Justin Zachor
2004-Nov-29 21:37 UTC
[Samba] root ownership on some profile files cause login errors
Here's another question related to how to use masks --

In my PDC area I specify:

    logon path = \\netapp\profiles\%u

This puts server-based (roaming) profiles on my Network Appliance (which itself is an SMB/PDC client).

A previous admin here left this commented section:

    #[profiles]
    # path = /var/lib/samba/profiles # path = /netapp/profiles ???
    # read only = no
    # create mask = 0600
    # directory mask = 0700

So, is this the syntax for masks?
Do I add "create mask = 0744" -OR- "force create mask = 0744"?
Where do I put it? Anywhere in smb.conf?

Should the mask be 0077? (it's a mask, not chown notation, right??)

PS, When I had Windows login trouble, these perms tweaks fixed it:

    /home/profiles# chown -R <user> <user>
    /home/profiles# chmod -R 700 <user>

NOTE: We're using Samba as a PDC fine with the below smb.conf. So I don't want to muck up permission by adding an improper mask statement.

So Again, this permissions issue only came up when I copied a profile from a local Win2K box to the PDC profile dir using local administrator "Copy To..." feature under System | User Profiles (control panel).

Thanks again!
-JAZ

joec wrote:
> Try this:
> net mask = 0744 (or 755 depending on what you want the permissions to be)
> directory mask = 0755
>
> Check a samba book for the correct options, but that is how I did the trick on my network at home.
>
> Joe
>
> Justin Zachor <zachor-samba@gamelogic.com> wrote :
>
>>On a newly migrated profile (migrated onto Samba server, from local)
>>some files/dirs get root ownership.
>>
>>How can I stop this from happening, without having to manually adjust
>>the permissions? Should I use "force create mode = 0600" or
>>"force directory mode = 0700"? If so, then where?
>>
>>For example
>>drwx------ 2 root daemon 4096 Nov 12 14:58 S-1-5-21-515...
>>
>>"Windows cannot copy file \\netapp\profiles\user\Application
>>Data\Microsoft\Protect\S-1-5-21-515...\ to location C:\Documents and
>>Settings\user.FOOBAR\Application
>>Data\Microsoft\Protect\S-1-5-21-515...\. Contact your network
>>administrator.
>>
>>DETAIL - Access is denied."
>>
>>"Windows cannot load the profile and is logging you on with a
>>temporary profile. Changes you make to this profile will be lost when
>>you log off."
>>------------smb.conf--------------
>>[global]
>>
>># -- BEGIN PDC --
>>    domain logons = yes
>>    logon path = \\netapp\profiles\%u
>>    logon drive = H:
>>    logon home = \\netapp\%u\.winprofile
>>    logon script = logon.bat
>>
>>    add user to group script = /usr/sbin/usermod -G %g %u
>>    add machine script = /usr/sbin/adduser --firstuid 9001 \
>>        --lastuid 9500 \
>>        --gid 9000 --home /dev/null --shell /bin/false \
>>        --no-create-home \
>>        --disabled-password --gecos "%u Samba Machine Account" \
>>        --force-badname %u
>>    admin users = @ntadmins
>>    workgroup = FOOBAR
>># -- END PDC --
>>
>>    invalid users = root
>><snip> (many misc settings here -- omitted for ease of reading)
>>
>>[netlogon]
>>    comment = Network Logon Service
>>    browseable = no
>>    path = /var/lib/samba/netlogon
>>    read only = yes
>>    write list = @ntadmins
>>#[profiles]
>># path = /var/lib/samba/profiles # path = /netapp/profiles ???
>># read only = no
>># create mask = 0600
>># directory mask = 0700
>>[homes]
>>    comment = Home Directories
>>    browseable = no
>>    force create mode = 0755
>>    force directory mode = 0755
>>    writable = yes
>>--------------------------------------------------------
>>Thanks in advance
Gerald (Jerry) Carter
2004-Nov-30 14:12 UTC
[Samba] root ownership on some profile files cause login errors
Justin Zachor wrote:
| Here's another question related to how to use masks --
|
| In my PDC area I specify:
|
| logon path = \\netapp\profiles\%u

I recommend %U and not %u for the 'logon path' in most cases.

| This puts server-based (roaming) profiles on my
| Network Appliance (which itself is an SMB/PDC client).
|
| A previous admin here left this commented section:
|
| #[profiles]
| # path = /var/lib/samba/profiles # path = /netapp/profiles ???
| # read only = no
| # create mask = 0600
| # directory mask = 0700
|
| So, is this the syntax for masks?
| Do I add "create mask = 0744" -OR- "force create mask = 0744"?
| Where do I put it? Anywhere in smb.conf?
|
| Should the mask be 0077? (it's a mask, not chown
| notation, right??)

The 'create mask' is a bitwise logical AND with the requested permissions. The force create mode is a bitwise logical OR.

cheers, jerry
---------------------------------------------------------------------
Alleviating the pain of Windows(tm) ------- http://www.samba.org
GnuPG Key ----- http://www.plainjoe.org/gpg_public.asc
"If we're adding to the noise, turn off this song"--Switchfoot (2003)
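
Added example (not part of either message and not Samba's own code): the AND/OR rule from the reply above, applied to the settings discussed in this thread. The requested modes (0744 for a file, 0777 for a directory), the share name `[mask0077]` and the helper names are assumptions made for illustration; the defaults are the ones documented in smb.conf(5).

```python
import stat

# Defaults documented in smb.conf(5) for the four parameters.
DEFAULTS = {"create mask": 0o744, "force create mode": 0o000,
            "directory mask": 0o755, "force directory mode": 0o000}

# Constructed sample: [profiles] is the thread's commented section with the
# "#" removed, [homes] is from the posted smb.conf, [mask0077] is hypothetical.
SAMPLE_CONF = """
[profiles]
   read only = no
   create mask = 0600
   directory mask = 0700
[homes]
   force create mode = 0755
   force directory mode = 0755
[mask0077]
   create mask = 0077
"""

def parse_share(text, share):
    """Collect the mask/mode parameters set in one [share] section."""
    params, current = dict(DEFAULTS), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
        elif current == share and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            key = " ".join(key.lower().split())
            if key in params:
                params[key] = int(value, 8)  # modes are written in octal
    return params

def effective_mode(requested, params, directory=False):
    """Apply the mask (AND) first, then the force mode (OR)."""
    kind = "directory" if directory else "create"
    mask = params[f"{kind} mask"]
    force = params[f"force {kind} mode"]
    return (requested & mask) | force

def report(share, file_req=0o744, dir_req=0o777):
    """Return (file, dir) mode strings; the requested modes are assumed samples."""
    p = parse_share(SAMPLE_CONF, share)
    return (stat.filemode(stat.S_IFREG | effective_mode(file_req, p)),
            stat.filemode(stat.S_IFDIR | effective_mode(dir_req, p, True)))

if __name__ == "__main__":
    for name in ("profiles", "homes", "mask0077"):
        print(name, *report(name))
```

With "create mask = 0077" the AND clears every owner bit, so the profile's owner could not read the files it just wrote; 0600/0700 keeps a roaming profile private to its owner.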