Monthly Archives: June 2012

It is useful to have a mail server running on the server machine. For example, the S.M.A.R.T. monitoring daemon can let me know when a problem occurs with one of the disks. Here is a very detailed guide on how to set up postfix.

Setting up the server so files created on a share are always readable (and writeable) by a group proved to be a bit tricky. Lion clients tend to create files that are only accessible by the user who created them. It works well for private folders, but creates problems for common shares like media archives. If one user saves a photo on the common share, another user cannot access it even if they are both in the same group. So here are the steps to share the share:

  1. assign a common group to the share: sudo chgrp -R media /Volumes/Media
  2. set the setgid bit on the directory, so files created in the directory have the required group ownership: sudo chmod g+s /Volumes/Media
  3. set ACL for the media group to allow reading and writing on the share and set the inheritance to files, folders, and descendants. You can do it from a command line; I used Sandbox, a free tool by Michael Watson.
  4. propagate the ACL permission down the share subtree. Use Sandbox.
  5. enable ACL for samba shares: sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.smb.server AclsEnabled -bool YES
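
A quick way to check the result of steps 1 and 2 across the whole tree, added here as an example and not part of the original post. `audit_share` and its finding labels are made-up names; it checks setgid on every directory, which is stricter than step 2, and it does not read the ACLs from steps 3 to 5.

```shell
#!/bin/sh
# Added example (not from the original post): audit a shared tree for the
# group ownership and mode problems that steps 1 and 2 are meant to fix.
# usage: audit_share DIR GROUP
# Prints one "<finding> <path>" line per problem; prints nothing when clean.

audit_share() {
    dir=$1
    group=$2   # group name or numeric gid

    # Step 1: every entry should belong to the shared group.
    find "$dir" ! -group "$group" -exec printf 'wrong-group %s\n' {} \;

    # Step 2, applied to every directory: setgid keeps the group on new files.
    find "$dir" -type d ! -perm -2000 -exec printf 'no-setgid %s\n' {} \;

    # Files whose mode bits alone do not give the group read and write.
    # These are the files that depend entirely on the ACL from step 3.
    find "$dir" -type f ! -perm -060 -exec printf 'mode-not-group-rw %s\n' {} \;

    # Nothing on a group share needs to be writable by everyone.
    find "$dir" ! -type l -perm -002 -exec printf 'world-writable %s\n' {} \;
}

# When run as a script with two arguments, audit that tree, for example:
#   sh audit_share.sh /Volumes/Media media
if [ "$#" -eq 2 ]; then
    audit_share "$1" "$2"
fi
```

A `mode-not-group-rw` line is not necessarily a fault on this setup: such a file relies on the inherited ACL, which `ls -le` displays on OS X.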

The new samba file sharing in Lion (and in Mountain Lion) breaks things sometimes. I have a zfs drive that I’m sharing using samba from Lion and a strange thing is happening: I cannot see the share from the command line on another machine:

> mount -t smbfs '//user:pwd@server.local/Media' /Users/user/Media
mount_smbfs: server rejected the connection: Authentication error

However, if I go to the server, disable and enable file sharing, everything works as expected. I traced the problem to a race condition during the server OS startup. Apparently, file sharing starts up before some security configuration is finalized, so when I try to mount the share, the server fails to correctly authenticate the request (I see errors in kdc.log: NTLM domain not configured). If I restart the file sharing, all the prerequisites are in place and authentication succeeds. I added a small startup script to /Library/LaunchDaemons that restarts smbd after the system is done loading:

cat > com.me.restart_smb.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>Label</key>
        <string>com.me.restart_smb</string>
        <key>ProgramArguments</key>
        <array>
        <string>/bin/bash</string>
        <string>-c</string>
        <string>sleep 60;touch "/Library/Preferences/SystemConfiguration/com.apple.smb.server.plist"</string>
        </array>
        <key>RunAtLoad</key>
        <true/>
</dict>
</plist>

Update: Do not forget to change the owner of the file to root and change the permissions:

sudo chown root:wheel com.me.restart_smb.plist
sudo chmod 0644 com.me.restart_smb.plist

It will ask you for an administrator password.