Samba Config Help - Permissions?
 

I am replacing an old system running RH9 with a new one running CentOS5, this system is a fileserver only.

On the old RH9 system I had it configured so that one Samba user had no password, this user has read only access to the server and is the Windows user on my Mame arcade system (no keyboard so it's impossible to have a password on that system).

I can not figure out how to get it configured the same way on my new CentOS5 system. I created the user, deleted the user's password, added the user to the Samba Users list, and still no go.

Can someone please provide a bit of assistance on this???

I'd like to add to this and also post the smb.conf as requested.

I was just testing further and found that a user, apape, has read access to some shares (data, and mp3) yet not write access, and this user does not have any access to another share (rosanne). The user apape is in the following groups: apape, rmusel, root. Also the user apape has no access to their own home directory.

To further add to this, the user rmusel has read access to data and mp3 as they should. This user has no access to rosanne nor their own home directory.

Clearly something is off on my permissions, I just do not know what. I have the same share settings as I did in the RH9 system and everything there worked perfectly. :(

Here's what is in my smb.conf file.

It's probably SELinux - try it with it off

setenforce 0

and if that works, put it back on (setenforce 1), then read the SELinux notes in your config

It does appear as though SELinux is in part the issue.
I just found some additional info! It looks like Samba is alright, it's SELinux that is the issue. Without disabling it all together, how do I resolve this? Yes, I know that there's a line there stating how to fix it...that's only for this one file though, I need this resolved for ALL files already on the file server as well as ALL files that will be placed on it in the future. Here's the info from the SELinux Troubleshooter log.

Summary
SELinux is preventing samba (/usr/sbin/smbd) "rename" to New Text Document.txt (root_t).

Detailed Description
SELinux denied samba access to New Text Document.txt. If you want to share this directory with samba it has to have a file context label of samba_share_t. If you did not intend to use New Text Document.txt as a samba repository it could indicate either a bug or it could signal a intrusion attempt.A

llowing Access
You can alter the file context by executing chcon -R -t samba_share_t New Text Document.txt

The following command will allow this access:chcon -R -t samba_share_t New Text Document.txt

Additional Information
Source Context: system_u:system_r:smbd_t
Target Context: system_u:object_r:root_t
Target Objects: New Text Document.txt [ file ]
Affected RPM Packages: samba-3.0.25b-1.el5_1.4 [application]
Policy RPM: selinux-policy-2.4.6-106.el5_1.3
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Enforcing
Plugin Name: plugins.samba_share
Host Name: warehouse.apape.net
Platform: Linux warehouse.apape.net 2.6.18-53.1.21.el5 #1 SMP Tue May 20 09:34:18 EDT 2008 i686 i686
Alert Count: 6
Line Numbers:
Raw Audit Messages :
avc: denied { rename } for comm="smbd" dev=dm-0 egid=500 euid=500 exe="/usr/sbin/smbd" exit=-13 fsgid=500 fsuid=500 gid=0 items=0 name=4E6577205465787420446F63756D656E742E747874 pid=11516 scontext=system_u:system_r:smbd_t:s0 sgid=0 subj=system_u:system_r:smbd_t:s0 suid=0 tclass=file tcontext=system_u:object_r:root_t:s0 tty=(none) uid=500

Guessing a bit here, but let's see how we go. Assume the directory you are working on in /smb

#chcon -t samba_share_t /smb

and either

#chcon -t samba_share_t /smb/*

or

#restorecon /smb

I think that should fix both current and future problems.

If not, you can turn SELinux off for samba with setsebool -P spamd_disable_trans 1

A couple questions..can you please tell me what each of the above *con commands does? How will this fix issues with any new files placed on the shares?

I know nothing about SELInux.

I'm no expert either, but manage to work within it. See http://fedoraproject.org/wiki/SELinux for a great resource on the whole concept.

From the samba config (or at least mine)

Edit - you can check the context of any dile/directory prior to changing it with the -Z argument to ls (ie ls -lZ gives long format with context)

Looks like everything with SELinux is all good now. Although I do still have an issue with access to one share. The /data and /mp3 are working perfectly (even with SELinux turned on) as best as I can tell, even my Mame system with the user that has no password is working now! On the other hand the /rosanne share will not allow any access by any user (even rmusel who is the owner) what so ever!

In case anyone asks what the ownership of this directory is, here it is:

drwxr-xr-x 6 rmusel rmusel 4096 Jun 7 23:35 rosanne

So as you can see the ownership is correct as is the set up in the smb.conf to the best of my knowledge. Any thoughts/ideas how to resolve this?

Try

setsebool -P spamd_enable_home_dirs 1

if you are talking about /home/rosanne

Nope, not talking about /home/rosanne talking about /rosanne and I've already enabled homes by using

setsebool -P samba_enable_home_dirs on

My smb.conf file is in my first post above if that would help any.

Not sure if this is the cause, but you're setting a goup level write list, but the group doesn't have write permissions to the directory. I know you are forcing the use, hence my doubt.

I'd still try either setting write list = rmusel or chmod'ing g+w to /rosanne and see what happens.

Anything in the logs?

Also - is /rosanne on the same partition as the other working shares?

Check ls -lZ /rosanne as well

The fact that /rosanne does not have write permission for the group should not matter especially since nobody even has read access. This directory is set up the same as the other shares which are working properly, below is the output of an ll command (as per the smb.conf the other shares are /data and /mp3):

What log(s) would you like to see info from? Also, here's the output of an ls -lZ command as requested:

Not quite sure what you mean that nobody has read access. Anyone has read access at the OS level, and the supposed action of your share definition would be to give anyone in the rmusel group write access (which implies read btw). Samba can do some apparently odd things and allowing rights to a group that the directory won't allow may (and I stress may rather than will) could be the issue.

Things I'd try.

Change

"write list = @rmusel" to "write list = rmusel"

Try a definition you know works and adjust that, do something like

Then add controls one by one

Also, you didn't answer the partition issue - is /roseanne on the same partition/moint point as /mp3? "mount" will tell you

By 'nobody has access' I mean via Samba nobody has any access at all, not even to read the share. When anybody, even rmusel, attempts to access /rosanne from a Windows system via Samba they get an error something like '\\warehouse\rosanne not available....you may not have permission.....check with your administrator....the group name could not be found.'

After changing "write list = @rmusel" to "write list = rmusel" the same kind of error is being thrown as above (yes, I did restart the smb serveice after making the change).

The definitions for /rosanne are near identical to those of /data already. I'll do a chmod on /rosanne to 774 and see if that helps any.

Here's the output of the the mount command:

Update: I did chmod on /rosanne to 774 and am getting the same results.

Did you try a revised share definition as suggested?