Samba trouble with File Permissions


I have a RedHat machine with Samba and would like my Windows 7 machine to access the share. The W7 machine can see the RHEL6 machine but cannot get past authentication to connect to the share.

1) /etc/samba/smb.conf configuration (this is all I did):

[global]
            workgroup = MYNETWORK

[SambaShare]
            path = /mnt/SambaShare
            writeable = yes
            browseable = yes
            read only = no
            guest ok = yes
            public = yes
            force user = somebody

2) User "somebody" was created at both the RedHat and Samba level

3) /mnt permissions:

drwxrwxrwx

4) /mnt/SambaShare permissions:

drwxrwxrwx

My W7 machine can see the RHEL6 machine. Using my Samba user password I am able to open the RHEL6 machine but not the specific SambaShare folder so I could map the network drive. Clicking on the SambaShare folder does not even give me the option to authenticate. What am I missing? Any assistance would be appreciated.

Thanks,

Dave

Responses

What are your SELinux settings? Run

# getenforce

You most likely have SELinux enabled. There are a number of ways to resolve this, depending on which approach you want to take (correct vs easy ;-) You can either update your system to be compliant with the context of SELinux or you can disable SELinux.

At a minimum I would change your approach slightly:

  • create a user on the RHEL 6 host that matches your Windows username (smbpasswd -a <username>)
  • update your smb.conf to allow that user to access the share (valid users = <username>) and restart smb/nmb
  • to test, you can temporarily disable SELinux by executing # setenforce 0

This is not necessarily an extremely difficult problem, but there are a lot of possible issues and a number of solutions - which make the problem seem daunting.

Checking /var/log/audit/audit.log is a good place to monitor while you are attempting to connect, as well as /var/log/messages.

In addition, there are some Windows 7 settings that may need to be tweaked to allow you to connect to a Samba share. 

1) Run: gpedit.msc

2) Find:

Console Root -> Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options

When you're there change the following policies

3) Microsoft network client: Send unencrypted password to third-party SMB server: Switch it to "Enabled".

4) Network security: LAN Manager authentication level: Select the option: Send LM & NTLM - use NTLMv2 session security if negotiated.

Take a look at the audit.log for AVC messages

ausearch -m avc -ts recent

Which should show you any SELinux issues. You might have to toggle some booleans or set some SELinux context for the samba share.

man samba_selinux

Would be a good source of info about what SELinux is doing and how to configure it for samba.

# semanage fcontext -a -t samba_share_t '/mnt/SambaShare(/.*)?'

# restorecon -R -v /mnt/SambaShare

Would basically tell SELinux that samba data is stored in /mnt/SambaShare and the samba daemons would then be allowed to share it.

I was aware of the possible W7 settings to change. But I will research a bit on SELinux. I'll let you know how it goes. Thanks to both of you.

I made the two Security Options changes on my Windows 7 box. I don't have any named users/passwords on that machine - just an Administrator password. Would Administrator be my Samba username or do I need to create a fresh user on my W7 machine?

I would prefer to correctly configure SELinux instead of just disabling (it's currently enabled).

While attempting to authenticate this time, I could not get into the shared machine at all (but I can see it). Viewing the following logs produced no records:

/var/log/audit/audit.log

/var/log/messages.

ausearch -m avc -ts recent

I entered the following command to alter SELinux:

# semanage fcontext -a -t samba_share_t '/mnt/NetworkShare(/.*)?'

I get a ">" prompt with no way (to my knowledge) of getting out of it so I can enter the subsequent command:

# restorecon -R -v /mnt/NetworkShare

Is there any way out of this so I can proceed? Pls advise.

semanage fcontext -a -t samba_share_t '/mnt/NetworkShare(/.*)?'

As root, not

# semanage fcontext -a -t samba_share_t '/mnt/NetworkShare(/.*)?'

I.e. no '#' sign.

Which works fine for me.

I thought I did not include # the first time. I entered the command again and now I just get a "-bash: semanage: command not found."

semanage is part of the "policycoreutils-python" rpm. You may need to install it.

'yum install policycoreutils-python'

helpful tip:

"whatprovides" is your best friend ;-)  You can use a wildcard if you don't know the path of where the file resides.  Otherwise, you can search for the absolute path (i.e. you could search for /usr/sbin/semanage)

[jradtke@system.company.com ~]$ yum whatprovides */semanage

This system is not registered with RHN.
RHN support will be disabled.
Setting up repositories

Reading repository metadata in from local files

policycoreutils.x86_64                   1.33.12-12.el5         installed       
Matched from:
/usr/sbin/semanage

Thanks, I'll try that.

I performed the following tasks:

RHEL6 Box:

1) 'yum install policycoreutils-python'

2) semanage fcontext -a -t samba_share_t '/mnt/SambaShare(/.*)?'

3) restorecon -R -v /mnt/SambaShare

4) setsebool -P samba_export_all_rw 1

W7 Box:

5) Microsoft network client: Send unencrypted password to third-party SMB server: Switch it to "Enabled".

6) Network security: LAN Manager authentication level: Select the option: Send LM & NTLM - use NTLMv2 session security if negotiated.

Samba is enacted but I cannot authenticate into the RHEL6 machine. My Samba username and password match my RHEL6 username. For the sake of security, say username is "georgew"; password is "cherrytree." My W7 machine only has an Admin password of "Ronald" and there are no other Windows users.

Nothing shows up in these logs:

/var/log/audit/audit.log

ausearch -m avc -ts recent

This log does:

/var/log/messages. Should anything be calling out to me in terms of authentication attempts?

  

Since SELinux was on, I'm thinking iptables is probably on too. 

chkconfig --list iptables

This will of course show if iptables is on and for what run levels. 

service iptables status

The above will show you the current policies iptables adheres to. 

If as with SELinux you don't want to go the easy route of just turning iptables off (service iptables stop; chkconfig iptables off), you can allow access to the samba ports on your RHEL machine. Run the below commands to insert the required new rules:

  • iptables -I INPUT -p udp --dport 137:138 -j ACCEPT
  • iptables -I INPUT -p tcp --dport 139 -j ACCEPT
  • iptables -I INPUT -p tcp --dport 445 -j ACCEPT
  • service iptables save
 
Whenever I encounter an issue where I don't get a lot of feedback in the logs, or when things aren't communicating and it doesn't make sense, it's normally iptables that is the cause. Hope this helps. 

Thanks for all your suggestions. It's working now. Perhaps someone did not create Samba user like they said they did (me). Maybe Samba cannot create users without all the prerequisites.

I finished off my project by making Samba start at boot:

/sbin/chkconfig --level 345 smb on

/sbin/chkconfig --level 345 nmb on

Works like a charm. Thanks Again, Dave.

Awesome, thanks for following up.
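
Added example, not part of the original thread: the server-side checks the replies walk through (SELinux label on the share, a Samba account for the user, iptables rules for ports 137-138/udp, 139/tcp and 445/tcp), written as shell functions that read the output of `ls -Zd`, `pdbedit -L` and `iptables -S INPUT`. The sample output is constructed and shows one failure mode: an ACCEPT rule appended after a catch-all REJECT never matches, which the reply's `iptables -I` (insert at the top of the chain) avoids.

```shell
#!/bin/sh
# Added example. Every SAMPLE_* value is constructed, not from a real host.

# True if an `ls -Zd <share>` line carries the samba_share_t type.
has_samba_context() {
    printf '%s\n' "$1" | grep -Eq ':samba_share_t(:|[[:space:]])'
}

# True if user $2 is in `pdbedit -L` output $1 (lines are user:uid:fullname).
samba_user_exists() {
    printf '%s\n' "$1" | cut -d: -f1 | grep -Fxq "$2"
}

# True if `iptables -S INPUT` output $1 accepts proto $2, port $3 before any
# catch-all REJECT/DROP. Rules using -m multiport are not parsed.
port_accepted() {
    printf '%s\n' "$1" | awk -v proto="$2" -v port="$3" '
        $1 == "-A" && $3 == "-j" && ($4 == "REJECT" || $4 == "DROP") { exit }
        / -j ACCEPT/ {
            p = ""; d = ""
            for (i = 1; i < NF; i++) {
                if ($i == "-p") p = $(i + 1)
                if ($i == "--dport") d = $(i + 1)
            }
            if (p != proto || d == "") next
            n = split(d, r, ":"); lo = r[1]; hi = (n == 2) ? r[2] : r[1]
            if (port + 0 >= lo + 0 && port + 0 <= hi + 0) found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# Print the Samba ports from the thread that the rule set does not accept.
missing_samba_ports() {
    missing=""
    for want in udp/137 udp/138 tcp/139 tcp/445; do
        port_accepted "$1" "${want%/*}" "${want#*/}" || missing="$missing $want"
    done
    echo "${missing# }"
}

SAMPLE_LS='drwxrwxrwx. root root unconfined_u:object_r:mnt_t:s0 /mnt/SambaShare'
SAMPLE_PDB='georgew:500:George W'
SAMPLE_RULES='-A INPUT -p udp -m udp --dport 137:138 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 139 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport 445 -j ACCEPT'
has_samba_context "$SAMPLE_LS" || echo "share is not labelled samba_share_t"
samba_user_exists "$SAMPLE_PDB" somebody || echo "no Samba account for somebody"
echo "not accepted by iptables: $(missing_samba_ports "$SAMPLE_RULES")"
```

On a live host, pass the functions the real output, for example `missing_samba_ports "$(iptables -S INPUT)"` as root.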
