samba - May 2005 - permissions not transferred using robocopy, xxcopy, net share migrate shares

Hello:

I've been working for a few days on getting a FreeBSD 5.3 server up and
running as a samba data backup server.

My goal is to schedule periodic backups of our file server. After reading
recommendations (e.g. by Mr. Terpstra) I've focused my attempts aroung
robocopy, xxcopy, net rpc share migrate shares. 

However, I'm running into stumbling blocks that seem to involve a problem
with permissions to write to ACLs -- but only when trying to transfer files
from Windows to Samba.

Before you pass this by as another "can't change ACLs" post: YES,
using
Windows Explorer I CAN add files, view & change ACLs, etc to the samba share
folders/files (see bottom of this message to see what I can do so far) as
user DOMAIN\administrator. I've also tried forcing user as root (in
smb.conf) to see if that would work (it doesn't).

ROBOCOPY
=======C:\>robocopy temp \\srv04\backup\temp6 /MIR /copyall 

gives me the following:
	                   3	C:\temp\
2005/05/14 09:20:24 ERROR 5 (0x00000005) Copying NTFS Security to
Destination Directory C:\temp\
Access is denied.

XXCOPY
=====C:\>robocopy temp \\srv04\backup\temp6 /MIR /copyall

Gives me no errors; however, ACLs are lost (Everyone, root, wheel show up;
nothing else does)

Net rpc share migrate shares
===========================This looks like a REALLY cool way to accomplish what
I want to do; however,

% net rpc share migrate shares Scanned -S srv02 -U Administrator%Power832

gives me the following error:

migrating: [Scanned], path: D:\SPub\Scanned Images, comment: , without
share-ACLs
cannot add share: WERR_ACCESS_DENIED

(same thing happens if I include acls in the migration)

Any suggestions?

Regards,
Tom Wolfe

My smb.conf file:

[global]
        winbindusedefaultdomain   = Yes
        addsharecommand          
/usr/local/share/examples/samba/scripts/perl/modify_samba_config.pl
        deletesharecommand       
/usr/local/share/examples/samba/scripts/perl/modify_samba_config.pl
        passwordserver            = PDCSERVER
        idmapuid                  = 10000-100000
        winbindcachetime          = 3600
        realm                     = DOMAIN.COM
        templatehomedir           = /home/%U
        winbindnestedgroups       = Yes
        allowtrusteddomains       = No
        workgroup                 = DOMAIN
        changesharecommand       
/usr/local/share/examples/samba/scripts/perl/modify_samba_config.pl
        idmapbackend              = idmap_rid:DOMAIN =10000-100000
        templateshell             = /bin/sh
        winbindseparator          = +
        security                  = ADS
        idmapgid                  = 10000-100000
        log level = 3
        max log size = 0
        log file = /var/log/samba/PDCSERVER.log

 [backup]
        adminusers                = administrator
        readonly                  = no
        writable                  = yes
        path                      = /home/backup
                                                      

=========Note: Much of my search discovered many posts similar to my own
questions
that were answered by exhortations to RTFM or "search the list
archives!",
or (usually) plain silence ... well, I followed the advice and found it
wasn't at all easy--but these caveats did at least keep me from making a
plea for help until now!

For other users struggling to get this done (FreeBSD, Samba, ACLs,
copying/backing up from Windows to FreeBSD), the progress I've made so far
has been helped by:

- Samba official How-to & list archives, of course...
- a good, simple how-to at
http://web.irtnog.org/Members/xenophon/freebsd/winbind as a guideline for
setting up samba with ACLs on FreeBSD 5.3...

- To get ACLs working: FreeBSD 5.1+, which uses UFS2 by default, requires
"tunefs -a enable /usr" (or replace /usr with the whatever you want to
add
acl support to; add it to /etc/rc and reboot if you're doing it remotely) to
set my /usr file system up for ACLs...; lower than 5.1 apparently requires
additional kernel configuration entries:
options         UFS_EXTATTR
options         UFS_EXTATTR_AUTOSTART
... see NOTES, see FreeBSD how-tos on rebuilding kernel (super simple); see
http://nixdoc.net/man-pages/FreeBSD/man7/ffs.7.html

- after some struggle I can now modify ACLs from windows & setfacl -- change
permissions, add misc. users, etc.

Tom,

Thanks for the feedback. I will make sure that some of the information in your 
email gets into the documentation. The implementation and use of ACLs with 
UNIX/Linux is very complex. The OS, the file system, the implementation of 
the file system, and the compilation of Samba, must all support ACLs.

As you explore the use of ACLs it becomes apparent that many smb.conf 
parameters can affect the behavior of ACLs. For example, the default create 
mask can really mess things up on some systems.

I am working to complete the second edition of the HOWTO this week-end. Your 
input is timely. Thanks.

- John T.

