[Samba] Permission denied for home, even when it's 777

Strahil Nikolov hunter86_bg at yahoo.com
Wed Jul 8 19:10:33 UTC 2020


Usually not everything is logged on disk, or you will end up with a '/var' bigger than 50G.
Also, in order to log the whole denial process, you need to be in permissive mode.
Imagine that samba needs a sequence of tasks that SELINUX was not informed to allow by the admin - the first one will be rejected and samba will never try the rest.

When you set in permissive, you can use 'sealert -a /var/log/audit/audit.log' and in some cases it will propose meaningful solutions (but don't grab the first one).

About the selinux docu, you can install the selinux-policy-doc package and rebuild the man:
mandb && man -k _selinux

Best Regards,
Strahil Nikolov

On 8 July 2020 at 19:23:17 GMT+03:00, Deft Developer via samba <samba at lists.samba.org> wrote:
>I used setenforce  0, and I was extremely surprised to see a burst of
>selinux denials appear in the journal.
>So I corrected the problem with:
>    setsebool -P use_samba_home_dirs 1 
>And updating some policies.
>Thanks very much!
>I have never before dealt with selinux denials that don't appear in the
>journal until "enforcing" is changed to "permissive". Is this a samba
>feature? Or is there a configuration I can change somewhere else in
>CentOS?
>Thanks !
>Deft
>-----Original Message-----
>From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Strahil
>Nikolov via samba
>Sent: Monday, July 6, 2020 9:14 PM
>To: Deft Developer <dev at hymes.name>; samba at lists.samba.org
>Subject: Re: [Samba] Permission denied for home, even when it's 777
>
>In order to verify if it is indeed SELINUX, what happens when you use
>'setenforce 0'?
>
>Usually, you need the use_samba_home_dirs boolean to be enabled.
>
>Best Regards,
>Strahil Nikolov
>
>On 6 July 2020 at 19:31:46 GMT+03:00, Deft Developer via samba
><samba at lists.samba.org> wrote:
>>I cannot access home samba share from windows. Windows client displays
>>a permission denied error. The problem is not Linux permissions for the
>>user directory, permission is still denied when permissions are set to 777.
>>I don't think the problem is selinux, because no denials appear in any
>>logs. I don't think it's an extended attributes issue from xfs, because
>>I don't see any attributes from lsattr, and only "selinux" in attr -l.
>>The problem is specific to home, other shares owned by the same user
>>work as expected.
>>
>>The share logs show errors like this:
>>
>>Error opening file . (NT_STATUS_ACCESS_DENIED) (local_flags=0) (flags=0)
>>
>>192.168.0.8.log.old:  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../../source3/smbd/smb2_create.c:296
>>
>>192.168.0.8.log.old:  get_ea_dos_attribute: Cannot get attribute from EA on file .: Error = Permission denied
>>
>>And I see similar errors from strace:
>>
>>getxattr(".", "user.DOSATTRIB", 0x7ffd35218110, 256) = -1 EACCES (Permission denied)
>>
>>getxattr(".", "user.DOSATTRIB", 0x7ffd35218110, 256) = -1 EACCES (Permission denied)
>>
>>open(".", O_RDONLY)                     = -1 EACCES (Permission denied)
>>
>>openat(AT_FDCWD, ".", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = -1 EACCES (Permission denied)
>>
>>I am very puzzled about which "." directory samba is failing to access.
>>
>>Home shares worked for years with the configuration below, until I
>>migrated the samba server from one CentOS 7 server to another. I expect
>>that home shares have never worked on this new CentOS 7 server.
>>
>>My samba is
>>
>>Version     : 4.10.4
>>Release     : 11.el7_8
>>CentOS Linux release 7.8.2003 (Core)
>>Linux 3.10.0-1127.13.1.el7.x86_64 #1 SMP Tue Jun 23 15:46:38 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
>>
>>Here is an excerpt of my samba.conf:
>>
>>        workgroup = MSAKYTOWN
>>        realm = MSAKYTOWN.ORG
>>        security = ADS
>>        server string = Galactica %v
>>        netbios name = GALACTICA
>>        log file = /var/log/samba/%m.log
>>        max log size = 50
>>        log level = 4 passdb:5 auth:5
>>        idmap config * : backend = tdb
>>        idmap config * : range = 3000-7999
>>        idmap config MSAKYTOWN:backend = ad
>>        idmap config MSAKYTOWN:range = 10000-999999
>>        idmap config MSAKYTOWN:unix_primary_group = no
>>        idmap config MSAKYTOWN:unix_nss_info = yes
>>        idmap config MSAKYTOWN:schema_mode = rfc2307
>>        template shell = /usr/bin/bash
>>        template homedir = /home/%U
>>        kerberos method = secrets and keytab
>>        local master = no
>>        preferred master = no
>>        unix extensions = no
>>        allow insecure wide links = yes
>>        username map = /etc/samba/user.map
>>
>>[homes]
>>        comment = Home Directories
>>        read only = No
>>        browseable = yes
>>        writable = yes
>>        follow symlinks = yes
>>        wide links = yes
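A small triage script, added here as an example and not something posted in the thread: it summarises AVC records from audit.log the way an operator would after Strahil's advice, counts how many were recorded while still enforcing, and flags the ones where smbd_t was refused access to a home-directory type, which is exactly what the use_samba_home_dirs boolean governs (the fix Deft applied with setsebool -P). The audit records are constructed; pid, inode, timestamps, the /home/deft path and the httpd entry used as a contrast are made up, while the record layout and the type names smbd_t, user_home_t, user_home_dir_t and home_root_t are the real ones.

```shell
#!/bin/sh
# Added example (not from the thread): summarise SELinux AVC denials for smbd
# and flag the ones that hit a home-directory type, so the operator checks the
# use_samba_home_dirs boolean instead of guessing from a 777 directory.
# The records below are CONSTRUCTED to resemble audit.log entries (pid, inode,
# timestamps and path are made up); the layout and type names are real.

SAMPLE_AVC='type=AVC msg=audit(1594234800.123:456): avc:  denied  { read } for  pid=2345 comm="smbd" name="." dev="dm-0" ino=1234 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1594234800.124:457): avc:  denied  { getattr open } for  pid=2345 comm="smbd" path="/home/deft" dev="dm-0" ino=1234 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1594234800.200:458): avc:  denied  { name_bind } for  pid=999 comm="httpd" src=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1594234800.124:457): arch=c000003e syscall=257 success=no exit=-13 comm="smbd" exe="/usr/sbin/smbd"'

# avc_summary: read audit records on stdin and print one line per AVC denial:
#   comm source_type target_type tclass perms permissive
# Several permissions in one record are joined with '+' (e.g. getattr+open).
avc_summary() {
  awk '
  /type=AVC/ && /avc: +denied/ {
    perm = ""; comm = ""; st = ""; tt = ""; cls = ""; mode = ""
    for (i = 1; i <= NF; i++) {
      if ($i == "{") {
        for (j = i + 1; j <= NF && $j != "}"; j++)
          perm = perm (perm == "" ? "" : "+") $j
      }
      if ($i ~ /^comm=/)       { comm = $i; sub(/^comm="/, "", comm); sub(/"$/, "", comm) }
      if ($i ~ /^scontext=/)   { split($i, a, ":"); st = a[3] }   # user:role:TYPE:level
      if ($i ~ /^tcontext=/)   { split($i, b, ":"); tt = b[3] }
      if ($i ~ /^tclass=/)     { cls = $i; sub(/^tclass=/, "", cls) }
      if ($i ~ /^permissive=/) { mode = $i; sub(/^permissive=/, "", mode) }
    }
    print comm, st, tt, cls, perm, mode
  }'
}

# smbd_home_denials: count denials where smbd_t was refused access to a
# home-directory type. A non-zero count is the signature of the
# use_samba_home_dirs boolean being off.
smbd_home_denials() {
  avc_summary | awk '
    $2 == "smbd_t" && ($3 == "user_home_t" || $3 == "user_home_dir_t" || $3 == "home_root_t") { n++ }
    END { print n + 0 }'
}

# enforcing_denials: count denials recorded while enforcing (permissive=0).
# Records seen only with permissive=1 are the later steps of the sequence
# that enforcing mode never let smbd reach, which is Strahil's point above.
enforcing_denials() {
  avc_summary | awk '$6 == "0" { n++ } END { print n + 0 }'
}

# Offline demonstration on the constructed records.
printf '%s\n' "$SAMPLE_AVC" | avc_summary
echo "smbd denials against home types: $(printf '%s\n' "$SAMPLE_AVC" | smbd_home_denials)"
echo "denials recorded while enforcing: $(printf '%s\n' "$SAMPLE_AVC" | enforcing_denials)"

# Live checks, only where the SELinux tools exist; failures are tolerated so
# the script also runs on hosts without SELinux.
if command -v getenforce >/dev/null 2>&1; then
  echo "SELinux mode: $(getenforce 2>/dev/null || echo unknown)"
  getsebool use_samba_home_dirs 2>/dev/null || true
fi
```

On a real host, feed it the output of `ausearch -m AVC -ts recent` instead of the sample. One caveat the thread's question touches on: a denial that never shows up in audit.log while enforcing is often covered by a dontaudit rule in the policy rather than by a logging limit; `semodule -DB` rebuilds the policy with those rules disabled so the whole sequence is recorded, and `semodule -B` puts them back afterwards.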