[Samba] root ownership on some profile files cause login errors

Justin Zachor zachor-samba at gamelogic.com
Mon Nov 29 21:37:17 GMT 2004


Here's another question related to how to use masks --

In my PDC area I specify:

     logon path = \\netapp\profiles\%u

This puts server-based (roaming) profiles on my Network Appliance (which 
itself is an SMB/PDC client).

A previous admin here left this commented section:

   #[profiles]
   #  path = /var/lib/samba/profiles # path = /netapp/profiles ???
   #  read only = no
   #  create mask = 0600
   #  directory mask = 0700

So, is this the syntax for masks?
Do I add "create mask = 0744" -OR- "force create mask = 0744"?
Where do I put it? Anywhere in smb.conf?

Should the mask be 0077? (it's a mask, not chown notation, right??)

PS, When I had Windows login trouble, these perms tweaks fixed it:
    /home/profiles# chown -R <user> <user>
    /home/profiles# chmod -R 700 <user>

NOTE: We're using Samba as a PDC fine with the below smb.conf. So I 
don't want to muck up permission by adding an improper mask statement.
So Again, this permissions issue only came up when I copied a profile 
from a local Win2K box to the PDC profile dir using local administrator 
"Copy To..." feature under System | User Profiles (control panel).

Thanks again!
-JAZ

joec wrote:
> Try this:
> net mask = 0744 (or 755 depending on what you want the permissions to be)
> directory mask = 0755
> 
> Check a samba book for the correct options, but that is how I did the trick on my network at home.
> 
> Joe
> 
> Justin Zachor <zachor-samba at gamelogic.com> wrote :
> 
> 
>>On a newly migrated profile (migrated onto Samba server, from local)
>>some files/dirs get root ownership.
>>
>>How can I stop this from happening, without having to manually adjust
>>the permissions?  Should I use "force create mode = 0600" or
>>"force directory mode = 0700"? If so, then where?
>>
>>For example
>>drwx------    2 root   daemon    4096 Nov 12 14:58 S-1-5-21-515...
>>
>>"Windows cannot copy file \\netapp\profiles\user\Application
>>Data\Microsoft\Protect\S-1-5-21-515...\ to location C:\Documents and
>>Settings\user.FOOBAR\Application
>>Data\Microsoft\Protect\S-1-5-21-515...\. Contact your network
>>administrator.
>>
>>DETAIL - Access is denied."
>>
>>"Windows cannot load the profile and is logging you on with a
>>temporary profile. Changes you make to this profile will be lost when
>>you log off."
>>------------smb.conf--------------
>>[global]
>>
>># -- BEGIN PDC --
>>     domain logons = yes
>>     logon path = \\netapp\profiles\%u
>>     logon drive = H:
>>     logon home = \\netapp\%u\.winprofile
>>     logon script = logon.bat
>>
>>     add user to group script = /usr/sbin/usermod -G %g %u
>>     add machine script = /usr/sbin/adduser --firstuid 9001 \
>>         --lastuid 9500 \
>>         --gid 9000 --home /dev/null --shell /bin/false \
>>         --no-create-home \
>>         --disabled-password --gecos "%u Samba Machine Account" \
>>         --force-badname %u
>>     admin users = @ntadmins
>>     workgroup = FOOBAR
>># -- END PDC --
>>
>>     invalid users = root
>><snip> (many misc settings here -- omitted for ease of reading)
>>
>>[netlogon]
>>     comment = Network Logon Service
>>     browseable = no
>>     path = /var/lib/samba/netlogon
>>     read only = yes
>>     write list = @ntadmins
>>#[profiles]
>>#    path = /var/lib/samba/profiles # path = /netapp/profiles ???
>>#    read only = no
>>#    create mask = 0600
>>#    directory mask = 0700
>>[homes]
>>    comment = Home Directories
>>    browseable = no
>>    force create mode = 0755
>>    force directory mode = 0755
>>    writable = yes
>>--------------------------------------------------------
>>Thanks in advance
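
A read-only check for the condition described in this thread (profile entries owned by another account, or looser than the `chmod -R 700` shown above), as an added example that is not part of the original message. It assumes GNU find and stat; the function name `audit_profile` and the one-directory-per-account layout under the profile root are assumptions.

```sh
#!/bin/sh
# Added example: audit one roaming profile before a user logs on.
# Assumption: ROOT holds one subdirectory per account, named after the
# account, as implied by a logon path ending in %u.

# audit_profile ROOT USER
# Prints one line per flagged entry: "<reason> <owner> <octal-mode> <path>".
# Returns 0 if the profile is clean, 1 if anything was flagged,
# 2 if the directory is missing or find fails (e.g. unknown account).
audit_profile() {
    root=$1
    user=$2
    dir=$root/$user

    if [ ! -d "$dir" ]; then
        echo "no such profile directory: $dir" >&2
        return 2
    fi

    # Entries not owned by the profile's user, such as the root-owned
    # directory left behind by an administrator-driven copy.
    owner_hits=$(find "$dir" ! -user "$user" \
        -exec stat -c 'OWNER %U %a %n' {} +) || return 2

    # Entries with any group/other permission bit set, i.e. looser than
    # mode 700. Symlinks are skipped because their own mode is always 777.
    mode_hits=$(find "$dir" ! -type l -perm /077 \
        -exec stat -c 'MODE %U %a %n' {} +) || return 2

    if [ -z "$owner_hits" ] && [ -z "$mode_hits" ]; then
        return 0
    fi
    if [ -n "$owner_hits" ]; then
        printf '%s\n' "$owner_hits"
    fi
    if [ -n "$mode_hits" ]; then
        printf '%s\n' "$mode_hits"
    fi
    return 1
}

# Usage (paths are placeholders):
#   audit_profile /home/profiles someuser
```

The function only reports; the `chown -R` and `chmod -R` commands from the message remain the fix for anything it flags.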


