[Samba] Samba rpm and /var/*/samba directory for .tdb files
Don Meyer
dlmeyer at uiuc.edu
Thu Feb 16 16:09:45 GMT 2006
At 04:06 PM 2/15/2006, Craig White wrote:
>On Wed, 2006-02-15 at 14:42 -0600, Gerald (Jerry) Carter wrote:
> > Don Meyer wrote:
> > > At 08:24 AM 2/15/2006, Gerald (Jerry) Carter wrote:
> > >> Oliver Schulze L. wrote:
> > >> > Hi,
> > >> > I use CentOS4 (RHEL4) and it seems that I was using /var/lib/samba
> > >> > for storing the .tdb files. Then I compiled the fedora .src.rpm from
> > >> > samba.org
> > >> > and it points now to /var/cache/samba
> > >>
> > >> This was a mistake introduced into the RPM specfile during a
> > >> recent set of merges. When it was realized, the 3.0.21b-1 rpm was
> > >> pulled from samba.org and a new set of RPMs posted. The tdb files
> > >> should live in /var/lib/samba/
> > >
> > > Actually, stock RHEL4 rpms for their 3.0.10-1.4E.2 version use
> > > /var/cache/samba/.
> > >
> > > Does this change in the packaging reflect a "sea change" towards use of
> > > /var/lib/samba/ for the future? (I.E. Can we "expect" future
> > > RHEL-distributed packagings to adopt use of /var/lib/samba/ as well?)
> >
> > IMO. They should have always been in /var/lib/samba/.
> > I can't guess what RedHat would do, but SuSE and most other
> > distros I can think of use /var/lib/samba/. You could
> > probably check the stock Fedora RPMs and see what they use. IIRC
> > they are using /var/lib/samba/ as well.
>----
>if this helps...
>
># ls -l /var/cache/samba/
>total 72
>-rw------- 1 root root 8192 Jun 8 2004 gencache.tdb
>-rw------- 1 root root 696 Feb 14 2005 messages.tdb
>-rw------- 1 root root 696 Feb 14 2005 netsamlogon_cache.tdb
>-rw------- 1 root root 20172 Feb 14 2005 winbindd_cache.tdb
>-rw-r--r-- 1 root root 8192 Feb 14 2005 winbindd_idmap.tdb
>drwxr-x--- 2 root root 4096 May 2 2005 winbindd_privileged
>
># uname -a
>Linux lin-workstation.azapple.com 2.6.15-1.1830_FC4 #1 Thu Feb 2
>17:23:41 EST 2006 i686 athlon i386 GNU/Linux
>
># cat /etc/redhat-release
>Fedora Core release 4 (Stentz)
>
>Craig

FWIW:

To get winbind working under the base RHEL4 packages (3.0.10-1.4E.2),
I had to modify the SELinux configuration slightly:

with package "selinux-policy-targeted-sources" installed, add these
two lines to /etc/selinux/targeted/src/policy/domains/misc/local.te:

    allow winbind_t etc_t:file write;
    allow winbind_t samba_etc_t:file write;

followed by:

    ]# cd /etc/selinux/targeted/src/policy
    ]# make load

When I built and installed the 3.0.21b-3 packages under RHEL4, the
switch to using /var/lib/samba/ from /var/cache/samba/ resulted in a
whole mess of SELinux AVC errors. And a completely non-functional winbindd...

To fix, I had to do two things:

1) again modify the SELinux configuration by adding the following
lines to /etc/selinux/targeted/src/policy/domains/misc/local.te:

    allow winbind_t etc_t:file write;
    allow winbind_t samba_etc_t:file write;
    allow winbind_t initrc_t:process { signal signull };
    allow winbind_t initrc_var_run_t:file { lock read };
    allow winbind_t var_lib_t:dir { search };

... and another "make load" like above...

(Not sure whether the /var/lib/samba/ change directly caused the need
for lines 3,4 -- could have been some other change that made that
necessary. Line 5, though, is obviously due to this change.)

2) I also needed to execute a chcon to change the SELinux labeling on
the /var/lib/samba/ directory that was created during the
installation. The installation picked up the default labeling of
"var_lib_t" from the parent /var/lib/ directory. To allow things to
work properly under SELinux enforcing, and without wholesale opening
of anything labeled "var_lib_t" to just about all forms of access
from winbind_t, I used chcon to relabel the /var/lib/samba/ directory
to use the same labeling as /var/cache/samba/ had:

    ]# chcon -R -t samba_var_t /var/lib/samba

I also needed to fix the labeling on /var/lib/samba/winbindd_privileged/ :

    ]# chcon -R -t winbind_var_run_t /var/lib/samba/winbindd_privileged

Given these necessary changes, perhaps changing back to
/var/cache/samba/ for RHEL4 builds might be prudent...

Cheers,
-D
Don Meyer <dlmeyer at uiuc.edu>
Network Manager, ACES Academic Computing Facility
Technical System Manager, ACES TeleNet System
UIUC College of ACES, Information Technology and Communication Services
"They that can give up essential liberty to obtain a little
temporary safety,
deserve neither liberty or safety." -- Benjamin Franklin, 1759
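
Added example, not part of the original message or of Samba's packaging: a small shell triage of AVC denials that separates those a local.te allow rule would cover from those that hit a generic type such as var_lib_t, where relabeling the directory (the chcon step in the message) is the narrower fix. The function names triage_avc and sample_avc, the default generic-type list and the sample denial lines are all constructed for illustration.

```shell
# Added example, not from the original post. Groups SELinux AVC denials and
# prints a candidate allow rule per group, or a relabel hint when the target
# type is generic. The default generic list (var_lib_t) is an assumption.
# Constructed sample denials in the three-field context style; not real logs.
sample_avc() {
cat <<'EOF'
audit(1140000001.101:0): avc:  denied  { search } for  pid=2101 comm=winbindd name=samba dev=dm-0 ino=4001 scontext=root:system_r:winbind_t tcontext=system_u:object_r:var_lib_t tclass=dir
audit(1140000001.102:0): avc:  denied  { read } for  pid=2101 comm=winbindd name=example.pid dev=dm-0 ino=4002 scontext=root:system_r:winbind_t tcontext=root:object_r:initrc_var_run_t tclass=file
audit(1140000001.103:0): avc:  denied  { lock } for  pid=2101 comm=winbindd name=example.pid dev=dm-0 ino=4002 scontext=root:system_r:winbind_t tcontext=root:object_r:initrc_var_run_t tclass=file
EOF
}
# triage_avc [generic-types]: reads AVC lines on stdin.
triage_avc() {
    awk -v generic="${1:-var_lib_t}" '
    # The type is the third colon-separated field of a context, with or
    # without a trailing MLS level.
    function ctx_type(ctx,   parts) { split(ctx, parts, ":"); return parts[3] }
    /avc:/ && /denied/ {
        src = ""; tgt = ""; cls = ""; name = "?"
        o = index($0, "{"); c = index($0, "}")
        if (o == 0 || c < o) next                      # no permission set
        perms = substr($0, o + 1, c - o - 1)
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) src = ctx_type(substr($i, 10))
            else if ($i ~ /^tcontext=/) tgt = ctx_type(substr($i, 10))
            else if ($i ~ /^tclass=/) cls = substr($i, 8)
            else if ($i ~ /^name=/) { name = substr($i, 6); gsub(/"/, "", name) }
        }
        if (src == "" || tgt == "" || cls == "") next  # malformed line
        key = src " " tgt " " cls
        if (!(key in names)) order[++n] = key
        names[key] = name
        np = split(perms, p, " ")                      # merge permissions per group
        for (j = 1; j <= np; j++)
            if (index(" " got[key] " ", " " p[j] " ") == 0)
                got[key] = (got[key] == "" ? p[j] : got[key] " " p[j])
    }
    END {
        ng = split(generic, g, " ")
        for (k = 1; k <= n; k++) {
            split(order[k], f, " "); hint = 0
            for (j = 1; j <= ng; j++) if (f[2] == g[j]) hint = 1
            if (hint) printf "RELABEL %s: %s hit generic type %s (%s { %s })\n", names[order[k]], f[1], f[2], f[3], got[order[k]]
            else printf "allow %s %s:%s { %s };\n", f[1], f[2], f[3], got[order[k]]
        }
    }'
}
sample_avc | triage_avc
```

A RELABEL line names the object to check with ls -Z before any rule is written; an allow line is only a candidate for local.te and still needs review.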