[Samba] Excel makes files read-only when users save

Totem totem-lists at totem.is-a-geek.com
Fri Mar 11 23:39:10 GMT 2005

I'm having a problem that I've seen people talk about in the list 
archives. Unfortunately I haven't found any solutions that work. It is a 
documented bug and I've added my story to it.


I'm posting my problem here as well because it is causing me some 
serious grief. For the past few months I have been working towards 
replacing our old Netware and Windows servers with Samba servers. I did 
all the logistical planning, did (what I thought was) thorough testing, 
and finally moved all of our users to Samba last weekend.

Now I'm having a problem with Excel. If I can't get it fixed my boss 
will eventually lose patience and will want to move away from Samba 
(probably to NT). That would be bad for me! I hate NT and I like 
weekends and sleep, so I'm hoping someone here can help.

We set up an NT domain using Samba PDCs and BDCs with OpenLDAP. It is 
running on FreeBSD 5.X and everything is installed from the ports 
collection. I've verified that the problem occurs on a Samba 3.0.11 BDC 
running on FreeBSD 5.3-RELEASE-p5. It also is happening on older 
versions of both Samba and FreeBSD. We're using Extended ACLs on the 
share in question. I'm using NSS_LDAP and SMBLDAP-Tools, but not PAM or 
Kerberos (there aren't any UNIX clients). Almost all the clients are 
Windows 2k, with the exception of a handful of 98 and XP machines.

Here is what I do to create the problem. The error happens every time. 
Users cause this error in the course of doing business as well; this is 
just how I am testing for it.

1) I created a spreadsheet called “test.xls” in Excel 2000 on my Windows 

2) I made some changes and saved it to a Samba share (mapped drive on my
workstation), and then closed the file.

# ls -l test.xls
-rw-rwx---+ 1 totem wheel 13824 Mar 10 20:47 test.xls
# getfacl test.xls

3) On the server, I modified the owner of the file.

# chown testuser test.xls
# ls -l test.xls
-rw-rwx---+ 1 testuser wheel 13824 Mar 10 20:51 test.xls
# getfacl test.xls

4) I opened the file again in Windows 2000 (using my account which is 
not the file owner).

5) I made some changes to the file and saved it. This error message was
displayed: “Document saved successfully. Cannot reopen the saved 
document due to low memory. Please close the document.”

6) The owner and permissions are changed on the server.

# ls -l test.xls
-r--rwx---+ 1 totem wheel 13824 Mar 10 20:56 test.xls
bash-2.05b# getfacl test.xls

The problem is that when the file is replaced(?) by a modified copy of 
the spreadsheet it is made read-only. It also gives ownership to the 
user who saves and the previous owner is added to the ACL. Really I 
wouldn't care (or have noticed) if the file was made writable. Write 
permissions should be given by the group assignments in the ACL and 
should be inherited from the parent directory.

I've tried just about every configuration option that I could think of 
with no success. I've also made sure that I have default permissions 
applied to the directories that store spreadsheets. Other applications 
work fine and rights are assigned/inherited correctly.

Here's my whole darned smb.conf file (slightly obscured).

# Identification
server string = Samba
workgroup = company.com
netbios name = BDC_SERVER

# Domain/Browser
domain logons = Yes
wins server =
domain master = No
local master = Yes
os level = 65
name resolve order = wins bcast hosts

# Network
interfaces = fxp0, l0
bind interfaces only = Yes
smb ports = 139 445
deadtime = 15

# Logging
log level = 1
syslog = 0
log file = /var/log/samba/%m.log
max log size = 50

# Characters
unix charset = LOCALE

# Account Backend
passdb backend = ldapsam:ldap://localhost
username map = /usr/local/etc/smbusers
ldap suffix = dc=company,dc=com
ldap machine suffix = ou=People
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap admin dn = uid=BDCManager,ou=People,dc=company,dc=com
idmap backend = ldap:ldap://localhost
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = No
winbind enum groups = No

# Backend Scripts
ldap delete dn = Yes
add user script = /usr/local/sbin/smbldap-useradd -m "%u"
add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" 
set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"
delete user script = /usr/local/sbin/smbldap-userdel "%u"
delete group script = /usr/local/sbin/smbldap-groupdel "%g"

# Other Services
time server = Yes

# Logon/Profile Settings
#logon path = \\%L\profiles\%u
#logon home = \\%L\%u\.profiles
logon script = logon.bat
logon drive = H:

# Password Settings
encrypt passwords = Yes
min passwd length = 6

# Printing
printing = CUPS
printcap name = CUPS
printer admin = Administrator, user1
show add printer wizard = No
load printers = Yes

# Performance Tuning
wide links = No

comment = Home of %u on %L
valid users = %S
read only = No
browseable = No
inherit permissions = Yes
map acl inherit = Yes
hide unreadable = Yes
map archive = No

comment = Profile Data Share
path = /samba/profiles
read only = No
profile acls = Yes
csc policy = disable
map archive = No
force user = %U
valid users = %U "Domain Admins"
create mask = 0600
force create mode = 060
directory mask = 0700
force directory mode = 070

comment = Network Logon Service
path = /samba/netlogon
guest ok = Yes
locking = No
read only = No
inherit permissions = Yes
map acl inherit = Yes
hide unreadable = Yes
map archive = No

comment = Main File Share
path = /samba/share
read only = No
inherit permissions = Yes
map acl inherit = Yes
hide unreadable = Yes
map archive = No

comment = Images (Read Only)
path = /samba/share/Departments/Information Technology/Images
guest ok = Yes
read only = Yes

comment = User Home Directories
path = /samba/home
read only = No
inherit permissions = Yes
map acl inherit = Yes
hide unreadable = Yes
map archive = No
guest ok = No
valid users = user2, user1, user3

comment = Samba Print Spool
path = /var/spool/samba
printable = Yes
guest ok = Yes
use client driver = Yes
browseable = No

comment = Printer Drivers
path = /samba/drivers
browseable = yes
guest ok = no
read only = yes
write list = Administrator, user1

Anyone know why this is happening? Is there a workaround? I can't 
abandon Extended ACLs (I suspect it would solve the read-only problem) 
because our business needs require them.
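
Added example, not part of the original post and not Samba project code: a small audit that walks a share and lists files already left in the state shown after step 6 (owner write bit cleared while the group-class bits still grant write, i.e. -r--rwx---). The function names and the sample tree are constructed for illustration; it assumes the group-class mode bits mirror the ACL mask, as they do in the ls output above.

```python
import os
import stat
import tempfile


def find_readonly_drift(root):
    """Return (path, mode string, owner uid) for regular files whose owner
    write bit is cleared while the group-class bits still grant write.

    Assumption: with POSIX.1e ACLs the group-class bits of st_mode show
    the ACL mask, so this matches the '-r--rwx---+' listing in step 6.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: do not follow symlinks out of the share
            if not stat.S_ISREG(st.st_mode):
                continue
            owner_can_write = st.st_mode & stat.S_IWUSR
            group_can_write = st.st_mode & stat.S_IWGRP
            if not owner_can_write and group_can_write:
                hits.append((path, stat.filemode(st.st_mode), st.st_uid))
    return hits


def demo():
    """Build a constructed two-file tree: one healthy file, one drifted."""
    root = tempfile.mkdtemp(prefix="share-")
    good = os.path.join(root, "ok.xls")
    bad = os.path.join(root, "test.xls")
    for path in (good, bad):
        with open(path, "wb") as fh:
            fh.write(b"constructed sample")
    os.chmod(good, 0o670)  # -rw-rwx--- : the state after step 2
    os.chmod(bad, 0o470)   # -r--rwx--- : the state after step 6
    return root, find_readonly_drift(root)


if __name__ == "__main__":
    for path, mode, uid in demo()[1]:
        print(mode, uid, path)
```

Pointing find_readonly_drift at the share path (for example /samba/share from the smb.conf above) gives the list of files to re-check with getfacl.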

