Samba shares and HFS extended attributes

[AdamRuck]

Hi everyone!

If there is a better place to post my question, please let me know!

I'm using Mac OSX server leopard as a Primary Domain Controller. The general flow of how the PDC works, is that when you sign on the PDC your roaming profile gets copied to your computer, and when you log out, your roaming profile gets copied back to the server.

There are certain user actions, that end up writing files with extended attributes back to the roaming profile on logout. For example, on a windows XP machine, you can change the view of any folder to "thumbs". By default windows caches the preview into a file called thumbs.db. Here is what it looks like on the server.

-----------------------------------------------------------------------------------------
fuji:My Pictures root# pwd
/Users/Profiles/aruck/My Documents/My Pictures
fuji:My Pictures root# ls -al@
total 64
drwxr-xr-x+ 8 aruck staff 272 Feb 8 10:49 .
drwxr-xr-x+ 7 aruck staff 238 Jan 7 10:55 ..
-rwxr--r--+ 1 aruck staff 183 Jan 7 10:58 Desktop.ini
-rwxr--r--+ 1 aruck staff 887 Nov 20 15:50 Sample Pictures.lnk
-rwxr--r--@ 1 aruck staff 12288 Feb 8 10:52 Thumbs.db
:ENCRYPTABLE:$DATA 1
-rwxr--r--+ 1 aruck staff 3132 Jan 25 15:53 bike 1.jpg
-rwxr--r--+ 1 aruck staff 2999 Jan 25 15:54 bike 2.jpg
-rwxr--r--+ 1 aruck staff 3015 Jan 25 15:54 bike 3.jpg
------------------------------------------------------------------------------------------

So, windows can write files with extended attributes just fine.

The problem, is that windows *can't read them back*!

Here is what happens when I try and login with that thumbs.db in my roaming profile.

--------------------------------------------------------------------------------------------------
Windows cannot copy file \\fuji\profiles\aruck\My Documents\My Pictures\Thumbs.db to location C:\Documents and Settings\aruck.ETHOSTREAM\My Documents\My Pictures\Thumbs.db. Possible causes of this error include network problems or insufficient security rights. If this problem persists, contact your network administrator.
--------------------------------------------------------------------------------------------

It's not a permission problem, I can copy other files from the My Pictures folder, to the same destination folder with no problems. All of the files in the source folder have the same permissions. Here is the error message I get from windows, if I try and copy the file manually

"Cannot copy Thumbs: Cannot Read from the source file or disk"

/var/log/samba/log.smbd shows

--------------------------------------------------------------------
aruck opened file Profiles/aruck/My Documents/My Pictures/Thumbs.db read=Yes write=No (numopen=2)
aruck closed file Profiles/aruck/My Documents/My Pictures/Thumbs.db (numopen=1) NT_STATUS_OK
aruck opened file Profiles/aruck/My Documents/My Pictures/Thumbs.db read=Yes write=No (numopen=2)
aruck opened file Profiles/aruck/My Documents/My Pictures/Thumbs.db:ENCRYPTABLE:$DATA read=Yes write=No (numopen=3)
aruck closed file Profiles/aruck/My Documents/My Pictures/Thumbs.db:ENCRYPTABLE:$DATA (numopen=2) NT_STATUS_OK
aruck opened file Profiles/aruck/My Documents/My Pictures/Thumbs.db:ENCRYPTABLE:$DATA read=Yes write=No (numopen=3)
aruck closed file Profiles/aruck/My Documents/My Pictures/Thumbs.db:ENCRYPTABLE:$DATA (numopen=2) NT_STATUS_OK
aruck closed file Profiles/aruck/My Documents/My Pictures/Thumbs.db (numopen=1) NT_STATUS_OK
---------------------------------------------------------------------------------------------------

It doesn't look like samba is throwing any errors.

Is there any way I can disable samba's ability to write files with extended attributes?

Thanks in advance!

Adam Ruck

 

[Go3iverson]

Adam,

A couple of things to look at. First, you can check the actual permission as Mac OS X sees them. On the server, navigate in the terminal to the share and perform a ls -l to get the long attributes. They are probably going to be viewed as attribute files, as denoted by a "@" at the end of the permissions. You could look into xattr to manipulate the attributes of the file. This, though, can be a bit longwinded as you'd have to inspect all the instances.

Another idea would be to eliminate the "roaming" part of the profile. If you are interested in that (depending on your needs), you could look into the smb.conf file and change the logon path value to be empty (ie "logon path = "). If you are interested in that, be sure to test this out on a test server and not on your live server.

Finally, the happy medium solution, would be to tell the clients to stop caching the thumbnails. You can do that on the Windows clients by going to My Computer -> Tools -> Folder Options -> View -> Checkbox "Do Not Cache Thumbnails. I believe you can also try adding veto files = /Thumbs.db/ to the smb.conf file to eliminate them as well.

Remember, try all of these ideas on a test server that is not critical to your environment to see how they interact with your specific needs and installation! If you feel that this is a bug, you should report it to Apple at bugreport.apple.com!

Michael

 

[AdamRuck]

Hi there,

Thanks for responding!

Adam,

A couple of things to look at. First, you can check the actual permission as Mac OS X sees them. On the server, navigate in the terminal to the share and perform a ls -l to get the long attributes. They are probably going to be viewed as attribute files, as denoted by a "@" at the end of the permissions. You could look into xattr to manipulate the attributes of the file. This, though, can be a bit longwinded as you'd have to inspect all the instances.

If you look at my first quote you can see that I have done a ls -al@ on a directory that contains files with extended attributes. There are several commands I can use to remove the extended attribute, however it is not reasonable for me(or my other System Administrators) to do that every time after someone logs out of their profile.

