Mysterious Happenings with Samba Shares

[worldaccordingtojohn]

I just got past my Samba authentication prompt problem on a brand new system. Now I am running into a couple of others. Some shares that are defined in smb.conf will mount and others are inaccessible.

In the attached picture you will see I can mount /mnt share just fine but I can only see one of the three directories within in.

https://www.dropbox.com/s/9sdzap4hzv9v3 ... M.bmp?dl=0

In the other picture you will see that although I was able to mount /mnt just fine, I cannot mount /jek. For all intents and purposes the definitions in smb.conf are the same.

https://www.dropbox.com/s/f5b8rb14fkgba ... M.bmp?dl=0

Any ideas?

[jyoung]

To start, I'd change your security to security = user. Restart Samba and try to remap the drive on the Windows machine (entirely).

What you're describing sounds like a permissions problem. If the above doesn't fix it, post the SELinux contexts of your directories in /mnt and the subdirectories that you're unable to view . The permissions that you've shown should at least allow the nobody user read access into the directory.

Code: Select all

ls -lZ /mnt/*

Code: Select all

ls -lZ / | grep jek

[worldaccordingtojohn]

Hey J,

Thanks for the assistance. I did all of that and got the same result. Any other ideas?

https://www.dropbox.com/s/3leafrp3lorf7 ... M.jpg?dl=0

[jyoung]

Doesn't look like your directories have the right SELinux context. In order for you to let Samba share those directories as they currently sit, you'd have to enable one (or both) of the booleans shown at the end of these lines.

Code: Select all

root@servername in /home/jyoung >> sesearch -A -C -s smbd_t -t file_t
Found 9 semantic av rules:
   allow smbd_t file_type : filesystem getattr ; 
   allow smbd_t mountpoint : dir { getattr search open } ; 
DT allow smbd_t file_t : file { ioctl read getattr lock open } ; [ samba_export_all_ro ]
DT allow smbd_t file_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ; [ samba_export_all_rw ]
DT allow smbd_t file_t : dir { ioctl read getattr lock search open } ; [ samba_export_all_ro ]
DT allow smbd_t file_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ; [ samba_export_all_rw ]
DT allow smbd_t file_t : lnk_file { ioctl read write create getattr setattr lock append unlink link rename } ; [ samba_export_all_rw ]
DT allow smbd_t file_t : sock_file { ioctl read write create getattr setattr lock append unlink link rename open } ; [ samba_export_all_rw ]
DT allow smbd_t file_t : fifo_file { ioctl read write create getattr setattr lock append unlink link rename open } ; [ samba_export_all_rw ]

From /etc/samba/smb.conf:

If you want to share home directories via samba please run:
setsebool -P samba_enable_home_dirs on

If you create a new directory you want to share you should mark it as
"samba_share_t" so that selinux will let you write into it.
Make sure not to do that on system directories as they may already have
been marked with othe SELinux labels.

Use ls -ldZ /path to see which context a directory has

Set labels only on directories you created!
To set a label use the following: chcon -t samba_share_t /path

If you need to share a system created directory you can use one of the
following (read-only/read-write):
setsebool -P samba_export_all_ro on
or
setsebool -P samba_export_all_rw on

If you change the SELinux context of those directories (the preferable solution), you should use semanage, not chcon, so that your update will survive a reboot. For example:

Code: Select all

semanage fcontext -a -t samba_share_t "/mnt(/.*)?"
touch /.autorelabel; reboot

[worldaccordingtojohn]

Thanks guys & gals. I appreciate all the help. Once you identified it to be an SELinux problem I went the other route and disabled SELinux. It's just a box in my closet at home. In the interest if simplifying life I don't think I need SELinux.