tee /etc/apt/trusted.gpg.d/adoptium.gpg > /dev/null echo "deb https://packages.adoptium.net/artifactory/deb $(awk -F= '/^UBUNTU_CODENAME/{print$2}' /etc/os-release) main" \ | sudo tee /etc/apt/sources.list.d/adoptium.list sudo apt update sudo apt install -y temurin-25-jdk

 Verify the Java version:

java -version

 You should see output showing Java 25. If multiple Java versions are installed, you can use the full Java path later in the systemd service to avoid accidentally launching Minecraft with the wrong runtime.

Create a Minecraft server user and directory

Do not run the Minecraft server as root. Create a dedicated service account and server directory:

sudo useradd --system --home-dir /opt/minecraft --shell /usr/sbin/nologin minecraft sudo mkdir -p /opt/minecraft sudo chown -R minecraft:minecraft /opt/minecraft

Switch into the server directory:

cd /opt/minecraft

 Download the Minecraft server .jar

Download the official Java Edition server .jar from Mojang's Minecraft server download page or from the latest release article. Mojang's server download page states that downloading the software means agreeing to the Minecraft End User License Agreement and Privacy Policy, so this step should be done from the official Minecraft source.

Use a browser to open the official Minecraft server download page, right-click the server .jar link, and copy the link address. Then download it on the Linux Mint server:

sudo -u minecraft wget -O /opt/minecraft/server.jar '<paste official Minecraft server.jar URL here>'

For future-proof documentation, I recommend naming the downloaded file server.jar and documenting the actual Minecraft version separately in a text file:

echo "Minecraft Java Server installed from official Mojang server.jar link" | sudo tee /opt/minecraft/README.txt sudo chown minecraft:minecraft /opt/minecraft/README.txt

 First start and EULA acceptance

Start the server once to generate the initial configuration files:

sudo -u minecraft /usr/lib/jvm/temurin-25-jdk-amd64/bin/java -Xms2G -Xmx4G -jar /opt/minecraft/server.jar nogui

 The server will stop and create an eula.txt file. Edit it:

sudo vi /opt/minecraft/eula.txt

 Change:

eula=false

 to:

eula=true

 Save the file. Mojang's server download page explains that the server is run from the command line with Java and that the nogui option can be omitted only if the graphical interface is desired. On a Linux server, nogui is normally the right choice.

Start the server again:

sudo -u minecraft /usr/lib/jvm/temurin-25-jdk-amd64/bin/java -Xms2G -Xmx4G -jar /opt/minecraft/server.jar nogui

 When the server finishes loading, you should see a message indicating that it is ready. Stop it with:

Ctrl + C

Configure basic server settings

The main configuration file is:

/opt/minecraft/server.properties

 Edit it:

sudo vi /opt/minecraft/server.properties

 For a simple home server, these are the most important settings to review:

server-port=25565 server-ip= motd=A Linux Mint Minecraft Server enable-command-block=false white-list=false online-mode=true difficulty=easy gamemode=survival

 Leave server-ip= blank unless you have a specific reason to bind the server to only one address. For most home and lab servers, leaving it blank allows Minecraft to listen normally on the system's available interfaces.

Open the firewall

Minecraft Java Edition normally listens on TCP port 25565. If UFW is enabled on Linux Mint, allow that port:

sudo ufw allow 25565/tcp sudo ufw status verbose

 Find the Linux server's IP address:

ip -o -4 addr show up scope global

 You should see an address such as:

192.168.1.50/24

 The Windows client will use that IP address to connect.

Manage the server with systemd

A manual command is useful for testing, but a real server should be managed by systemd. Create a service file:

sudo vi /etc/systemd/system/minecraft.service

 Add:

[Unit] Description=Minecraft Java Server After=network.target [Service] Type=simple User=minecraft Group=minecraft WorkingDirectory=/opt/minecraft ExecStart=/usr/lib/jvm/temurin-25-jdk-amd64/bin/java -Xms2G -Xmx4G -jar /opt/minecraft/server.jar nogui Restart=on-failure RestartSec=10 SuccessExitStatus=0 143 [Install] WantedBy=multi-user.target

 Reload systemd and start the service:

sudo systemctl daemon-reload sudo systemctl enable --now minecraft

 Check status:

systemctl status minecraft

 Watch the live logs:

journalctl -u minecraft -f

 Useful management commands:

sudo systemctl start minecraft sudo systemctl stop minecraft sudo systemctl restart minecraft systemctl status minecraft journalctl -u minecraft -n 100

Troubleshooting Java version errors

If the server fails with an error such as:

UnsupportedClassVersionError

the Minecraft server .jar was compiled for a newer Java runtime than the one used to start it. Since Minecraft 26.1 requires Java 25, the fix is to make sure the systemd service uses Java 25 directly:

/usr/lib/jvm/temurin-25-jdk-amd64/bin/java -version

If that shows Java 25, use that exact path in the ExecStart= line of the systemd service.

