Can only connect to tmp samba share

Ab3n · 01-09-2010, 11:34 PM

Hey all,

I've setup a samba server on a centos 5 machine and am trying to connect to it via a windows 7. The problem I'm encountering is that the only share I am able to connect to is the tmp share. It doesn't matter if it is a protected share or not, I always get a "network path could not be found error" when trying to open the share from windows.

I even setup a share with the exact same settings as the tmp one and still got the error. Here is my smb.conf file:

Code:

# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options (perhaps too
# many!) most of which are not shown in this example
#
# For a step to step guide on installing, configuring and using samba,
# read the Samba-HOWTO-Collection. This may be obtained from:
#  http://www.samba.org/samba/docs/Samba-HOWTO-Collection.pdf
#
# Many working examples of smb.conf files can be found in the
# Samba-Guide which is generated daily and can be downloaded from:
#  http://www.samba.org/samba/docs/Samba-Guide.pdf
#
# Any line which starts with a ; (semi-colon) or a # (hash)
# is a comment and is ignored. In this example we will use a #
# for commentry and a ; for parts of the config file that you
# may wish to enable
#
# NOTE: Whenever you modify this file you should run the command "testparm"
# to check that you have not made any basic syntactic errors.
#
#---------------
# SELINUX NOTES:
#
# If you want to use the useradd/groupadd family of binaries please run:
# setsebool -P samba_domain_controller on
#
# If you want to share home directories via samba please run:
# setsebool -P samba_enable_home_dirs on
#
# If you create a new directory you want to share you should mark it as
# "samba-share_t" so that selinux will let you write into it.
# Make sure not to do that on system directories as they may already have
# been marked with othe SELinux labels.
#
# Use ls -ldZ /path to see which context a directory has
#
# Set labels only on directories you created!
# To set a label use the following: chcon -t samba_share_t /path
#
# If you need to share a system created directory you can use one of the
# following (read-only/read-write):
# setsebool -P samba_export_all_ro on
# or
# setsebool -P samba_export_all_rw on
#
# If you want to run scripts (preexec/root prexec/print command/...) please
# put them into the /var/lib/samba/scripts directory so that smbd will be
# allowed to run them.
# Make sure you COPY them and not MOVE them so that the right SELinux context
# is applied, to check all is ok use restorecon -R -v /var/lib/samba/scripts
#
#--------------
#
#======================= Global Settings =====================================

[global]

# ----------------------- Network Related Options -------------------------
#
# workgroup = NT-Domain-Name or Workgroup-Name, eg: MIDEARTH
#
# server string is the equivalent of the NT Description field
#
# netbios name can be used to specify a server name not tied to the hostname
#
# Interfaces lets you configure Samba to use multiple interfaces
# If you have multiple network interfaces then you can list the ones
# you want to listen on (never omit localhost)
#
# Hosts Allow/Hosts Deny lets you restrict who can connect, and you can
# specifiy it as a per share option as well
#
	workgroup = SHIRE
	server string = Samba Server Version %v

	netbios name = EVEREST

;	interfaces = lo eth0 192.168.12.2/24 192.168.13.2/24
	hosts allow = 127. 192.168.1.

# --------------------------- Logging Options -----------------------------
#
# Log File let you specify where to put logs and how to split them up.
#
# Max Log Size let you specify the max size log files should reach

	# logs split per machine
;	log file = /var/log/samba/%m.log
	# max 50KB per log file, then rotate
;	max log size = 50

# ----------------------- Standalone Server Options ------------------------
#
# Security can be set to user, share(deprecated) or server(deprecated)
#
# Backend to store user information in. New installations should
# use either tdbsam or ldapsam. smbpasswd is available for backwards
# compatibility. tdbsam requires no further configuration.

	security = user
	passdb backend = tdbsam
	username map = /etc/samba/smbusers

# ----------------------- Domain Members Options ------------------------
#
# Security must be set to domain or ads
#
# Use the realm option only with security = ads
# Specifies the Active Directory realm the host is part of
#
# Backend to store user information in. New installations should
# use either tdbsam or ldapsam. smbpasswd is available for backwards
# compatibility. tdbsam requires no further configuration.
#
# Use password server option only with security = server or if you can't
# use the DNS to locate Domain Controllers
# The argument list may include:
#   password server = My_PDC_Name [My_BDC_Name] [My_Next_BDC_Name]
# or to auto-locate the domain controller/s
#   password server = *


