Mac OS X SIG

Enable Logging with 10.7 SMBX (Windows File Sharing)

2011-08-01T23:13:41Z

Apple replaced Samba with SMBX, their home-cooked application for Windows File Sharing. By default, it doesn't do much logging. If you want to review logs, you'll have to edit the launchd item. Add the two extra ProgramArgument keys in bold below.

beteblanche:~ noahabrahamson$ sudo vi /System/Library/LaunchDaemons/com.apple.smbd.plist

...

    ProgramArguments
    
            /usr/sbin/smbd
            -debug
            -stdout

Now you can use syslog -w to review your logs in Terminal in real time.

syntax differences between autofs and mount_smbfs

2011-03-29T18:59:30Z

If you are trying to establish static CIFS (aka SMB) mounts on your Mac, here are a couple hints that might save some time and effort.

If you need to specify the domain (say, if you are using Active Directory credentials), you need to escape the semicolon that divides the domain and the username. So if your map file is /etc/auto_smb, then you could use something like this example.

	localmountpoint   -fstype=smbfs  ://DOMAIN\;username:password@nas.stanford.edu/sharepoint\$    

You also need to escape the dollar sign if have such a character on your remote server's sharepoint (plus any funky characters in your password). Thanks Adam! If you do not, you'll get errors like

		/sbin/mount_smbfs[2017] : smb_mount: mount failed to nas.stanford.edu/sharepoint : syserr = No such file or directory    

and the icon in the Mac's Finder will be a broken alias. Note that you may need to enable verbose logging (which isn't terribly verbose) in /etc/autofs.conf file to get these messages in your system.log file.

If you're using mount_smbfs (or mount -t smbfs) via command line, on the other hand, it's unnecessary to escape the trailing $, but acceptable.

It would seem that your autofs map file could have the username, domain and password configured on a different file, as measure of security. This is normally done like this:

	localmountpoint   -fstype=smbfs,credentials=/path/to/file  ://nas.stanford.edu/sharepoint\$    

But that will result in an error message, like

com.apple.automountd[341]: mount_smbfs: -o credentials: option not supported

...so it's important to safeguard the map file if you're going to expose the credentials in plain text (chown root:wheel and chmod to 600).

In the man page for mount_smbfs, the wording suggests we could use the -N flag to bypass a password prompt and instead have mount_smbfs consult /etc/nsmb.conf. It says, "

	Do not ask for a password. At run time, mount_smbfs reads the ~/Library/Preferences/nsmb.conf file for additional configuration parameters and a password. If no password is found, mount_smbfs prompts for it."    

However, the man page for nsmb.conf gives no indication that the password could be a valid key.

kickstart vs serveradmin for ARD ON/OFF

2010-12-03T19:25:43Z

I've always used the kickstart command to manage ARD. But little did I know that it can be managed using serveradmin too.

/usr/sbin/serveradmin settings info:enableARD = yes

...does the trick too!

Flipped mouse buttons, plist and MS Remote Desktop Connection

2010-12-02T19:37:44Z

For a while, I used a mouse with my laptop. Because I was dealing with some wrists issues, I had the buttons flipped so that the main clicking button was on the right side, and the "right click" button was actually on the left side. Over time, I lost the mouse and resumed using the trackpad.

What drove me nuts, however, was how my Microsoft Remote Desktop Connection connections still were programmed with the flipped buttons. Even though my trackpad on my Mac was now set back to the default arrangement, whenever I connected to a Windows machine, my buttons continued to be flipped. And since I connected to these particular Windows servers from different Macs, I had to keep flipping the right/left preference in Windows each time changed Macs.

Unfortunately, there's no evident way to reset your mouse button settings on a Mac laptop via the normal PreferencePane in System Preferences if you don't actually have a mouse attached. No mouse, no GUI.

I searched high and low for where that setting is kept so that I could reverse it, so my RDC connections would also be returned to normal too. For your information, the right/left mouse button configuration is configured in ~/Library/Preferences/ByHost/.GlobalPreferences.[yourMACaddress].plist. That's a hidden, binary-encoded plist that's unique to your Mac hardware, in your home folder.

