Linux - NewbieThis Linux forum is for members that are new to Linux.
Just starting out and have a question?
If it is not in the man pages or the how-to's this is the place!
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I am replacing an old system running RH9 with a new one running CentOS5, this system is a fileserver only.
On the old RH9 system I had it configured so that one Samba user had no password, this user has read only access to the server and is the Windows user on my Mame arcade system (no keyboard so it's impossible to have a password on that system).
I can not figure out how to get it configured the same way on my new CentOS5 system. I created the user, deleted the user's password, added the user to the Samba Users list, and still no go.
Can someone please provide a bit of assistance on this???
I'd like to add to this and also post the smb.conf as requested.
I was just testing further and found that a user, apape, has read access to some shares (data, and mp3) yet not write access, and this user does not have any access to another share (rosanne). The user apape is in the following groups: apape, rmusel, root. Also the user apape has no access to their own home directory.
To further add to this, the user rmusel has read access to data and mp3 as they should. This user has no access to rosanne nor their own home directory.
Clearly something is off on my permissions, I just do not know what. I have the same share settings as I did in the RH9 system and everything there worked perfectly.
Here's what is in my smb.conf file.
Code:
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options (perhaps too
# many!) most of which are not shown in this example
#
# For a step to step guide on installing, configuring and using samba,
# read the Samba-HOWTO-Collection. This may be obtained from:
# http://www.samba.org/samba/docs/Samba-HOWTO-Collection.pdf
#
# Many working examples of smb.conf files can be found in the
# Samba-Guide which is generated daily and can be downloaded from:
# http://www.samba.org/samba/docs/Samba-Guide.pdf
#
# Any line which starts with a ; (semi-colon) or a # (hash)
# is a comment and is ignored. In this example we will use a #
# for commentry and a ; for parts of the config file that you
# may wish to enable
#
# NOTE: Whenever you modify this file you should run the command "testparm"
# to check that you have not made any basic syntactic errors.
#
#---------------
# SELINUX NOTES:
#
# If you want to use the useradd/groupadd family of binaries please run:
# setsebool -P samba_domain_controller on
#
# If you want to share home directories via samba please run:
# setsebool -P samba_enable_home_dirs on
#
# If you create a new directory you want to share you should mark it as
# "samba-share_t" so that selinux will let you write into it.
# Make sure not to do that on system directories as they may already have
# been marked with othe SELinux labels.
#
# Use ls -ldZ /path to see which context a directory has
#
# Set labels only on directories you created!
# To set a label use the following: chcon -t samba_share_t /path
#
# If you need to share a system created directory you can use one of the
# following (read-only/read-write):
# setsebool -P samba_export_all_ro on
# or
# setsebool -P samba_export_all_rw on
#
# If you want to run scripts (preexec/root prexec/print command/...) please
# put them into the /var/lib/samba/scripts directory so that smbd will be
# allowed to run them.
# Make sure you COPY them and not MOVE them so that the right SELinux context
# is applied, to check all is ok use restorecon -R -v /var/lib/samba/scripts
#
#--------------
#
#======================= Global Settings =====================================
[global]
# ----------------------- Netwrok Related Options -------------------------
#
# workgroup = NT-Domain-Name or Workgroup-Name, eg: MIDEARTH
#
# server string is the equivalent of the NT Description field
#
# netbios name can be used to specify a server name not tied to the hostname
#
# Interfaces lets you configure Samba to use multiple interfaces
# If you have multiple network interfaces then you can list the ones
# you want to listen on (never omit localhost)
#
# Hosts Allow/Hosts Deny lets you restrict who can connect, and you can
# specifiy it as a per share option as well
#
workgroup = apape.net
server string = Samba Server Version %v
netbios name = Warehouse
; interfaces = lo eth0 192.168.12.2/24 192.168.13.2/24
; hosts allow = 127. 192.168.12. 192.168.13.
hosts allow = 192.168.12. 127.