What I'm looking for is some way to insure that

a) Those extended attributes never get there in the first place

or

b) Fix either windows or smbd to make files with extended attributes not an issue.

Another idea would be to eliminate the "roaming" part of the profile. If you are interested in that (depending on your needs), you could look into the smb.conf file and change the logon path value to be empty (ie "logon path = "). If you are interested in that, be sure to test this out on a test server and not on your live server.

The department in my company that needs roaming profiles has more techs than computers, so they are forced to play musical chairs. Also, it should be noted that this issue isn't limited to just the login action of windows. Copying a file manually from a samba share hosted on the PDC, to anywhere on the local computer, will fail if the file has extended attributes. This occurs even after a successful login.

Finally, the happy medium solution, would be to tell the clients to stop caching the thumbnails. You can do that on the Windows clients by going to My Computer -> Tools -> Folder Options -> View -> Checkbox "Do Not Cache Thumbnails. I believe you can also try adding veto files = /Thumbs.db/ to the smb.conf file to eliminate them as well.

That is a good idea, thank you. We frequently add and replace computers. Is there some way to make this a group policy?

It should be noted that only solves part of my problem though. When you create bookmarks in certain web browsers, the web pages icon gets stored as an extended attribute. That also causes things to break.

Remember, try all of these ideas on a test server that is not critical to your environment to see how they interact with your specific needs and installation! If you feel that this is a bug, you should report it to Apple at bugreport.apple.com!

Michael

Of course

Thank you for your help.

Regards,

Adam

 

[AdamRuck]

Finally, the happy medium solution, would be to tell the clients to stop caching the thumbnails. You can do that on the Windows clients by going to My Computer -> Tools -> Folder Options -> View -> Checkbox "Do Not Cache Thumbnails.

Hi again,

As it turns out, this solution doesn't work at all. If I log onto a machine as Administrator, and change the default view settings for all folders, that only affects the Administrator user.

If I log out of Administrator, and log in as a different user, that users default view options are unaffected. To put it simply, it seems as though folders view options are per user, and I don't know of any way to change it globally for all users on a machine.

 

[Go3iverson]

Hi again,

As it turns out, this solution doesn't work at all. If I log onto a machine as Administrator, and change the default view settings for all folders, that only affects the Administrator user.

If I log out of Administrator, and log in as a different user, that users default view options are unaffected. To put it simply, it seems as though folders view options are per user, and I don't know of any way to change it globally for all users on a machine.

Yes, that is a per user setting. Depending on your environment, it's easier said than done.

 

[dherbert]

Hi - we had the same problem under 10.5.2 server - seems deactivating the streams support vfs module in samba did the trick:

/etc/smb.conf:

vfs objects = darwinacl, darwin_streams
...
; The darwin_streams module gives us named streams support.
stream support = yes
ea support = yes

replace with (i.e. remove darwin_streams)

vfs objects = darwinacl
...
; The darwin_streams module gives us named streams support.
stream support = no
ea support = no


For some reason it seems the alternate data streams (ADS) support in this new version of samba is broken - the windows clients can happily write files with streams (which get saved locally server-side as an extended atttribute), but they can't *copy* the file back - this is a big problem when roaming profiles are concerned. We just turned stream support off. It means the stream data gets stripped, but that hasn't presented a problem as yet..
-David

 

[Rooktoven]

dh--

We have a program that was choking on what seemed to be open permissions. This fixed it. Dumping Streams fixed it. Thanks.

 

[grigora]

also, be careful when using the "veto files" option in the share setup (smb.conf on server side).
if there's a line in smb.conf (server side) saying:
veto files = /.*/
this would prevent mac os-x from creating/using hidden files (dot files) for extended attributes and you will get errors like: could not copy extended attributes and the operation will fail.

 

[tyski]

dh--

I don't chime in on forum threads too much, but given the number of extremely frustration and low-level problems with Leopard Server and severe lack of useful answers on various forums, this post was so nice to see--straightforward and it works. Thanks!

 

[Zissixroark]

I'm new to the forum. Nice post.

 

[p0ddie]

hi there,

sorry for bumping this up more than a year later, but I ran into the same problem as described here.

I'm on 10.5.6 server and my windows clients had the same issues with the Thumbs.db files. My users couldn't load their profile from the server because Thumbs.db was <same error as the thread starter>.

So I edited smb.conf in changing both "yes" to "no".

After restarting the smb service, the issue with Thumbs.db was gone, but now there is a new issue: Windows can't save a profile to the server because it tells me that /User Data/Templates (I hope it's Templates, I have German Windows XP systems here - folder contains some very small files with .wav, .xls endings, one was called excel4.xls) can't be read (reason: path not found) and then doesn't save anything from the profile.

If I turn no/no back to yes/yes, everything is back to "normal".

I checked, the /Templates folder is definetly in the user account on the server, permissions are fine as far as I can tell, tested with several user accounts.

Anyone had this experience? Thanks!

 

[Marcin K]

Hi,

I have experienced similar problems when trying to copy files to my new iMac from XP over samba, getting 'not enough disk space' errors. (with heaps of space available )

Strangely I only had issues with old jpg files. Copying them to new files and renaming didn't help, so initially I assumed the problem was with file headers being blocked by something in the OSX samba config.

After trying a few things, I found that taking out darwin_streams from the config and disabling stream support as suggested in this thread fixed things. This has nothing to do with the file format, so still a bit odd... perhaps something to do with these files being copied around in windows 98, 2000 and XP over the years and accumulating lots of ADS rubbish?

Anyway, thought this might be helpful for anyone else moving old files from windows to mac and seeing very strange problems like this.