To edit this file, you will need to convert it to XML using the plutil terminal command, then modify the structure using your favorite text editor. You could also just delete it and a new, default one will be created, but this is a big plist with lots of discrete preference settings. Or, you could use the Property List Editor.app included with Xcode. TextMate will also allow you to convert and edit the file accordingly.

diskutil command line secureErase options

2010-11-16T21:03:48Z

When I need to decommission a hard drive, it's necessary for me to to securely wipe the data prior to disposal. Stanford's data wiping policy is publicly accessible from the internet (though woefully out of date with the product recommendations—Mac OS 8 anyone?). It's usually not enough just to delete the files using the Finder or the rm command, since that action merely hides your files and makes their blocks eligible for possible future write-overs. Inexpensive file recovery software can usually return data when you simply delete files this way, to say nothing of real forensics software.
]]> You may know that your Mac's Disk Utility program has the "Secure Erase" option, where you can choose from three degrees of security. You can zero-out the data, which means the computer erases your data and writes over the drive with zeros. This is a minimal, but sometimes acceptable, data sanitization effort. You can also choose the seven-pass Department of Defense wipe, which takes longer, but makes data recovery nearly impossible. Then there's the 35-pass wipe, for the hyper vigilant and possibly neurotic.

Here is Apple's KB article on securely erasing a disk: http://support.apple.com/kb/TA24002

What you may not know is that the diskutil command line tool has two additional options. In addition to the single-pass zero-out, you can choose a single-pass write over with random numbers. I would expect that process to take as long as a zero-out effort with Disk Utility. I'm not sure exactly sure what the benefit here is, except that it would remove the known delta between the state prior to the zero-out and the zeros. That is, if you used forensic analysis to examine a drive and it's all zeros, and your sophisticated tools detect prior states, it's reasonable to understand that that prior state is likely true (since we know that the new state will always be a zero).

The other option with diskutil is what Apple labels a "DoE [Department of Energy] three-pass secure erase". I don't know much about this option.

Here is the man page for diskutil and the secureErase option; you can also just type diskutil secureErase at the prompt for the associated help.

Retrieving the password for Server Admin-generated Keys

2010-08-23T22:34:16Z

With Mac OS X Server, you can use Server Admin and the Certificate Assistant tools to create your private key for your server. In fact, when you start the server up, out of the box, one has already been created for you. You can use this key to create a certificate signing request (CSR) to send to your certificate authority (CA) to sign. If you do this, you will get a spiffy signed cert back, appropriate for securing your web server, chat server or a variety of other uses.

If you try to use this cert with your own version of Apache, however, you will encounter the default situation where httpd will ask for the password of that .crt file during the startup procedure.

Many admins choose to delete the password from this certificate to eliminate administrator intervention when restarting the service. The usual way this is done is to run the command openssl rsa -in /path/to/mycert.crt -out /output/path/ofmyclean.crt. (or the variant, openssl rsa -in key.pem -out newkey.pem if you are working with .pem-format certificates, which are the default if you use Server Admin.app to generate certs).

To run this command, you need to know the original password.

Intuitively, you might think that the password MOSXS uses to create this private key (and thus used to create the signed cert) would be the initial root password, or maybe the first eight characters of the serial number. Instead, it's a randomly generated password created by the system.

You can retrieve this password using the Keychain Access application. Search for the "Mac OS X Server certificate management" object of the type "application password". Double-click to examine this object and to reveal the password used by the system.

With this information, you can proceed with the openssl command to delete the password from your signed certificate. Note that you needn't have to worry about this if you're using the built-in Mac OS X services, since those programs will automatically consult the Keychain to get the password for the .crt file when starting up.

Binding your 10.6 Mac to the Campus OpenLDAP directory

2010-08-23T18:36:08Z

These instructions are Snow Leopard-specific. First, download the Stanford Directory Utility Template installer. It will install a property list file into your home directory, which will make configuring your Mac to use the campus OpenLDAP directory system even easier than before. This template holds the record and attribute matching information, so you don't need to edit much.

Next, launch Directory Utility. It's located in /System/Library/CoreServices folder. Edit the LDAPv3 service to add a new directory system. For the server name, enter ldap.stanford.edu in the field. The program will query the campus OpenLDAP directory, then ask you to choose a template for LDAP mapping. Since you just installed the Stanford LDAP template, choose that from the pull-down menu. Enter cn=accounts,dc=stanford,dc=edu for the searchbase.

