samba - Oct 2013 - write problem from mac osx 10.8.5 clients to samba 4

Hi?

I have setup a samba 4 DC with mixed client environment.
My problem is that the mac osx client are unable to write to a samba 4 share.

I tested mac osx clients on a normal windows 7 share and it works fine
I tested mac osx clients on a samba 3.5 .. share and everything works fine.

As i am in a professional environment and all the windows clients are already
binded to the samba 4 domain i can not step back to samba3.

My mac osx clients are binded and im able to view/edit active directory from the
mac.

My only issue is that i can not write to the samba 4 shares. i have verified all
about permissions, and my thought is that mac osx confuses unix and acl rights.

Is there a workaround or a special thing to do regarding UID map GUID map

please be aware that i'm not a mac specialist, but have to handlwith it
because of professional reasons.

i am searching a solution for weeks now and really need some help !

Kind regards

I'm not sure if this is still an issue in modern versions of OS X, but in
past you have had to disable unix extensions on the server if UID/GIDs
didn't match up with what the client had. It really sucks that there's
not
another workaround, especially for off-domain Macs.

Personally, I've been running netatalk for OS X clients. While it sucks to
have to maintain another service, the OS X SMB driver has always been
pretty awful and the improvement in performance has been well worth the
cost.


On Thu, Oct 3, 2013 at 8:04 AM, Athan DE JONG <athan.dejong at yahoo.fr>
wrote:
> Hi
>
> I have setup a samba 4 DC with mixed client environment.
> My problem is that the mac osx client are unable to write to a samba 4
> share.
>
> I tested mac osx clients on a normal windows 7 share and it works fine
> I tested mac osx clients on a samba 3.5 .. share and everything works fine.
>
> As i am in a professional environment and all the windows clients are
> already binded to the samba 4 domain i can not step back to samba3.
>
> My mac osx clients are binded and im able to view/edit active directory
> from the mac.
>
> My only issue is that i can not write to the samba 4 shares. i have
> verified all about permissions, and my thought is that mac osx confuses
> unix and acl rights.
>
> Is there a workaround or a special thing to do regarding UID map GUID map
>
> please be aware that i'm not a mac specialist, but have to handlwith it
> because of professional reasons.
>
> i am searching a solution for weeks now and really need some help !
>
> Kind regards
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

Hey Athan, I was able to deploy OSX in a samba4 environment. Here is my
procedure:

go to System Preferences > User and Groups and create a new account with
admin privileges. This will be developed into a default profile for domain
users. Log out and in with the user.

Open Keychain Access and delete "Login"

Spend some time opening all the applications on the operating system,
registering all welcome prompts, and performing all necessary
updates/changes.

***THIS MAY BE WHAT YOU'RE LOOKING FOR"***
Go back to System Preferences > User and Groups. Right-click the
appropriate account > Advanced Options: set the Home Directory to
smb://[REALM_OF_DC]/$USER

Open a terminal:
sudo rm /Users/[new_default_account]/Library/Caches/*
sudo rm -rf /System/Library/User\ Template/English.lproj/*
cd /System/Library/User\ Template/English.lproj/
sudo rsync -rav /Users/[new_default_account]/ . (that's a period, so
you're
copying into the present working directory above)

Apple > Recent items > Clear Menu
Reboot into your normal Admin account.
Disk utility > repair disk permissions
Delete the account that's been set up.

As Admin, let's bind to the domain controller. Head back to Users and
Groups and head to Login Options.
Edit Network Account Server > Open Directory Utility > Active Directory
Bind to your active directory FQDN.
Under User Experience, uncheck both "Create mobile account at login"
and
"Force local home directory on startup disk."

The one other clincher, I think, was going to the ADUC snap-in and mapping
the home directory for all users.


On Thu, Oct 3, 2013 at 6:04 AM, Athan DE JONG <athan.dejong at yahoo.fr>
wrote:
> Hi
>
> I have setup a samba 4 DC with mixed client environment.
> My problem is that the mac osx client are unable to write to a samba 4
> share.
>
> I tested mac osx clients on a normal windows 7 share and it works fine
> I tested mac osx clients on a samba 3.5 .. share and everything works fine.
>
> As i am in a professional environment and all the windows clients are
> already binded to the samba 4 domain i can not step back to samba3.
>
> My mac osx clients are binded and im able to view/edit active directory
> from the mac.
>
> My only issue is that i can not write to the samba 4 shares. i have
> verified all about permissions, and my thought is that mac osx confuses
> unix and acl rights.
>
> Is there a workaround or a special thing to do regarding UID map GUID map
>
> please be aware that i'm not a mac specialist, but have to handlwith it
> because of professional reasons.
>
> i am searching a solution for weeks now and really need some help !
>
> Kind regards
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

Hi jason

I had setup a fresh installation
of a SAMBA4 AD without RFC2307 and my mac osx client can read/write
to the shares.

