[SOLVED] smb isn't working correctly

[pnelsonsr]

Had samba working fine but now the shares (yep all of them) do not allow the creation or deletion of directories. Files? They work fine.

I've searched and searched but can not seem to find any info on this kind of issue. Any ideas where to look?

What would change with an upgrade from F15 to F16? Could SELinux be doing something? Nothing in the logs at all...

[flyingfsck]

Check smb.conf and the user and group IDs. With your new install, you may not be owner of the files any more and may need to play with chmod.

[pnelsonsr]

But I can create/edit/delete files. Just not directories. And this is in every share.

[flyingfsck]

So, check smb.conf. There are ways to set directory and file privileges, but they must match the UNIX privileges.

http://www.samba.org/samba/docs/man/...on/rights.html
http://www.samba.org/samba/docs/man/...sControls.html

[Dutchy]

I can confirm that this is caused by SELinux.
The upgrade from F15 to F16 seems to reset some SELinux settings / policy's but the biggest problem is that you won't see SETroubleshooter pop up with notifications which is caused by the disabling of some services after the upgrade.

I fixed this by re-enabling the some service but unfortunately I'm not completely sure which ones.
I believe it were (some of) these:
-abrt-ccpp.service
-abrt-oops.service
-abrt-vmcore.service
-auditd.service
-accounts-daemon.service

Look whether these are active with this command:

Code:

systemctl -a | grep service

And if not then re-enable them with this command:

Code:

systemctl enable some.service

After that SELinuxTroubleshooter should popup again telling you it is preventing certain actions.

Of course you could also use system-config-selinux to switch the right Samba booleans (can't check right now which ones unfortunately) and then your Samba server should function properly again.

[pnelsonsr]

Thanks Duchy you got me going down the right path! The point about setroubleshoot not doing the popups caused me to remember that there was a log entry for these types of selinux alerts, so I ran

Code:

tail -f the /var/log/messages

and while watching the log file I tried to create a new directory on a samba share. Sure enough there was an kernel audit create denied message ! So then I listed out the selinux samba bools with:

Code:

getsebool –a | grep samba | grep off

This showed:

Code:

samba_create_home_dirs --> off
samba_domain_controller --> off
samba_run_unconfined --> off
samba_share_fusefs --> off
samba_share_nfs --> off
sanlock_use_samba --> off
use_samba_home_dirs --> off
virt_use_samba --> off

So I started with the first one with:

Code:

setsebool -P samba_create_home_dirs=1

And confirmed it with the above getsebool command which showed:

Code:

samba_create_home_dirs --> on

I then tried (while still running 'tail -f messages') to create a dir in a samba share. Presto a new directory was created.

I didn't turn on the setroubleshoot alerter as I hope that this will be fixed in an update shortly.

[RHamel]

Code:

systemctl enable auditd.service
systemctl start auditd.service

[pnelsonsr]

Thanks all for the help. I have spent a lot of time on this and it drove me nuts at times. But I think I finally solve this. After my last reply I started testing things and found that I had not solve the problem. With the samba_create_home_dirs bool I was in fact able to create a new dir in a share, but I was unable to rename it. So I tried changing all samba and smbd bools to yes, but this did not help and I kept getting audit errors.

So I went looking and found that the information was on my system all along in a man page call samba_selinux. Seeing I was dealing with shares that were not home dirs of the person connecting there was an issue of SELinux requiring files (and dirs) to have an extended attribute set so that the daemons that access them can be governed. The attribute in question for samba is samba_share_t and this needs to be set to solve the problem I was having. So I changed all the bools back to what they were to begin with which was:

Code:

samba_create_home_dirs --> off
samba_domain_controller --> off
samba_enable_home_dirs --> on
samba_export_all_ro --> on
samba_export_all_rw --> on
samba_run_unconfined --> off
samba_share_fusefs --> off
samba_share_nfs --> off
sanlock_use_samba --> off
use_samba_home_dirs --> off
virt_use_samba --> off
allow_smbd_anon_write --> off

And then set the attribute on each of my samba shares root dir with:

Code:

chcon -Rt samba_share_t <FULL PATH TO SHARE>

And then all was working within the share. To make this permanent (so any restorecon wouldn't change it back) I did this with:

Code:

semanage fcontext -a -t samba_share_t "<FULL PATH TO SHARE>(/.*)?"
restorecon -R -v <FULL PATH TO SHARE>

There is a bunch of information in this man page (installed with selinux-policy package) that was helpful.

I'm setting this to solved, but I still don't know what changed with F16 that effected the samba shares, was it selinux or samba or both? Don't know but I'm moving on...