[Samba] problem upgrading 3.0.23->3.0.26

Linda W samba at tlinx.org
Wed Jul 30 19:45:38 GMT 2008


John H Terpstra wrote:
>>> What are the ownership and permissions settings on the /home directory?
>> "drwxr-xr-x"  root/root
> 
> OK, this means that no one (except root) can create or delete a directory in
> the /home directory.
----
	Right...only 'root' is expected to be able to add new directories
under 'home' right now ...


>>> Are you seriously allowing users to write to each other's home
>>> directories?
>>>>          read only = No
>>---
>> 	Intent was for it to remain under user control -- that's why I use
>> the create mask of 0750 (next)....
> 
> But this way group members can access each others home directories.  Hmmm.  
> I'm sure I would not like that!
----
	Can't users use file permissions to deny read access to any/all if
they want?  It's just that home dirs aren't administratively protected...
but users are free to lock them up further...  It isn't designed for
a hostile environment, but a 'sharing' & 'cooperative' environment.  It's
not exposed to the outside world...:-)



>>> Why these two parameters? What are you trying to achieve with them?
>>>
>>>>          create mask = 0750
>>>>          inherit acls = Yes
> 
> ACLs are POSIX things.  You can see them using the getfacl utility. They can 
> be set using the setfacl utility.  And, they can be set through Windows 
> client applications.
----
	Ok....yikes -- I thought this was some type of Win-ACL emulation
feature -- where one could create an ACL list at a top level and have it
apply to created files/dirs underneath it.

	Since this is only affecting the POSIX ACL's, it seems that's not
what I want...(so deleting the inherit acls)....


> Keep your configuration as simple as possible.  Follow the examples in 
> Samba3-ByExample.  Chapters 3 or 4 should be as much as you need at your 
> site.
---	
	Well, I do have that book -- but I sometimes experiment with
trying out the more complex features ....  Is the online version
kept up-to-date with evolving samba?  That's a fun "feature" of samba,
is that it evolves faster than paper can usually keep up! :-)


> The homes share is really a service that makes a user's home directory 
> available from the Windows environment.  Under OpenSUSE/SUSE Linux you could 
> set the path like this:
> [homes]
> 	...
> 	path = /home/%U/Documents
> 	... 
> This way the user is kept away from the dot files (.*) and his Windows files
> are in a safe "container" - so to speak.
------
	I don't mind the "mixing"...

	I also use CYGWIN, on Windows. I set my home dir to
"\home\<user>" (I renamed "Documents and Settings" to "Home").
"Documents" is still a subdir under the user's "Home" dir on
the Windows machine: "\home\<user>\Documents\".



> Why do you want POSIX ACLs in your Linux file system?  How are you going to 
> back them up?  POSIX ACLs are not the same as UGO (user, group, other) 
> permissions - they are a superset that sits over the top of UGO permissions.  
> Avoid them if you can.
----
I don't use them yet -- no progs create them -- but it is my intent
to support/allow them.  My backup does dump them -- I use "xfsdump/xfsrestore",
which saves extended file attributes.

If everyone used XFS as their backing store for samba volumes, they'd
get auto-save of ACL's for free.



>> permissions on /Share=
>> 755, u=law, g=wheel;  below /Share any dir's I don't want guest to have
>> access to, are
>> mode 750, (or 700)...

>>>> [backups]
>>>>          comment = Host backup-dirs
>>>>          path = /backups/%m
>>> Again, add the domain specifier  (@BLISS\admin). What is the purpose of
>>> the "%m" parameter here? It makes no sense.
>>>
>>>>          write list = @admin, @%m
>> ----
>> 	Oh poo...yeah...  meant to (never got around to it) creating
>> groups for each machine name that accessed the Share to include userid's
>> that were not admin's (like 'backup'); but never got around to creating a
>> user 'backup' to do backups with -- just use an admin signin....
>>
>>> For the remaining shares, the same questions as above apply.  It is best
>>> to keep your configuration simple, then add complexity only as it is
>>> proven to be necessary.
>> ---
>>
>> 	Well....that's how it started out -- it's just grown warts over time...:-)
>> the setup works under the old samba 3.0.23...just haven't kept up with the
>> times so well on this server...
>>
>>> Please show us the output of executing on both servers:
>>> 	net groupmap list
>> ----
>> 	Null (no output)
> 
> So with Samba-3.0.26 you have Windows groups.  This means that:
> 	valid users = @"BLISS\law"
----
	Actually "law" isn't a group...it's a uid that I added
on top of the group specifications because the group specifications were
not working when I switched to the newer samba.

	But similar point...all the groups -- and they are groups
in the unix sense:   trusted, trusted_local_net_users, admin, users

	They are all groups in /etc/group -- I also tried adding them to
"/etc/samba/smbgroup"... but that didn't seem to work.



> will not allow anyone to access the share because there is no law group under 
> Windows.
----
	Was suspecting that.  Doesn't samba use the /etc/samba/smbgroup file
anymore?



> So here is how you can solve that:
> 
> 	#root > groupadd law
> 	#root> net groupmap add unixgroup=law ntgroup=law type=domain
---
	What happens (or happened) to my smbgroup file entries?  It had
"Domain Admins" (=wheel,=admin,=operator, =uid#10)
"Domain Users" (=users,=uid#200)
trusted, sshd, "trusted_local_net_users", and "localnet"

	I thought the intent was for groups that were not "identical to the
unix groups, to be listed in "/etc/samba/smbgroup"?



> Then you will have a group called "law" both for Windows clients and in the 
> Linux OS.
---
	By default, I take it that unix-groups are no longer accessible as
NT groups unless explicitly mapped with the "net groupmap..." you mention
above?


>>> Also, what is the output of "net getdomainsid"?
>> SID for domain BLISS....
> That's a good output!
---
	Great...one thing was correct...maybe two...:-)


> You should also learn how to set the "log level", collect log file per client 
> machine, etc. so that you can diagnose why connection attempts are failing.  
> Here's a snippet: 
> 	log level = 3
> 	max log size = 0
> 	log file = /var/log/samba/%L-%m.log
---
	I had it set at one point -- I eliminated it when things seemed to
work correctly and I wanted to try speeding I/O.

	I used to have "/var/log/samba/log.%m", and max log = 2048.
Any reason to have max log = 0?  Doesn't that mean grow w/o limit, where 2048
means keep the last 2Meg?


> Cheers,
> John T.
---
	Better than "Jeers,"...
Cheerio!, :-)
Linda W.
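
An added example, not part of the original message or of Samba's own code: a small audit of the share settings quoted in this thread. It flags writable shares whose create mask allows group/other read, and @group references in "valid users" / "write list" that have no entry in `net groupmap list` output. The smb.conf fragment and the groupmap output are constructed, the SID is a placeholder, and the function names are hypothetical.

```python
import configparser
import re

# Constructed smb.conf fragment built from the settings quoted in the thread.
SAMPLE_CONF = """
[homes]
read only = No
create mask = 0750
inherit acls = Yes
[backups]
path = /backups/%m
write list = @admin, @%m
"""
# Constructed `net groupmap list` output; the SID is a placeholder.
SAMPLE_GROUPMAP = "Domain Admins (S-1-5-21-1111-2222-3333-512) -> admin\n"

def mapped_unix_groups(groupmap_output):
    """Unix groups on the right of 'NT name (SID) -> unixgroup' lines."""
    return set(re.findall(r"\(S-[\d-]+\)\s*->\s*(\S+)", groupmap_output))

def audit(conf_text, groupmap_output):
    """Return (share, finding) tuples for the two issues raised in the thread."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    mapped = mapped_unix_groups(groupmap_output)
    findings = []
    for share in cp.sections():
        opts = cp[share]
        # Samba defaults: create mask = 0744, read only = yes.
        # (Synonyms such as "writeable" are not handled here.)
        mask = int(opts.get("create mask", "0744"), 8)
        writable = opts.get("read only", "yes").strip().lower() in ("no", "false", "0")
        if writable and mask & 0o044:
            findings.append((share, f"create mask {mask:04o} allows group/other read on new files"))
        for key in ("valid users", "write list"):
            for name in (n.strip() for n in opts.get(key, "").split(",")):
                if not name.startswith("@"):
                    continue  # plain user names are not group references
                group = name[1:].strip('"').split("\\")[-1]  # drop DOMAIN\ prefix
                if "%" in group:
                    findings.append((share, f"{key}: {name} is substituted per connection; check each resulting group"))
                elif group not in mapped:
                    findings.append((share, f"{key}: {name} has no groupmap entry"))
    return findings

if __name__ == "__main__":
    for share, finding in audit(SAMPLE_CONF, SAMPLE_GROUPMAP):
        print(f"[{share}] {finding}")
```

Passing an empty string as the groupmap output reproduces the "Null (no output)" case from the thread, in which every fixed @group reference is reported as unmapped.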
