samba - Feb 2005 - fake_perms and read-only profiles

I tried using the fake_perms module to set up some read-only profiles 
and couldn't get it to work.  Could someone please point out what I'm 
doing wrong?

I created a copy of my regular [profiles] share with the fake_perms 
module loaded:
[staticprofiles]
    path = /staticprofiles
    invalid users = root
    browseable = yes
    csc policy = disable
    veto oplock files = /prf*.tmp/
    vfs object = fake_perms

I created the staticprofiles directory and a subdirectory for the 
account named "alumni":
mkdir /staticprofiles
mkdir /staticprofiles/alumni
chown alumni:users /staticprofiles/alumni

I set the alumni account to use the staticprofiles share instead of the 
profiles share that everyone else uses:
pdbedit -u alumni -p '\\myserver\staticprofiles'

It's my understanding that under this setup, the alumni account would be 
unable to write to \\myserver\staticprofiles\alumni via Samba but that 
it wouldn't get any errors when it tries to write.  But that's not what 
happens.  If the alumni account has write permissions to the 
/staticprofiles/alumni directory, then it can write to it via Samba.  If 
it doesn't have permissions, then it gets an access denied error when it 
tries to write.

Am I doing something wrong?  Or do I misunderstand what fake_perms is 
supposed to do?

Josh Kelley

On Tue, 2005-02-22 at 09:17 -0500, Josh Kelley wrote:
> I tried using the fake_perms module to set up some read-only profiles 
> and couldn't get it to work.  Could someone please point out what
I'm
> doing wrong?
> 
> I created a copy of my regular [profiles] share with the fake_perms 
> module loaded:
> [staticprofiles]
>     path = /staticprofiles
>     invalid users = root
>     browseable = yes
>     csc policy = disable
>     veto oplock files = /prf*.tmp/
>     vfs object = fake_perms
> 
> I created the staticprofiles directory and a subdirectory for the 
> account named "alumni":
> mkdir /staticprofiles
> mkdir /staticprofiles/alumni
> chown alumni:users /staticprofiles/alumni
No, the chown should be root:root
> I set the alumni account to use the staticprofiles share instead of the 
> profiles share that everyone else uses:
> pdbedit -u alumni -p '\\myserver\staticprofiles'
> 
> It's my understanding that under this setup, the alumni account would
be
> unable to write to \\myserver\staticprofiles\alumni via Samba but that 
> it wouldn't get any errors when it tries to write.  But that's not
what
> happens.  If the alumni account has write permissions to the 
> /staticprofiles/alumni directory, then it can write to it via Samba.  If 
> it doesn't have permissions, then it gets an access denied error when
it
> tries to write.
> 
> Am I doing something wrong?  Or do I misunderstand what fake_perms is 
> supposed to do?
The profile is intended to be read-only, and the ntuser.dat should be
renamed ntuser.man to give the client the hint.  This ensures the client
doesn't try to write back, and the real FS permissions ensures that they
can't.

The thing being faked is the copied permissions that the client uses on
the client NTFS filesystem.  If the permissions were read-only to the
user, the profile copy would fail (write into read-only dir).

fake_perms actually shares much of it's behaviour with 'profile acls
yes', and I probably should have just fixed that behaviour, but
anyway...

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url :
http://lists.samba.org/archive/samba/attachments/20050224/c5040bcc/attachment.bin