[Samba] Permission denied for home, even when it's 777

Deft Developer dev at hymes.name
Wed Jul 8 16:23:17 UTC 2020


I used setenforce  0, and I was extremely surprised to see a burst of selinux denials appear in the journal.
So I corrected the problem with:
    setsebool -P use_samba_home_dirs 1 
And updating some policies.
Thanks very much!
I have never before dealt with selinux denials that don't appear in the journal until "enforcing" is changed to "permissive". Is this a samba feature? Or is there a configuration I can change somewhere else in CentOS?
Thanks !
Deft
-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Strahil Nikolov via samba
Sent: Monday, July 6, 2020 9:14 PM
To: Deft Developer <dev at hymes.name>; samba at lists.samba.org
Subject: Re: [Samba] Permission denied for home, even when it's 777

In order to verify if it is indeed SELINUX, what happens when you use 'setenforce 0'?

Usually, you need the use_samba_home_dirs boolean to be enabled.

Best Regards,
Strahil Nikolov

On 6 July 2020, 19:31:46 GMT+03:00, Deft Developer via samba <samba at lists.samba.org> wrote:
>I cannot access home samba share from windows. Windows client displays 
>a permission denied error. The problem is not Linux permissions for the 
>user directory, permission is still denied when permissions are set to 777. 
>I don't think the problem is selinux, because no denials appear in any 
>logs. I don't think it's an extended attributes issue from xfs, because 
>I don't see any attributes from lsattr, and only "selinux" in attr -l. 
>The problem is specific to home, other shares owned by the same user 
>work as expected.
>
>The share-logs logs show errors like this:
>
>Error opening file . (NT_STATUS_ACCESS_DENIED) (local_flags=0) (flags=0)
>
>192.168.0.8.log.old:  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../../source3/smbd/smb2_create.c:296
>
>192.168.0.8.log.old:  get_ea_dos_attribute: Cannot get attribute from EA on file .: Error = Permission denied
>
>And I see similar errors from strace:
>
>getxattr(".", "user.DOSATTRIB", 0x7ffd35218110, 256) = -1 EACCES (Permission denied)
>
>getxattr(".", "user.DOSATTRIB", 0x7ffd35218110, 256) = -1 EACCES (Permission denied)
>
>open(".", O_RDONLY)                     = -1 EACCES (Permission denied)
>
>openat(AT_FDCWD, ".", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = -1 EACCES (Permission denied)
>
>I am very puzzled about which "." directory samba is failing to access.
>
>Home shares worked for years with the configuration below, until I 
>migrated the samba server from one CentOS 7 server to another. I expect 
>that home shares have never worked on this new CentOS 7 server.
>
>My samba is
>
>Version     : 4.10.4
>Release     : 11.el7_8
>
>CentOS Linux release 7.8.2003 (Core)
>
>Linux 3.10.0-1127.13.1.el7.x86_64 #1 SMP Tue Jun 23 15:46:38 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
>
>Here is an excerpt of my samba.conf:
>
>        workgroup = MSAKYTOWN
>        realm = MSAKYTOWN.ORG
>        security = ADS
>        server string = Galactica %v
>        netbios name = GALACTICA
>        log file = /var/log/samba/%m.log
>        max log size = 50
>        log level = 4 passdb:5 auth:5
>        idmap config * : backend = tdb
>        idmap config * : range = 3000-7999
>        idmap config MSAKYTOWN:backend = ad
>        idmap config MSAKYTOWN:range = 10000-999999
>        idmap config MSAKYTOWN:unix_primary_group = no
>        idmap config MSAKYTOWN:unix_nss_info = yes
>        idmap config MSAKYTOWN:schema_mode = rfc2307
>        template shell = /usr/bin/bash
>        template homedir = /home/%U
>        kerberos method = secrets and keytab
>        local master = no
>        preferred master = no
>        unix extensions = no
>        allow insecure wide links = yes
>        username map = /etc/samba/user.map
>
>[homes]
>        comment = Home Directories
>        read only = No
>        browseable = yes
>        writable = yes
>        follow symlinks = yes
>        wide links = yes
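
Added example, not part of the original posts: a small Python parser that summarises the SELinux AVC denial records logged for smbd, the kind of records the top message reports seeing after `setenforce 0`. The log lines are constructed samples, and the SELinux types, paths and ids in them are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample audit records (not taken from the thread); the types,
# paths and ids are assumptions chosen to resemble an smbd home-share denial.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1594224000.101:501): avc:  denied  { getattr } for  pid=2211 comm="smbd" path="/home/exampleuser" dev="dm-0" ino=131 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1594224000.102:502): avc:  denied  { read open } for  pid=2211 comm="smbd" path="/home/exampleuser" dev="dm-0" ino=131 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1594224000.200:503): avc:  denied  { read } for  pid=900 comm="httpd" name="index.html" dev="dm-0" ino=77 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1594224000.101:501): arch=c000003e syscall=191 success=yes exit=0 comm="smbd"
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?comm="(?P<comm>[^"]+)"'
    r'.*?scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
    r'(?:\s+permissive=(?P<permissive>[01]))?'
)

def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]

def summarize_denials(log_text, comm="smbd"):
    """Group AVC denials for one process name by (source type, target type, class)."""
    summary = defaultdict(lambda: {"perms": set(), "permissive": False})
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or m["comm"] != comm:
            continue  # not an AVC denial, or a different process
        key = (selinux_type(m["scon"]), selinux_type(m["tcon"]), m["tclass"])
        summary[key]["perms"].update(m["perms"].split())
        # permissive=1: the access was logged but allowed (setenforce 0)
        summary[key]["permissive"] |= m["permissive"] == "1"
    return dict(summary)

if __name__ == "__main__":
    for (src, tgt, cls), info in summarize_denials(SAMPLE_AUDIT_LOG).items():
        mode = "permissive" if info["permissive"] else "enforcing"
        print(f"{src} -> {tgt}:{cls} {sorted(info['perms'])} ({mode})")
```

On a real host the input would be the AVC lines from the audit log or journal rather than the embedded sample.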