# --------------------------- Logging Options -----------------------------
#
# Log File let you specify where to put logs and how to split them up.
#
# Max Log Size let you specify the max size log files should reach
# logs split per machine
log file = /var/log/samba/%m.log
# max 50KB per log file, then rotate
max log size = 50
# ----------------------- Standalone Server Options ------------------------
#
# Scurity can be set to user, share(deprecated) or server(deprecated)
#
# Backend to store user information in. New installations should
# use either tdbsam or ldapsam. smbpasswd is available for backwards
# compatibility. tdbsam requires no further configuration.
security = user
passdb backend = tdbsam
username map = /etc/samba/smbusers
null passwords = yes
# ----------------------- Domain Members Options ------------------------
#
# Security must be set to domain or ads
#
# Use the realm option only with security = ads
# Specifies the Active Directory realm the host is part of
#
# Backend to store user information in. New installations should
# use either tdbsam or ldapsam. smbpasswd is available for backwards
# compatibility. tdbsam requires no further configuration.
#
# Use password server option only with security = server or if you can't
# use the DNS to locate Domain Controllers
# The argument list may include:
# password server = My_PDC_Name [My_BDC_Name] [My_Next_BDC_Name]
# or to auto-locate the domain controller/s
# password server = *
; security = domain
; passdb backend = tdbsam
; realm = MY_REALM
; password server = <NT-Server-Name>
# ----------------------- Domain Controller Options ------------------------
#
# Security must be set to user for domain controllers
#
# Backend to store user information in. New installations should
# use either tdbsam or ldapsam. smbpasswd is available for backwards
# compatibility. tdbsam requires no further configuration.
#
# Domain Master specifies Samba to be the Domain Master Browser. This
# allows Samba to collate browse lists between subnets. Don't use this
# if you already have a Windows NT domain controller doing this job
#
# Domain Logons let Samba be a domain logon server for Windows workstations.
#
# Logon Scrpit let yuou specify a script to be run at login time on the client
# You need to provide it in a share called NETLOGON
#
# Logon Path let you specify where user profiles are stored (UNC path)
#
# Various scripts can be used on a domain controller or stand-alone
# machine to add or delete corresponding unix accounts
#
; security = user
; passdb backend = tdbsam
; domain master = yes
; domain logons = yes
# the login script name depends on the machine name
; logon script = %m.bat
# the login script name depends on the unix user used
; logon script = %u.bat
; logon path = \\%L\Profiles\%u
# disables profiles support by specifing an empty path
; logon path =
; add user script = /usr/sbin/useradd "%u" -n -g users
; add group script = /usr/sbin/groupadd "%g"
; add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
; delete user script = /usr/sbin/userdel "%u"
; delete user from group script = /usr/sbin/userdel "%u" "%g"
; delete group script = /usr/sbin/groupdel "%g"
# ----------------------- Browser Control Options ----------------------------
#
# set local master to no if you don't want Samba to become a master
# browser on your network. Otherwise the normal election rules apply
#
# OS Level determines the precedence of this server in master browser
# elections. The default value should be reasonable
#
# Preferred Master causes Samba to force a local browser election on startup
# and gives it a slightly higher chance of winning the election
local master = no
; os level = 33
; preferred master = yes
#----------------------------- Name Resolution -------------------------------
# Windows Internet Name Serving Support Section:
# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
#
# - WINS Support: Tells the NMBD component of Samba to enable it's WINS Server
#
# - WINS Server: Tells the NMBD components of Samba to be a WINS Client
#
# - WINS Proxy: Tells Samba to answer name resolution queries on
# behalf of a non WINS capable client, for this to work there must be
# at least one WINS Server on the network. The default is NO.
#
# DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
# via DNS nslookups.
; wins support = yes
; wins server = w.x.y.z
; wins proxy = yes
; dns proxy = yes
dns proxy = no
# --------------------------- Printing Options -----------------------------
#
# Load Printers let you load automatically the list of printers rather
# than setting them up individually
#
# Cups Options let you pass the cups libs custom options, setting it to raw
# for example will let you use drivers on your Windows clients
#
# Printcap Name let you specify an alternative printcap file
#
# You can choose a non default printing system using the Printing option
; load printers = yes
cups options = raw
; printcap name = /etc/printcap
#obtain list of printers automatically on SystemV
; printcap name = lpstat
; printing = cups
# --------------------------- Filesystem Options ---------------------------
#
# The following options can be uncommented if the filesystem supports
# Extended Attributes and they are enabled (usually by the mount option
# user_xattr). Thess options will let the admin store the DOS attributes
# in an EA and make samba not mess with the permission bits.
#
# Note: these options can also be set just per share, setting them in global
# makes them the default for all shares
; map archive = no
; map hidden = no
; map read only = no
; map system = no
; store dos attributes = yes
#============================ Share Definitions ==============================
[homes]
comment = Home Directories
browseable = no
writeable = yes
; valid users = %S
; valid users = MYDOMAIN\%S
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
; guest ok = no
; writeable = no
printable = yes
# Un-comment the following and create the netlogon directory for Domain Logons
; [netlogon]
; comment = Network Logon Service
; path = /var/lib/samba/netlogon
; guest ok = yes
; writable = no
; share modes = no
# Un-comment the following to provide a specific roving profile share
# the default is to use the user's home directory
; [Profiles]
; path = /var/lib/samba/profiles
; browseable = no
; guest ok = yes
# A publicly accessible directory, but read only, except for people in
# the "staff" group
; [public]
; comment = Public Stuff
; path = /home/samba
; public = yes
; writable = yes
; printable = no
; write list = +staff
# This shares rosanne for read/write access to all members of the group
# rmusel and forces the ownership of all files written to this directory
# to be owned by user rmusel and group rmusel
[rosanne]
