#1
Samba shares and HFS extended attributes

Hi everyone!

If there is a better place to post my question, please let me know!

I'm using Mac OSX server leopard as a Primary Domain Controller. The general flow of how the PDC works, is that when you sign on the PDC your roaming profile gets copied to your computer, and when you log out, your roaming profile gets copied back to the server.

There are certain user actions, that end up writing files with extended attributes back to the roaming profile on logout. For example, on a windows XP machine, you can change the view of any folder to "thumbs". By default windows caches the preview into a file called thumbs.db. Here is what it looks like on the server.

-----------------------------------------------------------------------------------------
fuji:My Pictures root# pwd
/Users/Profiles/aruck/My Documents/My Pictures
fuji:My Pictures root# ls -al@
total 64
drwxr-xr-x+ 8 aruck staff 272 Feb 8 10:49 .
drwxr-xr-x+ 7 aruck staff 238 Jan 7 10:55 ..
-rwxr--r--+ 1 aruck staff 183 Jan 7 10:58 Desktop.ini
-rwxr--r--+ 1 aruck staff 887 Nov 20 15:50 Sample Pictures.lnk
-rwxr--r--@ 1 aruck staff 12288 Feb 8 10:52 Thumbs.db
        :ENCRYPTABLE:$DATA 1
-rwxr--r--+ 1 aruck staff 3132 Jan 25 15:53 bike 1.jpg
-rwxr--r--+ 1 aruck staff 2999 Jan 25 15:54 bike 2.jpg
-rwxr--r--+ 1 aruck staff 3015 Jan 25 15:54 bike 3.jpg
------------------------------------------------------------------------------------------

So, windows can write files with extended attributes just fine. The problem, is that windows *can't read them back*! Here is what happens when I try and login with that thumbs.db in my roaming profile.

--------------------------------------------------------------------------------------------------
Windows cannot copy file \\fuji\profiles\aruck\My Documents\My Pictures\Thumbs.db to location C:\Documents and Settings\aruck.ETHOSTREAM\My Documents\My Pictures\Thumbs.db. Possible causes of this error include network problems or insufficient security rights. If this problem persists, contact your network administrator.
--------------------------------------------------------------------------------------------

It's not a permission problem, I can copy other files from the My Pictures folder, to the same destination folder with no problems. All of the files in the source folder have the same permissions.

Here is the error message I get from windows, if I try and copy the file manually

"Cannot copy Thumbs: Cannot Read from the source file or disk"

/var/log/samba/log.smbd shows

--------------------------------------------------------------------
aruck opened file Profiles/aruck/My Documents/My Pictures/Thumbs.db read=Yes write=No (numopen=2)
aruck closed file Profiles/aruck/My Documents/My Pictures/Thumbs.db (numopen=1) NT_STATUS_OK
aruck opened file Profiles/aruck/My Documents/My Pictures/Thumbs.db read=Yes write=No (numopen=2)
aruck opened file Profiles/aruck/My Documents/My Pictures/Thumbs.db:ENCRYPTABLE:$DATA read=Yes write=No (numopen=3)
aruck closed file Profiles/aruck/My Documents/My Pictures/Thumbs.db:ENCRYPTABLE:$DATA (numopen=2) NT_STATUS_OK
aruck opened file Profiles/aruck/My Documents/My Pictures/Thumbs.db:ENCRYPTABLE:$DATA read=Yes write=No (numopen=3)
aruck closed file Profiles/aruck/My Documents/My Pictures/Thumbs.db:ENCRYPTABLE:$DATA (numopen=2) NT_STATUS_OK
aruck closed file Profiles/aruck/My Documents/My Pictures/Thumbs.db (numopen=1) NT_STATUS_OK
---------------------------------------------------------------------------------------------------

It doesn't look like samba is throwing any errors. Is there any way I can disable samba's ability to write files with extended attributes?

Thanks in advance!

Adam Ruck

#2
Adam,

A couple of things to look at.

First, you can check the actual permission as Mac OS X sees them. On the server, navigate in the terminal to the share and perform a ls -l to get the long attributes. They are probably going to be viewed as attribute files, as denoted by a "@" at the end of the permissions. You could look into xattr to manipulate the attributes of the file. This, though, can be a bit longwinded as you'd have to inspect all the instances.

Another idea would be to eliminate the "roaming" part of the profile. If you are interested in that (depending on your needs), you could look into the smb.conf file and change the logon path value to be empty (ie "logon path = "). If you are interested in that, be sure to test this out on a test server and not on your live server.

Finally, the happy medium solution, would be to tell the clients to stop caching the thumbnails. You can do that on the Windows clients by going to My Computer -> Tools -> Folder Options -> View -> Checkbox "Do Not Cache Thumbnails". I believe you can also try adding

veto files = /Thumbs.db/

to the smb.conf file to eliminate them as well.

Remember, try all of these ideas on a test server that is not critical to your environment to see how they interact with your specific needs and installation! If you feel that this is a bug, you should report it to Apple at bugreport.apple.com!

Michael

#3
Hi there,

Thanks for responding!

Quote:

What I'm looking for is some way to ensure that a) Those extended attributes never get there in the first place or b) Fix either windows or smbd to make files with extended attributes not an issue.

Quote:

Quote:

It should be noted that only solves part of my problem though. When you create bookmarks in certain web browsers, the web page's icon gets stored as an extended attribute. That also causes things to break.

Quote:

Thank you for your help.

Regards,
Adam

#4
Quote:

As it turns out, this solution doesn't work at all. If I log onto a machine as Administrator, and change the default view settings for all folders, that only affects the Administrator user. If I log out of Administrator, and log in as a different user, that user's default view options are unaffected. To put it simply, it seems as though folders' view options are per user, and I don't know of any way to change it globally for all users on a machine.

#5
Quote:

#6
Hi - we had the same problem under 10.5.2 server - seems deactivating the streams support vfs module in samba did the trick:

/etc/smb.conf:

vfs objects = darwinacl, darwin_streams
...
; The darwin_streams module gives us named streams support.
stream support = yes
ea support = yes

replace with (i.e. remove darwin_streams)

vfs objects = darwinacl
...
; The darwin_streams module gives us named streams support.
stream support = no
ea support = no

For some reason it seems the alternate data streams (ADS) support in this new version of samba is broken - the windows clients can happily write files with streams (which get saved locally server-side as an extended attribute), but they can't *copy* the file back - this is a big problem when roaming profiles are concerned.

We just turned stream support off. It means the stream data gets stripped, but that hasn't presented a problem as yet..

-David
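
Because turning stream support off strips stream data, it helps to know beforehand which files clients have opened named streams on. The following is an added example, not code from the thread: it scans log.smbd lines in the format quoted in post #1 and lists each file, its stream names, the users involved and whether a stream was opened for writing. The last sample line (the `favicon` stream on a `.url` file) is constructed for illustration.

```python
import re
from collections import defaultdict

# Matches smbd "opened file" lines as quoted in post #1.
# A named stream is logged as <path>:<stream name>:$DATA.
OPEN_RE = re.compile(
    r"^(?P<user>\S+) opened file (?P<path>.+?)"
    r"(?::(?P<stream>[^:/]+):\$DATA)?"
    r" read=(?P<read>Yes|No) write=(?P<write>Yes|No) \(numopen=\d+\)"
)

# First three lines are from post #1; the fourth is constructed.
SAMPLE_LOG = """\
aruck opened file Profiles/aruck/My Documents/My Pictures/Thumbs.db read=Yes write=No (numopen=2)
aruck opened file Profiles/aruck/My Documents/My Pictures/Thumbs.db:ENCRYPTABLE:$DATA read=Yes write=No (numopen=3)
aruck closed file Profiles/aruck/My Documents/My Pictures/Thumbs.db:ENCRYPTABLE:$DATA (numopen=2) NT_STATUS_OK
aruck opened file Profiles/aruck/Favorites/Example.url:favicon:$DATA read=No write=Yes (numopen=2)
""".splitlines()


def streams_in_log(lines):
    """Return {file path: {stream name: {"users": set, "written": bool}}}."""
    found = defaultdict(dict)
    for line in lines:
        m = OPEN_RE.match(line.strip())
        if not m or not m.group("stream"):
            continue  # not an open, or an open of the plain file
        entry = found[m.group("path")].setdefault(
            m.group("stream"), {"users": set(), "written": False})
        entry["users"].add(m.group("user"))
        entry["written"] = entry["written"] or m.group("write") == "Yes"
    return dict(found)


if __name__ == "__main__":
    for path, streams in streams_in_log(SAMPLE_LOG).items():
        for name, info in streams.items():
            print(f"{path}  stream={name}  users={sorted(info['users'])}"
                  f"  written={info['written']}")
```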

#7
dh--

We have a program that was choking on what seemed to be open permissions. This fixed it. Dumping Streams fixed it. Thanks.

#8
also, be careful when using the "veto files" option in the share setup (smb.conf on server side). if there's a line in smb.conf (server side) saying:

veto files = /.*/

this would prevent mac os-x from creating/using hidden files (dot files) for extended attributes and you will get errors like:

could not copy extended attributes

and the operation will fail.
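
The smb.conf settings discussed in posts #6 and #8 can be checked per share before a change goes live. This is an added example, not code from the thread: a small auditor that reports, for each section, whether the stream and EA settings quoted above are in effect and which probe file names a `veto files` list would block. The sample configuration is constructed, and the `._Thumbs.db` probe assumes the dot files in post #8 are AppleDouble `._name` sidecars.

```python
import fnmatch

# Constructed sample; parameter names are the ones quoted in the thread.
SAMPLE_CONF = """\
[global]
   vfs objects = darwinacl, darwin_streams
   ; The darwin_streams module gives us named streams support.
   stream support = yes
   ea support = yes
[profiles]
   veto files = /Thumbs.db/
[public]
   vfs objects = darwinacl
   stream support = no
   ea support = no
   veto files = /.*/
"""

def parse_smb_conf(text):
    """Minimal reader: {section: {parameter: value}}, names lower-cased."""
    conf, section = {"global": {}}, "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            conf[section][" ".join(key.lower().split())] = value.strip()
    return conf

def audit(text, probes=("Thumbs.db", "._Thumbs.db")):
    """Per share: settings in effect and vetoed probes (fnmatch approximates
    Samba's * and ? wildcards; names are compared case-insensitively)."""
    conf, report = parse_smb_conf(text), {}
    for section, params in conf.items():
        eff = {**conf["global"], **params}      # shares inherit [global]
        modules = eff.get("vfs objects", "").replace(",", " ").split()
        vetoes = [p.lower() for p in eff.get("veto files", "").split("/") if p]
        report[section] = {
            "darwin_streams": "darwin_streams" in modules,
            "stream support": eff.get("stream support", "").lower() == "yes",
            "ea support": eff.get("ea support", "").lower() == "yes",
            "vetoed": [n for n in probes
                       if any(fnmatch.fnmatchcase(n.lower(), p) for p in vetoes)],
        }
    return report
```

Calling `audit(SAMPLE_CONF)` shows `[profiles]` inheriting the stream settings from `[global]` and vetoing only `Thumbs.db`, while the `/.*/` pattern in `[public]` blocks the `._Thumbs.db` sidecar.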
|
|