Re: [Samba] Removed params 'force security mode' etc. What to use instead?
I hate to bump, but surely someone can offer some input on this. At least question 1? Thanks, Brian On 7/3/2013 2:56 PM, Brian H. Nelson wrote: I noticed that the fix for bug 9190 (inc in samba 4.0) resulted in the removal of the following config parameters: security mask force security mode directory mask force directory security mode I have a couple questions regarding this, and haven't really seen any good info on it, so... 1) Why were they removed? There doesn't seems to be any explanation in the bug notes or release notes. Maybe I'm missing something? (not judging, just confused) 2) What can be used instead? I don't see any comparable settings in samba to obtain the same effect (preventing clients from removing certain security bits from existing files, ie group permissions) -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Removed params 'force security mode' etc. What to use instead?
On Thu, Jul 11, 2013 at 10:25:56AM -0400, Brian H. Nelson wrote: I hate to bump, but surely someone can offer some input on this. At least question 1? Thanks, Brian On 7/3/2013 2:56 PM, Brian H. Nelson wrote: I noticed that the fix for bug 9190 (inc in samba 4.0) resulted in the removal of the following config parameters: security mask force security mode directory mask force directory security mode I have a couple questions regarding this, and haven't really seen any good info on it, so... 1) Why were they removed? There doesn't seems to be any explanation in the bug notes or release notes. Maybe I'm missing something? (not judging, just confused) They were confusing a lot of people, and no one answered the call on samba-technical for a use case when the proposal came to remove them. Using Windows ACL mappings instead seemed like a better solution. Jeremy. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Removed params 'force security mode' etc. What to use instead?
On 05/07/13 16:10, Brian H. Nelson wrote: On 7/3/2013 4:54 PM, Jonathan Buzzard wrote: My guess is this is related to the Unix extensions. Basically certain versions of OS X; I can't remember which ones but 10.5 sticks in my mind but that might be related to symbolic links and it was 10.6 that was the problem, notice the file server does Unix extensions and then decides to go behind the Samba servers back and fiddle with the permissions. Indeed. Unfortunately (in this case) we had already disabled unix extensions a while back when 10.6.8/10.7 came out and we started seeing similar permission issues. I'm surprized that force security mode wouldn't work. That actually sounds like a bug if that's the case. I don't believe I ever actually tested it myself but we did pin that as another possible solution at that time. Hum, if Unix extensions are off, then I would try either putting some default POSIX ACL's on the folders or better still make sure the file system is mounted with extended attributes and use the acl_xattr module to do Windows ACL's and see if you cannot fix it that way. This seems to be a different but similar issue on some new machines with 10.8. I'm not yet sure if it's an OS issue or a application issue. So far, I've only seen it when a user 'packages' a project from Adobe InDesign. Many of the extra files in the 'package' (just a folder, not an archive or anything) end up without group permissions which is a big issue for them. My suggestion is to turn the debug level right up on your test setup and then trawl through it till you see exactly what is going on. It's time consuming but it was how I tracked down the Unix extension issue on Mac's issue and a similar wacky issue related to Office 2007/2010 and mapping of DOS attributes. JAB. -- Jonathan A. Buzzard Email: jonathan (at) buzzard.me.uk Fife, United Kingdom. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Removed params 'force security mode' etc. What to use instead?
On 7/3/2013 4:54 PM, Jonathan Buzzard wrote: My guess is this is related to the Unix extensions. Basically certain versions of OS X; I can't remember which ones but 10.5 sticks in my mind but that might be related to symbolic links and it was 10.6 that was the problem, notice the file server does Unix extensions and then decides to go behind the Samba servers back and fiddle with the permissions. Indeed. Unfortunately (in this case) we had already disabled unix extensions a while back when 10.6.8/10.7 came out and we started seeing similar permission issues. I'm surprized that force security mode wouldn't work. That actually sounds like a bug if that's the case. I don't believe I ever actually tested it myself but we did pin that as another possible solution at that time. This seems to be a different but similar issue on some new machines with 10.8. I'm not yet sure if it's an OS issue or a application issue. So far, I've only seen it when a user 'packages' a project from Adobe InDesign. Many of the extra files in the 'package' (just a folder, not an archive or anything) end up without group permissions which is a big issue for them. Brian -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] Removed params 'force security mode' etc. What to use instead?
Hello list, I noticed that the fix for bug 9190 (inc in samba 4.0) resulted in the removal of the following config parameters: security mask force security mode directory mask force directory security mode I have a couple questions regarding this, and haven't really seen any good info on it, so... 1) Why were they removed? There doesn't seems to be any explanation in the bug notes or release notes. Maybe I'm missing something? (not judging, just confused) 2) What can be used instead? I don't see any comparable settings in samba to obtain the same effect (preventing clients from removing certain security bits from existing files, ie group permissions) I have a situation currently where it looks like I will need to implement the above 'force' settings in my samba 3.x environment to deal with some misbehaving OS X clients that insist on stripping group permissions from files in certain situations. I'd rather not start using settings that I know are removed in future versions, but I'm not sure of a better way. Can anyone recommend the best way to deal with this? Thanks! Brian -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Removed params 'force security mode' etc. What to use instead?
On 03/07/13 19:56, Brian H. Nelson wrote: [SNIP] I have a situation currently where it looks like I will need to implement the above 'force' settings in my samba 3.x environment to deal with some misbehaving OS X clients that insist on stripping group permissions from files in certain situations. I'd rather not start using settings that I know are removed in future versions, but I'm not sure of a better way. Can anyone recommend the best way to deal with this? My guess is this is related to the Unix extensions. Basically certain versions of OS X; I can't remember which ones but 10.5 sticks in my mind but that might be related to symbolic links and it was 10.6 that was the problem, notice the file server does Unix extensions and then decides to go behind the Samba servers back and fiddle with the permissions. Here is the kicker however the force settings don't help. It would appear that you can override them using the Unix extensions. The only solution I could come up with was turning Unix extensions off. The basics are the SMB client in OS X seems to change it's behaviour with every major release, and a working config that deals with them all is hard to come by. The rewritten client in 10.7 was particularly bad especially in early point releases. From memory it did not become usable till 10.7.3 JAB. -- Jonathan A. Buzzard Email: jonathan (at) buzzard.me.uk Fife, United Kingdom. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