;	security = domain
;	passdb backend = tdbsam
;	realm = MY_REALM

;	password server = <NT-Server-Name>

# ----------------------- Domain Controller Options ------------------------
#
# Security must be set to user for domain controllers
#
# Backend to store user information in. New installations should
# use either tdbsam or ldapsam. smbpasswd is available for backwards
# compatibility. tdbsam requires no further configuration.
#
# Domain Master specifies Samba to be the Domain Master Browser. This
# allows Samba to collate browse lists between subnets. Don't use this
# if you already have a Windows NT domain controller doing this job
#
# Domain Logons let Samba be a domain logon server for Windows workstations.
#
# Logon Scrpit let yuou specify a script to be run at login time on the client
# You need to provide it in a share called NETLOGON
#
# Logon Path let you specify where user profiles are stored (UNC path)
#
# Various scripts can be used on a domain controller or stand-alone
# machine to add or delete corresponding unix accounts
#
;	security = user
;	passdb backend = tdbsam

;	domain master = yes
;	domain logons = yes

	# the login script name depends on the machine name
;	logon script = %m.bat
	# the login script name depends on the unix user used
;	logon script = %u.bat
;	logon path = \\%L\Profiles\%u
	# disables profiles support by specifing an empty path
;	logon path =  

;	add user script = /usr/sbin/useradd "%u" -n -g users
;	add group script = /usr/sbin/groupadd "%g"
;	add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
;	delete user script = /usr/sbin/userdel "%u"
;	delete user from group script = /usr/sbin/userdel "%u" "%g"
;	delete group script = /usr/sbin/groupdel "%g"


# ----------------------- Browser Control Options ----------------------------
#
# set local master to no if you don't want Samba to become a master
# browser on your network. Otherwise the normal election rules apply
#
# OS Level determines the precedence of this server in master browser
# elections. The default value should be reasonable
#
# Preferred Master causes Samba to force a local browser election on startup
# and gives it a slightly higher chance of winning the election
;	local master = no
;	os level = 33
;	preferred master = yes

#----------------------------- Name Resolution -------------------------------
# Windows Internet Name Serving Support Section:
# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
#
# - WINS Support: Tells the NMBD component of Samba to enable it's WINS Server
#
# - WINS Server: Tells the NMBD components of Samba to be a WINS Client
#
# - WINS Proxy: Tells Samba to answer name resolution queries on
#   behalf of a non WINS capable client, for this to work there must be
#   at least one	WINS Server on the network. The default is NO.
#
# DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
# via DNS nslookups.

;	wins support = yes
;	wins server = w.x.y.z
;	wins proxy = yes

;	dns proxy = yes

# --------------------------- Printing Options -----------------------------
#
# Load Printers let you load automatically the list of printers rather
# than setting them up individually
#
# Cups Options let you pass the cups libs custom options, setting it to raw
# for example will let you use drivers on your Windows clients
#
# Printcap Name let you specify an alternative printcap file
#
# You can choose a non default printing system using the Printing option

	load printers = yes
	cups options = raw

;	printcap name = /etc/printcap
	#obtain list of printers automatically on SystemV
;	printcap name = lpstat
;	printing = cups

# --------------------------- Filesystem Options ---------------------------
#
# The following options can be uncommented if the filesystem supports
# Extended Attributes and they are enabled (usually by the mount option
# user_xattr). Thess options will let the admin store the DOS attributes
# in an EA and make samba not mess with the permission bits.
#
# Note: these options can also be set just per share, setting them in global
# makes them the default for all shares

;	map archive = no
;	map hidden = no
;	map read only = no
;	map system = no
;	store dos attributes = yes


#============================ Share Definitions ==============================

[homes]
	comment = Home Directories
	browseable = no
	writable = yes
	valid users = %S
;	valid users = MYDOMAIN\%S

[printers]
	comment = All Printers
	path = /var/spool/samba
	browseable = no
	guest ok = no
	writable = no
	printable = yes

[test]
	comment = Joe's Share
	path = /shares/joe
	read only = no
	public = yes

[tmp]
	comment = Temporary file space
	path = /tmp
	read only = no
	public = yes

# Un-comment the following and create the netlogon directory for Domain Logons
;	[netlogon]
;	comment = Network Logon Service
;	path = /var/lib/samba/netlogon
;	guest ok = yes
;	writable = no
;	share modes = no


# Un-comment the following to provide a specific roving profile share
# the default is to use the user's home directory
;	[Profiles]
;	path = /var/lib/samba/profiles
;	browseable = no
;	guest ok = yes


# A publicly accessible directory, but read only, except for people in
# the "staff" group
;	[public]
;	comment = Public Stuff
;	path = /home/samba
;	public = yes
;	writable = yes
;	printable = no
;	write list = +staff

Here are the permissions on the folder:

Code:

drwxrwxrwx  2 Joe  Joe  4096 Jan 10 21:16 joe

Any help on solving this problem is greatly appreciated!

jschiwal · 01-10-2010, 01:22 AM

Use smbclient to add the user "joe" and enter a password.
You need a samba user who matches the Linux user. Keeping the usernames and passwords the same for users who use both windows and a share on samba would work the best for the "security = user" security model.

