samba - Nov 2015 - widelinks_warning - but unix extensions *are* off

> On 02.11.2015, at 16:25, Rowland Penny <rowlandpenny241155 at
gmail.com> wrote:
> 
> Well he didn't write what I asked for, can you please post your entire
smb.conf, please do not use testparm, please post as is (although you can
sanitise any sensitive info)
Sorry, missed that part. Here we go.
Regards, Thomas

[global]
  available = yes
  smb2 leases = yes
  dbwrap_tdb_mutexes:* = yes

  fruit:resource = xattr
  kerberos method = system keytab

  smb ports = 445

  log level = 0
  log file =/usr/local/samba-4.2.5/var/logs_per_client/log.%m

  max open files = 262144

  realm = D.SOME.ORG.TLD
  workgroup = D
  security = ADS
  disable netbios = yes
  local master = no
  domain master = no

  host msdfs = no

  idmap config * : backend = tdb
  idmap config * : range = 1000000-1999999
  idmap config D : backend  = nss
  idmap config D : range = 1000-999999
  idmap negative cache time = 0

  netbios name = FSRV
  server signing = auto
  create mask = 0644
  server string   hide dot files = yes
  hide files = /Maildir/$RECYCLE.BIN/desktop.ini
  load printers = no
  printing = bsd
  printcap name = /dev/null
  deadtime = 15

  interfaces = 192.168.222.77/32
  bind interfaces only = yes

  unix extensions = no

  map untrusted to domain = yes

  username map script = /usr/local/samba-4.2.5/etc/samba/mapcomputers.sh

  shadow:snapdir = .zfs/snapshot
  shadow:sort = desc
  shadow:localtime = yes
  shadow:format = %Y%m%d%H%M
  wide links = yes

  vfs objects = full_audit
  full_audit:prefix = %u|%I|%m|%S
  full_audit:success = mkdir rename rmdir pwrite
  full_audit:failure = none
  full_audit:facility = LOCAL7
  full_audit:priority = NOTICE

  aio read size = 1
  aio write size =1

[homes]
  path = /pool1/home/%S
  read only = no
  browseable = no
  create mask = 0640
  directory mask = 0750
  ea support = yes
  store dos attributes = yes

  vfs objects = shadow_copy2 fruit streams_xattr zfsacl full_audit
  nt acl support = yes
  inherit acls = no

[group]
  read only = no
  path = /pool1/group
  hide unreadable = yes
  comment = Group spaces of %U
  create mask = 0660
  directory mask = 0770
  force create mode = 0660
  force directory mode = 0770
  ea support = yes
  store dos attributes = yes
  map archive = No
  map hidden = No
  map system = No
  map readonly = No
  vfs objects = fruit streams_xattr zfsacl
  acl map full control = False
  nt acl support = no
  inherit acls = no

[web]
  read only = no
  path = /pool1/web
  hide unreadable = yes
  comment = Web spaces
  create mask = 0664
  directory mask = 0775
  force create mode = 0664
  force directory mode = 0775
  ea support = yes
  store dos attributes = yes
  map archive = No
  map hidden = No
  map system = No
  map readonly = No
  vfs objects = zfsacl full_audit
  acl map full control = False
  nt acl support = no
  inherit acls = no

[data]
  path = /pool1/data
  hide unreadable = yes
  read only = no
  ea support = yes
  store dos attributes = yes
  map archive = No
  map hidden = No
  map system = No
  map readonly = No
  vfs objects = zfsacl full_audit
  acl map full control = False
  nt acl support = no
  inherit acls = no