Install the Minecraft client on Windows 11

On the Windows 11 PC, install the Minecraft Launcher from the Microsoft Store or from the official Minecraft download page. Minecraft's download page says the launcher can be installed through the Microsoft Store or from Minecraft.net, and the official Help Center provides instructions for downloading and installing the launcher.

On Windows 11:

1.       Open Microsoft Store.

2.       Search for Minecraft Launcher.

3.       Install Minecraft Launcher.

4.       Open the launcher.

5.       Sign in with the Microsoft account that owns Minecraft.

6.       Select Minecraft: Java Edition.

7.       Use Latest Release, or choose the exact version that matches the server.

8.       Click Play.

The client and server should run the same Minecraft Java version. Mojang's 26.1.2 release notes instruct players to use the Minecraft Launcher and set it to 'Latest Release' to install the release.

If you need to select a specific version:

Minecraft Launcher → Minecraft: Java Edition → Installations → New Installation

Then choose the version that matches the server.

Connect from Windows 11 to the Linux Mint server

Once Minecraft Java Edition is running on Windows 11:

9.       Click Multiplayer.

10.   Click Add Server or Direct Connection.

11.   Enter the Linux Mint server IP address.

12.   Click Join Server.

If the server IP is:

192.168.1.50

and the server is using the default port, enter:

192.168.1.50

If you changed the port, enter it like this:

192.168.1.50:25565

If the client cannot connect, test from Windows PowerShell:

Test-NetConnection 192.168.1.50 -Port 25565

A successful result should show:

TcpTestSucceeded : True

If that test fails, check these items:

·         The Minecraft service is running on Linux.

·         The Linux firewall allows TCP 25565.

·         The Windows client is on the same network or has a route to the server.

·         The client is running Minecraft: Java Edition, not Bedrock Edition.

·         The client version matches the server version.

·         The server.properties file uses the correct port.

Optional: allow only known players

For a private server, consider enabling the whitelist:

sudo vi /opt/minecraft/server.properties

Set:

white-list=true

Restart the server:

sudo systemctl restart minecraft

Add a player from the Minecraft server console or by using the server command interface:

whitelist add PlayerName

You can send commands to the running server through the service logs only if you have set up a console method such as screen, tmux, or a management wrapper. For a basic setup, stopping the service and running the server manually for administration is sometimes simpler.

Final checklist

A working Linux Mint Minecraft Java server should have:

·         Linux Mint installed and updated.

·         Java 25 installed.

·         Official Minecraft Java server.jar downloaded from Mojang.

·         Dedicated minecraft service account.

·         EULA accepted.

·         server.properties reviewed.

·         TCP port 25565 allowed through the firewall.

·         minecraft.service enabled and running.

·         Windows 11 client running Minecraft: Java Edition.

·         Client version matching the server version.

This setup gives you a stable vanilla Minecraft Java server that starts automatically, runs as a non-root user, logs through systemd, and is accessible from Windows 11 clients on the network.

References

Adoptium. (n.d.). Linux (RPM/DEB/APK) installer packages. Eclipse Foundation. https://adoptium.net/installation/linux

Linux Mint. (n.d.). Download Linux Mint 22.3. https://linuxmint.com/download.php

Microsoft. (n.d.). Minecraft Launcher. Xbox. https://www.xbox.com/en-US/games/store/minecraft-launcher/9pgw18npbzv5

Mojang. (2026, March 24). Minecraft Java Edition 26.1. Minecraft. https://www.minecraft.net/en-us/article/minecraft-java-edition-26-1

Mojang. (2026, April 9). Minecraft Java Edition 26.1.2. Minecraft. https://www.minecraft.net/en-us/article/minecraft-java-edition-26-1-2

Mojang. (n.d.-a). Download Minecraft & server software. Minecraft. https://www.minecraft.net/en-us/download

Mojang. (n.d.-b). Download the Minecraft: Java Edition server. Minecraft. https://www.minecraft.net/en-us/download/server

Mojang. (n.d.-c). How to download and install the Minecraft Launcher. Minecraft Help Center. https://help.minecraft.net/hc/en-us/articles/23907917790093-How-to-Download-and-Install-the-