You can configure other options as you see fit. You should also install the Kerberos Configuration Utility from the Essential Stanford Software site.

Chassis lock on Xserve prevents bootup

2010-02-23T18:15:06Z

I'm sure there are parameters here that I'm not acknowledging, but this is something that justifies jotting down for posterity. One of the Xserves I manage (Early 2009) has a quad fibre card with connections to two fibre different switches (an Emulex and Qlogic SanBox). If the server's chassis is locked (as if to prevent accidental ejection of the internal hard drives), bootup is prevented; all I get is a blinking folder on the screen. Unlock the chassis and the machine boots normally. In my experience, it doesn't seem to matter how the server was shutdown or started up, via LOM or at the console.

Though this behavior seems reasonable, it's still undesirable. After all, what's the point of remote lights-out reboots if you can't reboot, even when your machine is configured properly. Oftentimes, chassis are locked to prevent accidents, which increase in likelihood when a server is in a high traffic area. I suggest the desired behavior should be is for the system to note its state prior to the shutdown, and permit booting only when that state is maintained.

Level II Oplocks and Snow Leopard Server Samba

2010-01-26T19:28:56Z

If you do a testparm on your /etc/smb.conf file on Mac OS X Server 10.6, there's a good chance you'll see this message:

Level II oplocks can only be set if oplocks are also set.

You can read about "level2" or "level 2" opportunistic locking here in the official Samba HOWTO document (though it's written for v3.2 and Apple ships 3.0, I find it's almost entirely compatible and, in the least, quite informative). Here is what the document says,

Level2 Oplocks provides opportunistic locking for a file that will be treated as read only. Typically this is used on files that are read-only or on files that the client has no initial intention to write to at time of opening the file.

Level 2 oplocks appear to be something set to "true" or "on" by default. While Server Admin allows for enabling (plain old) oplocks and strict oplocks, there's no interface for setting level 2 oplocks off. But as the message indicates, it's effectively disabled without enabling locking in the first place.

If you do enable oplocks via Server Admin, and find the need to not have level 2 oplocks enabled too (for some odd reason — perhaps you're neurotically conscientious of your testparm output) you will need to specify this option explicitly on the share realm, not the global realm.

Hand-edit your /etc/smb.conf file, following the convention indicated by Apple (that is, make your changes at the bottom of the conf file, using [My Sharepoint] instead of [global], setting

level2 oplocks = no [or false, if you prefer]

For example,

			; Site-specific parameters can be added below this comment.

			; END required configuration.

			[global]

			    realm = stanford.edu

			    acl check permissions = no

			    nt acl support = no 

			    veto files = /Thumbs.db/.DS_Store/.TemporaryItems/TheVolumeSettingsFolder/TheFindByContentFolder/Temporary Items/Network Trash Folder/        
	
			[Projects]

			    path = /Shares/Projects     

			    acl check permissions = no 

			    nt acl support = no

			    level2 oplocks = no

Remember that Apple recommends using oplocks only on shares accessed via SMB only.

Snow Leopard's Samba adds unwanted directives to shares

2010-01-14T22:53:18Z

Update: Be sure to add the path of the share in your 10.6 edits suggested below.

There's an important behavioral difference between the version of Samba in Mac OS X Server 10.5 (Version 3.0.25b-apple) Snow Leopard's (Version 3.0.28a-apple) in the way it handles processing the /etc/smb.conf file and manages shares.

With 10.5 you could edit your /etc/smb.conf file include at least two directives in your custom [global] parameter set "acl check permissions = no" and "nt acl support = no" to address issues with locking and access. In some environments, these are very important to have, especially some Office documents and Windows XP clients.

With 10.6 however it appears you can't entirely rely on including these in your custom [global] section any longer, as recommended by Apple. You may need to append a share-specific parameter set with these two directives instead.

For example, at the end of /etc/smb.conf file:

	; Site-specific parameters can be added below this comment.

	; END required configuration.
	
	[global]

	    veto files = /Thumbs.db/.DS_Store/.TemporaryItems/TheVolumeSettingsFolder/TheFindByContentFolder/Temporary Items/Network Trash Folder/    

	[Test Share]

	    path = /Shares/Test Share

	    acl check permissions = no

	    nt acl support = no

I have a few ideas about what the problem might be.

