Re: Arrgh! Permissions Problems

[Rick Stevens <rstevens vitalstream com>]

Greg Julius wrote:
> [minor snippage]
>
> > > > > Problem:
> > > > > The Win XP is perceiving the files to be read-only, and I can't 
> > > > > figure out why.
> > > > > Details:
> > > > > I maintain a couple of websites for different clients, and I am 
> > > > > creating mirror setups on my own Linux box to make it easy to do 
> > > > > development, test and whatnot.
> > > > > I can access the sites on my server via my browser and everything 
> > > > > just fine.  What's giving me problems is my placing files on the 
> > > > > Linux filesystem from my Windows system.
> > > > > I am running Samba, and have the following share set up (and 
> > > > > accordingly accessed in Windows).
> > > > > [websites]
> > > > >         path = /client/hostsetups
> > > > >         valid users = bullwinkle, rocky
> > > > >         force user = rocky
> > > > >         read only = No
> > > > >         create mask = 0775
> > > > >         force create mode = 0755
> > > > > Due to reasons of stupidity, my Window's id is bullwinkle and all 
> > > > > of my Linux presence is rocky.  I never use the bullwinkle id on 
> > > > > the Linux box directly, it's just the name of my window's id.
> > > > > The directory structure is such that each of the clients has a 
> > > > > directory under /client/hostsetups which is their root, and under 
> > > > > that is a www directory which is their webserver document root.
> > > > > The files in these directories are owned by the "client" with their 
> > > > > own ID and own Group (unique groups), defined in passwd and group 
> > > > > as appropriate.
> > > > > my ids, bullwinkle and rocky are both assigned group evilone as 
> > > > > their primary user group (500).
> > > > > Each of the other client's groups, have both of my id's listed 
> > > > > behind the definition: xclient1:x:509:rocky,bullwinkle
> > > > > The files are all defined (in the document root and below) as 
> > > > > -r-xrwxr-x (R-X to the owner and other, RWX to the group).  Even 
> > > > > the containing directory has this same permissions list.
> > > > > Why are these files only readable to Windows, and what can I do 
> > > > > about it?
> > > > > Should I be listing IDs behind the group definition, or other Groups?
> > > > > That is, should I be putting evilone as the name behind the 
> > > > > xclient1 definition?
> > > > > What I'd really like is to have samba force the user and group to 
> > > > > be the client's user and group, but without me having to 
> > > > > proliferate a slew of shares.  Is there a way to maintain one 
> > > > > share, and have samba force the user and client based upon the 
> > > > > directory?
> > > >
> > > >
> > > >
> > > > This smells exactly like a username issue, Greg.  You really should
> > > > make sure that the Samba server has the exact same login as the WinXP
> > > > system, since that's what XP is sending out.  Also keep in mind that
> > > > XPHome has limited network capacity. It won't do Windows domain-based
> > > > authentication, for example.
> > >
> > >
> > > Thanks for the reply Rick.
> > > I'm using XP Pro and Samba is my master domain controller.
> > > Can you offer any suggestions on how I can tell if Samba is 
> > > perceiving my XP userid to be different than my Linux userid?
> >
> >
> > You can check the logs in /var/log/samba to watch what happens during
> > authentication and such.
>
>
> Thanks!  I did that just now and I can see that "bullwinkle" is 
> validating and is being recognized as the appropriate uid and gid.
>
> > > If I go to the start button, I note that the username listed is the 
> > > same case as the userid in Linux (all lower).
> > > Samba finds the correct logon profile to use, which is based upon the 
> > > username signing on: bullwinkle.logon.bat so I think that's working ok.
> >
> >
> > It's hard to say without the logs, but my guess is that something isn't
> > authenticating.  In your above data, you said the Windows ID is
> > "bullwinkle", but your username in Linux is "rocky".  For the
> > authentication to work, "bullwinkle" must also be a Linux user (must
> > have an entry in /etc/passwd) and must also be added to the Samba
> > password database (via smbpasswd).  bullwinkle must also have the same
> > password in all three (Windows, Linux and Samba).
>
>
> I found it!
>
> I got a hint yesterday when I changed the permissions on a bunch of 
> files to have the rwx.  But I thought it was related to the owner id, 
> not to the w bit itself.
>
> Samba takes the owner's w bit and interprets no write permission to be 
> Read-only which is reported to the windows system asking about a file.  
> So, files and directories would be marked read-only and the windows 
> programs wouldn't even try to write.

Well, lack of write permissions would make it read-only, wouln't it? ;-)

> But if the owner had the w bit set (and so windows would think it was 
> writeable), if the samba user didn't have the appropriate permissions 
> (like belonging to the proper group), then the write would fail from the 
> unix end.

That would only fail if the samba user wasn't the owner AND didn't
belong to a group with write permission.  So I take you you're mapping
the Windows user "bullwinkle" to the Linux user "rocky" and "rocky"
isn't the owner of the files and isn't a member of a group with write
permission?

> It was the combination of these two things that kept giving me the 
> headache.  I'd have one or the other not quite right and so I'd get a 
> failure.

"Waskewy ownuh and gwoup pehmissions!  Oooooh!  Thew's something skewy
going on heah!" -- Elmer "Microsoft" Fudd

> Thank you Rick for your responses.  Between what you said, what the logs 
> didn't show (the window's programs weren't even trying to write so 
> nothing in the logs), and my changing of some permissions by 
> happenstance turned out to be the key to finding the real problem.  I 
> now have all of the directories set up correctly and I am able to write 
> from my windows desktop to the three other groups of files with no 
> problem.  Hot Dog!

Good deal!

> > You might also find information on this at the Samba site
> > (http://www.samba.org).
>
>
> The O'Rielly book is pretty good too!

Yeah.  I have an old copy (1st edition), but I have the latest
"Pocket Reference" book (which is really all I need).
----------------------------------------------------------------------
- Rick Stevens, Senior Systems Engineer     rstevens vitalstream com -
- VitalStream, Inc.                       http://www.vitalstream.com -
-                                                                    -
-         Microsoft Windows:  Proof that P.T. Barnum was right       -
----------------------------------------------------------------------