I'm having trouble with files being marked read-only in Windows because the Solaris file owner does not have write-permissions on the file; group-write is allowed:
-r--rw---- 1 user group 32 Feb 13 14:19 testfile.txt
I thought that setting "store dos attributes = yes" for this share would allow the "read only" setting to be stored in extended attributes, but it doesn't seem to be working - does Solaris 10 support extended attributes as needed by Samba?
I'm using Samba 3.0.24 on Solaris 10, configuration file for the share below:
[TEST]
comment = server vartmp
path = /var/tmp
browseable = yes
public = yes
guest ok = yes
writable = yes
force create mode = 0664
force directory mode = 0775
map hidden = no
map system = no
map archive = no
ea support = yes
store dos attributes = yes
Thanks in advance -- James
Neuwald, Björn
2007-Feb-15 08:06 UTC
[Samba] Solaris 10 + Samba 3.0.24 = AD-Member Win2003Server
Hi!
I have problems with my Samba 3.0.24 on my Solaris 10 machine.
I hope you can help me.
I googled a lot and asked many people, but nobody could help me.
So... I have...
Solaris 10 with Samba 3.0.24
Kerberos installed
OpenLDAP installed
OpenSSL installed
I configured and compiled Samba 3.0.24 (Options: ./configure
--prefix=/usr/local/samba --with-winbind --with-ads --with-ldap
--with-krb5=/usr/local --with-acl-support )
Now I want Samba to be a member of the ADS domain.
I made a keytab file with the following command on the Windows 2003 domain controller:
C:\>ktpass -princ host/FQDN@XXX.XXXX.DE -mapuser XXX\user1 -pass ***** -out c:\user1.keytab
After this I configured SWAT... and SWAT was working well.
Then I registered the keytab file with the following commands:
#/usr/local/sbin/ktutil
#ktutil: rkt /usr/local/krb5/usr1.keytab
#ktutil: wkt /usr/local/krb5/krb5.keytab
I copied "libnss_winbind.so" and set the symbolic links.
#cp .../samba-3.0.24/source/nsswitch/libnss_winbind.so /usr/lib
#ln -s libnss_winbind.so libnss_winbind.so.1
#ln -s libnss_winbind.so nss_winbind.so.1
#ln -s libnss_winbind.so nss_winbind.so.2
After this I configured Kerberos... edited "krb5.conf" like this:
# krb5.conf template
# In order to complete this configuration file
# you will need to replace the __<name>__ placeholders
# with appropriate values for your network.
#
[libdefaults]
ticket_lifetime = 24000
default_realm = XXX.XXXX.DE
default_tgs_enctypes = des-cbc-crc des-cbc-md5
default_tkt_enctypes = des-cbc-crc des-cbc-md5
[realms]
NTBV.BZ-FREIBURG.DE = {
kdc = server1.xx.xxxx.de
kdc = server2.xx.xxxx.de
admin_server = server1.xx.xxxx.de
default_domain = xx.xxxx.de
}
[domain_realm]
.mn.freinet.de = XXX.XXXX.DE
mn.freinet.de = XXX.XXXX.DE
[logging]
default = FILE:/var/krb5/kdc.log
kdc = FILE:/var/krb5/kdc.log
kdc_rotate = {
# How often to rotate kdc.log. Logs will get rotated no more
# often than the period, and less often if the KDC is not used
# frequently.
period = 1d
# how many versions of kdc.log to keep around (kdc.log.0, kdc.log.1, ...)
versions = 10
}
[appdefaults]
kinit = {
renewable = true
forwardable= true
}
Now I edited "/etc/nscd.conf"; I added the following:
...
# logfile /var/adm/nscd.log
enable-cache hosts no
enable-cache passwd no
enable-cache group no
...
And I edited "/etc/nsswitch.conf" too:
....
passwd: files winbind
group: files winbind
....
Via SWAT, I configured Samba like this:
# Samba config file created using SWAT
# from 172.16.124.6 (172.16.124.6)
# Date: 2006/09/11 15:14:18
[global]
workgroup = XX
realm = XX.XXXX.DE
netbios name = test1
server string = SambaTest
interfaces = 192.168.20.19
bind interfaces only = Yes
security = ADS
password server = server1.xx.xxx.de
log file = /user/local/samba/log/log.%m
ldap ssl = No
idmap uid = 5000-100000000
idmap gid = 5000-100000000
template homedir = /usr/local/samba/%D/%U
template shell = /bin/bash
winbind enum users = Yes
winbind enum groups = Yes
force create mode = 0775
force directory mode = 06775
[medianet]
comment = TestShare
path = /shared
valid users = @XX\group1,@XX\group4
read only = No
Then I registered the server in the Active Directory:
#kinit domainadmin
Password for domainadmin@XX.XXXX.DE:
#
#./net ads join
Using short domain name - XX
Joined 'test1' to realm 'XX.XXXXX.DE'#
Then I tested the following:
#/usr/local/samba/bin/wbinfo -u
XX\user1
XX\user2
XX\user3
XX\user4
# /usr/local/samba/bin/wbinfo -g
XX\group1
XX\group2
XX\group3
XX\group4
XX\group5
#/usr/local/samba/bin/net ads info
LDAP server: 192.168.20.1
LDAP server name: server1.XX.XXXX.de
Realm: XX.XXXX.DE
Bind Path: dc=XX,dc=XXXX,dc=DE
LDAP port: 389
Server time: Tue, 12 Sep 2006 14:10:57 MEST
KDC server: 192.168.20.1
Server time offset: 0
# id "XX\user1"
uid=5000(XX\user1) gid=5000(XX\group4)
# ./wbinfo -r "XX\user1"
group3
group4
I created a test share, as in the Samba config.
The valid users/groups for the share were group1 ("@XX\group1") and group4 ("@XX\group2"), as configured in smb.conf.
The user user1, which has the primary group group4 "XX\group4" and is also a member of group3 "XX\group3", must enter this share and should be allowed to enter it. OK, this works.
But when I want to enter a folder in this share which I created in Solaris (for example "/shared/testfolder") and to which I added the ACL
#setfacl -m g:"XX\group3":rwx /shared/testfolder
a window appears on my Windows machine saying that I do not have permission to enter it.
But user1 has the primary group group4 and the secondary group group3. The share has rights in Samba (valid users) for group4 and group1. The folder in the share has permissions (rwx) set via ACL for group3, and user1 is a member of group3.
So I think nested groups or secondary groups are completely ignored.
I hope you can help me.
Best regards, Björn
__________________________________________________________________________________
MediaNet GmbH Netzwerk- und Applikations-Service
Lörracher Straße 5a, D-79115 Freiburg
Phone 0761/496-1400 - e-mail: info@medianet.freinet.de
Managing Director: Meinhard Fleig - Commercial Register Freiburg HRB 4869
Bank details: Sparkasse Freiburg - bank code (BLZ) 680 501 01 - account 211 085 7
__________________________________________________________________________________
Schaefer Jr, Thomas R.
2007-Feb-15 14:35 UTC
[Samba] Solaris 10 and "store dos attributes"
The user wouldn't be able to write to the file at a command prompt either.
schaefer@tomcat:~ -bash$ cat /etc/release
Solaris 10 3/05 s10_74L2a X86
Copyright 2005 Sun Microsystems, Inc. All Rights Reserved.
Use is subject to license terms.
Assembled 22 January 2005
schaefer@tomcat:~ -bash$ id
uid=241(schaefer) gid=203(stuff)
schaefer@tomcat:~ -bash$ touch a_file.txt
schaefer@tomcat:~ -bash$ ls -ld a_file.txt
-rw-r--r-- 1 schaefer stuff 0 Feb 15 08:04 a_file.txt
schaefer@tomcat:~ -bash$ echo blah >> a_file.txt
schaefer@tomcat:~ -bash$ chmod u-w,g+w a_file.txt
schaefer@tomcat:~ -bash$ ls -ld a_file.txt
-r--rw-r-- 1 schaefer stuff 5 Feb 15 08:04 a_file.txt
schaefer@tomcat:~ -bash$ echo blah >> a_file.txt
-bash: a_file.txt: Permission denied
-----Original Message-----
From: samba-bounces+tom=umsl.edu@lists.samba.org
[mailto:samba-bounces+tom=umsl.edu@lists.samba.org] On Behalf Of James
Sent: Wednesday, February 14, 2007 1:58 PM
To: samba@lists.samba.org
Subject: [Samba] Solaris 10 and "store dos attributes"
I'm having trouble with files being marked read-only in Windows because the Solaris file owner does not have write-permissions on the file; group-write is allowed:
-r--rw---- 1 user group 32 Feb 13 14:19 testfile.txt
I thought that setting "store dos attributes = yes" for this share would allow the "read only" setting to be stored in extended attributes, but it doesn't seem to be working - does Solaris 10 support extended attributes as needed by Samba?
I'm using Samba 3.0.24 on Solaris 10, configuration file for the share below:
[TEST]
comment = server vartmp
path = /var/tmp
browseable = yes
public = yes
guest ok = yes
writable = yes
force create mode = 0664
force directory mode = 0775
map hidden = no
map system = no
map archive = no
ea support = yes
store dos attributes = yes
Thanks in advance -- James
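Both questions in this thread come down to which permission entry the file system consults for a given user. The following is an added example, not code from any poster or from Samba: a small Python model of the POSIX-draft ACL check order (owner, named users, group class, other), applied to James's -r--rw---- file and to Björn's named-group ACL. All uids and gids are constructed, the root-owned 0750 directory mode is an assumption, and `map read only` is an smb.conf parameter from the Samba manual that the thread itself does not mention.

```python
from dataclasses import dataclass, field

R, W, X = 4, 2, 1  # permission bits, as in one octal digit of a mode

@dataclass
class Acl:
    owner: int                 # uid of the file owner
    group: int                 # owning gid
    user_obj: int              # owner bits
    group_obj: int             # owning-group bits
    other: int                 # everyone else
    mask: int = R | W | X      # caps named users and the whole group class
    named_users: dict = field(default_factory=dict)   # uid -> bits
    named_groups: dict = field(default_factory=dict)  # gid -> bits

def allowed(acl, uid, gids, want):
    """POSIX-draft ACL check: the first matching class decides, no fall-through."""
    if uid == acl.owner:
        return (acl.user_obj & want) == want
    if uid in acl.named_users:
        return (acl.named_users[uid] & acl.mask & want) == want
    entries = [acl.group_obj] if acl.group in gids else []
    entries += [bits for gid, bits in acl.named_groups.items() if gid in gids]
    if entries:
        return any((bits & acl.mask & want) == want for bits in entries)
    return (acl.other & want) == want

def dos_read_only(acl, uid, gids, map_read_only="yes", stored=False):
    """DOS read-only flag per smb.conf 'map read only' (yes/permissions/no)."""
    if map_read_only == "yes":          # inverse of the owner write bit
        return not (acl.user_obj & W)
    if map_read_only == "permissions":  # connecting user's effective access
        return not allowed(acl, uid, gids, W)
    return stored                       # "no": only the stored attribute counts

# Constructed ids: owner uid 100, colleague uid 101, both in gid 200.
testfile = Acl(owner=100, group=200, user_obj=R, group_obj=R | W, other=0)  # -r--rw----
# Constructed: directory root:root 0750 plus a named-group entry for gid 5003.
testfolder = Acl(owner=0, group=0, user_obj=7, group_obj=R | X, other=0,
                 named_groups={5003: R | W | X})

if __name__ == "__main__":
    print(allowed(testfile, 100, {200}, W), allowed(testfile, 101, {200}, W))
    print(dos_read_only(testfile, 101, {200}, "yes"),
          dos_read_only(testfile, 101, {200}, "permissions"))
    print(allowed(testfolder, 5000, {5000, 5003}, R | X),
          allowed(testfolder, 5000, {5000}, R | X))
```

With these constructed values the owner is refused write access although the group bits allow it, and the named-group entry only grants access when gid 5003 is in the group list the process actually carries.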