[linux-cifs-client] Unusual behaviour of veto files parameter on Samba 3.x using GNU/Linux Clients with 2.6.27 kernel

Joseph Dacuma jadacuma at yahoo.com
Sat May 16 09:30:55 GMT 2009


Dear All, 

Is anyone having trouble with the unusual behaviour of the veto files parameter on Samba 3.x using GNU/Linux clients with kernel 2.6.27?

On our network, Samba is configured as a PDC where both Windows and Linux clients are being served simultaneously. Veto files is being used on our server. The idea behind it is to prevent certain files from being placed inside directories (e.g. .exe, .dll, .iso, .scr, .pif, .deb files) regardless of what client OS they use.

While doing tests, it was observed that whenever files were mounted from a GNU/Linux client, the veto files directive was not consistently enforced on some shares. To compound the problem, it could not be determined when the veto parameter would work or fail.

On the positive side, with Windows clients, the server blocks everything thrown at it without failure.

At this point, I don't know where the problem is so I tried 3 test cases:

1) Samba version from Debians package repository (Samba Version)
2) Debian Lenny (Server OS)
3) OpenSuSE 11.1 (client distro/kernel version)

To simplify the test only 2 shares will be used on the server both having veto files parameter. All details will be shown at the latter part of this message.

Test case 1:
To rule out the possibility of scenario number 1, a different version of Samba on the same machine and same OS was installed, from Debian's 3.2.5 package to Sernet's 3.3.4-25 version, with the OpenSuSE acting as the client.

Result was the same. Server was not able to veto files on some directories and was able to veto on others. Therefore default samba package of Debian is at fault.

Good news is on both Windows XP and Windows 2000 clients, both Debian's package and Sernet's enforced veto files directive without failure.


Test Case 2:  

Another test server on our network is running on NetBSD 5 with samba 3.0.25 installed (via pkgsrc) with the same smb.conf that was used on the Debian Lenny Server. To minimize discrepancy, /media /srv directories were made on NetBSD with the same set of groups and users and password. In short, the only change with smb.conf was the bonded interface. Debian's bond0 was replaced by NetBSD's version of aggregation, which is agr0.

Using the OpenSuSE client, the result was the same as the above: there are directories where veto was enforced and directories where veto failed. Therefore GNU/Linux as a server operating system is ruled out as the problem.

Good news is on both Windows XP and Windows 2000 clients, NetBSD server veto files parameter was enforced without failure.


Test Case 3:

Mint Linux, a derivative of Ubuntu, was used as a client. The problem is the same. Veto files worked on some directories and failed on others for both NetBSD and Debian GNU/Linux servers.

Hence, Open SuSE 11.0 as client operating system is not the problem. Also, distro and minor kernel differences are not the sources of the problem.

Good news, further tests on both Windows XP and Windows 2000 clients, veto files parameter was enforced without failure.

What's common based on the test scenarios above is mount.cifs being involved. I'm not sure how to proceed with the investigation and pinpoint where the problem lies.

All test procedures and machine set-ups are shown below for everyone's perusal.

The commands below were used both for OpenSuSE and Mint:

mount -t cifs //172.16.4.10/misdata -o username=hrgeiger,password=<verysecretpassword> /media/share1

mount -t cifs //172.16.4.10/oppri -o username=hrgeiger,password=<verysecretpassword> /media/share2

To further investigate and rule out command errors (user ignorance) using mount via command line, a .deb file barred to be written on both vetoed shares was mounted using smb4k:

ibmtest@linux-8bu5:~/Desktop> cp firmware-bnx2_0.4+etchnhalf.1_all.deb /home/ibmtest/smb4k/ANDRES/misdata/

cp: cannot create regular file `/home/ibmtest/smb4k/ANDRES/misdata/firmware-bnx2_0.4+etchnhalf.1_all.deb': No such file or directory

ibmtest@linux-8bu5:~/Desktop> cp firmware-bnx2_0.4+etchnhalf.1_all.deb /home/ibmtest/smb4k/ANDRES/oppri/

ibmtest@linux-8bu5:~/Desktop> ls -la /home/ibmtest/smb4k/ANDRES/oppri/firmware-bnx2_0.4+etchnhalf.1_all.deb

-rw-rw-r-- 1 ibmtest users 104308 2009-05-11 10:27 /home/ibmtest/smb4k/ANDRES/oppri/firmware-bnx2_0.4+etchnhalf.1_all.deb


Further tests using (a)OpenSuSE 11, (b)Mint, (c)Windows XP and Windows 2000:

(a)OpenSuSE 11
linux-8bu5:~ # df
Filesystem           1K-blocks      Used Available Use% Mounted on
/dev/sda1             20635732  15845612   3741880  81% /
udev                    505944       240    505704   1% /dev
//172.16.4.7/misdata 523656902 133528974 390127928  26% /media/share1
//172.16.4.7/oppri   523656902 133528974 390127928  26% /media/share2

linux-8bu5:~ # ls /media/share1
untitled folder

Was able to transfer a barred .iso file using Konqueror.

linux-8bu5:~ # ls /media/share2
43j925a.iso  untitled folder  untitled folder 2

(b)Mint
jesferpc share2 # df
Filesystem           1K-blocks      Used Available Use% Mounted on
/dev/sda1             75443008  69029976   2580728  97% /
tmpfs                   776620         0    776620   0% /lib/init/rw
varrun                  776620       320    776300   1% /var/run
varlock                 776620         0    776620   0% /var/lock
udev                    776620      2752    773868   1% /dev
tmpfs                   776620       284    776336   1% /dev/shm
lrm                     776620      2004    774616   1% /lib/modules/2.6.27-11-generic/volatile
//172.16.4.7/oppri   523656902 133528974 390127928  26% /media/share1
//172.16.4.7/misdata 523656902 133528974 390127928  26% /media/share2

jesferpc share2 # ls /media/share1
untitled folder  untitled folder 2

Was able to create a barred folder named folder.dll via GUI file browser Nautilus:

jesferpc share2 # ls /media/share2
folder.dll  untitled folder

(c)Windows XP and Windows 2000

All files copied/moved made on both shares bearing the extensions listed on veto files parameter were consistently blocked. Notice that "folder.dll" made from Mint Linux client was not displayed (vetoed/blocked) using MS Windows clients.

E:\>dir
 Volume in drive E is oppri
 Volume Serial Number is 060D-044F

 Directory of E:\

05/15/2009  10:19p      <DIR>          .
05/15/2009  09:41p      <DIR>          ..
05/15/2009  10:18p      <DIR>          untitled folder
05/15/2009  10:19p      <DIR>          untitled folder
               0 File(s)              0 bytes
               4 Dir(s)  399,490,998,272 bytes free

E:\>dir f:
 Volume in drive F is misdata
 Volume Serial Number is 060D-1283

 Directory of F:\

05/15/2009  10:18p      <DIR>          .
05/15/2009  09:41p      <DIR>          ..
05/15/2009  10:18p      <DIR>          untitled folder
               0 File(s)              0 bytes
               3 Dir(s)  399,490,998,272 bytes free


Background of the machines used for the test:

Client #1
openSUSE 11.1
Linux version 2.6.27.21-0.1-pae (geeko at buildhost) (gcc version 4.3.2 [gcc-4_3-branch revision 141291] (SUSE Linux) ) #1 SMP 2009-03-31 14:50:44 +0200
Linux linux-8bu5 2.6.27.21-0.1-pae #1 SMP 2009-03-31 14:50:44 +0200 i686 i686 i386 GNU/Linux

Client #2
Linux Mint 6 Felicia 
Linux version 2.6.27-11-generic (buildd at vernadsky) (gcc version 4.3.2 (Ubuntu 4.3.2-1ubuntu11) ) #1 SMP Wed Apr 1 20:57:48 UTC 2009 (Ubuntu 2.6.27-11.31-generic)
Linux jesferpc 2.6.27-11-generic #1 SMP Wed Apr 1 20:57:48 UTC 2009 i686 GNU/Linux

Client #3
Windows XP Professional SP3 + latest updates from MS site

Client #4
Windows 2000 Advanced Server SP4

Server # 1
Debian GNU/Linux 5.0
Linux version 2.6.26-2-amd64 (Debian 2.6.26-15) (dannf at debian.org) (gcc version 4.1.3 20080704 (prerelease) (Debian 4.1.2-25)) #1 SMP Fri Mar 27 04:02:59 UTC 2009
Linux swineflu1 2.6.26-2-amd64 #1 SMP Fri Mar 27 04:02:59 UTC 2009 x86_64 GNU/Linux

Default version of Samba from Debian's repository

Version: 2:3.2.5-4lenny2   
Maintainer: Debian Samba Maintainers <pkg-samba-maint at lists.alioth.debian.org>

Version: 3.3.4-25                  
Maintainer: Samba Support <Samba at SerNet.DE>

Builtin modules:
    pdb_ldap pdb_smbpasswd pdb_tdbsam rpc_lsarpc rpc_winreg rpc_initshutdown rpc_dssetup rpc_wkssvc rpc_svcctl2 rpc_ntsvcs2 rpc_netlogon rpc_netdfs rpc_srvsvc rpc_spoolss rpc_eventlog2 rpc_samr idmap_tdb idmap_passdb idmap_nss nss_info_template auth_sam auth_unix auth_winbind auth_server auth_domain auth_builtin vfs_default vfs_posixacl


Server #2
NetBSD rayn.co.ched.gov.ph 5.0_RC4 NetBSD 5.0_RC4 (GENERICF) #0: Thu Apr 23 17:22:05 PHT 2009  jojod at rayn.co.ched.gov.ph:/usr/src/sys/arch/amd64/compile/GENERICF amd64

samba-3.0.34        SMB/CIFS protocol server suite

Builtin modules:
    pdb_smbpasswd pdb_tdbsam rpc_lsa rpc_reg rpc_lsa_ds rpc_wkssvc rpc_svcctl rpc_ntsvcs rpc_net rpc_netdfs rpc_srv rpc_spoolss rpc_eventlog rpc_samr rpc_echo idmap_tdb idmap_passdb idmap_nss nss_info_template auth_sam auth_unix auth_winbind auth_server auth_domain auth_builtin vfs_default


Samba configuration file used for both servers

#======================= Global Settings =======================

[global]

   workgroup = CHEDCO
   netbios name = ANDRES (ANDRES2 when both servers were up simultaneously)
   server string = Windows 2003 Enterprise Server

   interfaces = lo bond0 (agr0 for NetBSD)
   bind interfaces only = yes
   hosts deny = ALL
   hosts allow = 172.16.4.0/22 127.0.0.1

   dont descend = /proc /dev /root /tmp /srv /mnt /media

#### Debugging/Accounting ####

   log file = /var/log/samba/%m.log
   log level = 3
   max log size = 1000
   syslog = 0
   panic action = /usr/share/samba/panic-action %d

###### Authentication #######

   security = user
   encrypt passwords = true
   guest ok = no
   passdb backend = tdbsam

########## Domains ###########

   domain logons = yes
   logon path =
   logon home =
   logon script = %U.bat

########## Printing ##########

  load printers = no

############ Misc ############

   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
   os level = 95 (96 when on NETBSD when both servers were up)
   domain master = yes
   preferred master = yes
   time server = yes
   dns proxy = no

#====================== Share Definitions =======================

[misdata]
   path = /home/misdata
   comment = misdata group directory
   guest ok = no
   writeable = yes
   create mask = 0660
   directory mask = 0750
   force group = misdata
   valid users = @misdata
   veto files = /*.deb/*.rpm/*.mp3/*.mp4/*.dat/*.mpg/*.mpeg/*.avi/*.wmv/*.iso/*.nrg/*.bin/*.cue/*.exe/*.msi/*.dll/*.pif/*.scr/*.ini/*.bat/*.com/*.cmd/*.vb/*.vbs/*.inf/*.3gp/*.mov/*.rar/*.flv/DSC*.jpg/DSC*.jpeg
   delete veto files = yes

[oppri]
   path = /home/oppri
   comment = oppri common directory
   guest ok = no
   read only = yes
   create mask = 0664
   directory mask = 0775
   read list = @chedusers
   write list = @misdata @misnet
   veto files = /*.deb/*.rpm/*.mp3/*.mp4/*.dat/*.mpg/*.mpeg/*.avi/*.wmv/*.iso/*.nrg/*.bin/*.cue/*.exe/*.msi/*.dll/*.pif/*.scr/*.ini/*.bat/*.com/*.cmd/*.vb/*.vbs/*.inf/*.3gp/*.mov/*.rar/*.flv/DSC*.jpg/DSC*.jpeg/
   delete veto files = yes


I might have missed something. Should anyone need other tests or log files please advise. I'd be more than willing to supply them. All comments and suggestions are welcome. :) 


Kind regards,

Joseph
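
Added example, not part of the original post or of Samba: a server-side audit that parses a veto files value like the ones in the smb.conf above and lists names already on disk that match it, which is how entries such as folder.dll or 43j925a.iso that got in through a Linux client could be found. Case-insensitive matching, the function names and the shortened sample list are assumptions of this example.

```python
import os
import re
import tempfile

# Constructed sample: shortened veto list in the post's '/'-separated form.
SAMPLE_VETO = "/*.deb/*.iso/*.exe/*.dll/DSC*.jpg/"
WILDCARDS = {"*": ".*", "?": "."}


def parse_veto(value):
    """Compile each '/'-separated entry; only '*' and '?' are wildcards."""
    patterns = []
    for entry in value.split("/"):
        if not entry:
            continue  # a leading or trailing '/' yields an empty entry
        regex = "".join(WILDCARDS.get(ch) or re.escape(ch) for ch in entry)
        patterns.append((entry, re.compile(regex, re.IGNORECASE | re.DOTALL)))
    return patterns


def matching_entry(name, patterns):
    """Return the first veto entry a file or directory name matches."""
    return next((e for e, rx in patterns if rx.fullmatch(name)), None)


def audit_share(root, patterns):
    """Walk a share path on the server; return sorted (path, entry) hits."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            entry = matching_entry(name, patterns)
            if entry:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                hits.append((rel, entry))
    return sorted(hits)


def demo():
    """Audit a throwaway tree holding the names that got through in the post."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "untitled folder"))
        os.mkdir(os.path.join(root, "folder.dll"))
        open(os.path.join(root, "43j925a.iso"), "w").close()
        open(os.path.join(root, "untitled folder", "notes.txt"), "w").close()
        return audit_share(root, parse_veto(SAMPLE_VETO))


if __name__ == "__main__":
    print(demo())
```

Run against the real share path (for example the `path` of a share) with the full veto files value to see what is already stored there despite the veto.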


      


