samba - Apr 2015 - Allowing file permissions changes with mac os x clients.

Hi All,

at work all our clients are macs (10.10 yosemite). We are trying to move 
from the classical afp file server to a samba based file server. After a 
lot of testing, things now works more or less: a mac server acts as 
Kerberos+OpenLDAP and a linux debian 7 box is doing the file server with 
samba 4.2.0.

A client which has "joined" (which is bound in mac jargon) the 
OpenLDAP/Kerberos (the opendirectory) domain can mount shares and/or 
home directories on the samba server, leveraging Kerberos and that is 
very nice, thanks to SMB3 being implemented both in samba 4 and in osx 
10.10.

Yet their is no way the mac client can change the permissions of a file 
whether using the mac "Finder" application or using a classical
"chmod".
The former says only "you have custom permissions.", while the later 
returns 0 says nothing but changes nothing either. For the sake of the 
tests all the shared directories on the samba server are in 777 mode.

I tried vfs_fruit by adding
         vfs objects = catia fruit streams_xattr
         fruit:resource = file
         fruit:metadata = stream
         fruit:locking = none
         fruit:encoding = native
         fruit:aapl = yes
but with no luck (performances are way worse with these lines enabled 
when it should be the contrary... did not investigate that yet)

Here is my smb.conf:
[global]
         security = ads
         encrypt passwords = yes
         realm = OD.EXAMPLE.COM
         password server = od.example.com
         workgroup = OD
         kerberos method = dedicated keytab
         dedicated keytab file = /etc/krb5.keytab
         map to guest = never
         obey pam restrictions = no
         client min protocol = SMB3
         unix extensions = yes
         ea support = yes
         case sensitive = yes
         delete readonly = yes
         winbind enum users  = no
         winbind enum groups =  no
[homes]
         path = /mnt/users/%u
         comment = Home Directory for %U
         valid users = %S
         read only = no
         browseable = no
         hide unreadable = yes
         hide unwriteable files = yes

Any help would be much appreciated.
Jeremie

On 02/04/15 20:53, samba wrote:
> Hi All,
>
> at work all our clients are macs (10.10 yosemite). We are trying to 
> move from the classical afp file server to a samba based file server. 
> After a lot of testing, things now works more or less: a mac server 
> acts as Kerberos+OpenLDAP and a linux debian 7 box is doing the file 
> server with samba 4.2.0.
>
> A client which has "joined" (which is bound in mac jargon) the 
> OpenLDAP/Kerberos (the opendirectory) domain can mount shares and/or 
> home directories on the samba server, leveraging Kerberos and that is 
> very nice, thanks to SMB3 being implemented both in samba 4 and in osx 
> 10.10.
>
> Yet their is no way the mac client can change the permissions of a 
> file whether using the mac "Finder" application or using a
classical
> "chmod". The former says only "you have custom
permissions.", while
> the later returns 0 says nothing but changes nothing either. For the 
> sake of the tests all the shared directories on the samba server are 
> in 777 mode.
>
> I tried vfs_fruit by adding
>         vfs objects = catia fruit streams_xattr
>         fruit:resource = file
>         fruit:metadata = stream
>         fruit:locking = none
>         fruit:encoding = native
>         fruit:aapl = yes
> but with no luck (performances are way worse with these lines enabled 
> when it should be the contrary... did not investigate that yet)
>
> Here is my smb.conf:
> [global]
>         security = ads
>         encrypt passwords = yes
>         realm = OD.EXAMPLE.COM
>         password server = od.example.com
>         workgroup = OD
>         kerberos method = dedicated keytab
>         dedicated keytab file = /etc/krb5.keytab
>         map to guest = never
>         obey pam restrictions = no
>         client min protocol = SMB3
>         unix extensions = yes
>         ea support = yes
>         case sensitive = yes
>         delete readonly = yes
>         winbind enum users  = no
>         winbind enum groups =  no
> [homes]
>         path = /mnt/users/%u
>         comment = Home Directory for %U
>         valid users = %S
>         read only = no
>         browseable = no
>         hide unreadable = yes
>         hide unwriteable files = yes
>
> Any help would be much appreciated.
> Jeremie
Do you actually have an Active Directory domain controller ? security = 
ads is for AD

