[Samba] Permission denied for home, even when it's 777
Strahil Nikolov
hunter86_bg at yahoo.com
Wed Jul 8 19:10:33 UTC 2020
Usually not everything is logged on disk or you will end up with a '/var' bigger than 50G.
Also, in order to log the whole denial process, you need to be in permissive mode.
Imagine that samba needs a sequence of tasks that SELINUX was not informed to allow by the admin - the first one will be rejected and samba will never try the rest.
When you set in permissive, you can use 'sealert -a /var/log/audit/audit.log' and in some cases it will propose meaningful solutions (but don't grab the first one).
About the SELinux documentation, you can install the selinux-policy-doc package and rebuild the man database:
mandb && man -k _selinux
Best Regards,
Strahil Nikolov
On 8 July 2020 19:23:17 GMT+03:00, Deft Developer via samba <samba at lists.samba.org> wrote:
>I used setenforce 0, and I was extremely surprised to see a burst of
>selinux denials appear in the journal.
>So I corrected the problem with:
> setsebool -P use_samba_home_dirs 1
>And updating some policies.
>Thanks very much!
>I have never before dealt with selinux denials that don't appear in the
>journal until "enforcing" is changed to "permissive". Is this a samba
>feature? Or is there a configuration I can change somewhere else in
>CentOS?
>Thanks !
>Deft
>-----Original Message-----
>From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Strahil
>Nikolov via samba
>Sent: Monday, July 6, 2020 9:14 PM
>To: Deft Developer <dev at hymes.name>; samba at lists.samba.org
>Subject: Re: [Samba] Permission denied for home, even when it's 777
>
>In order to verify if it is indeed SELinux, what happens when you use
>'setenforce 0' ?
>
>Usually, you need the use_samba_home_dirs boolean to be enabled.
>
>Best Regards,
>Strahil Nikolov
>
>On 6 July 2020 19:31:46 GMT+03:00, Deft Developer via samba
><samba at lists.samba.org> wrote:
>>I cannot access home samba share from windows. Windows client displays
>>a permission denied error. The problem is not Linux permissions for the
>>user directory, permission is still denied when permissions are set to
>>777.
>>I don't think the problem is selinux, because no denials appear in any
>>logs. I don't think it's an extended attributes issue from xfs, because
>>I don't see any attributes from lsattr, and only "selinux" in attr -l.
>>The problem is specific to home, other shares owned by the same user
>>work as expected.
>>
>>The share logs show errors like this:
>>
>>Error opening file . (NT_STATUS_ACCESS_DENIED) (local_flags=0)
>>(flags=0)
>>
>>192.168.0.8.log.old: smbd_smb2_request_error_ex:
>>smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] ||
>>at
>>../../source3/smbd/smb2_create.c:296
>>
>>192.168.0.8.log.old: get_ea_dos_attribute: Cannot get attribute from
>>EA on file .: Error = Permission denied
>>
>>And I see similar errors from strace:
>>
>>getxattr(".", "user.DOSATTRIB", 0x7ffd35218110, 256) = -1 EACCES (Permission denied)
>>
>>getxattr(".", "user.DOSATTRIB", 0x7ffd35218110, 256) = -1 EACCES (Permission denied)
>>
>>open(".", O_RDONLY) = -1 EACCES (Permission denied)
>>
>>openat(AT_FDCWD, ".", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = -1
>>EACCES (Permission denied)
>>
>>I am very puzzled about which "." directory samba is failing to
>>access.
>>
>>Home shares worked for years with the configuration below, until I
>>migrated the samba server from one CentOS 7 server to another. I expect
>>that home shares have never worked on this new CentOS 7 server.
>>
>>My samba is
>>
>>Version : 4.10.4
>>
>>Release : 11.el7_8
>>
>>CentOS Linux release 7.8.2003 (Core)
>>
>>Linux 3.10.0-1127.13.1.el7.x86_64 #1 SMP Tue Jun 23 15:46:38 UTC 2020
>>x86_64 x86_64 x86_64 GNU/Linux
>>
>>Here is an excerpt of my samba.conf:
>>
>> workgroup = MSAKYTOWN
>> realm = MSAKYTOWN.ORG
>> security = ADS
>> server string = Galactica %v
>> netbios name = GALACTICA
>> log file = /var/log/samba/%m.log
>> max log size = 50
>> log level = 4 passdb:5 auth:5
>> idmap config * : backend = tdb
>> idmap config * : range = 3000-7999
>> idmap config MSAKYTOWN:backend = ad
>> idmap config MSAKYTOWN:range = 10000-999999
>> idmap config MSAKYTOWN:unix_primary_group = no
>> idmap config MSAKYTOWN:unix_nss_info = yes
>> idmap config MSAKYTOWN:schema_mode = rfc2307
>> template shell = /usr/bin/bash
>> template homedir = /home/%U
>> kerberos method = secrets and keytab
>> local master = no
>> preferred master = no
>> unix extensions = no
>> allow insecure wide links = yes
>> username map = /etc/samba/user.map
>>
>>[homes]
>> comment = Home Directories
>> read only = No
>> browseable = yes
>> writable = yes
>> follow symlinks = yes
>> wide links = yes
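The advice in this thread (switch to permissive, then read the denials, but do not take sealert's first proposal blindly) still leaves one step to do by hand: pull the smbd AVC records apart into source context, target context, object class and permission, so that the boolean or policy module you enable matches exactly what was denied. The POSIX shell script below is an added example, not code from the thread or from the Samba project. The audit lines it embeds are constructed to resemble what permissive mode logs for the getxattr and open failures in the strace above; the path /home/deft, the pid, inode and event numbers are made up. Two facts it relies on: in enforcing mode smbd stops at the first denied call, so later denials never occur, and a policy dontaudit rule can suppress a denial from the log entirely, which `semodule -DB` turns off (and `semodule -B` restores) so the audit log shows everything.

```shell
#!/bin/sh
# Added example: summarise SELinux AVC denials from an audit log.
# Not from the thread or from Samba; the sample audit lines in avc_sample
# are constructed (hypothetical share path /home/deft, made-up pid/inode).

# Print one line per distinct denial, most frequent first:
#   <count> <comm> <scontext> <tcontext> <tclass> {<perms>}
# $1 is the audit log to read (default /var/log/audit/audit.log).
avc_summary() {
    awk '
        # Only "avc:  denied" records; SYSCALL/PATH records and the
        # "----"/"time->" separators that ausearch prints are skipped.
        /^type=AVC / && /avc:  denied/ {
            perms = ""; s = ""; t = ""; c = ""; comm = ""
            # permissions are written as "{ getattr }" or "{ read open }"
            if (match($0, /[{] [^}]* [}]/))
                perms = substr($0, RSTART + 2, RLENGTH - 4)
            for (i = 1; i <= NF; i++) {
                n = index($i, "=")
                if (n == 0) continue
                k = substr($i, 1, n - 1); v = substr($i, n + 1)
                if (k == "scontext") s = v
                else if (k == "tcontext") t = v
                else if (k == "tclass") c = v
                else if (k == "comm") comm = v
            }
            count[comm " " s " " t " " c " {" perms "}"]++
        }
        END { for (k in count) print count[k], k }
    ' "${1:-/var/log/audit/audit.log}" | sort -rn
}

# Write constructed sample audit records to the file named by $1, so the
# summary can be tried offline. The values are invented, not real logs.
avc_sample() {
    cat > "$1" <<'EOF'
type=SYSCALL msg=audit(1594236633.101:401): arch=c000003e syscall=191 success=no exit=-13 comm="smbd" exe="/usr/sbin/smbd"
type=AVC msg=audit(1594236633.101:401): avc:  denied  { getattr } for  pid=2417 comm="smbd" path="/home/deft" dev="dm-0" ino=131 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1594236633.102:402): avc:  denied  { read open } for  pid=2417 comm="smbd" path="/home/deft" dev="dm-0" ino=131 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1594236633.103:403): avc:  denied  { getattr } for  pid=2417 comm="smbd" path="/home/deft" dev="dm-0" ino=131 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1
EOF
}

# On a real host the sequence is:
#   setenforce 0            # let smbd get past the first denial
#   semodule -DB            # optional: stop dontaudit rules hiding denials
#   (reproduce the share access from the Windows client)
#   ausearch -m AVC -ts recent > /tmp/avc.log && avc_summary /tmp/avc.log
#   semodule -B; setenforce 1   # put the policy and mode back afterwards
# A tcontext of user_home_dir_t with tclass dir is what the
# use_samba_home_dirs boolean addresses; anything else needs its own look.
```

The output groups the denials by the four fields that decide an SELinux access check, so a denial on user_home_dir_t is visibly different from one on, say, a mislabelled directory that restorecon would fix; the count tells you which denial smbd hits most, which is usually the first one in the sequence that enforcing mode stops at.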