comment = Rosanne's Directory
path = /rosanne
writeable = yes
guest ok = yes
; printable = no
write list = @rmusel
force group = rmusel
force user = rmusel
# This one shares the /mp3 directory to all users therefore
# allowing all machines on the internal network to access music.
[mp3]
comment = MP3 Server
path = /mp3
writeable = yes
guest ok = yes
; printable = no
read list = rmusel, player
create mask = 774 # sets -rwxrwxr-- permission
# This one shares the /data directory to members of the apape group for
# read/write access and to all other users for read access only.
[data]
comment = Data directory
path = /data
guest ok = yes
writeable = yes
; printable = no
write list = @apape
create mask = 774 # sets -rwxrwxr-- permission
It does appear as though SELinux is in part the issue.
I just found some additional info! It looks like Samba is alright, it's SELinux that is the issue. Without disabling it all together, how do I resolve this? Yes, I know that there's a line there stating how to fix it...that's only for this one file though, I need this resolved for ALL files already on the file server as well as ALL files that will be placed on it in the future. Here's the info from the SELinux Troubleshooter log.
Summary
SELinux is preventing samba (/usr/sbin/smbd) "rename" to New Text Document.txt (root_t).
Detailed Description
SELinux denied samba access to New Text Document.txt. If you want to share this directory with samba it has to have a file context label of samba_share_t. If you did not intend to use New Text Document.txt as a samba repository it could indicate either a bug or it could signal a intrusion attempt.A
llowing Access
You can alter the file context by executing chcon -R -t samba_share_t New Text Document.txt
The following command will allow this access:chcon -R -t samba_share_t New Text Document.txt
Guessing a bit here, but let's see how we go. Assume the directory you are working on in /smb
#chcon -t samba_share_t /smb
and either
#chcon -t samba_share_t /smb/*
or
#restorecon /smb
I think that should fix both current and future problems.
If not, you can turn SELinux off for samba with setsebool -P spamd_disable_trans 1
A couple questions..can you please tell me what each of the above *con commands does? How will this fix issues with any new files placed on the shares?
#---------------
# SELINUX NOTES:
#
# If you want to use the useradd/groupadd family of binaries please run:
# setsebool -P samba_domain_controller on
#
# If you want to share home directories via samba please run:
# setsebool -P samba_enable_home_dirs on
#
# If you create a new directory you want to share you should mark it as
# "samba-share_t" so that selinux will let you write into it.
# Make sure not to do that on system directories as they may already have
# been marked with othe SELinux labels.
#
# Use ls -ldZ /path to see which context a directory has
#
# Set labels only on directories you created!
# To set a label use the following: chcon -t samba_share_t /path
#
# If you need to share a system created directory you can use one of the
# following (read-only/read-write):
# setsebool -P samba_export_all_ro on
# or
# setsebool -P samba_export_all_rw on
Edit - you can check the context of any dile/directory prior to changing it with the -Z argument to ls (ie ls -lZ gives long format with context)
Last edited by billymayday; 06-12-2008 at 05:50 PM.
Looks like everything with SELinux is all good now. Although I do still have an issue with access to one share. The /data and /mp3 are working perfectly (even with SELinux turned on) as best as I can tell, even my Mame system with the user that has no password is working now! On the other hand the /rosanne share will not allow any access by any user (even rmusel who is the owner) what so ever!
In case anyone asks what the ownership of this directory is, here it is:
drwxr-xr-x 6 rmusel rmusel 4096 Jun 7 23:35 rosanne
So as you can see the ownership is correct as is the set up in the smb.conf to the best of my knowledge. Any thoughts/ideas how to resolve this?
Not sure if this is the cause, but you're setting a goup level write list, but the group doesn't have write permissions to the directory. I know you are forcing the use, hence my doubt.
I'd still try either setting write list = rmusel or chmod'ing g+w to /rosanne and see what happens.
Anything in the logs?
Also - is /rosanne on the same partition as the other working shares?
