This week I migrated our main server from Fedora 8 to Fedora 11. It has been a stressful time, but things are mostly working. Samba and LDAP weren't really a problem, but I've beaten down the list of problems to something Samba related.

(For the benefit of anyone else going this route, the biggest problem by far was iptables. Maybe we had it turned off under FC8, but I suspect it has grown some teeth. Pretty quickly you learn that when faced with a new problem one first should shut down iptables and see if it goes away.)

I spent half a day looking into why smbldap-useradd was generating an error about a missing object. After saving copies of the Perl scripts, I started adding print statements to them. It turns out that I had dropped the 's' off of Groups in a dn.

Right now I can add machines to the domain, and then log in on accounts pulled off the backup. I am pleasantly surprised that I didn't have to edit the SIDs for the users. I did one account by hand to test with, and then when I sat down to do the rest I saw that something had gone in and fixed all the SIDs. Maybe I'm crazy, and maybe I am imagining things.

But what I am stuck on at the moment is some sort of permissions problem with user profiles. Perhaps someone can set me straight. I have the split profile structure (profiles and profdata) as mentioned in ch 5 of "Samba By Example". The files live on a NAS box, and are exported via NFS. Root squashing is turned on. Smb.conf re-exports these to client machines.

I'm sure this is probably making my life harder, but we just don't have the disk space on the server since there are people who don't blink at putting 10G on their desktop. I can ask them not to, but that doesn't help. I give them a mounted home directory with tons of free disk space, but they are addicted to the Windows desktop. In this case, "happy users" means I need to accept they are going to do this. We have folder redirection in place, and the profiles on a nice big/fast disk.

The problem is that Windows does not have permission to work with these directories. It seems like a trivial problem, but it isn't making any sense and I am exhausted from no sleep this week. As root, I can access files in the folders. With Samba's debugging set at 10 for a client, it appears that the accesses are performed as root but failing.

If I have a folder set to 2770 owned by the user, and the user's primary group, Windows cannot access the share. If I give the world access, Windows is happy. If I move the profile out of the way, Windows creates a new one with 2755 and the same owner/group. When one tries to log out and log back in, Windows has a fit about corrupted recycle bins, which I take to mean that it doesn't have write permission. "Samba By Example" suggests 750 for the profdata subdirectories, and Windows is definitely unhappy with that.

If anyone has any suggestions, I would very much like to hear them.

Jon Doran
University of North Texas LARC
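
The following is an added example, not part of the original post: a small model of how owner/group/other mode bits evaluate when a request arrives at an NFS export as root and root squashing is on, using the modes mentioned above (2770, 2755, 750, world access). The anonymous uid/gid of 65534 and the profile owner uid/gid of 1001 are assumptions chosen for illustration.

```python
"""Model of POSIX mode-bit checks for a client whose root is squashed by NFS."""
from dataclasses import dataclass

ANON_UID = ANON_GID = 65534  # assumed anonuid/anongid (a common Linux default)


@dataclass(frozen=True)
class Cred:
    uid: int
    gid: int
    groups: frozenset = frozenset()


def squash(cred: Cred, root_squash: bool = True) -> Cred:
    """Return the identity the NFS server evaluates for this client credential."""
    if root_squash and cred.uid == 0:
        return Cred(ANON_UID, ANON_GID)  # root loses its identity and its groups
    return cred


def allowed(mode: int, owner: int, group: int, cred: Cred, want: int) -> bool:
    """Classic owner/group/other check; `want` is a mask of r=4, w=2, x=1."""
    if cred.uid == 0:
        return True  # simplified: unsquashed root bypasses directory mode bits
    if cred.uid == owner:
        bits = (mode >> 6) & 7
    elif group == cred.gid or group in cred.groups:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    return bits & want == want


def report(modes, owner, group, cred, root_squash=True):
    """Map each octal mode to (can_read_and_traverse, can_write) for cred."""
    seen = squash(cred, root_squash)
    return {oct(m): (allowed(m, owner, group, seen, 5),
                     allowed(m, owner, group, seen, 2)) for m in modes}


if __name__ == "__main__":
    # Constructed sample: a profile directory owned by uid/gid 1001.
    modes = [0o2770, 0o2755, 0o750, 0o2777]
    for label, cred in (("root via NFS", Cred(0, 0)),
                        ("owner via NFS", Cred(1001, 1001))):
        for m, (rx, w) in report(modes, 1001, 1001, cred).items():
            print(f"{label:14} {m:>7}  read/traverse={rx}  write={w}")
```

In this model a squashed root falls into the "other" class, so it is denied on 2770 and 750, can read but not write on 2755, and succeeds only when the world bits grant access, while the owning user passes in every case.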