When i was first setting up the Production
server i followed the samba wiki witch says :

The --use-rfc2307option enables your Samba AD automatically to store posix
attributes.
It also creates NIS information in the AD, that allows you to
administrate UIDs/GIDs and other Unix settings (on the ?Unix
attributes? tab in ADUC). It's easier if you enable this feature
during provisioning, than setting this up later by hand. And
even if you don't required it (yet), it's not affecting your
installation. 


 I
had found a lot of posts by googling around of people experimenting
samba issues on mac osx since apple uses their own implementation of
samba called SMBX.
 In
earlier samba versions 3.XXX the solution was to set use unix
attributes to "no" 


 So
it seems that my problem is quite similar to some unix attributes
issues. 


 I
mapped the UID/GID with no results : 


 Map
UID to uidNumber
Map both user GID and group GID to gidNumber 


 When
i compare the result from gentent passwd (on server)and the ID i get
from terminal logged mac user :  
 the
UID and GID results are the same. 


 So
I still wondering why the RFC2307 causes permission issues on mac osx
against the samba share. 


 Any
way, i want to thank you for your kindly help, and may start a new
issue on samba list, and pray to get some help :) 


 but
this will be tomorrow because at this time i only feel like transform
coffe into code. 


 Kind
regards, athan

?
De jong athan : 
MCTS(Microsoft certified technology specialist).


________________________________
 De?: Jason MacChesney <jason.macchesney at ecacs16.ab.ca>
??: Athan DE JONG <athan.dejong at yahoo.fr> 
Envoy? le : Lundi 7 octobre 2013 17h24
Objet?: Re: [Samba] write problem from mac osx 10.8.5 clients to samba 4
 


I did not use the --use-rfc2307 option. I used a fresh installation, not an
upgrade.
OSX - 10.8.5
I'm unable to test in my production environment. However in my test
environment (no roaming profiles) I can authenticate via SMB to mount the share.
After the shares are mounted I can write pretty much anywhere.



On Sat, Oct 5, 2013 at 7:57 PM, Athan DE JONG <athan.dejong at yahoo.fr>
wrote:

