[prev in list] [next in list] [prev in thread] [next in thread]
List: netatalk
Subject: Re: [Netatalk-admins] Strange permission issues
From: Josh Beard <josh () signalboxes ! net>
Date: 2011-11-22 18:31:19
Message-ID: 4ECBEA77.5070209 () signalboxes ! net
[Download RAW message or body]
To reply to my own post with more information:
I'm running into an issue where logging into a machine as an LDAP user
and *mounting a share* as the user, I do not have permission to write to
a directory that has the correct POSIX and ACLs set. Mounting the same
share as the same user on a machine that's logged into with a local
account, I do have permission to write to the same location.
Still hoping for some insight, and I'm willing to volunteer this
environment for testing :D
Thanks,
Josh
On 11/21/2011 09:01 AM, Josh Beard wrote:
> Greetings,
>
> I've recently implemented a Linux box with an EXT4 filesystem (with
> ACLs) and netatalk 2.2.1 to replace some of our temperamental Mac OS X
> servers.
>
> Unfortunately, I'm experiencing a number of bizarre permission issues.
> I have about 100 users that are using network homes via AFP here (via
> Open Directory) from predominately Mac OS X 10.6.8 clients.
> Additionally, I'm piloting netatalk with a shared folder where many
> users of the same group are dropping files and one person is
> administering it.
>
> For all of this, I've attempted to implement POSIX ACLs. For the most
> part, the network homes are working fairly well. However, I did come
> across one particular issue today - user tried to drag a file from their
> desktop into a directory on their desktop, but Finder gave the obscure
> error: "The operation can't be completed because an unexpected error
> occurred (error code -50)." syslog on the server has something like:
>
> Nov 21 08:34:43 topeka afpd[17859]:
> ea_open('/media/store/homes/hs/students/studentsusername/Desktop/.AppleDouble/dployment.jpeg::EA'):
> bogus EA header file
> Nov 21 08:34:43 topeka afpd[17859]:
> ea_copyfile('/media/store/homes/hs/students/studentsusername/Desktop/dployment.jpeg'/'dployment.jpeg'):
> ea_open error:
> '/media/store/homes/hs/students/studentsusername/Desktop/dployment.jpeg'
>
> In the case of the shared folder, there are all kinds of oddities
> there. For instance, users are unable to drop files into a directory
> there unless they put it inside a directory first and then copy the
> directory to the share. This seems intermittent, and I typically don't
> see syslog entries related to this.
>
> The user that I've delegated "full control" over the shared folder to is
> also often unable to remove files that are dropped there, despite ACLs
> being set to allow it.
>
> Frequently, users that are members of a permitted group get Finder's "no
> access" symbol when trying to, for example, drag a file to a mounted
> share that they have write access to.
>
> Usually, these types of actions seem possible when performing them
> locally on the server (e.g. via an SSH session with a shell).
>
> I'm not terribly sure where to begin with pinning any of this down, or
> what kinds of "best practices" for permissions/ACLs might be.
>
> Once I get these types of quirks straightened out, I plan on
> implementing netatalk network-wide for around 2000 users.
>
> Any kind of insight is much appreciated!
>
>
> Here's what afpd -V reports:
>> afpd 2.2.1 - Apple Filing Protocol (AFP) daemon of Netatalk
>>
>> <snip>
>>
>> afpd has been compiled with support for these features:
>>
>> AFP versions: 2.2 3.0 3.1 3.2 3.3
>> DDP(AppleTalk) Support: No
>> CNID backends: cdb dbd last tdb
>> SLP support: No
>> Zeroconf support: Yes
>> TCP wrappers support: Yes
>> Quota support: Yes
>> Admin group support: Yes
>> Valid shell checks: Yes
>> cracklib support: Yes
>> Dropbox kludge: No
>> Force volume uid/gid: No
>> ACL support: Yes
>> EA support: ad | sys
>> LDAP support: Yes
> Here's the relevant entries in AppleVolumes.default:
>
> This share is where the mentioned shared directory is located (note:
> I've tried ea:sys as well with similar results):
>> /media/store/homes/hs/staff "hs_staff"
>> allow:@od_hsusers,@od_hsstudents,@od_itstaff options:usedots,upriv
>> ea:ad volcharset:UTF8
> This share is where the user's network homes are located (again, I've
> also used ea:sys here with similar weird results):
>> /media/store/homes/hs/students "hs_students"
>> allow:@od_hsusers,@od_hsstudents,@od_itstaff options:usedots,upriv ea:ad
> Here's the ACLs/Permissions for one of the folders in the share:
> # file: Review1/
> # owner: kclark #<-- This user should have full access to anything
> being dropped here
> # group: od_kclark1 #<-- The users dropping to this share are members
> of this group (LDAP))
> user::rwx
> user:kclark:rwx
> group::rwx
> mask::rwx
> other::rwx
> default:user::rwx
> default:user:kclark:rwx
> default:group::rwx
> default:mask::rwx
> default:other::rwx
>
>
------------------------------------------------------------------------------
All the data continuously generated in your IT infrastructure
contains a definitive record of customers, application performance,
security threats, fraudulent activity, and more. Splunk takes this
data and makes sense of it. IT sense. And common sense.
http://p.sf.net/sfu/splunk-novd2d
_______________________________________________
Netatalk-admins mailing list
Netatalk-admins@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/netatalk-admins
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic