« Extended attributes, Office 2007 clients via SMB from Xsan | Main | Snow Leopard's Samba adds unwanted directives to shares »

ACLs not being properly honored in Samba with XP clients


NB: Snow Leopard Server (10.6) handles directives on shares differently than with Leopard Server. Please also read this article if you are using Mac OS X Server 10.6 and Samba for new information on how to address the issues below.

Back in January 2008, I began to notice troublesome behavior with Windows clients connecting to my Mac OS X Server 10.5 fileserver.  When some Windows clients, particularly Windows XP users, try to connect to a share, they can create a folder but can't change the name of the folder from "New Folder". Also, they can drop a file on the share, but not change that name, either. This always happened when activity was performed at the root level of the network share, while subfolders behaved as expected. If the network share had 777 (rwxrwxrwx) at the root level, all worked well, which indicated a permissions issue, not so much a communication issue. BUt it's the ACLs that caused grief.  I posted this to the Mac OS X Server list hosted by Apple.

Troubleshooting tips
One good tool is to use smbstatus to confirm the shares are valid and to see if people are working with files (indicated by being locked). You can also run the shares command to see your sharepoints. Double-check your ACLs by doing an ls -l@ and observe the output. Increase the verbosity of Samba logging by editing your /etc/smb.conf file, increasing the integer slightly, between one and ten (though five and above becomes very, very noisy).

Probable Solution
If you read the man page for smb.conf and search for nt acl support; you'll see information about how Samba matches Windows NT permissions to POSIX-style permissions. This was the method used by Windows XP, while later versions of Windows used the more Windows-like ACLs which is analogous to Mac OS X ACLs. The net effect was that XP read the permissions in an undesirable way, paying attention to Samba's method instead of Mac OS X Server's method. We want the server OS to control access, not Samba.

Edit your /etc/smb.conf file to add nt acl support = no where appropriate — at the end of the file below the notes, in its own [Global]section. Do not edit the hooked /var/db/smb.conf file because that's associated with Server Admin (which writes to an XML file while another process converts that into a Samba conf file — change it here and it will likely get wiped).

See also
• Samba in 10.6 adds two directives to any share that must be manually overridden. • (Somewhat deprecated) Samba + OpenLDAP + Kerberos + AFP + Leopard = ♥
Guide
• Samba and extended attributes
• Samba and ADS
Hiding directories in Samba that have spaces in the name
• Scary Excel "Share Workbook" feature behavior with Samba (See also Apple KB article.)
Invalid characters in extended attributes on Samba directories

TrackBack

TrackBack URL for this entry:
http://www.stanford.edu/group/macosxsig/cgi-bin/mt/mt-tb.cgi/87

Comments (1)

Windows Server 2003 is an upgrade of Windows 2000 Server.Windows XP was Microsoft’s move to provide an upgrade to various desktop/workstation OS versions like Windows 2000 Professional,Windows ME and Windows 98.Windows XP is a pretty good desktop/workstation OS as long a you keep it protected and do regular maintenance to it.

Post a comment

(If you haven't left a comment here before, you may need to be approved by the site owner before your comment will appear. Until then, it won't appear on the entry. Thanks for waiting.)


About

This page contains a single entry from the blog posted on January 7, 2010 10:18 AM.

The previous post in this blog was Extended attributes, Office 2007 clients via SMB from Xsan.

The next post in this blog is Snow Leopard's Samba adds unwanted directives to shares.

Many more can be found on the main index page or by looking through the archives.

Creative Commons License
This weblog is licensed under a Creative Commons License.
Traffic analyzed by Google Analytics. Site powered by Movable Type 4.32-en