  1. #1
    AdamRuck, Registered User (joined Feb 2008)

    Samba shares and HFS extended attributes

    Hi everyone!

    If there is a better place to post my question, please let me know!

    I'm using Mac OS X Server Leopard as a Primary Domain Controller. The general flow of how the PDC works is that when you sign on to the PDC, your roaming profile gets copied to your computer, and when you log out, your roaming profile gets copied back to the server.

    There are certain user actions that end up writing files with extended attributes back to the roaming profile on logout. For example, on a Windows XP machine, you can change the view of any folder to "thumbs". By default Windows caches the preview into a file called thumbs.db. Here is what it looks like on the server.

    -----------------------------------------------------------------------------------------
    fuji:My Pictures root# pwd
    /Users/Profiles/aruck/My Documents/My Pictures
    fuji:My Pictures root# ls -al@
    total 64
    drwxr-xr-x+ 8 aruck staff 272 Feb 8 10:49 .
    drwxr-xr-x+ 7 aruck staff 238 Jan 7 10:55 ..
    -rwxr--r--+ 1 aruck staff 183 Jan 7 10:58 Desktop.ini
    -rwxr--r--+ 1 aruck staff 887 Nov 20 15:50 Sample Pictures.lnk
    -rwxr--r--@ 1 aruck staff 12288 Feb 8 10:52 Thumbs.db
    :ENCRYPTABLE:$DATA 1
    -rwxr--r--+ 1 aruck staff 3132 Jan 25 15:53 bike 1.jpg
    -rwxr--r--+ 1 aruck staff 2999 Jan 25 15:54 bike 2.jpg
    -rwxr--r--+ 1 aruck staff 3015 Jan 25 15:54 bike 3.jpg
    ------------------------------------------------------------------------------------------

    So, Windows can write files with extended attributes just fine.

    The problem is that Windows *can't read them back*!

    Here is what happens when I try to log in with that thumbs.db in my roaming profile.

    --------------------------------------------------------------------------------------------------
    Windows cannot copy file \\fuji\profiles\aruck\My Documents\My Pictures\Thumbs.db to location C:\Documents and Settings\aruck.ETHOSTREAM\My Documents\My Pictures\Thumbs.db. Possible causes of this error include network problems or insufficient security rights. If this problem persists, contact your network administrator.
    --------------------------------------------------------------------------------------------

    It's not a permission problem; I can copy other files from the My Pictures folder to the same destination folder with no problems. All of the files in the source folder have the same permissions. Here is the error message I get from Windows if I try to copy the file manually:

    "Cannot copy Thumbs: Cannot Read from the source file or disk"

    /var/log/samba/log.smbd shows

    --------------------------------------------------------------------
    aruck opened file Profiles/aruck/My Documents/My Pictures/Thumbs.db read=Yes write=No (numopen=2)
    aruck closed file Profiles/aruck/My Documents/My Pictures/Thumbs.db (numopen=1) NT_STATUS_OK
    aruck opened file Profiles/aruck/My Documents/My Pictures/Thumbs.db read=Yes write=No (numopen=2)
    aruck opened file Profiles/aruck/My Documents/My Pictures/Thumbs.db:ENCRYPTABLE:$DATA read=Yes write=No (numopen=3)
    aruck closed file Profiles/aruck/My Documents/My Pictures/Thumbs.db:ENCRYPTABLE:$DATA (numopen=2) NT_STATUS_OK
    aruck opened file Profiles/aruck/My Documents/My Pictures/Thumbs.db:ENCRYPTABLE:$DATA read=Yes write=No (numopen=3)
    aruck closed file Profiles/aruck/My Documents/My Pictures/Thumbs.db:ENCRYPTABLE:$DATA (numopen=2) NT_STATUS_OK
    aruck closed file Profiles/aruck/My Documents/My Pictures/Thumbs.db (numopen=1) NT_STATUS_OK
    ---------------------------------------------------------------------------------------------------

    It doesn't look like Samba is throwing any errors.

    Is there any way I can disable Samba's ability to write files with extended attributes?

    Thanks in advance!

    Adam Ruck
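
An added example, not part of the original post: a small parser for the log.smbd excerpt above that lists which files had a named stream opened by a client and the status smbd logged when it closed. The function and variable names are hypothetical, and the line format is assumed to match the excerpt, with timestamps already trimmed.

```python
import re
from collections import defaultdict

# Log lines copied from the post above (log.smbd, timestamps already trimmed).
SAMPLE_LOG = """\
aruck opened file Profiles/aruck/My Documents/My Pictures/Thumbs.db read=Yes write=No (numopen=2)
aruck closed file Profiles/aruck/My Documents/My Pictures/Thumbs.db (numopen=1) NT_STATUS_OK
aruck opened file Profiles/aruck/My Documents/My Pictures/Thumbs.db read=Yes write=No (numopen=2)
aruck opened file Profiles/aruck/My Documents/My Pictures/Thumbs.db:ENCRYPTABLE:$DATA read=Yes write=No (numopen=3)
aruck closed file Profiles/aruck/My Documents/My Pictures/Thumbs.db:ENCRYPTABLE:$DATA (numopen=2) NT_STATUS_OK
aruck opened file Profiles/aruck/My Documents/My Pictures/Thumbs.db:ENCRYPTABLE:$DATA read=Yes write=No (numopen=3)
aruck closed file Profiles/aruck/My Documents/My Pictures/Thumbs.db:ENCRYPTABLE:$DATA (numopen=2) NT_STATUS_OK
aruck closed file Profiles/aruck/My Documents/My Pictures/Thumbs.db (numopen=1) NT_STATUS_OK
"""

# "<user> opened|closed file <path> [read=.. write=..] (numopen=N) [status]"
LINE_RE = re.compile(
    r"(?P<user>\S+) (?P<op>opened|closed) file (?P<path>.+?) "
    r"(?:read=\w+ write=\w+ )?\(numopen=\d+\)(?: (?P<status>NT_STATUS_\w+))?"
)
# NTFS-style stream suffix after the file name: ":<stream name>:$<TYPE>"
STREAM_RE = re.compile(r"^(?P<base>.+?)(?P<stream>:[^:/]*:\$[A-Z_]+)$")


def named_stream_access(log_text):
    """Map (file, stream) to the number of opens and the close statuses logged."""
    report = defaultdict(lambda: {"opens": 0, "statuses": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not an open/close record
        s = STREAM_RE.match(m["path"])
        if not s:
            continue  # open of the file's default data stream only
        entry = report[(s["base"], s["stream"])]
        if m["op"] == "opened":
            entry["opens"] += 1
        elif m["status"]:
            entry["statuses"].add(m["status"])
    return dict(report)


if __name__ == "__main__":
    for (path, stream), info in named_stream_access(SAMPLE_LOG).items():
        print(path, stream, info["opens"], sorted(info["statuses"]))
```

Run over a whole log, this gives the list of profile files that carry streams, which are the ones the thread reports as failing to copy even though every logged close is NT_STATUS_OK.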

  2. #2
    Go3iverson, Registered User (joined Mar 2003, Chicago, IL)

    Adam,

    A couple of things to look at. First, you can check the actual permission as Mac OS X sees them. On the server, navigate in the terminal to the share and perform an ls -l to get the long attributes. They are probably going to be viewed as attribute files, as denoted by a "@" at the end of the permissions. You could look into xattr to manipulate the attributes of the file. This, though, can be a bit long-winded as you'd have to inspect all the instances.

    Another idea would be to eliminate the "roaming" part of the profile. If you are interested in that (depending on your needs), you could look into the smb.conf file and change the logon path value to be empty (i.e. "logon path = "). If you are interested in that, be sure to test this out on a test server and not on your live server.

    Finally, the happy medium solution would be to tell the clients to stop caching the thumbnails. You can do that on the Windows clients by going to My Computer -> Tools -> Folder Options -> View -> Checkbox "Do Not Cache Thumbnails". I believe you can also try adding veto files = /Thumbs.db/ to the smb.conf file to eliminate them as well.

    Remember, try all of these ideas on a test server that is not critical to your environment to see how they interact with your specific needs and installation! If you feel that this is a bug, you should report it to Apple at bugreport.apple.com!

    Michael

  3. #3
    AdamRuck, Registered User (joined Feb 2008)

    Hi there,

    Thanks for responding!

    Quote (originally posted by Go3iverson):
        Adam,

        A couple of things to look at. First, you can check the actual permission as Mac OS X sees them. On the server, navigate in the terminal to the share and perform an ls -l to get the long attributes. They are probably going to be viewed as attribute files, as denoted by a "@" at the end of the permissions. You could look into xattr to manipulate the attributes of the file. This, though, can be a bit long-winded as you'd have to inspect all the instances.

    If you look at my first quote you can see that I have done an ls -al@ on a directory that contains files with extended attributes. There are several commands I can use to remove the extended attribute, however it is not reasonable for me (or my other System Administrators) to do that every time after someone logs out of their profile.

    What I'm looking for is some way to ensure that

    a) Those extended attributes never get there in the first place

    or

    b) Fix either Windows or smbd to make files with extended attributes not an issue.

    Quote (originally posted by Go3iverson):
        Another idea would be to eliminate the "roaming" part of the profile. If you are interested in that (depending on your needs), you could look into the smb.conf file and change the logon path value to be empty (i.e. "logon path = "). If you are interested in that, be sure to test this out on a test server and not on your live server.

    The department in my company that needs roaming profiles has more techs than computers, so they are forced to play musical chairs. Also, it should be noted that this issue isn't limited to just the login action of Windows. Copying a file manually from a Samba share hosted on the PDC to anywhere on the local computer will fail if the file has extended attributes. This occurs even after a successful login.

    Quote (originally posted by Go3iverson):
        Finally, the happy medium solution would be to tell the clients to stop caching the thumbnails. You can do that on the Windows clients by going to My Computer -> Tools -> Folder Options -> View -> Checkbox "Do Not Cache Thumbnails". I believe you can also try adding veto files = /Thumbs.db/ to the smb.conf file to eliminate them as well.

    That is a good idea, thank you. We frequently add and replace computers. Is there some way to make this a group policy?

    It should be noted that only solves part of my problem though. When you create bookmarks in certain web browsers, the web page's icon gets stored as an extended attribute. That also causes things to break.

    Quote (originally posted by Go3iverson):
        Remember, try all of these ideas on a test server that is not critical to your environment to see how they interact with your specific needs and installation! If you feel that this is a bug, you should report it to Apple at bugreport.apple.com!

        Michael

    Of course

    Thank you for your help.

    Regards,

    Adam

  4. #4
    AdamRuck, Registered User (joined Feb 2008)

    Quote (originally posted by Go3iverson):
        Finally, the happy medium solution would be to tell the clients to stop caching the thumbnails. You can do that on the Windows clients by going to My Computer -> Tools -> Folder Options -> View -> Checkbox "Do Not Cache Thumbnails".

    Hi again,

    As it turns out, this solution doesn't work at all. If I log onto a machine as Administrator, and change the default view settings for all folders, that only affects the Administrator user.

    If I log out of Administrator, and log in as a different user, that user's default view options are unaffected. To put it simply, it seems as though folder view options are per user, and I don't know of any way to change it globally for all users on a machine.

  5. #5
    Go3iverson, Registered User (joined Mar 2003, Chicago, IL)

    Quote (originally posted by AdamRuck):
        Hi again,

        As it turns out, this solution doesn't work at all. If I log onto a machine as Administrator, and change the default view settings for all folders, that only affects the Administrator user.

        If I log out of Administrator, and log in as a different user, that user's default view options are unaffected. To put it simply, it seems as though folder view options are per user, and I don't know of any way to change it globally for all users on a machine.

    Yes, that is a per user setting. Depending on your environment, it's easier said than done.

  6. #6
    dherbert, Registered User (joined Feb 2008)

    Hi - we had the same problem under 10.5.2 server - seems deactivating the streams support VFS module in Samba did the trick:

    /etc/smb.conf:

    vfs objects = darwinacl, darwin_streams
    ...
    ; The darwin_streams module gives us named streams support.
    stream support = yes
    ea support = yes

    replace with (i.e. remove darwin_streams):

    vfs objects = darwinacl
    ...
    ; The darwin_streams module gives us named streams support.
    stream support = no
    ea support = no


    For some reason it seems the alternate data streams (ADS) support in this new version of Samba is broken - the Windows clients can happily write files with streams (which get saved locally server-side as an extended attribute), but they can't *copy* the file back - this is a big problem when roaming profiles are concerned. We just turned stream support off. It means the stream data gets stripped, but that hasn't presented a problem as yet.
    -David

  7. The Following 3 Users Say Thank You to dherbert For This Useful Post:

    caseybarker (April 22nd, 2009),macgeeknz (August 8th, 2009),tyski (April 1st, 2009)
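
An added example, not part of dherbert's post or of Samba itself: a check that reads smb.conf text and reports the three settings from the post that keep named-stream and extended-attribute support switched on, run against the before and after fragments quoted above. The function names are hypothetical; the file is treated as flat (section headers ignored, last value wins), and a parameter that is absent is not flagged because the page does not state the build's defaults.

```python
import re

# The two smb.conf fragments from the post above ("..." lines omitted).
BEFORE = """\
vfs objects = darwinacl, darwin_streams
; The darwin_streams module gives us named streams support.
stream support = yes
ea support = yes
"""
AFTER = """\
vfs objects = darwinacl
; The darwin_streams module gives us named streams support.
stream support = no
ea support = no
"""

TRUE_VALUES = {"yes", "true", "1"}  # boolean spellings smb.conf accepts for "on"


def parse_params(conf_text):
    """Return {parameter: value}; names lower-cased, inner whitespace collapsed."""
    params = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#[" or "=" not in line:
            continue  # blank line, comment, or section header
        key, value = line.split("=", 1)
        params[" ".join(key.lower().split())] = value.strip()
    return params


def stream_findings(conf_text):
    """List the settings that still let clients store named streams or EAs."""
    params = parse_params(conf_text)
    findings = []
    modules = re.split(r"[,\s]+", params.get("vfs objects", ""))
    if "darwin_streams" in modules:
        findings.append("vfs objects loads darwin_streams")
    for name in ("stream support", "ea support"):
        # Only an explicit "on" value is flagged; defaults are not guessed.
        if params.get(name, "").lower() in TRUE_VALUES:
            findings.append(f"{name} = {params[name]}")
    return findings


if __name__ == "__main__":
    print("before:", stream_findings(BEFORE))
    print("after: ", stream_findings(AFTER))
```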

  8. #7
    Rooktoven, Registered User (joined Apr 2008)

    dh--

    We have a program that was choking on what seemed to be open permissions. This fixed it. Dumping Streams fixed it. Thanks.

  9. #8
    grigora, Registered User (joined Aug 2008)

    Also, be careful when using the "veto files" option in the share setup (smb.conf on server side).
    If there's a line in smb.conf (server side) saying:
    veto files = /.*/
    this would prevent Mac OS X from creating/using hidden files (dot files) for extended attributes, and you will get errors like "could not copy extended attributes" and the operation will fail.

 

 