Accessing symbolic links through Samba results in access denied error.

Solution Verified - Updated -

Environment

  • Red Hat Enterprise Linux 5
  • Red Hat Enterprise Linux 6

Issue

  • When attempting to access a symbolic link through a Samba share accessing the link will fail with an access denied error observed on the client.

Resolution

  • Set the following parameter in /etc/samba/smb.conf under the global settings.

If using libsmbclient-3.0.33-3.37.el5 or newer:

[global]
follow symlinks = yes
unix extensions = no
wide links = yes
allow insecure wide links = yes

If using an older version of libsmbclient:

[global]
follow symlinks = yes
  • Then add the below under each share that has symlinks:
follow symlinks = yes
wide links = yes
  • Next, restart the samba services to put the changes into effect:
# /etc/init.d/samba restart

Root Cause

  • Newer versions of Samba require a modification to the Samba configuration file to allow symbolic links. This change and option was introduced to patch a security vulnerability which allowed users to access the machine via symbolic links.
follow symlinks (S)

This parameter allows the Samba administrator to stop smbd(8) from following 
symbolic links in a particular share. Setting this parameter to no prevents 
any file or directory that is a symbolic link from being followed (the user 
will get an error). This option is very useful to stop users from adding a 
symbolic link to /etc/passwd in their home directory for instance. However 
it will slow filename lookups down slightly.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.

Comments