[Samba] Samba rpm and /var/*/samba directory for .tdb files

Don Meyer dlmeyer at uiuc.edu
Thu Feb 16 16:09:45 GMT 2006 

At 04:06 PM 2/15/2006, Craig White wrote:
>On Wed, 2006-02-15 at 14:42 -0600, Gerald (Jerry) Carter wrote:
> > Don Meyer wrote:
> > > At 08:24 AM 2/15/2006, Gerald (Jerry) Carter wrote:
> > >> Oliver Schulze L. wrote:
> > >> > Hi,
> > >> > I use CentOS4 (RHEL4) and it seems that I was using /var/lib/samba
> > >> > for storing the .tdb files. Then I compilled the fedora .src.rpm from
> > >> > samba.org
> > >> > and it points now to /var/cache/samba
> > >>
> > >> This was a mistake introduced into the RPM specfile during a
> > >> recent set of merges.  When it was realized, the 3.0.21b-1 rpm was
> > >> pulled from samba.org and a new set of RPMs posted.  The tdb files
> > >> should live in /var/lib/samba/
> > >
> > > Actually, stock RHEL4 rpms for their 3.0.10-1.4E.2 version use
> > > /var/cache/samba/.
> > >
> > > Does this change in the packaging reflect a "sea change" towards use of
> > > /var/lib/samba/ for the future?    (I.E. Can we "expect" future
> > > RHEL-distributed packagings to adopt use of /var/lib/samba/ as well?)
> >
> > IMO.  They should have always been in /var/lib/samba/.
> > I can't guess what RedHat would do, but SuSE and most other
> > distros I can think of use /var/lib/samba/.  You could
> > probably check the stock Fedora RPMs and see what they use.  IIRC
> > they are using /var/lib/samba/ as well.
>----
>if this helps...
>
># ls -l /var/cache/samba/
>total 72
>-rw-------  1 root root  8192 Jun  8  2004 gencache.tdb
>-rw-------  1 root root   696 Feb 14  2005 messages.tdb
>-rw-------  1 root root   696 Feb 14  2005 netsamlogon_cache.tdb
>-rw-------  1 root root 20172 Feb 14  2005 winbindd_cache.tdb
>-rw-r--r--  1 root root  8192 Feb 14  2005 winbindd_idmap.tdb
>drwxr-x---  2 root root  4096 May  2  2005 winbindd_privileged
>
># uname -a
>Linux lin-workstation.azapple.com 2.6.15-1.1830_FC4 #1 Thu Feb 2
>17:23:41 EST 2006 i686 athlon i386 GNU/Linux
>
># cat /etc/redhat-release
>Fedora Core release 4 (Stentz)
>
>Craig

FWIW:

To get winbind working under the base RHEL4 packages (3.0.10-1.4E.2), 
I had to modify the SELinux configuration slightly:

with package "selinux-policy-targeted-sources" installed, add these 
two lines to /etc/selinux/targeted/src/policy/domains/misc/local.te:

allow winbind_t etc_t:file write;
allow winbind_t samba_etc_t:file write;

followed by:
         ]# cd /etc/selinux/targeted/src/policy
         ]# make load

When I built and installed the 3.0.21b-3 packages under RHEL4, the 
switch to using /var/lib/samba/ from /var/cache/samba/ resulted in a 
whole mess of SELinux AVC errors.   And a completely non-functional winbindd...

To fix, I had to to two things:

1) again modify the SELinux configuration by adding the following 
lines to /etc/selinux/targeted/src/policy/domains/misc/local.te:

allow winbind_t etc_t:file write;
allow winbind_t samba_etc_t:file write;
allow winbind_t initrc_t:process { signal signull };
allow winbind_t initrc_var_run_t:file { lock read };
allow winbind_t var_lib_t: dir { search };


... and another "make load" like above...

(Not sure whether the /var/lib/samba/ change directly caused the need 
for lines 3,4 -- could have been some other change that made that 
necessary.   Line 5, though, is obviously due to this change.)


2) I also needed to execute a chcon to change the SELinux labeling on 
the /var/lib/samba/ directory that was created during the 
installation.   The installation picked up the default labeling of 
"var_lib_t" from the parent /var/lib/ directory.  To allow things to 
work properly under SELinux enforcing, and without wholesale opening 
of anything labeled "var_lib_t" to just about all forms of access 
from winbind_t, I used chcon to relabel the /var/lib/samba/ directory 
to use the same labeling as /var/cache/samba/ had:

         ]# chcon -R -t samba_var_t /var/lib/samba

I also needed to fix the labeling on /var/lib/samba/winbindd_privileged/ :

         ]# chcon -R -t winbind_var_run_t /var/lib/samba/winbindd_privileged



Given these necessary changes, perhaps changing back to 
/var/cache/samba/ for RHEL4 builds might be prudent...


Cheers,
-D

Don Meyer                                           <dlmeyer at uiuc.edu>
Network Manager, ACES Academic Computing Facility
Technical System Manager, ACES TeleNet System
UIUC College of ACES, Information Technology and Communication Services

   "They that can give up essential liberty to obtain a little 
temporary safety,
         deserve neither liberty or safety."     -- Benjamin Franklin, 1759

More information about the samba mailing list