A few weeks back my server started having a problem where all shares are now readonly. AFAIK nothing has changed except a 'yum update' which was probably around the same time.

Everyone still has the shares on their Win7 PCs and can see the contents. However, if they try to open a file it opens read only. If they try to create a new file (e.g. right click -> New -> Text Document) it says that they don't have permission.

I am not seeing anything meaningful in the log files. Can anyone give me a clue how to fix this, or at least how to collect debug info?

SELinux has been disabled to eliminate that.

Gary

Global parameters
[global]
    netbios name = ZEPPO2
    server string = Ringways Doncaster Showroom Server
    workgroup = MOTORPARK
    os level = 33
    preferred master = Yes
    log file = /var/log/samba/log.%m
    max log size = 50
    guest account = gary
    security = USER
    username map = /etc/samba/smbusers
    wins proxy = Yes
    wins server = 10.1.1.101
    idmap config * : backend = tdb
    cups options = raw
    hosts allow = 127. 10.

[printers]
    comment = All Printers
    path = /var/spool/samba
    browseable = No
    printable = Yes
    guest ok = Yes

[tmp]
    comment = Temporary work area
    path = /user/remote/tmp
    guest ok = Yes
    read only = No

[goodwill]
    comment = Good will documents
    path = /user/remote/goodwill
    force user = gary
    guest ok = Yes
    read only = No
    valid users = gary

[service]
    comment = Temporary work area
    path = /user/remote/service
    force user = gary
    read only = No
    valid users = gary
    write list = gary

[sales_doc]
    comment = Sales D.O.C. spreadsheets
    path = /user/remote/sales_doc
    force user = gary
    guest ok = Yes
    read only = No
    valid users = gary

[root at zeppo ~]# smbstatus

Samba version 4.4.4
PID     Username     Group        Machine                                   Protocol Version  Encryption           Signing
----------------------------------------------------------------------------------------------------------------------------------------
2552    gary         gary         10.6.103.236 (ipv4:10.6.103.236:50445)    SMB2_10           -                    -

Service      pid     Machine       Connected at                     Encryption   Signing
---------------------------------------------------------------------------------------------
tmp          2552    10.6.103.236  Thu May  4 14:05:23 2017 BST     -            -

Locked files:
Pid          Uid        DenyMode   Access      R/W        Oplock           SharePath   Name   Time
--------------------------------------------------------------------------------------------------
2552         1000       DENY_ALL   0x100080    RDONLY     NONE             /user/remote/tmp   .   Thu May  4 14:05:23 2017
2552         1000       DENY_NONE  0x100081    RDONLY     NONE             /user/remote/tmp   .   Thu May  4 14:05:39 2017

[root at zeppo ~]# ls -ld / /user /user/remote/ /user/remote/tmp/ /user/remote/service/
dr-xr-xr-x. 18 root root 4096 May  4 13:59 /
drwxr-xr-x.  4 root root   34 Nov  7  2013 /user
drwxr-xr-x. 22 gary gary 4096 Jun  2  2016 /user/remote/
drwxr-xr-x.  6 gary gary 4096 Apr 19 08:32 /user/remote/service/
drwxr-xr-x.  8 gary gary 4096 Feb 23 17:26 /user/remote/tmp/
[root at zeppo ~]#
Gary Stainburn wrote:
> A few weeks back my server started having a problem where all shares are
> now readonly. AFAIK nothing has changed except a 'yum update' which was
> probably around the same time.
>
> Everyone still has the shares on their Win7 PCs and can see the contents.
> However, if they try to open a file it opens read only. If they try to
> create a new file (e.g. right click -> New -> Text Document) it says that they
> don't have permission.
>
> I am not seeing anything meaningful in the log files. Can anyone give me a
> clue how to fix this, or at least how to collect debug info?
>
> SELinux has been disabled to eliminate that.
<snip>

Dumb question #1: on the server, can you touch /samba/path/this? That is, can *you* create a file in one of those directories? If not... why is your filesystem read-only?

mark.
Pretty sure smb gets "control" of a directory via the group. For my setup, each directory defined by a path in smb.conf has group smbusers, and has rwx permissions. This is applied just to that directory, it is not applied recursively. The files and folders in that directory have the actual remote user's ownership and permissions.

What is applied recursively is the selinux label. I find it's better to have a dedicated filesystem volume so you can use the mount option context="system_u:object_r:samba_share_t:s0" and that will apply that context to the whole file system. If a file system volume is being shared, then you'll need to use chcon -R "system_u:object_r:samba_share_t:s0" <path> to apply that context to everything. New files and directories will inherit this context (so long as it's a copy and not a move; so if you move things behind the scenes outside of samba, you can run into label problems since inheritance doesn't apply to moving).

Chris Murphy
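The two server-side checks raised so far (can the Unix identity behind a share create files in its path, and what SELinux label does that path carry), as an added example that is not from any poster in this thread. The function names are made up for illustration, and only mode bits are evaluated: POSIX ACLs and smb.conf settings such as 'read only' are outside its scope.

```python
import os
import stat

def perm_class(st, uid, gids):
    """Pick the owner/group/other permission triplet that applies to uid."""
    if uid == st.st_uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7

def can_create_in(share_dir, uid, gids, top="/"):
    """Return (ok, reason): may uid (with group ids gids) create a file here?

    Needs search (x) on every directory from top down to share_dir and
    write+search (wx) on share_dir itself. Assumption: mode bits only.
    """
    if uid == 0:
        return True, "root bypasses mode bits"
    share_dir = os.path.realpath(share_dir)
    top = os.path.realpath(top)
    # Build the chain share_dir ... top (stops at / if top is not an ancestor).
    chain = [share_dir]
    while chain[-1] != top and chain[-1] != os.path.dirname(chain[-1]):
        chain.append(os.path.dirname(chain[-1]))
    for d in reversed(chain):
        st = os.stat(d)
        bits = perm_class(st, uid, gids)
        need = 3 if d == share_dir else 1  # wx on the target, x on parents
        if bits & need != need:
            return False, "%s is %s" % (d, stat.filemode(st.st_mode))
    return True, "ok"

def selinux_label(path):
    """Return the SELinux context of path, or None if it has no label."""
    try:
        raw = os.getxattr(path, "security.selinux")
    except (OSError, AttributeError):  # unlabeled file or non-Linux platform
        return None
    return raw.rstrip(b"\0").decode()
```

Pass the uid and group ids of the account the share runs as (the 'force user', or the mapped Samba user) together with the share's path; the reason string names the first directory whose mode blocks the write.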
On Thursday 04 May 2017 14:59:17 m.roth at 5-cent.us wrote:
> Dumb question #1: on the server, can you touch /samba/path/this? That is,
> can *you* create a file in one of those directories? If not... why is your
> filesystem read-only?
>
> mark.

No such thing as a dumb question.

As the unix user gary I can successfully cd to the target directory and I can add/amend/delete files. The user gary and the smbuser gary are the same.
On Thursday 04 May 2017 17:54:57 Chris Murphy wrote:
> Pretty sure smb gets "control" of a directory via the group. For my
> setup, each directory defined by a path in smb.conf has group
> smbusers, and has rwx permissions. This is applied just to that
> directory, it is not applied recursively. The files and folders in
> that directory have the actual remote user's ownership and
> permissions.
>
> What is applied recursively is the selinux label. I find it's better
> to have a dedicated filesystem volume so you can use the mount option
> context="system_u:object_r:samba_share_t:s0" and that will apply that
> context to the whole file system. If a file system volume is being
> shared, then you'll need to use chcon -R
> "system_u:object_r:samba_share_t:s0" <path> to apply that context to
> everything. New files and directories will inherit this context (so
> long as it's a copy and not a move; so if you move things behind the
> scenes outside of samba, you can run into label problems since
> inheritance doesn't apply to moving).
>
>
> Chris Murphy

I have run the following commands for each share, to ensure that group permissions are:

find . -type d -exec chmod 770 {} \;
find . -type f -exec chmod 660 {} \;

I can now create and delete files and folders using Windows Explorer. I can also create a new blank spreadsheet in Excel and save it to the share. However, when I then open that file in Excel again it comes up as Read Only. Again, I can delete the spreadsheet using Windows Explorer.

What I don't understand, apart from why the system is behaving like this, is what has changed that stopped it from working in the first place.