samba - Feb 2024 - Windows text file encoding vs Unix Samba server

On Thu, 1 Feb 2024 14:40:54 +0100
tlaronde at kergis.com wrote:
> On Thu, Feb 01, 2024 at 01:00:25PM +0000, Rowland Penny via samba
> wrote:
> > On Thu, 1 Feb 2024 13:30:56 +0100
> > Thierry LARONDE via samba <samba at lists.samba.org> wrote:
> > 
> > > Hello,
> > > 
> > > I have a NetBSD (currently kernel 9.2 without kernel ACL support)
> > > server serving files via Samba to, mainly, a heterogeneous
> > > network of MS Windows nodes with various versions, but the (new)
> > > problem I face does not depend on the MS version or the cifs
> > > protocol version.
> > > 
> > > It used to work with Samba 3.6.* but it doesn't with 4.18.9
(the
> > > Samba version installed).
> > > 
> > > Even when the Windows' user has full control other a (Unix)
file,
> > > in some cases: apparently always text or considered as text
> > > files, some programs can't modify the file that the user
totally
> > > controls and we have to save under another pathname, before
> > > removing the old file and putting the new version in its stead.
> > > 
> > > I thought, at the beginning, that there had something to do with
> > > the names of temporary files (unable to create the temporary or
> > > to rename the temporary). But there is no problem with the
> > > temporary names (they are created).
> > > 
> > > There is no problem when a program handles a binary file (the
> > > program can modify the file).
> > > 
> > > So I begin to suspect that this has something to do with
> > > localisation: that the Unix file is declared, by default, to have
> > > a certain encoding for a certain lang or that, in fact, nothing
> > > is declared related to encoding or lang, so that the Windows
> > > client considers it can not deal with a text file whose lang and
> > > encoding is unknown or for a combination it does not support.
> > > 
> > > Is there something l10n/i18n related indeed in the CIFS protocol?
> > > 
> > > TIA for any tip or any link to documentation that may shed some
> > > light on the subject!
> > 
> > I don't think you have given us enough information here to even
> > guess at an answer.
> > 
> > What Windows versions are you using ?
> From Windows 7 (Pro) to Windows 11 (Pro). But same problem on every
> Windows client
> 
> > How are you running Samba ?
> with winbindd(8), nmbd(8) and smbd(8)
> 
> > Is there an AD domain involved ?
> No.
> 
> > What 'program' or 'programs' are involved ?
> Notepad; LibreOffice (when creating an xlsx or exporting to pdf);
> sam (pdf 2 pdf converter).
> 
> > Could it be a 'locking' problem ?
> 
> The problem is that there is a problem, but that I'm trying to
> identify what is wrong. So may be locking, but how can I know?
> 
> What is strange, is that the very same user can create a file; can
> delete a file; but can't modify a file if it is not a binary file.
> 
> > What is in your smb.conf ?
> 
> Here it is (some network or user values edited):
> 
> ---8<---
> # Version 4.18.9
> #
> #======================= Global Settings
> ===================================== [global]
> workgroup = AGROUP
> server string = Samba %v (%h)
> server role = standalone
> security = user
> 
> idmap config * : backend = autorid
> idmap config * : range = 100000-299999
You are running Samba as a standalone server, so the 'idmap config'
lines will require winbind, which isn't normally run on a standalone
server, mainly because you would need to join the server to a domain.
I notice you say you are running winbind, why ?
> passdb backend = smbpasswd
smbpasswd was replaced by tdbsam years ago, before 3.6 if I recall
correctly.
> 
> hosts allow = 192.168.xxx.0/24 127.
> 
> local master = no
> domain master = no
> preferred master = no
> 
> min protocol = core
> max protocol = SMB3
> client min protocol = core
> client max protocol = SMB3
> ntlm auth = true
> hide dot files = No
> acl group control = no
> 
> # Does it make any difference? The current kernel has no ACL support
> # while the filesystem can have---but not mounted with support.
> #
> acl map full control = yes
Well both the 'acl' parameters are the defaults and may be doing things
that you do not realise, I suggest you read 'man smb.conf' about the
two parameters.
> 
> blocking locks = no
> 
> log level = 2
> 
> #============================ Share Definitions
> ============================== [shared]
> comment = This Unix dir is shared with Windows clients
> path = /some/dir
> writable = yes
> printable = no
> valid users = one_user
> write list = one_user
> force group = users
> vfs objects = acl_xattr
If your kernel has no ACL support, it might be pointless to set that
vfs object.
> inherit owner = yes
> inherit permissions = yes
> --->8---
> 
> > There have been a lot of changes since 3.6.x
> 
> No doubt about that! ;-)
It might be worth while considering setting up a Samba AD domain, this
may be worth it if you have a lot of computers, at least your clients
sound like they could join a domain.

