[Samba] Samba4: Can't create shares outside sysvol and netlogon
Thomas Harold
thomas-lists at nybeta.com
Thu Sep 19 12:56:38 MDT 2013
On 9/17/2013 6:45 AM, "Th. Söldenwagner" wrote:
> Hi,
>
> I am trying to create shares for my users in our new Samba4 domain, but
> with no luck so far.
Which flavor of Linux are you trying this on?

If CentOS/RHEL, one thing I always forget to check is SELinux issues.
Maybe you have as well?

# getenforce
- Will tell you whether SELinux is disabled, permissive or enforcing.

# setenforce permissive
- Setting it /temporarily/ to "permissive" is a useful check to see
whether you have a SELinux issue somewhere that needs to be addressed.

Assuming that you have "auditd" running, try looking at:

# cat /var/log/audit/audit.log | audit2allow

Which may show you an overall view of how many exceptions you have.

In general, SELinux issues boil down to a few root causes and fixes:

#1 - There's a boolean that you need to maybe turn on. If you dig
through the "sealert -a UUID" messages in the system log, it does a good
job of explaining when this might apply.

#2 - There's a file system labeling problem. i.e. you are trying to let
a process access things in a non-standard place and/or with a
non-standard label. These are fixed with "restorecon" and "semanage
fcontext" changes.

#3 - There's no way to fix labels or booleans to allow what you need, so
you need to create a local exception policy. This can be done using
"audit2allow" and "semodule -i". You should be careful about which
exceptions you feed to audit2allow and try to keep the resulting
exception policy as minimal as possible.
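
Added example, not part of the original message: one way to narrow what gets fed to audit2allow, by keeping only smbd's AVC denials and summarising them so that labeling problems (#2) are caught before a local policy (#3) is written. The log lines are constructed, and the function names and the module name local_smbd are hypothetical.

```sh
#!/bin/sh
# Constructed audit.log lines for illustration; not from a real system.
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1379600000.101:501): avc:  denied  { read } for  pid=2101 comm="smbd" name="projects" dev="dm-0" ino=131 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1379600001.202:502): avc:  denied  { getattr } for  pid=2101 comm="smbd" path="/srv/shares/projects/a.txt" dev="dm-0" ino=140 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1379600002.303:503): avc:  denied  { name_bind } for  pid=3000 comm="httpd" src=8081 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1379600003.404:504): avc:  denied  { read } for  pid=2101 comm="smbd" name="projects" dev="dm-0" ino=131 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir
type=SYSCALL msg=audit(1379600003.404:504): arch=c000003e syscall=257 success=no exit=-13 comm="smbd" exe="/usr/sbin/smbd"
EOF
}

# Keep only AVC denials raised by one command name (stdin -> stdout).
avc_for_comm() {
    grep '^type=AVC ' | grep -F 'denied' | grep -F "comm=\"$1\""
}

# Collapse denials to "count target_type class perms", most frequent first.
avc_summary() {
    sed -n 's/.*denied  *{ \([^}]*\) }.*tcontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([^ ]*\).*/\2 \3 \1/p' |
        sort | uniq -c | sort -rn | awk '{ $1 = $1; print }'
}

# Summary rows whose target type points at labeling (root cause #2):
# fix those with semanage fcontext + restorecon, not with a policy module.
label_suspects() {
    awk '$2 == "default_t" || $2 == "unlabeled_t"'
}

sample_audit_log | avc_for_comm smbd | avc_summary
# Prints:
#   2 default_t dir read
#   1 default_t file getattr

# On a real host, only after booleans and labels are ruled out
# (local_smbd is a hypothetical module name):
#   avc_for_comm smbd < /var/log/audit/audit.log | audit2allow -M local_smbd
#   semodule -i local_smbd.pp
```

Here every smbd denial targets default_t, so the share directory's label is the thing to fix and no local policy module is needed.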