[Samba] fake_perms and read-only profiles

Andrew Bartlett abartlet at samba.org
Thu Feb 24 12:02:32 GMT 2005


On Tue, 2005-02-22 at 09:17 -0500, Josh Kelley wrote:
> I tried using the fake_perms module to set up some read-only profiles 
> and couldn't get it to work.  Could someone please point out what I'm 
> doing wrong?
> 
> I created a copy of my regular [profiles] share with the fake_perms 
> module loaded:
> [staticprofiles]
>     path = /staticprofiles
>     invalid users = root
>     browseable = yes
>     csc policy = disable
>     veto oplock files = /prf*.tmp/
>     vfs object = fake_perms
> 
> I created the staticprofiles directory and a subdirectory for the 
> account named "alumni":
> mkdir /staticprofiles
> mkdir /staticprofiles/alumni
> chown alumni:users /staticprofiles/alumni

No, the chown should be root:root

> I set the alumni account to use the staticprofiles share instead of the 
> profiles share that everyone else uses:
> pdbedit -u alumni -p '\\myserver\staticprofiles'
> 
> It's my understanding that under this setup, the alumni account would be 
> unable to write to \\myserver\staticprofiles\alumni via Samba but that 
> it wouldn't get any errors when it tries to write.  But that's not what 
> happens.  If the alumni account has write permissions to the 
> /staticprofiles/alumni directory, then it can write to it via Samba.  If 
> it doesn't have permissions, then it gets an access denied error when it 
> tries to write.
> 
> Am I doing something wrong?  Or do I misunderstand what fake_perms is 
> supposed to do?

The profile is intended to be read-only, and the ntuser.dat should be
renamed ntuser.man to give the client the hint.  This ensures the client
doesn't try to write back, and the real FS permissions ensure that they
can't.

The thing being faked is the copied permissions that the client uses on
the client NTFS filesystem.  If the permissions were read-only to the
user, the profile copy would fail (write into read-only dir).

fake_perms actually shares much of its behaviour with 'profile acls =
yes', and I probably should have just fixed that behaviour, but
anyway...

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
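
A server-side check for the layout the reply describes (profile directory owned by root, ntuser.dat renamed to ntuser.man), as an added example that is not part of the original message. The function name `audit_static_profile`, its optional owner argument, and the rule that nothing in the tree may be group- or world-writable are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit a read-only roaming profile directory on the server.
# Usage: audit_static_profile DIR [OWNER]; returns 0 when every check passes.
# OWNER defaults to root, following the reply's "chown should be root:root".
# Uses find's -maxdepth and -iname (GNU and BSD find, not strict POSIX).
audit_static_profile() {
    dir=$1
    owner=${2:-root}
    rc=0

    if [ ! -d "$dir" ]; then
        echo "FAIL: $dir is not a directory"
        return 2
    fi

    # 1. Everything must belong to OWNER. A file owned by the profile user
    #    can be chmod'ed by that user, so real FS permissions stop nothing.
    bad=$(find "$dir" ! -user "$owner" -print)
    if [ -n "$bad" ]; then
        echo "FAIL: not owned by $owner:"; echo "$bad"; rc=1
    fi

    # 2. Nothing may be group- or world-writable (symlink modes are ignored).
    bad=$(find "$dir" ! -type l \( -perm -020 -o -perm -002 \) -print)
    if [ -n "$bad" ]; then
        echo "FAIL: group/world-writable:"; echo "$bad"; rc=1
    fi

    # 3. The hive must be ntuser.man, with no ntuser.dat left beside it.
    man=$(find "$dir" -maxdepth 1 -type f -iname ntuser.man -print)
    dat=$(find "$dir" -maxdepth 1 -type f -iname ntuser.dat -print)
    if [ -z "$man" ]; then
        echo "FAIL: no ntuser.man in $dir"; rc=1
    fi
    if [ -n "$dat" ]; then
        echo "FAIL: ntuser.dat still present: $dat"; rc=1
    fi

    if [ "$rc" -eq 0 ]; then echo "OK: $dir"; fi
    return "$rc"
}

# Constructed invocation, using the path from the thread:
# audit_static_profile /staticprofiles/alumni
```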