]]> Samba distributions include a command called testparm; here is the man page for it. It checks the integrity of an smb.conf file, much like apachectl configtest does with Apache.

Running the testparm command yields different output when executed on a 10.5 or 10.6 machine. In 10.5, you do not see your shares in the output; in 10.6, you do. The results give insight into how Apple changed the way network shares are configured and implemented in Samba.

In the /etc/smb.conf file in 10.5, there's a usershare path = /var/samba/shares directive that hooks to a directory that contains discrete files for each sharepoint created using Server Admin. With 10.6, there's an include = /var/db/samba/smb.shares hook that instead points to a single file with all your shares, also as established by Server Admin. In 10.5, the testparm output doesn't show your shares; in 10.6, it does. What's going on?

The testparm command processes the /etc/smb.conf file the same way that smbd does, which is precisely the point. It processes not only the main conf file, but how smbd will see things after all the configuration hooks are taken into account. Interestingly, as 10.6 displays your shares, it shows acl check permissions = Yes and nt acl support = Yes. Strange.

Well, it's not strange that they're set to Yes (that's the default). It's strange because its explicitness suggests these control parameters are associated with the [share] realm. If that's the case, attempting to negate these parameters in the [global] realm (as suggested here) won't be (or shouldn't be) effective. Directive values are concentric; if you have a value set in the [global] realm, it will be overridden by any identical but conflicting directive in the tighter [share] realm.

If my understanding is correct, the fix used with 10.5 needs to be further refined for 10.6. We can still negate parameters above by appending the same control parameter, but with a different value, further down the /etc/smb.conf file. Apple wants us to do this at the end, underneath the comments section (which tacitly implies they won't munge your hand edits in future updates). We just need the same directive, but this time not in the [global] realm, but in the [share] realm, something like this example, which has additions in both realms:

; Site-specific parameters can be added below this comment.
; END required configuration.
[global]
    veto files = /Thumbs.db/.DS_Store/.TemporaryItems/TheVolumeSettingsFolder/TheFindByContentFolder/Temporary Items/Network Trash Folder/

[Test Share]
    acl check permissions = no
    nt acl support = no

So what's up? Well, my theory is that the usershare path inclusion for defining shares (like in 10.5) meant that any user with access to the directory specified in the path could effectively create a share. If you could write to that directory, you could create a file to tell smbd to present a share on the network. That's the point of the usershare directive: to empower non-root users.
But parameters like acl check permissions and nt acl support are very powerful and hugely affect filesystem access, so allowing non-root users to change all the variables on shares specified in the usershare path might be disallowed. In this case, the defaults for acl check permissions and nt acl support are Yes, and since I theorize you can't change these when also using usershare path, that effectively makes them global, overridable only by editing the restrictive/protected main smb.conf file.
In 10.6 though, Apple uses an include parameter instead to hook shares created by Server Admin. But wat remains unclear is why acl check permissions and nt acl support are still sticking closely to each share. Why does it take such an explicit un-doing of the default parameter? Defaults, when not explicit to the [share] realm, should also be un-doable at the [global] realm. So, to force Mac admins to make unique entries at the end of our /etc/smb.conf files seems the way to go for now.
At least, this is my hypothesis at this point.

ACLs not being properly honored in Samba with XP clients

2010-01-07T18:18:01Z

NB: Snow Leopard Server (10.6) handles directives on shares differently than with Leopard Server. Please also read this article if you are using Mac OS X Server 10.6 and Samba for new information on how to address the issues below.

Back in January 2008, I began to notice troublesome behavior with Windows clients connecting to my Mac OS X Server 10.5 fileserver. When some Windows clients, particularly Windows XP users, try to connect to a share, they can create a folder but can't change the name of the folder from "New Folder". Also, they can drop a file on the share, but not change that name, either. This always happened when activity was performed at the root level of the network share, while subfolders behaved as expected. If the network share had 777 (rwxrwxrwx) at the root level, all worked well, which indicated a permissions issue, not so much a communication issue. BUt it's the ACLs that caused grief. I posted this to the Mac OS X Server list hosted by Apple.

