[Samba] confused about directory permissions for profdata

Jonathon Doran jon at doransw.com
Fri Jul 3 21:11:44 GMT 2009

This week I migrated our main server from Fedora 8 to Fedora 11.  It
has been a stressful time, but things are mostly working.  Samba and  
LDAP weren't really a problem, but I've beat down the list of problems  
to something Samba related.

(For the benefit of anyone else going this route, the biggest problem  
by far was iptables.  Maybe we had it turned off under FC8, but I  
suspect it has grown some teeth.  Pretty quickly you learn that when  
faced with a new problem one first should shut down iptables and see  
if it goes away.)

I spent half a day looking into why smbldap-useradd was generating an  
error about a missing object.  After saving copies of the PERL  
scripts, I started adding print statements to them.  It turns out that  
I had dropped the 's' off of Groups in a dn.

Right now I can add machines to the domain, and then log in on  
accounts pulled off the backup.  I am pleasantly surprised that I  
didn't have to edit the SIDs for the users.  I did one account by hand  
to test with, and then when I sat down to do the rest I saw that  
something had gone in and fixed all the SIDs.  Maybe I'm crazy, and  
maybe I am imagining things.

But what I am stuck on at the moment is some sort of permissions  
problem with user profiles.  Perhaps someone can set me straight.  I  
have the split profile structure (profiles and profdata) as mentioned  
in ch 5 of "Samba By Example".  The files live on a NAS box, and are  
exported via NFS.  Root squashing is turned on.  Smb.conf re-exports
these to client machines.

I'm sure this is probably making my life harder, but we just don't
have the disk space on the server since there are people who don't
blink at putting 10G on their desktop.  I can ask them not to, but
that doesn't help.  I give them a mounted home directory with tons of
free disk space, but they are addicted to the Windows desktop.  In
this case, "happy users" means I need to accept they are going to do
this.  We have folder redirection in place, and the profiles on a
nice big/fast disk.

The problem is that Windows does not have permission to work with these
directories.  It seems like a trivial problem, but it isn't making any sense
and I am exhausted from no sleep this week.  As root, I can access files
in the folders.  With Samba's debugging set at 10 for a client, it
appears that the accesses are performed as root but failing.

If I have a folder set to 2770 owned by the user, and the user's primary
group, Windows cannot access the share.  If I give the world access,
Windows is happy.  If I move the profile out of the way, Windows
creates a new one with 2755 and the same owner/group.  When one tries
to log out and log back in, Windows has a fit about corrupted recycle
bins, which I take to mean that it doesn't have write permission.
"Samba By Example" suggests 750 for the profdata subdirectories, and
Windows is definitely unhappy with that.

If anyone has any suggestions, I would very much like to hear them.

Jon Doran
University of North Texas LARC
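
The directory modes mentioned in the message above (2770, 2755, 750, world-accessible) can be run through a simplified model of how an NFS server with root squashing evaluates a request arriving as uid 0. This is an added example, not part of the original post; the anonymous uid/gid of 65534 and the user uid/gid of 1001 are assumptions, and the model covers plain mode bits only (no ACLs, no supplementary groups).

```python
"""Simplified model of mode-bit checks on an NFS export with root_squash."""
from dataclasses import dataclass

# Assumption: the export uses the common default anonymous uid/gid ("nobody").
ANON_UID = ANON_GID = 65534


@dataclass
class Entry:
    mode: int  # e.g. 0o2770
    uid: int   # owner
    gid: int   # owning group


def squash(uid, gid, root_squash=True):
    """Return the credentials the NFS server actually evaluates."""
    if root_squash and uid == 0:
        return ANON_UID, ANON_GID  # root is remapped to the anonymous user
    return uid, gid


def allowed(entry, uid, gid, want, root_squash=True):
    """Classic owner/group/other check; `want` is a subset of 'rwx'."""
    uid, gid = squash(uid, gid, root_squash)
    if uid == 0:
        return True  # unsquashed root bypasses the mode bits
    if uid == entry.uid:
        shift = 6
    elif gid == entry.gid:
        shift = 3
    else:
        shift = 0  # a squashed root normally lands here, in "other"
    bits = (entry.mode >> shift) & 0o7
    need = sum({"r": 4, "w": 2, "x": 1}[c] for c in want)
    return bits & need == need


def report(mode, user_uid=1001, user_gid=1001):
    """Access results for a directory owned by a constructed sample user."""
    e = Entry(mode, user_uid, user_gid)
    return {
        "root_via_nfs_read": allowed(e, 0, 0, "rx"),
        "root_via_nfs_write": allowed(e, 0, 0, "wx"),
        "user_write": allowed(e, user_uid, user_gid, "wx"),
    }


if __name__ == "__main__":
    for mode in (0o2770, 0o2755, 0o750, 0o2777):
        print(oct(mode), report(mode))
```

In this model a request made as root over the NFS mount is denied on 2770 and 750, can read but not write on 2755, and succeeds once "other" has full access, while the owning user can write in every case.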