If you have a public share, create the directory with the same permissions as the /tmp directory.
chmod a=rwxt <directory>
The linux permissions need to allow access as well as smb.conf.

For a public writable share, where a user isn't a Linux user, you need to add the line:
map to guest = Bad User

This will result in the ownership of written files being the "nobody" user in Linux. The "nobody" user is mapped to the "guest" user in Windows.

Code:

[test]
	comment = Joe's Share
	path = /shares/joe
	read only = no
	public = yes

Make sure that the /shares/ directory has at least "rwxr-xr-x" permissions. This is what the permissions are for the /home directory. The "r-x" is needed on /shares/ to allow the user joe to enter his share.

For private access for the user "joe" change the permissions of /shares/joe/ to "rwxrwx---".

----

The error message seems to indicate a networking problem. Can you ping back and forth?
Check the samba server's firewall.

Code:

netbios-ns      137/tcp    # NETBIOS Name Service
netbios-ns      137/udp    # NETBIOS Name Service
netbios-dgm     138/tcp    # NETBIOS Datagram Service
netbios-dgm     138/udp    # NETBIOS Datagram Service
netbios-ssn     139/tcp    # NETBIOS Session Service
netbios-ssn     139/udp    # NETBIOS Session Service
...
microsoft-ds    445/tcp    # Microsoft-DS
microsoft-ds    445/udp    # Microsoft-DS

These are the ports that samba uses. I started the smb and nmb services on my desktop and then scanned the open ports.

Code:

137/udp   open|filtered netbios-ns
138/udp   open|filtered netbios-dgm
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds

Ab3n · 01-10-2010, 05:50 PM

Thanks jschiwal,

The share directory as well as the Joe directory both have read write and execute permissions. Also, I've stopped the iptables service while testing, so no firewall is preventing access (For some reason I can't even see the shares from windows when iptables is running, even with the ports open...but I suppose thats a question for another time).

I've made sure that there is a samba user that correlates to the windows user and that the account is enabled as well. I did try that map to guest bit though it didn't affect anything.

Oh and the two computers can ping each other just fine. I should note that I can see web pages from the apache server just fine and as stated above, the tmp share works perfectly, but for some reason I get a "network path not found error" when trying to open the other shares (it doesn't even prompt for a username and password on the homes share).

Any other ideas or info you need from me?

Ab3n · 01-12-2010, 07:43 PM

Alright, so I reinstalled samba and cut my smb.conf file down to this:

Code:

[global]
        workgroup = MYGROUP
        server string = Samba Server Version %v
	security = user
	passdb backend = tdbsam
	username map = /etc/samba/smbusers
        cups options = raw

[temp]
        comment = Temp Share
        path = /tmp
        read only = no
        public = yes

[test]
        comment = Joe's Share
        path = /shares/joe
        read only = no
        public = yes

[printers]
        comment = All Printers
        path = /var/spool/samba
        printable = Yes
        browseable = No

smbusers file:

Code:

# Unix_name = SMB_name1 SMB_name2 ...
root = administrator admin
Joe = Joe
nobody = guest pcguest smbguest

Permissions on applicable folders:

Code:

drwxr-xr-x   3 root root  4096 Jan 10 21:16 shares
drwxr-xr-x  2 Joe  Joe  4096 Jan 10 21:16 joe
drwxrwxrwt   9 root root  4096 Jan 13 18:29 tmp

Again, I can access the tmp share just fine, but it's a no go on any others.

Ab3n · 01-12-2010, 08:01 PM

Just turned off selinux and it seems to be working correctly. Is there a way to punch a hole through selinux for samba or do I need to set it to Permissive (or off) permanently? Thanks guys!

Ab3n · 01-13-2010, 11:26 PM

Alrighty, after some searching I found the answers to both of my questions:

1. Allowing samba through selinux (set to enforcing)

http://sergiy.kyrylkov.name/blog/200...and-samba.html

2. Allowing samba through iptables

http://troy.jdmz.net/samba/fw/

Thanks for the help and I hope this can be a help to anyone else with the same questions!