[Samba] Allowing file permissions changes with mac os x clients.

samba samba at aio.li
Thu Apr 2 16:31:41 MDT 2015


On 04/02/2015 10:32 PM, Rowland Penny wrote:
> On 02/04/15 20:53, samba wrote:
>> Hi All,
>>
>> at work all our clients are macs (10.10 yosemite). We are trying to
>> move from the classical afp file server to a samba based file server.
>> After a lot of testing, things now work more or less: a mac server
>> acts as Kerberos+OpenLDAP and a linux debian 7 box is doing the file
>> server with samba 4.2.0.
>>
>> A client which has "joined" (which is bound in mac jargon) the
>> OpenLDAP/Kerberos (the opendirectory) domain can mount shares and/or
>> home directories on the samba server, leveraging Kerberos and that is
>> very nice, thanks to SMB3 being implemented both in samba 4 and in osx
>> 10.10.
>>
>> Yet there is no way the mac client can change the permissions of a
>> file whether using the mac "Finder" application or using a classical
>> "chmod". The former says only "you have custom permissions.", while
>> the latter returns 0, says nothing, but changes nothing either. For the
>> sake of the tests all the shared directories on the samba server are
>> in 777 mode.
>>
>> I tried vfs_fruit by adding
>>         vfs objects = catia fruit streams_xattr
>>         fruit:resource = file
>>         fruit:metadata = stream
>>         fruit:locking = none
>>         fruit:encoding = native
>>         fruit:aapl = yes
>> but with no luck (performances are way worse with these lines enabled
>> when it should be the contrary... did not investigate that yet)
>>
>> Here is my smb.conf:
>> [global]
>>         security = ads
>>         encrypt passwords = yes
>>         realm = OD.EXAMPLE.COM
>>         password server = od.example.com
>>         workgroup = OD
>>         kerberos method = dedicated keytab
>>         dedicated keytab file = /etc/krb5.keytab
>>         map to guest = never
>>         obey pam restrictions = no
>>         client min protocol = SMB3
>>         unix extensions = yes
>>         ea support = yes
>>         case sensitive = yes
>>         delete readonly = yes
>>         winbind enum users  = no
>>         winbind enum groups =  no
>> [homes]
>>         path = /mnt/users/%u
>>         comment = Home Directory for %U
>>         valid users = %S
>>         read only = no
>>         browseable = no
>>         hide unreadable = yes
>>         hide unwriteable files = yes
>>
>> Any help would be much appreciated.
>> Jeremie
>
> Do you actually have an Active Directory domain controller ? security =
> ads is for AD
>
> Rowland
>

Hi Rowland,

No, there is no AD, only a mac opendirectory which is based on openldap 
+ heimdal kerberos + some apple specific password manager. I actually 
set the security to ads because, reading the samba docs, it seems to be 
the only way to have samba authenticate against kerberos.

Jeremie