On 02/11/15 17:08, Thomas Werschlein wrote:
>> On 02.11.2015, at 16:25, Rowland Penny <rowlandpenny241155 at
gmail.com> wrote:
>>
>> Well he didn't write what I asked for, can you please post your
entire smb.conf, please do not use testparm, please post as is (although you can
sanitise any sensitive info)
> Sorry, missed that part. Here we go.
> Regards, Thomas
>
> [global]
>    available = yes
>    smb2 leases = yes
>    dbwrap_tdb_mutexes:* = yes
>
>    fruit:resource = xattr
>    kerberos method = system keytab
>
>    smb ports = 445
>
>    log level = 0
>    log file =/usr/local/samba-4.2.5/var/logs_per_client/log.%m
>
>    max open files = 262144
>
>    realm = D.SOME.ORG.TLD
>    workgroup = D
>    security = ADS
>    disable netbios = yes
>    local master = no
>    domain master = no
>
>    host msdfs = no
>
>    idmap config * : backend = tdb
>    idmap config * : range = 1000000-1999999
>    idmap config D : backend  = nss
>    idmap config D : range = 1000-999999
>    idmap negative cache time = 0
>
>    netbios name = FSRV
>    server signing = auto
>    create mask = 0644
>    server string >    hide dot files = yes
>    hide files = /Maildir/$RECYCLE.BIN/desktop.ini
>    load printers = no
>    printing = bsd
>    printcap name = /dev/null
>    deadtime = 15
>
>    interfaces = 192.168.222.77/32
>    bind interfaces only = yes
>
>    unix extensions = no
>
>    map untrusted to domain = yes
>
>    username map script = /usr/local/samba-4.2.5/etc/samba/mapcomputers.sh
>
>    shadow:snapdir = .zfs/snapshot
>    shadow:sort = desc
>    shadow:localtime = yes
>    shadow:format = %Y%m%d%H%M
>    wide links = yes
>
>    vfs objects = full_audit
>    full_audit:prefix = %u|%I|%m|%S
>    full_audit:success = mkdir rename rmdir pwrite
>    full_audit:failure = none
>    full_audit:facility = LOCAL7
>    full_audit:priority = NOTICE
>
>    aio read size = 1
>    aio write size =1
>
> [homes]
>    path = /pool1/home/%S
>    read only = no
>    browseable = no
>    create mask = 0640
>    directory mask = 0750
>    ea support = yes
>    store dos attributes = yes
>
>    vfs objects = shadow_copy2 fruit streams_xattr zfsacl full_audit
>    nt acl support = yes
>    inherit acls = no
>
> [group]
>    read only = no
>    path = /pool1/group
>    hide unreadable = yes
>    comment = Group spaces of %U
>    create mask = 0660
>    directory mask = 0770
>    force create mode = 0660
>    force directory mode = 0770
>    ea support = yes
>    store dos attributes = yes
>    map archive = No
>    map hidden = No
>    map system = No
>    map readonly = No
>    vfs objects = fruit streams_xattr zfsacl
>    acl map full control = False
>    nt acl support = no
>    inherit acls = no
>
> [web]
>    read only = no
>    path = /pool1/web
>    hide unreadable = yes
>    comment = Web spaces
>    create mask = 0664
>    directory mask = 0775
>    force create mode = 0664
>    force directory mode = 0775
>    ea support = yes
>    store dos attributes = yes
>    map archive = No
>    map hidden = No
>    map system = No
>    map readonly = No
>    vfs objects = zfsacl full_audit
>    acl map full control = False
>    nt acl support = no
>    inherit acls = no
>
> [data]
>    path = /pool1/data
>    hide unreadable = yes
>    read only = no
>    ea support = yes
>    store dos attributes = yes
>    map archive = No
>    map hidden = No
>    map system = No
>    map readonly = No
>    vfs objects = zfsacl full_audit
>    acl map full control = False
>    nt acl support = no
>    inherit acls = no
>
>
'unix extensions' is supposed to be set as a global option and if turned
on, is supposed to automatically turn off 'wide links'. However
'wide
links' has been set to on, but globally rather than on a share by share 
basis, this should turn off the warning message you are getting, but 
isn't. Perhaps the reason is the way you have set 'wide links', try 
using it on a share by share basis and see if it stops the messages. If 
that doesn't work, you could try adding 'allow insecure wide links'
to
the global section of your smb.conf