Hi Jason
>
>I used exactly the same procedure that you described. I forgot about
"CREATOR OWNER" but after test no changes.
>I googled a lot around and found many people experimenting issus whith the
mac osx SMBX implementation.
>
>
>can provide me some precisions that could help me eliminate cetains points :
>
>Did you provisioning samba with?The?--use-rfc2307 option ?
>What is the version of your Mac OSX ?
>Are you able to write from mac osx to another shared directory than the
"users home dir" ?
>
>Once again thanks for your detailled reply and help !
>?
>Kind regadrs, Athan
>
>
>
>
>________________________________
> 
>De?: Jason MacChesney <jason.macchesney at ecacs16.ab.ca>
>??: Athan DE JONG <athan.dejong at yahoo.fr> 
>Cc?: "samba at lists.samba.org" <samba at lists.samba.org> 
>Envoy? le : Vendredi 4 octobre 2013 19h31
>
>Objet?: Re: [Samba] write problem from mac osx 10.8.5 clients to samba 4
>
>
>
>Hey Athan, in order to do what you want this is what I would do in my
environment; I would create the share in my smb.conf. Then create the directory
on the server. I would populate a group for using the share, either on the
server using samba-tool or using the snap-in. Then jump over to my Windows 7
machine, go to \\MY_SERVER, right-click my share, tab>security, and set full
control permissions to CREATOR OWNER, SYSTEM, Domain Admins, and the group
that's been created for this share. I would then instruct the people in that
group that in order to access the share they need to open a finder, click GO
> Connect to Server. Then they would need to mount the share using
smb://MY_SERVER/SHARE ...they may need to enter their AD credentials at this
point.
>
>
>I have no idea what the map UID, GUID implications are in directory utility,
sorry! Good luck!
>
>
>
>On Fri, Oct 4, 2013 at 10:02 AM, Athan DE JONG <athan.dejong at
yahoo.fr> wrote:
>
>Hi Jason
>>
>>
>>Thanks?for?your?answer?!?
>>
>>
>>sorry?for?the?delay?of?my?reply?i'm?very?busy?this?times.
>>
>>
>>glad?to?hear?that?you?was?able?to?deploy?OSX?in samba !
>>
>>
>>so?your?mac?osx?is?bind-ed?and?you?can?read/write?to?your?home?directory?on?the?server??
>>
>>
>>can?you?read/write?to?another?samba?share??
>>
>>
>>My?problem?is?a?little?different?as?i'm?not?using?roaming?profiles.
The choice of samab 4 was that we later have to setup mail service on the same
server and so we will be able to use the AD for this later.
>>My?goal for the moment?is?to?share?a public?folder?for
a?specific?group?of?users?!
>>
>>
>>my?mac?osx?is?bind-ed?to?AD?i?am?able?to?read?and?delete?files
but?not?to?write?files?to?the?samba?share
>>My?mac user?has?full?acl?and?posix?righs?for?the?test
and?the?message?from?finder?is?that?i "dont have?access?to?some?of?the
items".
>>
>>
>>As?i'm?really?not?a
mac?specialist?i?was?asking?my?self?what?about?the?map?UID,GUID?options
in?the?Directory?utility advanced?options ?
>>
>>
>>Thanks again for your detailed answer, may you can give me another hint
:)
>>
>>
>>Kind regards, Athan
>>
>>
>>
>>________________________________
>> De?: Jason MacChesney <jason.macchesney at ecacs16.ab.ca>
>>??: Athan DE JONG <athan.dejong at yahoo.fr> 
>>Cc?: "samba at lists.samba.org" <samba at
lists.samba.org>
>>Envoy? le : Jeudi 3 octobre 2013 16h40
>>Objet?: Re: [Samba] write problem from mac osx 10.8.5 clients to samba 4
>> 
>>
>>
>>Hey Athan, I was able to deploy OSX in a samba4 environment. Here is my
procedure:
>>
>>
>>go to System Preferences > User and Groups and create a new account
with admin privileges. This will be developed into a default profile for domain
users. Log out and in with the user.
>>
>>
>>Open Keychain Access and delete "Login"
>>
>>Spend some time opening all the applications on the operating system,
registering all welcome prompts, and performing all necessary updates/changes.
>>
>>
>>
>>**THIS MAY BE WHAT YOU'RE LOOKING FOR"**
>>Go back to System Preferences > User and Groups. Right-click the
appropriate account > Advanced Options: set the Home Directory to
smb://[REALM_OF_DC]/$USER
>>
>>
>>Open a terminal:?
>>sudo rm /Users/[new_default_account]/Library/Caches/*
>>sudo rm -rf /System/Library/User\ Template/English.lproj/*
>>
>>cd /System/Library/User\ Template/English.lproj/
sudo rsync -rav /Users/[new_default_account]/ . (that's a period, so
you're copying into the present working directory
above)
>>
>>
>>Apple > Recent items > Clear Menu
>>Reboot into your normal Admin account.?
>>
>>Disk utility > repair disk permissions
>>Delete the account that's been set up.?
>>
>>
>>
>>As Admin, let's bind to the domain controller. Head back to Users
and Groups and head to Login Options.
>>Edit Network Account Server > Open Directory Utility > Active
Directory
>>
>>Bind to your active directory FQDN.?
>>
>>Under User Experience, uncheck both "Create mobile account at
login" and "Force local home directory on startup disk."
>>
>>
>>The one other clincher, I think, was going to the ADUC snap-in and
mapping the home directory for all users.
>>
>>
>>
>>On Thu, Oct 3, 2013 at 6:04 AM, Athan DE JONG <athan.dejong at
yahoo.fr> wrote:
>>
>>Hi?
>>>
>>>I have setup a samba 4 DC with mixed client environment.
>>>My problem is that the mac osx client are unable to write to a samba
4 share.
>>>
>>>I tested mac osx clients on a normal windows 7 share and it works
fine
>>>I tested mac osx clients on a samba 3.5 .. share and everything
works fine.
>>>
>>>As i am in a professional environment and all the windows clients
are already binded to the samba 4 domain i can not step back to samba3.
>>>
>>>My mac osx clients are binded and im able to view/edit active
directory from the mac.
>>>
>>>My only issue is that i can not write to the samba 4 shares. i have
verified all about permissions, and my thought is that mac osx confuses unix and
acl rights.
>>>
>>>Is there a workaround or a special thing to do regarding UID map
GUID map
>>>
>>>please be aware that i'm not a mac specialist, but have to
handlwith it because of professional reasons.
>>>
>>>i am searching a solution for weeks now and really need some help !
>>>
>>>Kind regards
>>>--
>>>To unsubscribe from this list go to the following URL and read the
>>>instructions: ?https://lists.samba.org/mailman/options/samba
>>>
>>
>>
>>
>
>
>