Samba Config Help - Permissions?
I am replacing an old system running RH9 with a new one running CentOS5, this system is a fileserver only.
On the old RH9 system I had it configured so that one Samba user had no password, this user has read only access to the server and is the Windows user on my Mame arcade system (no keyboard so it's impossible to have a password on that system). I cannot figure out how to get it configured the same way on my new CentOS5 system. I created the user, deleted the user's password, added the user to the Samba Users list, and still no go. Can someone please provide a bit of assistance on this???

I'd like to add to this and also post the smb.conf as requested. I was just testing further and found that a user, apape, has read access to some shares (data, and mp3) yet not write access, and this user does not have any access to another share (rosanne). The user apape is in the following groups: apape, rmusel, root. Also the user apape has no access to their own home directory.

To further add to this, the user rmusel has read access to data and mp3 as they should. This user has no access to rosanne nor their own home directory. Clearly something is off on my permissions, I just do not know what. I have the same share settings as I did in the RH9 system and everything there worked perfectly. :(

Here's what is in my smb.conf file. Code:
# This is the main Samba configuration file. You should read the |
It's probably SELinux - try it with it off
setenforce 0 and if that works, put it back on (setenforce 1), then read the SELinux notes in your config |
It does appear as though SELinux is in part the issue.
I just found some additional info! It looks like Samba is alright, it's SELinux that is the issue. Without disabling it altogether, how do I resolve this? Yes, I know that there's a line there stating how to fix it... that's only for this one file though, I need this resolved for ALL files already on the file server as well as ALL files that will be placed on it in the future. Here's the info from the SELinux Troubleshooter log.

Summary
SELinux is preventing samba (/usr/sbin/smbd) "rename" to New Text Document.txt (root_t).

Detailed Description
SELinux denied samba access to New Text Document.txt. If you want to share this directory with samba it has to have a file context label of samba_share_t. If you did not intend to use New Text Document.txt as a samba repository it could indicate either a bug or it could signal a intrusion attempt.

Allowing Access
You can alter the file context by executing chcon -R -t samba_share_t New Text Document.txt
The following command will allow this access:
chcon -R -t samba_share_t New Text Document.txt

Additional Information
Source Context: system_u:system_r:smbd_t
Target Context: system_u:object_r:root_t
Target Objects: New Text Document.txt [ file ]
Affected RPM Packages: samba-3.0.25b-1.el5_1.4 [application]
Policy RPM: selinux-policy-2.4.6-106.el5_1.3
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Enforcing
Plugin Name: plugins.samba_share
Host Name: warehouse.apape.net
Platform: Linux warehouse.apape.net 2.6.18-53.1.21.el5 #1 SMP Tue May 20 09:34:18 EDT 2008 i686 i686
Alert Count: 6
Line Numbers:

Raw Audit Messages :
avc: denied { rename } for comm="smbd" dev=dm-0 egid=500 euid=500 exe="/usr/sbin/smbd" exit=-13 fsgid=500 fsuid=500 gid=0 items=0 name=4E6577205465787420446F63756D656E742E747874 pid=11516 scontext=system_u:system_r:smbd_t:s0 sgid=0 subj=system_u:system_r:smbd_t:s0 suid=0 tclass=file tcontext=system_u:object_r:root_t:s0 tty=(none) uid=500 |
Guessing a bit here, but let's see how we go. Assume the directory you are working on is /smb
# chcon -t samba_share_t /smb
and either
# chcon -t samba_share_t /smb/*
or
# restorecon /smb
I think that should fix both current and future problems. If not, you can turn SELinux off for samba with
setsebool -P smbd_disable_trans 1 |
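Added example (editor's illustration, not part of any post in this thread): a small parser for the raw AVC message quoted above. It decodes the hex-encoded `name=` field and, for an smbd_t denial on a file that is not labelled samba_share_t, prints a persistent labelling rule using `semanage fcontext` plus `restorecon`, so that a later relabel does not undo a one-off `chcon`. The function names are hypothetical, and `/data` is assumed to be the share root because it is one of the shares named in the thread.

```python
import re
import shlex

# Raw audit message copied from the SELinux Troubleshooter output in the thread.
AVC_FROM_THREAD = (
    'avc: denied { rename } for comm="smbd" dev=dm-0 egid=500 euid=500 '
    'exe="/usr/sbin/smbd" exit=-13 fsgid=500 fsuid=500 gid=0 items=0 '
    'name=4E6577205465787420446F63756D656E742E747874 pid=11516 '
    'scontext=system_u:system_r:smbd_t:s0 sgid=0 '
    'subj=system_u:system_r:smbd_t:s0 suid=0 tclass=file '
    'tcontext=system_u:object_r:root_t:s0 tty=(none) uid=500'
)


def parse_avc(line):
    """Parse one AVC denial into a dict, or return None if it is not one."""
    m = re.search(r'avc:\s+denied\s+\{([^}]*)\}', line)
    if not m:
        return None
    rec = {"perms": m.group(1).split()}
    # key=value pairs; values are either "quoted" or bare tokens
    for key, quoted, bare in re.findall(r'(\w+)=(?:"([^"]*)"|(\S+))', line):
        rec[key] = quoted if quoted else bare
    # The audit subsystem hex-encodes names containing spaces or other
    # special characters and writes them without quotes.
    name = rec.get("name", "")
    was_quoted = f'name="{name}"' in line
    if not was_quoted and re.fullmatch(r'(?:[0-9A-Fa-f]{2})+', name):
        rec["name"] = bytes.fromhex(name).decode("utf-8", "replace")
    # SELinux contexts are user:role:type[:level]; the type is field 3
    rec["source_type"] = rec.get("scontext", ":::").split(":")[2]
    rec["target_type"] = rec.get("tcontext", ":::").split(":")[2]
    return rec


def label_fix(rec, share_root):
    """Commands that label share_root persistently, or [] if not applicable."""
    if rec is None or rec["source_type"] != "smbd_t":
        return []
    if rec["target_type"] == "samba_share_t":
        return []  # already labelled; the denial has another cause
    root = share_root.rstrip("/")
    return [
        "semanage fcontext -a -t samba_share_t " + shlex.quote(root + "(/.*)?"),
        "restorecon -R -v " + shlex.quote(root),
    ]


if __name__ == "__main__":
    record = parse_avc(AVC_FROM_THREAD)
    print(record["perms"], repr(record["name"]), record["target_type"])
    for cmd in label_fix(record, "/data"):  # /data: assumed share root
        print(cmd)
```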
Quote:
I know nothing about SELinux. |
I'm no expert either, but manage to work within it. See http://fedoraproject.org/wiki/SELinux for a great resource on the whole concept.
From the samba config (or at least mine) Quote:
|
Looks like everything with SELinux is all good now. Although I do still have an issue with access to one share. The /data and /mp3 are working perfectly (even with SELinux turned on) as best as I can tell, even my Mame system with the user that has no password is working now! On the other hand the /rosanne share will not allow any access by any user (even rmusel who is the owner) whatsoever!
In case anyone asks what the ownership of this directory is, here it is:
drwxr-xr-x 6 rmusel rmusel 4096 Jun 7 23:35 rosanne
So as you can see the ownership is correct as is the set up in the smb.conf to the best of my knowledge. Any thoughts/ideas how to resolve this? |
Try
setsebool -P samba_enable_home_dirs 1
if you are talking about /home/rosanne |
Nope, not talking about /home/rosanne, talking about /rosanne, and I've already enabled homes by using
setsebool -P samba_enable_home_dirs on
My smb.conf file is in my first post above if that would help any. |
Not sure if this is the cause, but you're setting a group level write list, but the group doesn't have write permissions to the directory. I know you are forcing the use, hence my doubt.
I'd still try either setting write list = rmusel or chmod'ing g+w to /rosanne and see what happens. Anything in the logs? Also - is /rosanne on the same partition as the other working shares? Check ls -lZ /rosanne as well |
The fact that /rosanne does not have write permission for the group should not matter especially since nobody even has read access. This directory is set up the same as the other shares which are working properly, below is the output of an ll command (as per the smb.conf the other shares are /data and /mp3):
Code:
[root@warehouse /]# ll Code:
[root@warehouse /]# ls -lZ |
Quote:
Things I'd try. Change "write list = @rmusel" to "write list = rmusel". Try a definition you know works and adjust that, do something like Code:
[roseanne] Also, you didn't answer the partition issue - is /roseanne on the same partition/mount point as /mp3? "mount" will tell you |
By 'nobody has access' I mean via Samba nobody has any access at all, not even to read the share. When anybody, even rmusel, attempts to access /rosanne from a Windows system via Samba they get an error something like '\\warehouse\rosanne not available....you may not have permission.....check with your administrator....the group name could not be found.'
After changing "write list = @rmusel" to "write list = rmusel" the same kind of error is being thrown as above (yes, I did restart the smb service after making the change). The definitions for /rosanne are near identical to those of /data already. I'll do a chmod on /rosanne to 774 and see if that helps any. Here's the output of the mount command: Code:
[root@warehouse /]# mount |
Update: I did chmod on /rosanne to 774 and am getting the same results.
|
Did you try a revised share definition as suggested?
|