Samba share permissions

TalkingMarble · 07-04-2008, 01:35 AM

Hello,

I have made a samba share on a linux machine accessable through windows explorer. I can create a file on the samba share, but get an "access denied" when i want to read the created file. Also when i delete the created file on the samba share through windows explorer it seems to be deleted, but when i refresh windows explorer the deleted file still appears as if it has never been deleted. Reading and deleting this created file in a linux shell works as expected, so the problem seems to be the samba permissions.

I am using the following smb.conf file:

[global]
workgroup = DOMAIN
netbios name = servername
realm = FQDN
preferred master = no
server string = Samba file server
security = ADS
excrypt password = yes
log level = 3
log file = /var/log/samba/%m.log
max log size = 50
printcap name = cups
printing = cups
idmap uid = 0-1000000
idmap gid = 0-1000000

[backups]
comment = Backup share
path = /backups
browseable = yes
read only = no
writeable = yes
directory mask = 0770
force directory mode = 0770
create mask = 0660
force security mode = 0660

Linux permissions:
-Directory permissions: 0770
-File permissions: 0660
-umask 022

I changed the linux and samba permissions for both directory/files to 0777 but that didn't solve anything.

I red several threads on this forum and other websites, but i still can't figure it out. Maybe i'm overlooking something, i don't know.

Any help to solve my "little problem" will be appreciated.

TIA

billymayday · 07-04-2008, 02:02 AM

What are the permissions on /backups?

Do you run SELinux?

TalkingMarble · 07-04-2008, 02:15 AM

The permissions on the /backups directory are 0770.

I'm using Centos 5.0. I don't know if this OS uses SElinux by default. Is there a way i can check this?

TalkingMarble · 07-04-2008, 03:13 AM

After some googling, i checked my system and noticed that SElinux is running. I changed /etc/SElinux/config from enforcing mode to permissive mode and rebooted the system. I'm now able to read/modify and delete the files through windows explorer. So SElinux in enforcing mode is causing the problem.

I will dive into the SElinux documention in order to make some changes to the roles (http://www.engardelinux.org/doc/guid...de/index.shtml).

Thanks for pointing me in the right direction.

billymayday · 07-04-2008, 05:51 AM

I just disable SELinux for samba with "setsebool -P smbd_disable_trans 1"

Note that from the smb.conf

Quote:

# SELINUX NOTES:
#
# If you want to use the useradd/groupadd family of binaries please run:
# setsebool -P samba_domain_controller on
#
# If you want to share home directories via samba please run:
# setsebool -P samba_enable_home_dirs on
#
# If you create a new directory you want to share you should mark it as
# "samba-share_t" so that selinux will let you write into it.
# Make sure not to do that on system directories as they may already have
# been marked with othe SELinux labels.
#
# Use ls -ldZ /path to see which context a directory has
#
# Set labels only on directories you created!
# To set a label use the following: chcon -t samba_share_t /path
#
# If you need to share a system created directory you can use one of the
# following (read-only/read-write):
# setsebool -P samba_export_all_ro on
# or
# setsebool -P samba_export_all_rw on
#
# If you want to run scripts (preexec/root prexec/print command/...) please
# put them into the /var/lib/samba/scripts directory so that smbd will be
# allowed to run them.
# Make sure you COPY them and not MOVE them so that the right SELinux context
# is applied, to check all is ok use restorecon -R -v /var/lib/samba/scripts
#
#--------------