]]> Troubleshooting tips

One good tool is to use smbstatus to confirm the shares are valid and to see if people are working with files (indicated by being locked). You can also run the shares command to see your sharepoints. Double-check your ACLs by doing an ls -l@ and observe the output. Increase the verbosity of Samba logging by editing your /etc/smb.conf file, increasing the integer slightly, between one and ten (though five and above becomes very, very noisy).

Probable Solution

If you read the man page for smb.conf and search for nt acl support; you'll see information about how Samba matches Windows NT permissions to POSIX-style permissions. This was the method used by Windows XP, while later versions of Windows used the more Windows-like ACLs which is analogous to Mac OS X ACLs. The net effect was that XP read the permissions in an undesirable way, paying attention to Samba's method instead of Mac OS X Server's method. We want the server OS to control access, not Samba.

Edit your /etc/smb.conf file to add nt acl support = no where appropriate — at the end of the file below the notes, in its own [Global]section. Do not edit the hooked /var/db/smb.conf file because that's associated with Server Admin (which writes to an XML file while another process converts that into a Samba conf file — change it here and it will likely get wiped).

See also
• Samba in 10.6 adds two directives to any share that must be manually overridden. • (Somewhat deprecated) Samba + OpenLDAP + Kerberos + AFP + Leopard = ♥
Guide
• Samba and extended attributes
• Samba and ADS
• Hiding directories in Samba that have spaces in the name
• Scary Excel "Share Workbook" feature behavior with Samba (See also Apple KB article.)
• Invalid characters in extended attributes on Samba directories

Extended attributes, Office 2007 clients via SMB from Xsan

2009-12-17T07:51:51Z

We recently deployed Mac OS X 10.6.2 Server, sharing files on an Xsan volume via Samba to Windows users with Office 2007. When these PC users try to download or open the file, however, they got this warning, "Error Copying File or Folder. Cannot copy FILENAME: Cannot find the specified file. Make sure you specify the correct path and file name."

Some forums suggested adding two parameters at the very end of your /etc/smb.conf file:

[global]
ea support = yes
stream support = no

I've edited this entry to reflect some changes in late 10.6 Samba releases. Further, with the right smb.conf configuration, the changes below to various EAs don't need to be made.

We I noticed that I could download the .doc files to my Mac via AFP, make a neglible modification and save the file, then upload it back to the SAN, my Windows colleagues could then view the file. When I did an ls -l@ on the file, I could see that this process added the com.apple.ResourceFork extended attribute. At this point, the modified Office files could be opened by my PC friends.

So, ironically, rather than deleting the EAs, I needed to apply this EA to the right files. It's probably OK to write this EA on each file and directory, but that's a little heavy handed. So instead, I executed this command:

find /Shares/Docs -name "*.doc" -print0 | xargs -0 sudo xattr -w com.apple.ResourceFork  

This will find the files with the .doc extension in my /Shares/Docs, add the extended attribute, and make everyone happy.

If you want to make it more thorough, you could try:

find . \( -name "*.doc" -or -name "*.docx" -or -name "*.xls" -or -name "*.xlsx" -or -name "*.ppt" -or -name "*.pptx" \) -print0 | xargs -0 xattr -w com.apple.ResourceFork   

One possible issue, though, is that if you apply this command too high up the hierarchy, it seems to make a problem. You might get this error: unable to execute /usr/bin/xattr: Argument list too long

You may wish to recursively apply this further down the directory tree.

Build WebAuth with Mac OS X Server 10.6 (Snow Leopard)

2009-11-13T05:44:32Z

WebAuth (cf developer link) can be built cleanly on Mac OS X Server 10.6 with no additional flags or configuration edits. Just ./configure, make and sudo make install. Because of the changes in Snow Leopard server, you can now use WebAuth while continuing to use Apple's Server Admin.app tool to manage your web server.

This is different than with Mac OS X 10.5, which has an httpd built with 64- and 32-bit PowerPC and x86 architectures. WebAuth, like many other Apache modules, did not build properly, since each module needed to be of four architectures, too. (Instructions for Leopard Server are here. For instructions on installing WebAuth on other Unix-like operating systems, see here.)