The fact that /rosanne does not have write permission for the group should not matter especially since nobody even has read access. This directory is set up the same as the other shares which are working properly, below is the output of an ll command (as per the smb.conf the other shares are /data and /mp3):
Code:
[root@warehouse /]# ll
total 218
drwxr-xr-x 2 root root 4096 Jun 7 18:51 bin
drwxr-xr-x 4 root root 1024 Jun 8 14:46 boot
drwxr-xr-x 33 apape apape 4096 Jun 12 20:47 data
drwxr-xr-x 2 root root 4096 Jun 7 14:33 data2
drwxr-xr-x 12 root root 4020 Jun 9 18:47 dev
drwxr-xr-x 111 root root 12288 Jun 9 04:04 etc
drwxr-xr-x 6 root root 4096 Jun 7 14:30 home
lrwxrwxrwx 1 root root 50 Jun 4 17:38 jawt.h -> /usr/lib/jvm/java-1.4.2-gcj-1.4.2.0/include/jawt.h
lrwxrwxrwx 1 root root 59 Jun 4 17:38 jawt_md.h -> /usr/lib/jvm/java-1.4.2-gcj-1.4.2.0/include/linux/jawt_md.h
lrwxrwxrwx 1 root root 49 Jun 4 17:38 jni.h -> /usr/lib/jvm/java-1.4.2-gcj-1.4.2.0/include/jni.h
lrwxrwxrwx 1 root root 52 Jun 4 17:38 jni_md.h -> /usr/lib/jvm/java-1.4.2-gcj-1.4.2.0/include/jni_md.h
drwxr-xr-x 14 root root 4096 Jun 7 18:43 lib
drwx------ 2 root root 16384 Jun 4 17:11 lost+found
drwxr-xr-x 2 root root 4096 Jun 5 22:02 media
drwxr-xr-x 2 root root 0 Jun 8 16:52 misc
drwxr-xr-x 2 root root 4096 Mar 29 2007 mnt
drwxr-xr-x 467 apape apape 20480 Jun 12 20:47 mp3
drwxr-xr-x 2 root root 4096 Jun 7 14:34 mp32
drwxr-xr-x 2 root root 0 Jun 8 16:52 net
drwxr-xr-x 2 root root 4096 Mar 29 2007 opt
dr-xr-xr-x 179 root root 0 Jun 8 16:51 proc
drwxr-x--- 19 root root 4096 Jun 12 21:08 root
drwxr-xr-x 6 rmusel rmusel 4096 Jun 7 23:35 rosanne
drwxr-xr-x 2 root root 4096 Jun 7 14:34 rosanne2
drwxr-xr-x 2 root root 12288 Jun 9 04:04 sbin
drwxr-xr-x 4 root root 0 Jun 8 16:51 selinux
drwxr-xr-x 2 root root 4096 Mar 29 2007 srv
drwxr-xr-x 11 root root 0 Jun 8 16:51 sys
drwxrwxrwt 13 root root 4096 Jun 12 21:07 tmp
drwxr-xr-x 14 root root 4096 Jun 4 17:27 usr
drwxr-xr-x 26 root root 4096 Jun 4 17:49 var
[root@warehouse /]#
What log(s) would you like to see info from? Also, here's the output of an ls -lZ command as requested:
The fact that /rosanne does not have write permission for the group should not matter especially since nobody even has read access. This directory is set up the same as the other shares which are working properly
Not quite sure what you mean that nobody has read access. Anyone has read access at the OS level, and the supposed action of your share definition would be to give anyone in the rmusel group write access (which implies read btw). Samba can do some apparently odd things and allowing rights to a group that the directory won't allow may (and I stress may rather than will) could be the issue.
Things I'd try.
Change
"write list = @rmusel" to "write list = rmusel"
Try a definition you know works and adjust that, do something like
Code:
[roseanne]
comment = Copy of MP3 Server
path = /roseanne
writeable = yes
guest ok = yes
; printable = no
read list = rmusel
create mask = 774 # sets -rwxrwxr-- permission
Then add controls one by one
Also, you didn't answer the partition issue - is /roseanne on the same partition/moint point as /mp3? "mount" will tell you
By 'nobody has access' I mean via Samba nobody has any access at all, not even to read the share. When anybody, even rmusel, attempts to access /rosanne from a Windows system via Samba they get an error something like '\\warehouse\rosanne not available....you may not have permission.....check with your administrator....the group name could not be found.'
After changing "write list = @rmusel" to "write list = rmusel" the same kind of error is being thrown as above (yes, I did restart the smb serveice after making the change).
The definitions for /rosanne are near identical to those of /data already. I'll do a chmod on /rosanne to 774 and see if that helps any.
Here's the output of the the mount command:
Code:
[root@warehouse /]# mount
/dev/mapper/VolGroup00-LogVol00 on / type ext3 (rw)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
/dev/sda1 on /boot type ext3 (rw)
tmpfs on /dev/shm type tmpfs (rw)
none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)
nfsd on /proc/fs/nfsd type nfsd (rw)
You have new mail in /var/spool/mail/root
[root@warehouse /]#
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
bject_r:root_t
