On Tue, 2005-02-22 at 09:17 -0500, Josh Kelley wrote:
> I tried using the fake_perms module to set up some read-only profiles
> and couldn't get it to work. Could someone please point out what I'm
> doing wrong?
>
> I created a copy of my regular [profiles] share with the fake_perms
> module loaded:
> [staticprofiles]
> path = /staticprofiles
> invalid users = root
> browseable = yes
> csc policy = disable
> veto oplock files = /prf*.tmp/
> vfs object = fake_perms
>
> I created the staticprofiles directory and a subdirectory for the
> account named "alumni":
> mkdir /staticprofiles
> mkdir /staticprofiles/alumni
> chown alumni:users /staticprofiles/alumni

No, the chown should be root:root

> I set the alumni account to use the staticprofiles share instead of the
> profiles share that everyone else uses:
> pdbedit -u alumni -p '\\myserver\staticprofiles'
>
> It's my understanding that under this setup, the alumni account would be
> unable to write to \\myserver\staticprofiles\alumni via Samba but that
> it wouldn't get any errors when it tries to write. But that's not what
> happens. If the alumni account has write permissions to the
> /staticprofiles/alumni directory, then it can write to it via Samba. If
> it doesn't have permissions, then it gets an access denied error when it
> tries to write.
>
> Am I doing something wrong? Or do I misunderstand what fake_perms is
> supposed to do?

The profile is intended to be read-only, and the ntuser.dat should be
renamed ntuser.man to give the client the hint. This ensures the client
doesn't try to write back, and the real FS permissions ensure that they
can't.

The thing being faked is the copied permissions that the client uses on
the client NTFS filesystem. If the permissions were read-only to the
user, the profile copy would fail (write into read-only dir).

fake_perms actually shares much of its behaviour with 'profile acls
yes', and I probably should have just fixed that behaviour, but
anyway...

Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College http://hawkerc.net
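
An added example, not part of the original thread: a shell check that a read-only profile directory matches the advice in the reply above (owned by root rather than the profile's user, not writable through real filesystem permissions, and carrying ntuser.man instead of ntuser.dat). The function name `audit_profile` and its optional owner-uid argument are hypothetical, GNU find is assumed, and checking the whole tree rather than only the top directory goes slightly beyond what the reply states.

```shell
#!/bin/sh
# audit_profile DIR [OWNER_UID]
# Returns the number of problems found (0 = directory looks like a
# read-only profile). OWNER_UID defaults to 0 (root); the argument is an
# assumption added so the check can be exercised without root.
audit_profile() {
    dir=$1
    want_uid=${2:-0}
    problems=0

    if [ ! -d "$dir" ]; then
        echo "FAIL: $dir is not a directory"
        return 1
    fi

    # Ownership: nothing in the tree should belong to the profile's user.
    foreign=$(find "$dir" ! -uid "$want_uid" | head -n 5)
    if [ -n "$foreign" ]; then
        echo "FAIL: entries not owned by uid $want_uid:"
        echo "$foreign"
        problems=$((problems + 1))
    fi

    # Real filesystem permissions must stop writes: no group/other write
    # bit anywhere (symlinks skipped, their mode bits are meaningless).
    writable=$(find "$dir" ! -type l -perm /022 | head -n 5)
    if [ -n "$writable" ]; then
        echo "FAIL: group/other-writable entries:"
        echo "$writable"
        problems=$((problems + 1))
    fi

    # Hive name: ntuser.man is the hint to the client; a leftover
    # ntuser.dat (any case) means the rename was missed.
    if [ -z "$(find "$dir" -maxdepth 1 -type f -iname 'ntuser.man')" ]; then
        echo "FAIL: no ntuser.man in $dir"
        problems=$((problems + 1))
    fi
    if [ -n "$(find "$dir" -maxdepth 1 -type f -iname 'ntuser.dat')" ]; then
        echo "FAIL: ntuser.dat still present in $dir"
        problems=$((problems + 1))
    fi

    [ "$problems" -eq 0 ] && echo "OK: $dir"
    return "$problems"
}
```

On the server from the thread this would be run as `audit_profile /staticprofiles/alumni`.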