Here's a list of things that are, I think, unique to the process of installing and using WebAuth on Mac OS X Server 10.6, after the jump.

]]>

To compile WebAuth you'll need both remctl and wallet (necessary if you're a Stanford affiliate, so you can create stanford.edu keytabs).
To compile anything, you need Apple's free Xcode developer tools.
Modules live in /usr/libexec/apache2. The WebAuth build process properly uses apsx to sort things in the proper location.
The main httpd.conf live in /etc/apache2 while virtual hosts are called sites and live in /etc/apache2/sites. There is no extras directory, so all the other conf files live in /etc/apache2 too (plus there's no man or bin directories here either — those files are in their OS locations).
Unlike tweaks on /etc/smbd.conf, you can make your httpd.conf edits anywhere. If your parameters conflict with what's entered via Server Admin, the entry closest to the end of the conf file wins.
Your WebAuth folder, then, also lives in /etc/apache2.
The user/group that httpd runs as is _www (aka www); this is already in the default httpd.conf, along with entries specific to the HFS filesystem and other unique Mac OS X attributes like forked files.
Once you install the WebAuth modules, you can use Server Admin.app to enable/disable them. This still all writes to httpd.conf. The don't appear automatically. Either add them graphically using Server Admin or write them out manually in the httpd.conf file.
Apache is started using a launchd item at /System/Library/LaunchDaemons/org.apache.httpd.plist.
The default webroot is /Library/WebServer/Documents — think of this as the htdocs directory.
SSL certificates live in /etc/certificates; Server Admin creates httpd.conf files with proper paths to this directory, but you need to make hand edits if you have intermediate certificates.
Certificates are commonly managed using Server Admin.app too.
Although you'll see /private/etc/apache2/servermgr_web_apache2_config.plist, don't mess with this. That's what Server Admin.app writes to; if you edit this, you'll break the internet. The thing that takes Server Admin's XML values and schmooshes it into httpd.conf is /usr/share/servermgrd/bundles/servermgr_web.bundle/Contents/MacOS/servermgr_web.
Don't hook stanford-webauth.conf using an include in httpd.conf. Instead, for some odd reason, you need to write out all those values in httpd.conf itself (wherever, but mine are at the end of the conf file).

WebAuthLdapKeytab webauth/keytab
WebAuthLdapTktCache webauth/krb5cc_ldap
WebAuthLdapHost ldap.stanford.edu
WebAuthLdapBase cn=people,dc=stanford,dc=edu
WebAuthLdapAuthorizationAttribute suPrivilegeGroup
WebAuthKeyring "/etc/apache2/webauth/keyring"
WebAuthKeytab "/etc/apache2/webauth/keytab"
WebAuthServiceTokenCache webauth/service_token_cache
WebAuthLoginURL https://weblogin.stanford.edu/login/
WebAuthWebKdcURL https://weblogin.stanford.edu/webkdc-service/
WebAuthWebKdcPrincipal service/webkdc@stanford.edu
WebAuthSSLRedirect on
WebAuthDebug off

Don't put WebAuth access restrictions parameters in your main httpd.conf. Server Admin.app will complain (accurately) it can't create charts and graphs to display in that applications monitoring window. This is because it's effectively prohibited by WebAuth itself. You'll see a message like this in your system.log.

Nov 12 00:23:26 crc-resources servermgrd[86]: servermgr_web: In request for status, web service returned unexpected response code: 500; Server Admin Web graphs may be inaccurate.

You need to move your WebAuth parameters to the specific vhost file in /etc/apache2/sites instead. This needs to be a hand-edit, since Server Admin doesn't permit raw editing of the configuration files.
Using mod_webauthldap.so, you need to create a symlink where /usr/webauth is created to point to /etc/apache2/webauth. There is probably a flag that could be used to compile this module differently, but the symlink works just as well.
You can set ACLs on the web-hosted directories and on /etc/apache2/webauth using Server Admin if you create a symlink targeted to some directory otherwise visible to the Finder.

That's it. We use WebAuth on a Snow Leopard server quite well, with different parts of the file system served to different groups. Some web roots are also AFP and CIFS shares, which permit read/write to authenticated users. Another nice feature available with the built-in Apache 2.2 service is that administration can be controlled by service access controls, allowing granular privileges to users and groups designated either web server admins or monitors. It's a more elegant solution to use Apple tools on Mac web servers without having to resort to building and managing your own Apache installation and fighting with Webmin for GUI management.