Rowland

> On 02.11.2015, at 20:25, Rowland Penny <rowlandpenny241155 at
gmail.com> wrote:
> 
> On 02/11/15 17:08, Thomas Werschlein wrote:
>>> On 02.11.2015, at 16:25, Rowland Penny <rowlandpenny241155 at
gmail.com> wrote:
>>> 
>>> Well he didn't write what I asked for, can you please post your
entire smb.conf, please do not use testparm, please post as is (although you can
sanitise any sensitive info)
>> Sorry, missed that part. Here we go.
>> Regards, Thomas
>> 
>> [global]
>>   available = yes
>>   smb2 leases = yes
>>   dbwrap_tdb_mutexes:* = yes
>> 
>>   fruit:resource = xattr
>>   kerberos method = system keytab
>> 
>>   smb ports = 445
>> 
>>   log level = 0
>>   log file =/usr/local/samba-4.2.5/var/logs_per_client/log.%m
>> 
>>   max open files = 262144
>> 
>>   realm = D.SOME.ORG.TLD
>>   workgroup = D
>>   security = ADS
>>   disable netbios = yes
>>   local master = no
>>   domain master = no
>> 
>>   host msdfs = no
>> 
>>   idmap config * : backend = tdb
>>   idmap config * : range = 1000000-1999999
>>   idmap config D : backend  = nss
>>   idmap config D : range = 1000-999999
>>   idmap negative cache time = 0
>> 
>>   netbios name = FSRV
>>   server signing = auto
>>   create mask = 0644
>>   server string >>   hide dot files = yes
>>   hide files = /Maildir/$RECYCLE.BIN/desktop.ini
>>   load printers = no
>>   printing = bsd
>>   printcap name = /dev/null
>>   deadtime = 15
>> 
>>   interfaces = 192.168.222.77/32
>>   bind interfaces only = yes
>> 
>>   unix extensions = no
>> 
>>   map untrusted to domain = yes
>> 
>>   username map script =
/usr/local/samba-4.2.5/etc/samba/mapcomputers.sh
>> 
>>   shadow:snapdir = .zfs/snapshot
>>   shadow:sort = desc
>>   shadow:localtime = yes
>>   shadow:format = %Y%m%d%H%M
>>   wide links = yes
>> 
>>   vfs objects = full_audit
>>   full_audit:prefix = %u|%I|%m|%S
>>   full_audit:success = mkdir rename rmdir pwrite
>>   full_audit:failure = none
>>   full_audit:facility = LOCAL7
>>   full_audit:priority = NOTICE
>> 
>>   aio read size = 1
>>   aio write size =1
>> 
>> [homes]
>>   path = /pool1/home/%S
>>   read only = no
>>   browseable = no
>>   create mask = 0640
>>   directory mask = 0750
>>   ea support = yes
>>   store dos attributes = yes
>> 
>>   vfs objects = shadow_copy2 fruit streams_xattr zfsacl full_audit
>>   nt acl support = yes
>>   inherit acls = no
>> 
>> [group]
>>   read only = no
>>   path = /pool1/group
>>   hide unreadable = yes
>>   comment = Group spaces of %U
>>   create mask = 0660
>>   directory mask = 0770
>>   force create mode = 0660
>>   force directory mode = 0770
>>   ea support = yes
>>   store dos attributes = yes
>>   map archive = No
>>   map hidden = No
>>   map system = No
>>   map readonly = No
>>   vfs objects = fruit streams_xattr zfsacl
>>   acl map full control = False
>>   nt acl support = no
>>   inherit acls = no
>> 
>> [web]
>>   read only = no
>>   path = /pool1/web
>>   hide unreadable = yes
>>   comment = Web spaces
>>   create mask = 0664
>>   directory mask = 0775
>>   force create mode = 0664
>>   force directory mode = 0775
>>   ea support = yes
>>   store dos attributes = yes
>>   map archive = No
>>   map hidden = No
>>   map system = No
>>   map readonly = No
>>   vfs objects = zfsacl full_audit
>>   acl map full control = False
>>   nt acl support = no
>>   inherit acls = no
>> 
>> [data]
>>   path = /pool1/data
>>   hide unreadable = yes
>>   read only = no
>>   ea support = yes
>>   store dos attributes = yes
>>   map archive = No
>>   map hidden = No
>>   map system = No
>>   map readonly = No
>>   vfs objects = zfsacl full_audit
>>   acl map full control = False
>>   nt acl support = no
>>   inherit acls = no
>> 
>> 
> 
> 'unix extensions' is supposed to be set as a global option and if
turned on, is supposed to automatically turn off 'wide links'. However
'wide links' has been set to on, but globally rather than on a share by
share basis, this should turn off the warning message you are getting, but
isn't. Perhaps the reason is the way you have set 'wide links', try
using it on a share by share basis and see if it stops the messages. If that
doesn't work, you could try adding 'allow insecure wide links' to
the global section of your smb.conf
> 
> Rowland
Thanks for pointing out that 'wide links' is a per share option. We
(mis-)used it as global option ever since samba 3.5.x, when the default for
'wide links' changed. Made it a share option now. I'll report back
if it stopped the messages.

Best, Thomas