[Samba] problem upgrading 3.0.23->3.0.26
samba at tlinx.org
Wed Jul 30 19:45:38 GMT 2008
John H Terpstra wrote:
>>> What are the ownership and permissions settings on the /home directory?
>> "drwxr-xr-x" root/root
> OK, this means that noone (except root) can create or delete a directory in
> the /home directory.
Right...only 'root' is expected to be able to add new directories
under 'home' right now ...
>>> Are you seriously allowing users to write to each other's home
>>>> read only = No
>> Intent was for it to remain under user control -- that's why I use
>> the create mask of 0750 (next)....
> But this way group members can access each others home directories. Hmmm.
> I'm sure I would not like that!
Can't users use file permissions to deny read access to any/all if
they want? It's just that home dirs aren't administratively protected...
but users are free to lock them up further... It isn't designed for
a hostile environment, but a 'sharing' & 'cooperative' environment. It's
not exposed to the outside world...:-)
>>> Why these two parameters? What are you trying to achieve with them?
>>>> create mask = 0750
>>>> inherit acls = Yes
> ACLs are POSIX things. You can see them using the getfacl utility. They can
> be set using the setfacl utility. And, they can be set through Windows
> client applications.
Ok....yikes -- I thought this was some type of Win-ACL emulation
feature -- where one could create an ACL list at a top level and have it
apply to created files/dirs underneath it.
Since this is only affecting the POSIX ACL's, it seems that's not
what I want...(so deleting the inherit acls)....
> Keep your configuration as simple as possible. Follow the examples in
> Samba3-ByExample. Chapters 3 or 4 should be as much as you need at your
Well, I do have that book -- but I sometimes experiment with
trying out the more complex features .... Is the online version
kept up-to-date with evolving samba? That's a fun "feature" of samba,
is that it evolves faster than paper can usually keep up! :-)
> The homes share is really a service that makes a user's home directory
> available from the Windows environment. Under OpenSUSE/SUSE Linux you could
> set the path like this:
> path = /home/%U/Documents
> This way the use is kept away from the dit files (.*) and his Windows files
> are in a safe "container" - so to speak.
I don't mind the "mixing"...
I also use CYGWIN, on Windows. I set my home dir to
"\home\<user>" (I renamed "Documents and Settings" to "Home").
"Documents" is still a subdir under the user's "Home" dir on
the Windows machine: "\home\<user>\Documents\".
> Why do you want POSIX ACLs in your Linux file system? How are you going to
> back them up? POSIX ACLs are not the same as UGO (user, group, other)
> permissions - they are a superset that sits over the top of UGO permissions.
> Avoid them if you can.
I don't use them yet -- no progs create them -- but it is my intent
to support/allow them. My backup does dump them -- I use "xfsdump/xfsrestore",
which saves extended file attributes.
If everyone used XFS as their backing store for samba volumes, they'd
get auto-save of ACL's for free.
>> permissions on /Share=
>> 755, u=law, g=wheel; below /Share any dir's I don't want guest to have
>> access to, are
>> mode 750, (or 700)...
>>>> comment = Host backup-dirs
>>>> path = /backups/%m
>>> Again, add the domain specifier (@BLISS\admin). What is the purpose of
>>> the "%m" parameter here? It makes no sense/
>>>> write list = @admin, @%m
>> Oh poo...yeah... meant to (never got around to it) creating
>> groups for each machine name that accessed the Share to include userid's
>> that were not admin's (like 'backup'); but never got around to creating a
>> user 'backup' to do backups with -- just use an admin signin....
>>> For the remaining shares, the same questions as above apply. It is best
>>> to keep your configuration simple, then add complexity only as it is
>>> proven to be necessary.
>> Well....that's how it started out -- it's just grown warts over time...:-)
>> the setup works under the old samba 3.0.23...just haven't kept up with the
>> times so well on this server...
>>> Please show us the output of executing on both servers:
>>> net groupmap list
>> Null (no output)
> So with Samba-3.0.26 you have Windows groups. This means that:
> valid users = @"BLISS\law"
Actually "law" isn't a group...it's a uid that I added
on top of the group specifications because the group specifications were
not working when I switched to the newer samba.
But similar point...all the groups -- and they are groups
in the unix sense: trusted, trusted_local_net_users, admin, users
They are all groups in /etc/group -- I also tried adding them to
"/etc/samba/smbgroup"... but that didn't seem to work.
> will not allow anyone to access the share because there is no law group under
Was suspecting that. Doesn't samba use the /etc/samba/smbgroup file
> So here is how you can solve that:
> #root > groupadd law
> #root> net groupmap add unixgroup=law ntgroup=law type=domain
What happens (or happened) to my smbgroup file entries? It had
"Domain Admins" (=wheel,=admin,=operator, =uid#10)
"Domain Users" (=users,=uid#200)
trusted, sshd, "trusted_local_net_users", and "localnet"
I thought the intent was for groups that were not "identical to the
unix groups, to be listed in "/etc/samba/smbgroup"?
> Then you will have a group called "law" both for Windows clients and in the
> Linux OS.
By default, I take it that unix-groups are no longer accessible as
NT groups unless explicitly mapped with the "net groupmap..." you mention
>>> Also, what is the output of "net getdomainsid"?
>> SID for domain BLISS....
> That's a good output!
Great...one thing was correct...maybe two...:-)
> You should also learn how to set the "log level", collect log file per client
> machine, etc. so that you can diagnose why connection attempts are failing.
> Here's a snippet:
> log level = 3
> max log size = 0
> log file = /var/log/samba/%L-%m.log
I had it set at one point -- I eliminated it when things seemed to
work correctly and I wanted to try speeding I/O.
I used to have "/var/log/samba/log.%m", and max log = 2048.
any reason to have max log = 0? Doesn't that mean grow w/o limit, where 2048
means keep the last 2Meg?
> John T.
Better than "Jeers,"...
More information about the samba