Setting up SMB to respect ACL

Hi,
I've set up my 10.6.3 server to use ACLs and it works fine over AFP. However, I have a bunch of problems with the AFP service, so I checked whether SMB was giving me the same problem, and it doesn't. So, I want to change my users to use SMB instead of the de facto AFP. All clients are Macs (10.5.8 and 10.6.x). Using SMB, right now, it looks like it uses the POSIX permissions and just ignores the ACL on the share point. So how can I make SMB work like AFP where permissions are concerned? I've changed the umask on each client machine and on the server so the default folder creation is 775 instead of 755, but if they copy something to the server that was created prior to that change, the files are read-write by the owner only and read-only for the group and others.
There is also the issue of special characters not supported by SMB that are supported by AFP. Is there a list of those characters, specifically for the OS X server SMB implementation?
TIA
Jeff

You want to map Oracle Files to your Windows client?
Open up a command prompt and do the following:
net use * \\hostname.domain\MyHome
What this does is map what you see in Oracle Files via the web interface:
my private files
my public files
my workspaces
to the next available drive letter on your PC. The various file sections (listed above) should appear as folders under that drive.

Similar Messages

  • Windows rename on SMB share ignores ACLs

    We're getting ready to put ACLs on our file server into production use, and I was checking to make sure that the file sharing experience for Windows users via SMB mounts would match what OS X users see via AFP mounts to the same shared folders and files.
    I've discovered that when Windows users rename files and folders via SMB mounts, the permissions are controlled by the POSIX privileges of the enclosing folder, and ACL privileges appear to be completely ignored. I have a simple test case where I prepare a shared test folder that grants a particular user full access via an ACL, but no access via POSIX (this is deliberate). Via AFP on an OS X system, the user can do whatever they want on the share, as you'd expect. They have no problems renaming or deleting items; their ACL privileges are properly observed. However, when the same user logs onto a Windows system and accesses the share via SMB, if they create a folder or file, they won't be able to rename it. The only way to get around that appears to be to grant them POSIX read/write privileges on the enclosing folder (not on the item itself). For this one operation, it would appear that POSIX privileges are observed, but ACLs are being ignored. [This has been submitted to Apple as a Bug Report (Problem ID 6143881).]
    We're running OS X Server 10.5.2, but plan to upgrade to OS X Server 10.5.4 once our ACLs are running in a production setting. I wonder if other folks see the same problem with renaming files or folders in Windows with SMB shares in OS X Server 10.5.4.
    On my server, on an AFP+SMB share, I create a test folder with the following privileges:
    ls -led path/to/testfolder # Show POSIX settings & ACLs for test folder
    drwx------+ 2 root wheel 68 Aug 12 11:25 testfolder
    0: user:myuser allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit
    These privileges can be set via the following commands. Within an AFP+SMB share, create a test folder as follows:
    sudo mkdir -p /path/to/testfolder
    cd /path/to/testfolder
    sudo chmod -R -N . # Remove any inherited ACLs from testfolder
    sudo chmod u=rw+X,go= . # Set POSIX privileges to octal 700
    sudo chown root:wheel . # Set POSIX owner & group
    sudo chmod +a "user:myuser allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit" . # Grant myuser full access via an ACL on the current folder
    From Windows, navigate to the testfolder on the SMB share. You can do this as a Network Place, Mapped Network Drive, or by explicitly navigating to
    \\myserver\myshare\path\to\testfolder
    Create a new folder in Windows Explorer. It will come up by default named "New Folder". Try to rename it and you'll get a Windows error: "Error Renaming File or Folder. Cannot rename New Folder: Access is denied. Make sure the disk is not full or write-protected and that the file is not currently in use."
    Run the Note Pad accessory. Create a file in the testfolder named "Foo.txt". Try to rename it in Windows Explorer. Same problem.
    If you perform equivalent operations on an OS X System via AFP mount to the same test folder, you won't have any problems; the ACL privileges will be correctly granted.
    The only workaround I've been able to come up with to grant Windows users "rename" privileges on our SMB mounts is to do so by enabling read/write POSIX privileges on the enclosing folder ("testfolder"). You can either:
    1) Make the user the POSIX owner of the enclosing folder, and grant the owner read/write access, or
    2) Set the POSIX group to a group the user is a member in, grant that group read/write access, or
    3) Enable POSIX world read/write access (careful!).
    Without POSIX read/write privileges to the enclosing folder, it would appear that Windows users on SMB shares can't rename files or folders. Interestingly, they can upload folder hierarchies with arbitrarily named files and folders and won't run into problems; it's specifically when items are renamed when they already exist that you may run into problems.

    Just an FYI: I received a response to my bug report. Apple reports that this problem has probably already been addressed in OS X Server 10.5.3, so it's likely this issue will disappear when I update my server from 10.5.2 to 10.5.4.
    If you look at http://support.apple.com/kb/HT1142, there's this item:
    File Services
    The smb.conf file is updated to include the line "acl check permissions = no" in order to provide expected permissions behavior for Windows clients connecting to the SMB service.
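
The test case in this post (and the question at the top of the page) comes down to which permission set each file service consults. The following is an added example, not code from Apple, Samba or the poster: it parses the `ls -led` listing above and evaluates a rename inside the folder two ways, ACL first with POSIX fallback as AFP does, and POSIX mode bits only as Samba's `acl check permissions = yes` pre-check does. The sample listing is constructed from the post; the user's group membership is an assumption.

```python
import re

# Constructed from the post's `ls -led` listing: a 0700 root:wheel folder with
# one allow ACE for "myuser" (the stray space in the original listing removed).
LS_LED_OUTPUT = (
    "drwx------+ 2 root wheel 68 Aug 12 11:25 testfolder\n"
    " 0: user:myuser allow list,add_file,search,delete,add_subdirectory,"
    "delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,"
    "writesecurity,chown,file_inherit,directory_inherit\n"
)

_MODE_RE = re.compile(r"^[d-]([rwxsStT-]{9})[+@]*\s+\d+\s+(\S+)\s+(\S+)")
_ACE_RE = re.compile(
    r"^\s*\d+:\s+(user|group):(\S+)\s+(?:inherited\s+)?(allow|deny)\s+(\S+)")


def parse_ls_led(text):
    """Return (mode, owner, group, aces) from macOS `ls -led` output.

    aces keeps listing order, which is also the order macOS evaluates them in.
    """
    lines = [l for l in text.splitlines() if l.strip()]
    m = _MODE_RE.match(lines[0])
    if not m:
        raise ValueError("not an ls -l header line: %r" % lines[0])
    perm, owner, group = m.groups()
    mode = 0
    for i, ch in enumerate(perm):      # rwx triplets: user, group, other
        if ch not in "-ST":            # S/T = setuid/sticky shown without x
            mode |= 1 << (8 - i)
    aces = []
    for line in lines[1:]:
        am = _ACE_RE.match(line)
        if not am:
            raise ValueError("malformed ACE line: %r" % line)
        kind, name, effect, rights = am.groups()
        aces.append((kind, name, effect, set(rights.split(","))))
    return mode, owner, group, aces


def posix_allows(mode, owner, group, user, user_groups, want):
    """Plain mode-bit check (`want` is 'r', 'w' or 'x'); no ACL involved."""
    shift = {"r": 2, "w": 1, "x": 0}[want]
    if user == owner:
        cls = 6
    elif group in user_groups:
        cls = 3
    else:
        cls = 0
    return bool(mode & (1 << (cls + shift)))


def acl_decides(aces, user, user_groups, right):
    """First ACE naming both the principal and the right wins; None if no ACE
    speaks to this right (macOS then falls back to the POSIX mode)."""
    for kind, name, effect, rights in aces:
        applies = (name == "everyone"
                   or (kind == "user" and name == user)
                   or (kind == "group" and name in user_groups))
        if applies and right in rights:
            return effect == "allow"
    return None


def rename_check(ls_led_text, user, user_groups):
    """Can `user` rename an entry inside this folder?

    "afp": ACL consulted first, POSIX mode only as a fallback.
    "smb_posix_only": what Samba's 'acl check permissions = yes' pre-check
    sees on the open-for-delete request: mode bits alone, the ACE never counts.
    """
    mode, owner, group, aces = parse_ls_led(ls_led_text)
    # Removing the old directory entry needs delete_child on the folder; in
    # POSIX terms that is write plus search (x) on the folder.
    posix_ok = (posix_allows(mode, owner, group, user, user_groups, "w")
                and posix_allows(mode, owner, group, user, user_groups, "x"))
    acl = acl_decides(aces, user, user_groups, "delete_child")
    afp_ok = posix_ok if acl is None else acl
    return {"afp": afp_ok, "smb_posix_only": posix_ok}


if __name__ == "__main__":
    # Group membership for myuser is assumed; it does not matter for 0700.
    print(rename_check(LS_LED_OUTPUT, "myuser", {"staff"}))
    # -> {'afp': True, 'smb_posix_only': False}
```

The second dictionary entry is exactly the "Access is denied" the post describes, and each of the three POSIX workarounds listed later flips it to True without touching the ACL.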

  • Setting up SMB

    I usually stream movies through a Dune player. The movies are streamed via SMB through a Windows laptop. Can I do this through an Awesome WM setup on a different computer in VirtualBox? Any help would be much appreciated. Apologies if this should be posted in a different forum.

    I'm not sure I understand.
    Even if I understand right, I can't figure out why you would like to run a Samba server in VirtualBox?
    And I don't see any link with Awesome.
    Anyway, here is all you need to install and set up Samba:
    https://wiki.archlinux.org/index.php/Sa … e_mounting

  • How can I set up SMB file sharing to share my PC external hard drive on my Mac with no password protection?

    I am having the worst trouble with two things. I am very aware how to get the server to show up via SMB, but every time I log off the MacBook, the servers disappear. OK, so I went into "System Preferences" and hit "Users and Accounts" and added the server as a login item. Worked well, except how do I stop that password prompt from coming up? I am using a Guest account with no password but I continue to get the password prompt. There is nowhere to hit remember password or anything. I have the option to remember the password in the keychain but I have no way of preventing the pop-up.
    Another issue I'm having is I have a Canon Pixma MP620 printer connected to my PC through USB. Three other PCs can connect wirelessly to print through the home network. My Mac does not find the printer, and when I manually add it, it recognizes it but WILL NOT print. It comes up with error messages like "Authentication Required" and connection issues between printers.
    I have no password protection on my PC and have enabled sharing of all devices and folders through the Homegroup on the PC. I just can't figure it out. I am new to Mac and would love to get these two things figured out.
    Thanks in advance for reading!

    Hi Bengt, Thanks for your input, much appreciated.
    I have a WD 1TIG hard drive and am using a USB connection; is it possible to use FireWire with these? I have had trouble with a lot of the videos I imported: once they downloaded, the file in the viewer window showed up blank, and when I mouse over them it places a picture of another file in the window and won't drag and drop into the movie window, like they're corrupted or something. Had to delete just about all of them and start again. Also, is it possible to select a bunch of videos in the viewer window so as to change the dates to the correct dates? All I have been able to do is "select all", which is no help.

  • Samba - Can't write to a share with "unix extensions = no" set in smb.

    Hello @all!
    Unfortunately, I have a problem writing to a Samba share which I'm unable to solve.
    My /etc/samba/smb.conf :
    [global]
    workgroup = w
    server string = server
    security = user
    load printers = no
    log file = /var/log/samba/%m.log
    max log size = 50
    dns proxy = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes
    unix extensions = no
    # if I comment above line, I can write to /home/shareuser/writable
    follow symlinks = yes
    wide links = yes
    [writable]
    comment = test
    writable = yes
    valid users = shareuser
    path=/home/shareuser/writable
    shareuser has valid passwd and smbpasswd (-a)
    I mount the share like this:
    mount -t cifs //server/writable mountpoint/ -o username=shareuser
    With
    unix extensions = yes
    , I can write to the share.
    With
    unix extensions = no
    , I can't write to the share.
    What I try to achieve in the end, is to have a writable password protected share, which forwards file permissions to clients and also allows them to access directories and files which are symlinked into the share directory (both from linux and windows clients if that's even possible).
    PS: I also posted this on stackexchange.com (http://unix.stackexchange.com/questions … n-smb-conf)
    PPS: Since I'm using systemd without syslog I had to create the /var/log/samba directory before smbd logged anything.
    Thank you in advance for any help
    Last edited by MCH (2012-09-23 20:59:41)

    First off, don't use finalize(). It is never guaranteed to actually run.
    Just add a cleanup() method to your Account class that flushes and closes the writer; and call it before you exit main().
    Now, as for your Date problem
    java.util.Date certainly does have a no-args constructor.
    java.sql.Date does not.
    Make sure you aren't getting a name collision. (Hint: if you're doing import java.foo.*, stop doing that; just import the classes you need.)

  • Outbound party Settings picking fallback setting instead of the respective party agreement

    I have an application generating the COPARN EDI message, but the values for the UNB segment are being fetched from the EDIFACT fallback settings instead of the Party Agreement settings. I have added the send port filter in the party agreement but still the fallback settings are being chosen. Kindly advise what should be done to pick the sender and receiver values from the party agreement settings.
    Regards, Vivin.

    Not sure if you have already done the step below, you need to associate the Send Port with the Agreement.
    - In the outgoing Agreement tab (you->them) choose: Interchange Settings | Send Ports
    - Choose the Send Port where you use the EDISend Pipeline
    - Restart your Host Instance(s)
    Morten la Cour

  • Has anyone successfully set up scan to smb to mac os 10.7.x from a Konica Minolta bizhub

    Has anyone successfully set up scan to smb to mac os 10.7.x from a Konica Minolta bizhub. I'm using 10.7.3 on MacBook Pro. Don't care what model bizhub is being used as I have access to many. I've seen the posts for FTP workarounds but want to use SMB if that is an option. Any suggestions? Thank you!

    petermtnbk wrote:
    I've read other discussions that have suggested changing the format of the username and password when having login problems. I'm not familiar with NT-Status Codes. Could changing the format of the username make any difference? Something like... "workgroup/username" or "username@domain" or "domain/username" or some other combination of workgroup, domain, username, computername.
    The issue has nothing to do with the format of the user authentication. What you are reading is about the Lion Mac connecting to a Windows computer that is part of domain or workgroup. The method changed slightly compared to Snow Leopard.
    KM does support FTP so that is still an option, but I would ideally like to set up SMB scanning. I'm not sure if KM is going to support AFP anytime soon.
    With the lack of SMB support and KM offering no alternative at this stage then I suggest you look at using FTP. While Lion removed the option to enable FTP via the Sharing pane in System Preferences, it can still be enabled via Terminal using the following command
    sudo -s launchctl load -w /System/Library/LaunchDaemons/ftp.plist
    You will be prompted to authenticate using your Mac's admin account & password. Once this is done, you can then configure the address on the copier to push scan using FTP. The keys are:
    The host name requires just the IP address. No leading slashes like SMB
    The path will be the folder that you want to scan to, also entered without a leading slash. For example, Desktop
    The user name will be the short name of the account whose folder you want to scan to.
    The only other option may be WebDAV if the KM supports it. We have this with our imageRUNNER ADVANCE and with a document scanned to a shared folder in the copier hard drive, we can then connect to that folder by using Finder's > Go > Connect to Server facility. You then just enter
    http://ipaddress/share
    which connects you to the shared folder and lets you see the document you scanned. You also have the facility to set subfolders for security of users' documents.

  • Files lose ACLs on SMB.

    I have noticed that all the files viewed via SMB don't have their custom attributes or metadata associated with them, i.e. they lose their ACLs.
    when I right-click on any file on the SMB drive, and check the properties then I
    get the message "Failed to load properties from server" on the iFS Attributes tab and the iFS Versioned tabs.
    Please, let me know if you are aware of this and give me an ETA on when it will be fixed. This is really important for my Company because, without ACLs via SMB then file management for our users cannot be conducted.
    Thanks..

    Hi Joyce,
    I have the oracle IFS utilities installed.
    My issue doesn't have to do with using the iFS utilities. It is a general issue that I have opened a tar on and have been trying to make it a priority level 1 issue.
    None of the files that I view via SMB have any ACLs. This may have to do with the SMB protocol or how Microsoft Office files are opened on the SMB drive. For further clarification on this issue please check TAR # 13252436.999.
    I really think this is an issue that needs immediate attention, especially for companies like mine who want to use this product for clients who will mostly access files via SMB.
    Thanks..

  • Cannot switch SMB codepage setting

    Hi all,
    This is my first post. Sorry for my poor English.
    In "Server Admin" tool - "SMB" service - "Advanced" settings page,
    I'd like to switch the setting for SMB codepage from "Latin US (437)" to "Japanese SJIS (932)", but I can't.
    When I choose "Japanese SJIS (932)" and click "Save", the setting is reset to "Latin US (437)" automatically.
    I've never seen such a phenomenon in my Panther Server (v10.3.9) environment.
    Is this my mistake or not?
    FYI;
    I've installed my Leopard Server newly, and its structure is "Advanced".
    AFP, DHCP, FTP and SMTP are also run.
    Finally, so sorry if a question like this has already been solved in another discussion page.
    Message was edited by: Fanoar

    I can confirm that I have the same problem be it any type of configuration in 10.5.0 and 10.5.1 servers. Manually editing /etc/smb.conf didn't change it in the admin interface. (Line: dos charset = 437). After manual edit, change in admin still doesn't change it in the smb.conf. But it stays okay in the smb.conf file, stopped and started SMB service and it stays correct in the smb.conf file. However,...
    manually editing /var/run/smb.conf changed it for admin interface.
    Which is included from /etc/smb.conf. This will overrule the other value as this include statement comes later... Touching the admin interface changes back /var/run/smb.conf line: dos charset = CP437. So the big question is, where does the admin interface get this default from?

  • Issue in PowerShell with setting inheritance

    I have a script that I need some assistance in configuring permission inheritance on a collection of folders and subfolders
    Here's what I have so far:
    cls
    Set-Location "C:\Set-ACL"
    $log = "C:\Set-ACL\Folders.txt"
    # Gets the ACL from a folder with the correct permissions already set
    $ACL = Get-Acl -Path "C:\Folder\subfolder\subfolder\subfolder"
    # Keep only the folders whose name contains "01-" (Select-String would return MatchInfo objects, not folders)
    $Folders = Get-ChildItem -Path "E:\Folder\Subfolder\*\*" | Where-Object { $_.PSIsContainer -and $_.Name -like "*01-*" }
    $Folders | ForEach-Object { $_.FullName } >> $log
    Start-Process $log -Wait
    # Function to pause the script while ignoring modifier keys like Ctrl etc.
    Function Pause4user($M = "Press any key to continue setting ACL's, Ctrl + C to quit . . . ") {
        If ($psISE) { $S = New-Object -ComObject "WScript.Shell"; $B = $S.Popup("Click OK to continue.", 0, "Script Paused", 0); Return }
        Write-Host -NoNewline $M
        # Virtual key codes of Shift/Ctrl/Alt/Caps/Win/NumLock/ScrollLock and browser/media keys to ignore
        $I = 16, 17, 18, 20, 91, 92, 93, 144, 145, 166, 167, 168, 169, 170, 171, 172, 173, 174, 175, 176, 177, 178, 179, 180, 181, 182, 183
        While ($K.VirtualKeyCode -Eq $Null -Or $I -Contains $K.VirtualKeyCode) { $K = $Host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown") }
        Write-Host
    }
    Pause4user
    # Apply the reference ACL to each matched folder; the loop variable is $Folder, not the whole $Folders list
    foreach ($Folder in $Folders) {
        Set-Acl -Path $Folder.FullName -AclObject $ACL
    }
    Write-Host "ACL's Set"
    Remove-Item $log
    The issue I'm finding is that the permissions I have defined in the variable $ACL are not passed to all subfolders, and using -Recurse after the Get-ChildItem looks like it would do the job but doesn't work because of the 260 character limit on the path.
    Is there a way to set the permissions on the folders returned in the $Folders variable and inherit these permissions to everything underneath it therefore not running into the path limit?
    P.S. Go easy on the script it was put together quickly!
    Thanks in advance

    Hi Jack,
    you can enforce child folders accepting inheritance by getting their respective ACL and using the SetAccessRuleProtection method on the target folders.
    If path length is escalating, you may want to consider doing one of these:
    Temporarily create junctions to shorten the path.
    Redesign your storage to be (or appear) more flat
    I think there are other tools out there that can handle the path issue, but I don't have one at hand I can recommend - I have never had to design paths that long.
    Cheers,
    Fred
    Ps.: Some shameless advertisement:
    This function will create junctions for you, if you need something for that. You can remove them afterwards like any other shortcut.
    There's no place like 127.0.0.1

  • How to set up user account and share folders

    We are a family of four sharing our first iMac. I would like to set up one account for my wife and me and one account for my kids on which I plan to enable Parental Controls.
    I have struggled with setting up my kids user account. After setting up a Standard account for the kids - I noticed none of our music or files were visible in the kids accounts. I spent 20 min on the phone with Apple and the tech was clueless. He had me copying my music folder all over the computer until I had about 6 copies of the same folder. I did figure out how to move the music library to SHARED folder and redirect iTunes source folder to the same shared folder.
    My problem now - when I copy my documents to the SHARED folder my kids can see the files and open them, but they can not save them. How do I give the kids account read write privileges?
    Should I set up a GROUP account instead?
    I need the best way to have two or three users who can access all data on the same iMac, while giving me the ability to enable Parental Controls on the accounts.

    Do this:
    Here's how to set it up by using ACLs:
    1. Create a new folder in /Users/Shared. Call it "Sharefolder".
    2. Log in to an Admin account, open Terminal and paste in all of this at the same time:
    chmod -R +a "everyone allow delete,chown,list,search,add_file,\
    add_subdirectory,delete_child,file_inherit,directory_inherit" \
    /Users/Shared/Sharefolder
    That will automatically make everything copied or created in the sharefolder writable by all users. Note: After setting this up, if you have existing files that you want to move to the sharefolder, hold down the option key when dragging them in. That will make new copies of them in the sharefolder. Dragging existing files in (i.e. simply moving them there) won't cause the ACL to inherit properly and they won't be writable by all users. Files that are copied or newly created in the sharefolder shouldn't have this problem.
    Make sure you keep good backups. One user accidentally deleting a shared file will affect everybody else who uses it.

  • MS Access querying SQL Server: How to configure Network ACL?

    I need to set up a highly restrictive ACL for access to a particular SQL server in our network. This ACL will reside on our core switch at the "front door" of our network and permit access to the SQL server only using the ports that are necessary. The purpose is to A) try to keep unauthorized users from gaining access to the host server and B) should someone somehow gain unauthorized access to the host server, keep them from being able to "hop off" to other PCs on the network.
    The server will be accessed by clients using MS Access to query the SQL database and bring back reports. A few admins are actually able to make minor changes to the database such as updating a user list or location list. In other words, both read and write access is needed to the SQL database.
    I know that the default SQL server port is 1433, but according to a Microsoft Support article I read, "client ports are assigned a random value between 1024 and 5000".
    I was really hoping I could just put something like "permit PC1 access to SQL Server on Port 1433" in my ACL, but after reading the MS Support article it sounds like I've got to allow almost 4,000 ports through?
    Could someone help demystify this for me so I can build the right ACL?

    The tool to use is SQL Server Configuration Management.
    But what you can configure is which port SQL Server listens to. Which port the client listens to is not controllable as far as I know. But that can of course be many, since a client can have many connections to SQL Server. (And the range is not restricted to 1024-5000. I connected over TCP locally, and I see this with netstat -a
      TCP    127.0.0.1:6621         NATSUMORI:ms-sql-s     ESTABLISHED
    Then again, I don't see why you would have to open any ports for the clients at all. I have never heard of this being a problem.
    Erland Sommarskog, SQL Server MVP, [email protected]
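
To make the port question concrete, here is an added example (not from the thread or any switch vendor) that models a stateless first-match ACL with an "established"-style flag check. The addresses are constructed RFC 5737 documentation ranges; port 1433 and the 6621 client port come from the thread. It shows that a two-rule ACL passes the client's connection and its replies while rejecting a server-initiated connection, and that the "open 1024-5000" variant the poster feared both drops the reply to port 6621 and permits the hop-off.

```python
from ipaddress import ip_address, ip_network

# Constructed addresses (RFC 5737 documentation ranges), not from the thread.
SQL_SERVER = ip_network("192.0.2.10/32")
SERVER_IP = "192.0.2.10"
CLIENT_NET = ip_network("198.51.100.0/24")
SQL_PORT = 1433   # default instance port named in the thread

# Rule: (action, src_net, src_ports, dst_net, dst_ports, established_only).
# Ports: None = any, int = exact, (lo, hi) = inclusive range. established_only
# mirrors the stateless "established" keyword: the packet must carry ACK, so it
# can only belong to a connection that a permitted SYN already opened.
RESTRICTIVE = [
    ("permit", CLIENT_NET, None, SQL_SERVER, SQL_PORT, False),  # clients -> 1433
    ("permit", SQL_SERVER, SQL_PORT, CLIENT_NET, None, True),   # replies only
]

# What the poster feared was needed: every "random" client port opened toward
# the clients, with no flag check at all.
OVERLY_BROAD = [
    ("permit", CLIENT_NET, None, SQL_SERVER, SQL_PORT, False),
    ("permit", SQL_SERVER, None, CLIENT_NET, (1024, 5000), False),
]


def _port_matches(rule_ports, port):
    if rule_ports is None:
        return True
    if isinstance(rule_ports, tuple):
        return rule_ports[0] <= port <= rule_ports[1]
    return rule_ports == port


def evaluate(rules, src, sport, dst, dport, ack):
    """First matching rule wins; an unmatched packet hits the implicit deny."""
    s, d = ip_address(src), ip_address(dst)
    for action, snet, sp, dnet, dp, established_only in rules:
        if (s in snet and d in dnet and _port_matches(sp, sport)
                and _port_matches(dp, dport) and (ack or not established_only)):
            return action
    return "deny"


def sql_session(rules, client, client_port, client_listener):
    """Decisions for the three packets that matter to the poster: the client's
    SYN, the server's SYN/ACK reply, and a fresh SYN the server itself sends to
    a listener on the client (the "hop off" they want to block)."""
    return {
        "client_syn": evaluate(rules, client, client_port, SERVER_IP, SQL_PORT, ack=False),
        "server_reply": evaluate(rules, SERVER_IP, SQL_PORT, client, client_port, ack=True),
        "server_initiated": evaluate(rules, SERVER_IP, 40000, client, client_listener, ack=False),
    }


if __name__ == "__main__":
    # 6621 is the client-side port from the netstat line in the answer above;
    # the client listener port 4000 is constructed.
    print(sql_session(RESTRICTIVE, "198.51.100.25", 6621, 4000))
    print(sql_session(OVERLY_BROAD, "198.51.100.25", 6621, 4000))
```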

  • How to pass querystring value to swfobject and set it in adobe flash

    Hi,
    I must tell you that I don't have much knowledge about Flash.
    I have a Flash slideshow on my homepage which displays news from an XML file under http://bit.ly/q48UmE and I am using SlideShowPro for it. That slideshow XML file path must be set within the Adobe Flash program.
    The XML file path is under http://bit.ly/pBeaUX; if you add ?lang=en, it outputs the English version.
    What I need here is: when a language is changed from the language selector in the header, News must be set to the selected language respectively. My question is how to get the querystring value and pass it to Adobe Flash so it is changed and set according to the selected language.
    var flashvars = {};
    var params = {
        bgcolor: "#000000",
        allowfullscreen: "true",
        wmode: "transparent"
    };
    var attributes = {};
    swfobject.embedSWF("swf/slideshowpro.swf", "flashcontent", "550", "400", "10.0.0", false, flashvars, params, attributes);
    //attributes.addVariable("dil", "<%=request.querystring("lang")%>");
    Any help much appreciated

    Since there are only two languages to choose from, you could simply use a Javascript document.write() function to write out the alternate object and embed section of that page when/if the user selects English. In any case, you don't want to use Flash vars(). There is no way to get the Flash movie to read a new value after the movie has loaded. You could store the language value change in a Javascript variable and then read that variables value from the Flash movie.
    If you are changing out the entire movie when the language is changed, I would use the first method: Javascript document.write(). If you have both the Turkish and English language content in the same movie then I would use the second method and have Flash read a variable from the language selector. You can use the ExternalInterface class for that.

  • Note Board web part to display comments for explicit Document Set

    I guess my question falls under 'Other customization' hence my post here.
    Scenario:
    I have a Document Set content type enabled for a library. At the moment I have a few "folders" [document sets] that contain their respective documents.
    I edited a Document Set welcome page to include a Note Board web part. I edited the Note Board web part by adding a 'URL for note' to be a URL of a random Document Set welcome page while in edit mode.
    (Basically, I went to the 'ABC' document set page, clicked edit page, copied the URL from the address bar, closed that page, went to 'Customize Welcome Page' for all document sets in that library, and edited the Note Board web part by pasting the link into its 'URL for note' field.)
    Problem:
    Currently, all comments are shared between all document sets (folders). When I go to 'ABC' document set and post a comment, I can see my ABC specific comments in e.g. 'XYZ' document set.
    I want to have comments specific to each document set displayed on a respective page for that document set.
    Solution?
    I realize that I must have gotten the URL for the Note Board web part wrong, and it does not filter comments specific to each document set but fetches the comments from the whole library. My URL is currently:
    https://intranet.domain/sitecollection/library/Forms/Machine%20Process%20Pack/docsethomepage.aspx?ID=2&FolderCTID=0x0120D520009EDF2E3A3112B041AC6EC1D4133D77550000C297D6CB32E349A435E04924DC6C58&List=7b052f9c-7e35-4251-b66d-3bcdd2950014&RootFolder=%2Fuk%5Fqhse%2FProcess%20Packs%2FSigma%202345&RecSrc=%2Fuk%5Fqhse%2FProcess%20Packs%2FSigma%202345&PageView=Shared&InitialTabId=Ribbon.WebPartPage&Visi
    I know I have to strip this URL from some parameters, presumably leaving just ID, FolderCTID, List and RootFolder.
    Could someone actually tell me exactly what my URL should look like if I want to display comments only for a given document set on its welcome page?
    Thanks!

    Hi,
    According to your post, my understanding is that you wanted to display comments only for a given document set on its welcome page, not display for all the document sets.
    If so, you should not set the “URL for note” field in the Note Board web part, you can just leave it blank, then when you post a comment in one document set, the others would not display the comment.
    Thanks & Regards,
    Jason
    Jason Guo
    TechNet Community Support

  • How to control a Load Balanced set in IaaS VMs using Text files

    Hi,
    I would like to control the Load Balanced nodes using a resource to probe, like active.txt in IIS, rather than an Endpoint on the Management Portal.
    The reason I need this is because the engineers in my team will have access to the VMs but not to the Management servers.
    Any info on it is very helpful.
    Thanks

    Hi,
    You can control access to the Load Balanced Set by using a Network ACL. A Network Access Control List (ACL) is a security enhancement available for your Azure deployment. An ACL provides the ability to selectively permit or deny traffic for a virtual machine endpoint. This packet filtering capability provides an additional layer of security.
    Using Network ACLs, you can do the following:
    - Selectively permit or deny incoming traffic based on remote subnet IPv4 address range to a virtual machine input endpoint.
    - Blacklist IP addresses
    - Create multiple rules per virtual machine endpoint
    - Specify up to 50 ACL rules per virtual machine endpoint
    - Use rule ordering to ensure the correct set of rules are applied on a given virtual machine endpoint (lowest to highest)
    - Specify an ACL for a specific remote subnet IPv4 address.
    Network ACLs can be specified on a Load Balanced Set (LB Set) endpoint. If an ACL is specified for an LB Set, the Network ACL is applied to all Virtual Machines in that LB Set. For example, if an LB Set is created with “Port 80” and the LB Set contains 3 VMs, the Network ACL created on endpoint “Port 80” of one VM will automatically apply to the other VMs.
    Hope this helps !
    Regards,
    Sowmya
