Deft Developer
2020-Jul-06 16:31 UTC
[Samba] Permission denied for home, even when it's 777
I cannot access home samba share from windows. Windows client displays a
permission denied error. The problem is not Linux permissions for the user
directory, permission is still denied when permissions are set to 777. I don't
think the problem is selinux, because no denials appear in any logs. I don't
think it's an extended attributes issue from xfs, because I don't see any
attributes from lsattr, and only "selinux" in attr -l. The problem is
specific to home, other shares owned by the same user work as expected.
The share-logs logs show errors like this:
Error opening file . (NT_STATUS_ACCESS_DENIED) (local_flags=0) (flags=0)
192.168.0.8.log.old: smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../../source3/smbd/smb2_create.c:296
192.168.0.8.log.old: get_ea_dos_attribute: Cannot get attribute from EA on file .: Error = Permission denied
And I see similar errors from strace:
getxattr(".", "user.DOSATTRIB", 0x7ffd35218110, 256) = -1 EACCES (Permission denied)
getxattr(".", "user.DOSATTRIB", 0x7ffd35218110, 256) = -1 EACCES (Permission denied)
open(".", O_RDONLY) = -1 EACCES (Permission denied)
openat(AT_FDCWD, ".", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = -1 EACCES (Permission denied)
I am very puzzled about which "." directory samba is failing to access.
Home shares worked for years with the configuration below, until I migrated
the samba server from one CentOS 7 server to another. I expect that home
shares have never worked on this new CentOS 7 server.
My samba is
Version : 4.10.4
Release : 11.el7_8
CentOS Linux release 7.8.2003 (Core)
Linux 3.10.0-1127.13.1.el7.x86_64 #1 SMP Tue Jun 23 15:46:38 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
Here is an excerpt of my samba.conf:
workgroup = MSAKYTOWN
realm = MSAKYTOWN.ORG
security = ADS
server string = Galactica %v
netbios name = GALACTICA
log file = /var/log/samba/%m.log
max log size = 50
log level = 4 passdb:5 auth:5
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config MSAKYTOWN:backend = ad
idmap config MSAKYTOWN:range = 10000-999999
idmap config MSAKYTOWN:unix_primary_group = no
idmap config MSAKYTOWN:unix_nss_info = yes
idmap config MSAKYTOWN:schema_mode = rfc2307
template shell = /usr/bin/bash
template homedir = /home/%U
kerberos method = secrets and keytab
local master = no
preferred master = no
unix extensions = no
allow insecure wide links = yes
username map = /etc/samba/user.map
[homes]
comment = Home Directories
read only = No
browseable = yes
writable = yes
follow symlinks = yes
wide links = yes
Strahil Nikolov
2020-Jul-07 04:14 UTC
[Samba] Permission denied for home, even when it's 777
In order to verify if it is indeed SELINUX, what happens when you use 'setenforce 0'?
Usually, you need the use_samba_home_dirs boolean to be enabled.
Best Regards,
Strahil Nikolov
Deft Developer
2020-Jul-08 16:23 UTC
[Samba] Permission denied for home, even when it's 777
I used setenforce 0, and I was extremely surprised to see a burst of selinux
denials appear in the journal.
So I corrected the problem with:
setsebool -P use_samba_home_dirs 1
And updating some policies.
Thanks very much!
I have never before dealt with selinux denials that don't appear in the
journal until "enforcing" is changed to "permissive". Is this a samba feature?
Or is there a configuration I can change somewhere else in CentOS?
Thanks!
Deft
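Added example, not part of the thread: a shell sketch that summarizes the AVC denials recorded for smbd, the kind of records that showed up in the journal after 'setenforce 0', and flags the case from the first message where strace shows EACCES but nothing was logged. The function names and the audit records in SAMPLE_AUDIT are constructed for illustration; on a real host the input would be /var/log/audit/audit.log or the output of 'ausearch -m avc'.

```shell
#!/bin/sh
# Added example: summarize SELinux AVC denials recorded for smbd.
# SAMPLE_AUDIT is constructed for illustration, not output from the thread.
SAMPLE_AUDIT='type=AVC msg=audit(1594225380.101:501): avc:  denied  { getattr } for  pid=2201 comm="smbd" path="/home/user1" dev="dm-0" ino=131 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1594225380.102:502): avc:  denied  { read } for  pid=2201 comm="smbd" name="user1" dev="dm-0" ino=131 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1594225380.103:503): avc:  denied  { read } for  pid=2201 comm="smbd" name="user1" dev="dm-0" ino=131 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1594225380.104:504): avc:  denied  { read open } for  pid=2201 comm="smbd" path="/home/user1/notes.txt" dev="dm-0" ino=140 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1594225381.001:505): avc:  denied  { read } for  pid=990 comm="sshd" name="key" dev="dm-0" ino=77 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1594225380.104:504): arch=c000003e syscall=2 success=yes exit=5 comm="smbd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0'
# One strace line as quoted in the thread.
THREAD_STRACE='open(".", O_RDONLY) = -1 EACCES (Permission denied)'

# Reads audit records on stdin; prints "count perms tclass target_type
# permissive=N" for each distinct smbd denial, most frequent first.
summarize_smbd_avc() {
  awk '
    function field(key,    i) {          # value of a key=value token
      for (i = 1; i <= NF; i++)
        if (index($i, key "=") == 1) return substr($i, length(key) + 2)
      return ""
    }
    /type=AVC/ && /denied/ && /comm="smbd"/ {
      perm = $0                          # permissions sit between { and }
      sub(/^.*[{] */, "", perm); sub(/ *[}].*$/, "", perm)
      gsub(/ /, ",", perm)
      split(field("tcontext"), ctx, ":") # user:role:type:level
      seen[perm " " field("tclass") " " ctx[3] " permissive=" field("permissive")]++
    }
    END { for (k in seen) print seen[k], k }
  ' | LC_ALL=C sort -k1,1nr -k2
}

# eacces_unexplained STRACE_TEXT AUDIT_TEXT
# Succeeds when strace shows EACCES but no smbd AVC was logged, which is
# the situation in the first message; a dontaudit rule can hide the denial.
eacces_unexplained() {
  printf '%s\n' "$1" | grep -q 'EACCES' || return 1
  [ -z "$(printf '%s\n' "$2" | summarize_smbd_avc)" ]
}

printf '%s\n' "$SAMPLE_AUDIT" | summarize_smbd_avc
if eacces_unexplained "$THREAD_STRACE" ""; then
  echo 'EACCES with no logged AVC: "semodule -DB" rebuilds policy without dontaudit rules; retest, then "semodule -B" restores them'
fi
```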