From: Greg Ercolano <erco@(email suppressed)>
Subject: [OSX/Admin] Tiger / mount_smbfs problems
   Date: Fri, 26 Aug 2005 21:30:48 -0700
Msg# 1013
View Complete Thread (7 articles) | All Threads
Last Next
The following was first posted on the Apple discussions board:
http://discussions.info.apple.com/webx?14@31.sd2laJjn7IM.6@.68b77715

...then deciding it really has to be an Apple related bug,
I recently reported it to Apple (bug #4234684).

I'll try to follow up here if there are any developments, or if any
of you admins have any opinions, feel free to add to this thread.

* * *
       Title: Permission problems with mount_smbfs
  Originator: Greg Ercolano
       State: Analyze
Created Date: 26-Aug-2005 09:22 PM

Since upgrading to Tiger, I've had trouble using it as a
client via mount_smbfs.

It mounts our samba oriented file server just fine, but it seems
that OSX 10.4.x only allows the mount point owner access to the server;
any other user (besides root) gets a 'permission denied' error.

**Even the user who the mount is authenticated as is denied access.**

This just seems very wrong; when 'sandro' owns the mount dir /smb/meade,
even if the dir is 777, when the dir is mounted, only sandro can access
the dir, even if it's mounted as 'fred':

---------------------------------------------------
# mkdir -m 777 /smb/meade ; chown sandro:sandro /smb/meade
# ls -lad /smb/meade
drwxrwxrwx 1 sandro sandro 16384 Jul 28 14:26 /smb/meade

# mount_smbfs //fred:fred@meade/net /smb/meade

# su fred -c 'ls -la /smb/meade'
ls: meade: Permission denied

# su sandro -c 'ls -la /smb/meade'
[directory listing displays]
---------------------------------------------------

If I umount the dir, and chown the mount dir to fred:fred,
then only fred can access it, regardless of which authentication info
is supplied to mount_smbfs.

In addition, OSX seems to ignore the 'group' and 'other' ownerships on
the mount dir. If the dir is owned to fred:jack, and the mount
authenticated with sandro, /only/ fred can access the mount (owner);
not jack (group), and not sandro (mount authentication).
The perms being 777 don't seem to matter, so it seems inconsistent
with itself.

** IMPORTANT OBSERVATION **
When I run tcpdump on the server (and client), no SMB packets
are hitting the wire when the 'permission denied' errors occur at the
client (ie. when doing 'ls -la /smb/meade'), which seems to imply this
is entirely a *client side issue* -- OSX's local permissions are preventing
the access, not the server.

Something seems very broken here; it seems like the smbfs kernel extension
library (/System/Library/Extensions/smbfs.kext?) might be at fault here.

BTW, all this works fine in Panther, so it seems very Tiger specific.
Tested on 10.4.1 and 10.4.2. I know for a fact this problem is preventing
many CGI companies from upgrading to Tiger, and has caused retreats to Panther.

   From: Dylan Penhale <dylan@(email suppressed)>
Subject: Re: [OSX/Admin] Tiger / mount_smbfs problems
   Date: Sun, 28 Aug 2005 19:12:05 -0700
Msg# 1014
Same results here - broken-ness. Client is 10.4.2 Server is 10.3.8.

Same error "Permission Denied".

Probably not but I wonder if this is in any way related to the problem
with write permissions on AFP and Tiger 10.4.1?

http://discussions.info.apple.com/webx?13@539.rCICa03A50v.1@.68b1ddfb/6

In that case upgrading to 10.4.2 seems to have sorted it on remote NFS
and SMB mounts here at least. I am able to create directories under
NFS and SMB.

Probably not though.....

Dylan



Greg Ercolano wrote:

> The following was first posted on the Apple discussions board:
> http://discussions.info.apple.com/webx?14@31.sd2laJjn7IM.6@.68b77715
> 
> ..then deciding it really has to be an Apple related bug,
> I recently reported it to Apple (bug #4234684).
> [..]

---
Dylan Penhale
Systems Administrator
Fuel International



   From: Greg Ercolano <erco@(email suppressed)>
Subject: Re: [OSX/Admin] Tiger / mount_smbfs problems
   Date: Sun, 28 Aug 2005 20:36:32 -0700
Msg# 1015
Dylan Penhale wrote:
> Probably not but I wonder if this is in any way related to the problem
> with write permissions on AFP and Tiger 10.4.1?
>
> http://discussions.info.apple.com/webx?13@539.rCICa03A50v.1@.68b1ddfb/6

	Mmm, interesting thread.

	I use NFS at my office entirely, and I've had no issues
	with security, using it as I do with locally configured accounts
	and matching uids/gids across the net.

	However, some folks do need AFP or even SMB, and for those folks
	issues like these do come up. I think the main reason is these
	protocols were simply not designed with multiuser access in mind %^/
	Updates are coming to change that situation, but it's in a state
	of flux right now, and that means a year or so of instability
	while the protocols shake out the bugs.

--
Greg Ercolano, erco@(email suppressed)
Rush Render Queue, http://seriss.com/rush/
Tel: (Tel# suppressed)
Cel: (Tel# suppressed)
Fax: (Tel# suppressed)

   From: Courtney Irvin <courtney@radarNOSPAMstudios.com>
Subject: Re: [OSX/Admin] Tiger / mount_smbfs problems
   Date: Fri, 02 Sep 2005 13:15:21 -0700
Msg# 1019
We primarily use SMB for our mixed OS X/Windows/*NIX environment. I have set up SMB automount on my OS X boxes and am able to always use the same path to my SMB mounts regardless of what user is logged in, with no permission issues.

If anyone is interested in using this method instead of using the mount command, I can post exactly how I have things set up.

--=C

Courtney Irvin
Computers Et. Al.
Radar Studios




Greg Ercolano wrote:
> Dylan Penhale wrote:
>
> > Probably not but I wonder if this is in any way related to the problem
> > with write permissions on AFP and Tiger 10.4.1?
> >
> > http://discussions.info.apple.com/webx?13@539.rCICa03A50v.1@.68b1ddfb/6
>
> Mmm, interesting thread.
>
> I use NFS at my office entirely, and I've had no issues
> with security, using it as I do with locally configured accounts
> and matching uids/gids across the net.
>
> However, some folks do need AFP or even SMB, and for those folks
> issues like these do come up. I think the main reason is these
> protocols were simply not designed with multiuser access in mind %^/
> Updates are coming to change that situation, but it's in a state
> of flux right now, and that means a year or so of instability
> while the protocols shake out the bugs.


   From: Gary Jaeger <gary@(email suppressed)>
Subject: Re: [OSX/Admin] Tiger / mount_smbfs problems
   Date: Fri, 02 Sep 2005 20:02:11 -0700
Msg# 1020
I'd be interested. Thanks Courtney

On Sep 2, 2005, at 1:15 PM, Courtney Irvin wrote:

> If anyone is interested in using this method instead of using the mount command, I can post exactly how I have things set up.


. . . . . . . . . . . . . . . . . . . . . . . .
Gary Jaeger //  Core Studio
+   www.corestudio.com   +



   From: Abraham Schneider <aschneider@(email suppressed)>
Subject: Re: [OSX/Admin] Tiger / mount_smbfs problems
   Date: Mon, 05 Sep 2005 01:39:24 -0700
Msg# 1021
Yes, me too. Would be nice if you could share your knowledge with us.

Thanks, Abraham


> I'd be interested. Thanks Courtney
>
> On Sep 2, 2005, at 1:15 PM, Courtney Irvin wrote:
>
> > If anyone is interested in using this method instead of using the mount command, I can post exactly how I have things set up.
>
> . . . . . . . . . . . . . . . . . . . . . . . .
> Gary Jaeger //  Core Studio
> +   www.corestudio.com   +




--
Abraham Schneider
VFX Compositor

ARRI Film & TV Services GmbH
Tuerkenstr. 89
D-80799 Muenchen

Phone: +49 89 3809-1269
Mobile: +49 173 5719842
Email: aschneider@(email suppressed)

   From: Courtney Irvin <courtney@radarNOSPAMstudios.com>
Subject: Re: [OSX/Admin] Tiger / mount_smbfs problems
   Date: Tue, 06 Sep 2005 10:36:33 -0700
Msg# 1024
Thanks for the interest.

Here's the way I set things up; in NetInfo manager, create a new entry under mounts... here's how the properties are set:

Property		Value(s)
name			<Server IP Address>:/<Share Name>
dir			/Network/<Server Name>
opts			url==smb://<username>:<password>@<Server IP Address>/<Share Name>
			nosuid
vfstype			url

Once you save this into netinfo, all you need to do in order to emulate UNC paths is create a directory at the root level with the same name as the server, then in that directory create a symbolic link with the name of your smb share that points to /Network/<Server Name>...

That way //<Server Name>/<Share Name> will work, and the mount will work no matter who is logged in -- I think I chmoded the dir I created at the root level with the server's name to 777, but I don't know if this is really needed.

Let me know what your results are. Send me an email directly.

--=C

Courtney@(email suppressed)
			





Abraham Schneider wrote:
> Yes, me too. Would be nice if you could share your knowledge with us.
>
> Thanks, Abraham
>
> > I'd be interested. Thanks Courtney
> >
> > On Sep 2, 2005, at 1:15 PM, Courtney Irvin wrote:
> >
> > > If anyone is interested in using this method instead of using the mount command, I can post exactly how I have things set up.
> >
> > . . . . . . . . . . . . . . . . . . . . . . . .
> > Gary Jaeger //  Core Studio
> > +   www.corestudio.com   +
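
Added example, not part of Courtney's post or of any Apple tooling: the mounts entry in the message above keeps the SMB password in clear text inside the `opts` URL, so it is worth auditing such entries before copying the recipe to many machines. The Python below parses the Property/Value layout shown in the post, flags an embedded password, checks that `nosuid` is present, and returns a redacted copy of the options; the sample entry and the names `parse_properties` and `audit_mount` are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample in the Property/Value layout of the post (placeholder values).
SAMPLE = (
    "Property\t\tValue(s)\n"
    "name\t\t\t192.0.2.10:/net\n"
    "dir\t\t\t/Network/meade\n"
    "opts\t\t\turl==smb://fred:s3cret@192.0.2.10/net\n"
    "\t\t\tnosuid\n"
    "vfstype\t\t\turl\n"
)

def parse_properties(text):
    """Map each property to its list of values; an indented line is an
    additional value for the property on the line above it."""
    props, last = {}, None
    for line in text.splitlines():
        if not line.strip() or line.split()[0] == "Property":
            continue                      # blank line or table header
        if line[0].isspace():             # continuation value
            if last is not None:
                props[last].append(line.strip())
            continue
        parts = line.split(None, 1)
        last = parts[0]
        props[last] = [parts[1].strip()] if len(parts) > 1 else []
    return props

def audit_mount(props):
    """Return (findings, redacted_opts) for one mounts entry."""
    findings, redacted = [], []
    opts = props.get("opts", [])
    for opt in opts:
        if opt.startswith("url=="):
            url = urlsplit(opt[len("url=="):])
            if url.password is not None:
                findings.append(
                    "cleartext password for user %r in opts url" % url.username)
                host = url.netloc.rpartition("@")[2]
                masked = url._replace(netloc="%s:***@%s" % (url.username, host))
                opt = "url==" + masked.geturl()
        redacted.append(opt)
    if "nosuid" not in opts:
        findings.append("nosuid missing from opts")
    return findings, redacted

if __name__ == "__main__":
    found, safe = audit_mount(parse_properties(SAMPLE))
    print("\n".join(found))
    print(safe)
```

The redacted list is the form to paste into tickets or mailing-list posts when sharing a mount configuration.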