UPDATE: Be wary that Server Admin may write over /etc/apache2/sites/yourwebsite and remove the AuthType WebAuth directive. You'll see the notices in the Apache error log.

Hiding directories containing spaces in Samba

2009-10-20T23:27:38Z

When configuring Samba 3 to hide Mac-specific directories from Windows users, I typically edit /etc/smb.conf on my Mac OS X Server, using either

veto files =
hide files =

This worked fine — until it didn't. Seems I wasn't doing it properly.

There's a lot of (typically legacy) HFS detritus sprinkled around on a Mac server. When both AFP and SMB are enable, Windows users see these bits and pieces, much to their confusion. (These files and directories are invisible to Macs.)

Originally, I had this at the end of my smb.conf file, but once I added the final veto files = option below at the bottom, I was disappointed things didn't work as expected.

[global]
  veto files = /Thumbs.db/
  veto files = /.DS_Store/
  veto files = /.TemporaryItems/
  veto files = /Network Trash Folder/

It seems I was incorrectly adding the files and directories in my smb.conf file. That last line refers to a directory that has a space in the middle. When I did a

sudo serveradmin stop smb; serveradmin start smb

they still were there, staring out at me. (By the way, I'm not confident in the smbcontrol reload-config command, since smbd is controlled by launchd on a Mac. I just do a quick severadmin command.) NB: The slashes have nothing to do with the filename or with a path. See this entry in the SMB book from O'reilly. They're there just so smbd properly parses out when an entry starts and ends. But it's the space that tripped things up.
So it seems what I needed to do was to group all the files and directories into one line, like what's below.

  veto files = /Thumbs.db/.DS_Store/.TemporaryItems/TheVolumeSettingsFolder/TheFindByContentFolder/Temporary Items/Network Trash Folder/  

That was the trick. I'm not sure why, because seemingly the individual entries should work just as well as the string of filenames. Now those Mac filenames are now hidden from my Windows users.

Removing ADS for Samba Users

2009-10-16T18:02:14Z

Occasionally, I get a call that my Windows users connected to my Samba server on Mac OS X Server 10.5 can't manipulate a file. They get various errors when trying to open or download the file. The problem seems to be random but consistent; some files show problems, others are fine — even in the same directory.

Consider whether the problem is related to Windows NTFS alternate data streams (ADS). (See also the Wikipedia article.) You can see whether this is the case using the Terminal.

[root@hsd-data-server 10:48:10 /Files/Annoyances]# ls -l@
total 184
-rw-r--r--@ 1 bobjones  finances  26112 Sep 21 09:13 FY_10_budget.xls  
 :ZONE.IDENTIFIER:$DATA	   26 
-rw-r--r--@ 1 janedoe  finances  62464 Sep 21 09:13 FY_11_budget.xls  
 :ZONE.IDENTIFIER:$DATA	   26 

The extended attribute is the :ZONE.IDENTIFIER:$DATA part and needs to be whacked off. It's expendable. One command uses the xattr command. (Note that you'll need to escape the dollar sign.)

xattr -d :ZONE.IDENTIFIER:\$DATA senate.xls

There are (at least) two additional ways to handle these.

]]> One way is script out a recursive command to run against a directory tree. This blog gives an example of a shell script to execute.

Perhaps the best way is to modify your /etc/smb.conf file to ignore these altogether. Here's an example of the smb.conf file I use on my servers. The critical part here is the last line. Pay special attention to the commented instructions from Apple at the end of the document about where to put your additions (otherwise they risk being wiped out.).

; Site-specific parameters can be added below this comment.
; END required configuration.
[global]
    use kerberos keytab = yes
    realm = stanford.edu
    acl check permissions = no
    veto files = /Thumbs.db/


    veto files = /.DS_Store/
    veto files = /.TemporaryItems/
    client use spnego = yes
    client NTLMv2 auth = no
    client lanman auth = no
    client plaintext auth = no
    lanman auth = no
    log level = 1
    nt acl support = no

This will obviate the need to selectively use the xattr command; I've found no negative consequences of this addition.