On Saturday 14 May 2005 09:53, Tom Wolfe wrote:
> Hello:
>
> I've been working for a few days on getting a FreeBSD 5.3 server up and
> running as a samba data backup server.
>
> My goal is to schedule periodic backups of our file server. After reading
> recommendations (e.g. by Mr. Terpstra) I've focused my attempts aroung
> robocopy, xxcopy, net rpc share migrate shares.
>
> However, I'm running into stumbling blocks that seem to involve a
problem
> with permissions to write to ACLs -- but only when trying to transfer files
> from Windows to Samba.
>
> Before you pass this by as another "can't change ACLs" post:
YES, using
> Windows Explorer I CAN add files, view & change ACLs, etc to the samba
> share folders/files (see bottom of this message to see what I can do so
> far) as user DOMAIN\administrator. I've also tried forcing user as root
(in
> smb.conf) to see if that would work (it doesn't).
>
> ROBOCOPY
> =======> C:\>robocopy temp \\srv04\backup\temp6 /MIR /copyall
>
> gives me the following:
> 	                   3	C:\temp\
> 2005/05/14 09:20:24 ERROR 5 (0x00000005) Copying NTFS Security to
> Destination Directory C:\temp\
> Access is denied.
>
> XXCOPY
> =====> C:\>robocopy temp \\srv04\backup\temp6 /MIR /copyall
>
> Gives me no errors; however, ACLs are lost (Everyone, root, wheel show up;
> nothing else does)
>
> Net rpc share migrate shares
> ===========================> This looks like a REALLY cool way to
accomplish what I want to do; however,
>
> % net rpc share migrate shares Scanned -S srv02 -U Administrator%Power832
>
> gives me the following error:
>
> migrating: [Scanned], path: D:\SPub\Scanned Images, comment: , without
> share-ACLs
> cannot add share: WERR_ACCESS_DENIED
>
> (same thing happens if I include acls in the migration)
>
> Any suggestions?
>
> Regards,
> Tom Wolfe
>
> My smb.conf file:
>
> [global]
>         winbindusedefaultdomain   = Yes
>         addsharecommand           >
/usr/local/share/examples/samba/scripts/perl/modify_samba_config.pl
>         deletesharecommand        >
/usr/local/share/examples/samba/scripts/perl/modify_samba_config.pl
>         passwordserver            = PDCSERVER
>         idmapuid                  = 10000-100000
>         winbindcachetime          = 3600
>         realm                     = DOMAIN.COM
>         templatehomedir           = /home/%U
>         winbindnestedgroups       = Yes
>         allowtrusteddomains       = No
>         workgroup                 = DOMAIN
>         changesharecommand        >
/usr/local/share/examples/samba/scripts/perl/modify_samba_config.pl
>         idmapbackend              = idmap_rid:DOMAIN =10000-100000
>         templateshell             = /bin/sh
>         winbindseparator          = +
>         security                  = ADS
>         idmapgid                  = 10000-100000
>         log level = 3
>         max log size = 0
>         log file = /var/log/samba/PDCSERVER.log
>
>  [backup]
>         adminusers                = administrator
>         readonly                  = no
>         writable                  = yes
>         path                      = /home/backup
>
>
> =========> Note: Much of my search discovered many posts similar to my
own questions
> that were answered by exhortations to RTFM or "search the list
archives!",
> or (usually) plain silence ... well, I followed the advice and found it
> wasn't at all easy--but these caveats did at least keep me from making
a
> plea for help until now!
>
> For other users struggling to get this done (FreeBSD, Samba, ACLs,
> copying/backing up from Windows to FreeBSD), the progress I've made so
far
> has been helped by:
>
> - Samba official How-to & list archives, of course...
> - a good, simple how-to at
> http://web.irtnog.org/Members/xenophon/freebsd/winbind as a guideline for
> setting up samba with ACLs on FreeBSD 5.3...
>
> - To get ACLs working: FreeBSD 5.1+, which uses UFS2 by default, requires
> "tunefs -a enable /usr" (or replace /usr with the whatever you
want to add
> acl support to; add it to /etc/rc and reboot if you're doing it
remotely)
> to set my /usr file system up for ACLs...; lower than 5.1 apparently
> requires additional kernel configuration entries:
> options         UFS_EXTATTR
> options         UFS_EXTATTR_AUTOSTART
> .. see NOTES, see FreeBSD how-tos on rebuilding kernel (super simple); see.
> http://nixdoc.net/man-pages/FreeBSD/man7/ffs.7.html
>
> - after some struggle I can now modify ACLs from windows & setfacl --
> change permissions, add misc. users, etc.
-- 
John H Terpstra
Samba-Team Member
Phone: +1 (650) 580-8668

Author:
The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556
Samba-3 by Example, ISBN: 0131472216
Hardening Linux, ISBN: 0072254971
Other books in production.