At the very least, set up your standalone server correctly, turn off
winbind and see how you go on.

Rowland

On Thu, Feb 01, 2024 at 03:24:40PM +0000, Rowland Penny via samba
wrote:
> > > 
> > > What Windows versions are you using ?
> > From Windows 7 (Pro) to Windows 11 (Pro). But same problem on every
> > Windows client
> > 
> > > How are you running Samba ?
> > with winbindd(8), nmbd(8) and smbd(8)
> > 
> > > Is there an AD domain involved ?
> > No.
> > 
> > > What 'program' or 'programs' are involved ?
> > Notepad; LibreOffice (when creating an xlsx or exporting to pdf);
> > sam (pdf 2 pdf converter).
> > 
> > > Could it be a 'locking' problem ?
> > 
> > The problem is that there is a problem, but that I'm trying to
> > identify what is wrong. So may be locking, but how can I know?
> > 
> > What is strange, is that the very same user can create a file; can
> > delete a file; but can't modify a file if it is not a binary file.
> > 
> > > What is in your smb.conf ?
> > 
> > Here it is (some network or user values edited):
> > 
> > ---8<---
> > # Version 4.18.9
> > #
> > #======================= Global Settings
> > ===================================== [global]
> > workgroup = AGROUP
> > server string = Samba %v (%h)
> > server role = standalone
> > security = user
> > 
> > idmap config * : backend = autorid
> > idmap config * : range = 100000-299999
> 
> You are running Samba as a standalone server, so the 'idmap config'
> lines will require winbind, which isn't normally run on a standalone
> server, mainly because you would need to join the server to a domain.
> I notice you say you are running winbind, why ?
Because I first run without (with a configuration that was working
with Samba 3.6.*) and it was not working. I had then no winbindd(8)
running.

Trying to test, on the Unix server, with smbclient(1), at least,
adding winbindd(8) I had supplementary informations.

I tested: winbindd is not a problem, since it doesn't work without it
either...
> 
> > passdb backend = smbpasswd
> 
> smbpasswd was replaced by tdbsam years ago, before 3.6 if I recall
> correctly.
Yes, I read that in the documentation. But it is still supported, and
I tested tdbsam also with no difference (smbpasswd is just, if I'm not
mistaken, a front-end; so should not change a lot of things). BTW, I
removed the databases and re-created user and password. Without any
change.
> 
> > 
> > hosts allow = 192.168.xxx.0/24 127.
> > 
> > local master = no
> > domain master = no
> > preferred master = no
> > 
> > min protocol = core
> > max protocol = SMB3
> > client min protocol = core
> > client max protocol = SMB3
> > ntlm auth = true
> > hide dot files = No
> > acl group control = no
> > 
> > # Does it make any difference? The current kernel has no ACL support
> > # while the filesystem can have---but not mounted with support.
> > #
> > acl map full control = yes
> 
> Well both the 'acl' parameters are the defaults and may be doing
things
> that you do not realise, I suggest you read 'man smb.conf' about
the
> two parameters.
> 
I read it. But I'd like to know if there is some good documentation,
somewhere (I don't mean that it has to be served by samba.org) about
the MS Windows side about ACL, users, groups, permissions and mapping
to POSIX like equivalents.

I bought a book about Active Directory and for the moment, 95% of the
writing is advertising for Azure ("AD is deprecated; for the threats
you need to go in the cloud") so I'm almost as clueless as I was
before starting the reading...
> > 
> > blocking locks = no
> > 
> > log level = 2
> > 
> > #============================ Share Definitions
> > ============================== [shared]
> > comment = This Unix dir is shared with Windows clients
> > path = /some/dir
> > writable = yes
> > printable = no
> > valid users = one_user
> > write list = one_user
> > force group = users
> > vfs objects = acl_xattr
> 
> If your kernel has no ACL support, it might be pointless to set that
> vfs object.
> 
smbclient(1) speaks more verbosely with this set.
> > inherit owner = yes
> > inherit permissions = yes
> > --->8---
> > 
> > > There have been a lot of changes since 3.6.x
> > 
> > No doubt about that! ;-)
> 
> It might be worth while considering setting up a Samba AD domain, this
> may be worth it if you have a lot of computers, at least your clients
> sound like they could join a domain.
> 
> At the very least, set up your standalone server correctly, turn off
> winbind and see how you go on.
I read the wiki and started simple since "standalone" is supposed to
be straightforward. But the simple doesn't work while it was working
with 3.6.

I guess I will have to read the sources to understand what is going
on...

Thanks nonetheless,
-- 
        Thierry Laronde <tlaronde +AT+ kergis +dot+ com>
                     http://www.kergis.com/
                    http://kertex.kergis.com/
Key fingerprint = 0FF7 E906 FBAF FE95 FD89  250D 52B1 AE95 6006 F40C