Rowland

On 04/02/2015 10:32 PM, Rowland Penny wrote:
> On 02/04/15 20:53, samba wrote:
>> Hi All,
>>
>> at work all our clients are macs (10.10 yosemite). We are trying to
>> move from the classical afp file server to a samba based file server.
>> After a lot of testing, things now works more or less: a mac server
>> acts as Kerberos+OpenLDAP and a linux debian 7 box is doing the file
>> server with samba 4.2.0.
>>
>> A client which has "joined" (which is bound in mac jargon)
the
>> OpenLDAP/Kerberos (the opendirectory) domain can mount shares and/or
>> home directories on the samba server, leveraging Kerberos and that is
>> very nice, thanks to SMB3 being implemented both in samba 4 and in osx
>> 10.10.
>>
>> Yet their is no way the mac client can change the permissions of a
>> file whether using the mac "Finder" application or using a
classical
>> "chmod". The former says only "you have custom
permissions.", while
>> the later returns 0 says nothing but changes nothing either. For the
>> sake of the tests all the shared directories on the samba server are
>> in 777 mode.
>>
>> I tried vfs_fruit by adding
>>         vfs objects = catia fruit streams_xattr
>>         fruit:resource = file
>>         fruit:metadata = stream
>>         fruit:locking = none
>>         fruit:encoding = native
>>         fruit:aapl = yes
>> but with no luck (performances are way worse with these lines enabled
>> when it should be the contrary... did not investigate that yet)
>>
>> Here is my smb.conf:
>> [global]
>>         security = ads
>>         encrypt passwords = yes
>>         realm = OD.EXAMPLE.COM
>>         password server = od.example.com
>>         workgroup = OD
>>         kerberos method = dedicated keytab
>>         dedicated keytab file = /etc/krb5.keytab
>>         map to guest = never
>>         obey pam restrictions = no
>>         client min protocol = SMB3
>>         unix extensions = yes
>>         ea support = yes
>>         case sensitive = yes
>>         delete readonly = yes
>>         winbind enum users  = no
>>         winbind enum groups =  no
>> [homes]
>>         path = /mnt/users/%u
>>         comment = Home Directory for %U
>>         valid users = %S
>>         read only = no
>>         browseable = no
>>         hide unreadable = yes
>>         hide unwriteable files = yes
>>
>> Any help would be much appreciated.
>> Jeremie
>
> Do you actually have an Active Directory domain controller ? security >
ads is for AD
>
> Rowland
>
Hi Rowland,

No, their is no AD, only a mac opendirectory which is based on openldap 
+ heimdal kerberos + some apple specific password manager. I actually 
set the security to ads because, reading the samba docs, it seems to be 
the only way to have samba authenticate against kerberos.

Jeremie

On Thu, Apr 02, 2015 at 09:53:52PM +0200, samba wrote:
> Hi All,
> 
> at work all our clients are macs (10.10 yosemite). We are trying to move
> from the classical afp file server to a samba based file server. After a
lot
> of testing, things now works more or less: a mac server acts as
> Kerberos+OpenLDAP and a linux debian 7 box is doing the file server with
> samba 4.2.0.
> 
> A client which has "joined" (which is bound in mac jargon) the
> OpenLDAP/Kerberos (the opendirectory) domain can mount shares and/or home
> directories on the samba server, leveraging Kerberos and that is very nice,
> thanks to SMB3 being implemented both in samba 4 and in osx 10.10.
> 
> Yet their is no way the mac client can change the permissions of a file
> whether using the mac "Finder" application or using a classical
"chmod". The
> former says only "you have custom permissions.", while the later
returns 0
> says nothing but changes nothing either. For the sake of the tests all the
> shared directories on the samba server are in 777 mode.
> 
> I tried vfs_fruit by adding
>         vfs objects = catia fruit streams_xattr
>         fruit:resource = file
>         fruit:metadata = stream
>         fruit:locking = none
>         fruit:encoding = native
>         fruit:aapl = yes
> but with no luck (performances are way worse with these lines enabled when
> it should be the contrary... did not investigate that yet)
it should work with those setting (chmod, not the Finder), not sure
why it doesn't. As you say performance is worse with vfs_fruit, I can
just guess there's something fundamentally broken somewhere, as
fruit/aapl should result in a tremendous directory listing performance
improvement, but shouldn't affect much else.

-Ralph

-- 
SerNet GmbH, Bahnhofsallee 1b, 37081 G?ttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG G?ttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de,mailto:kontakt at sernet.de