[Samba] NT_STATUS_ACCESS_DENIED and SELinux

Brandon Blackmoor bblackmoor at blackgate.net
Sat Apr 7 02:28:17 GMT 2007


Quoting Gary Dale <garydale at torfree.net>:
>
> Since you haven't specified a "user = " or "guest account = "
> for the share, I have no idea what user Samba is going to try
> to connect with.

I took it out because a previous poster said that I should take out anything
"not critical". But here, I have put it back:

        guest account = smbguest

> Guest account defaults to nobody, which probably doesn't
> have access to the share.

That does not explain why, with two directories/shares with the exact same
system permissions, the exact same owners, the exact same samba permissions,
and the exact same contents (also with the exact same permissions), I get
NT_STATUS_ACCESS_DENIED with one but not the other.

Aha! I just thought of something. Fedora Core 6 (which is what I am running, as
I said earlier) comes with SELinux. Now, I know absolutely nothing about
SELinux, and I have never needed to, but I thought it'd be worth investigating
to see if that might have something to do with this. Here is a directory
listing with the SELinux "security context" of each directory:


[root at annwn /]# ls -la --author -Z
...
drwxrwxr-x  root media root:object_r:root_t             media
drwxrwxr-x  root media root:object_r:var_t              mediatest
...


So they are different! I have no clue what those differences mean, but at least
it's a difference. So I used chcon to set the "security context" of /mediatest
(which is giving me the NT_STATUS_ACCESS_DENIED error) to that of /media (which
doesn't give me that error).


[root at annwn /]# chcon root:object_r:root_t mediatest

[root at annwn /]# ls -la --author -Z
...
drwxrwxr-x  root media root:object_r:root_t             media
drwxrwxr-x  root media root:object_r:root_t             mediatest
...


Now I can access both shares and do a dir and they seem to work. However, I do
not like changing settings that I do not understand. So until I read up on
SELinux and how it works (or not) with Samba, I am disabling SELinux
enforcement on Samba, like so:


setsebool -P smbd_disable_trans 1


I got that command from a post by Yvon Dubinsky from this list in May of 2006:

http://lists.samba.org/archive/samba/2006-May/120625.html

Having made that change, I copied my /media directory back to /var/media,
changed the samba config appropriately, set permissions to "user", created the
needed users, and now it seems to work the way all of the How-Tos and manuals
say that it should.

It would appear from the general bafflement this error caused that not many
people run SELinux and Samba at the same time.

Live and learn. Thanks for the attempts at helping me.

--
Brandon Blackmoor
bblackmoor at blackgate.net
2007-04-06
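
The context comparison done by eye in the message above, as an added example that is not part of the original post: it reads `ls -Z` lines, reports entries whose SELinux type differs from the wanted one, and prints the persistent relabel commands that label a share for Samba instead of turning off enforcement for smbd. Assumptions: the loaded policy defines `samba_share_t`, `semanage` and `restorecon` are installed, file names contain no spaces, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example: find directories whose SELinux type is not the wanted one.

# Constructed sample: the two listing lines shown in the message above.
SAMPLE_LISTING='drwxrwxr-x  root media root:object_r:root_t             media
drwxrwxr-x  root media root:object_r:var_t              mediatest'

# Print the type (third colon-separated field) of a context such as
# user:role:type or user:role:type:level.
context_type() {
    printf '%s\n' "$1" | awk -F: 'NF >= 3 { print $3 }'
}

# Read `ls -Z` lines on stdin; print "name type" for every entry whose
# type differs from the wanted type given as $1.
mislabelled() {
    awk -v want="$1" '
        {
            ctx = ""
            # The context is the field shaped like user:role:type[:level].
            for (i = 1; i <= NF; i++)
                if ($i ~ /^[^:]+:[^:]+:[^:]+(:.*)?$/) { ctx = $i; break }
            if (ctx == "") next          # "..." and other non-entry lines
            split(ctx, part, ":")
            if (part[3] != want) print $NF, part[3]
        }'
}

# Print (do not run) the persistent relabel commands for one share path.
relabel_commands() {
    printf 'semanage fcontext -a -t samba_share_t "%s(/.*)?"\n' "$1"
    printf 'restorecon -Rv %s\n' "$1"
}

# Demo on the constructed sample: both directories lack the Samba type.
printf '%s\n' "$SAMPLE_LISTING" | mislabelled samba_share_t
relabel_commands /mediatest
```

A label set with `chcon` is overwritten by a later `restorecon` or full relabel, whereas the `semanage fcontext` rule is stored in the local policy and survives it.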

