Page 1 of 1

Newbie question: Samba and access rights?

Posted: 2020/05/03 06:22:13
by Lavett

I have what is probably a really newbie problem with sharing folders with Samba.
I am trying to share a raid on my Centos machine with the Windows clients in the house.
I (hopefully correctly?) mounted the disk like this:

Code: Select all

mount /dev/sdb /srv/samba/shared
I have gotten to the point where I can see the Centos machine in windows, it displays a folder named Anonymous, but I do not have the rights to access it.

I have followed the guide at: ... -centos-8/

My /etc/samba/smb.conf:

Code: Select all

workgroup = WORKGROUP
server string = Samba Server %v
netbios name = centos-8
security = user
map to guest = bad user
dns proxy = no

path = /srv/samba/shared
browsable =yes
writable = yes
guest ok = yes
read only = no

I have done this thing, as instructed in the guide:

Code: Select all

$ sudo chmod -R 0755 /srv/samba/shared
$ sudo chown -R nobody:nobody /srv/samba/shared
$ sudo chcon -t samba_share_t /srv/samba/shared
Any help would be greatly appreciated!


Re: Newbie question: Samba and access rights?

Posted: 2020/05/03 12:55:38
by TrevorH
Read /etc/samba/smb.conf.example too for the steps needed to allow access for selinux as well. Using semanage/restorecon is better than using chcon as it persists over a filesystem relabel.

Re: Newbie question: Samba and access rights?

Posted: 2020/05/26 23:40:42
by juhaX
Got a similar situation with Lavett where cannot access my Samba share and get error to log:

Code: Select all

  make_connection_snum: canonicalize_connect_path failed for service...
Been investigating the issue and a share on regular disk identical share works OK but not on the Raid array. that I want to use.

The Raid array is originally from a NAS that is mounted to this server as:

Code: Select all

]# cat /etc/fstab | grep nw
UUID=358da40d-2d76-4c37-8154-8abe2154e445 /nwmax xfs defaults
The array is working fine and directory was specifically created to debug this i.e. it is not old data.

So two identical shares on different disks - other works and other doesn't. Can use touch to create files to both of the shared directories i.e also Raid is editable and permissions & ACLs work ok. Could you please help to point out what have I missed to check.

Re: Newbie question: Samba and access rights?

Posted: 2020/05/27 00:41:03
by TrevorH
It's the same answer that the OP was given. Please re-read the thread from the top.

Re: Newbie question: Samba and access rights?

Posted: 2020/05/28 23:05:12
by juhaX
Hi TrevorH,

maybe as I writing my reply at 3AM my message wasn't clear enough, so trying to clarify. My first touch with Unix is from mid 80's and what I have learned over the years is that having someone to review the problem is really helpful to find out the root cause. Although I have a few miles under my belt this is my first touch with Samba. Yes, I did read the example as well as quite a few other things before posting my query as didn't find anything useful. So to comment smb.conf.example SWLinux notes topics:
  • setsebool -P samba_domain_controller on - done
  • setsebool -P samba_enable_home_dirs on - not done as not sharing home " Turn the samba_enable_home_dirs Boolean on if you want to share home"
  • samba_share_t - done, see below
  • Use the samba_export_all_ro or samba_export_all_rw Boolean to share system directories - not done as not sharing system directories
  • To run scripts - not done as no scripts to run
So, I'm sure that the issue is quite obvious, but I have become blind for it. Therefore did my first post ever in the hope of finding a pair of fresh eyes to point me on things to try out next.

So to investigate this I did create two identical shares - one for the Raid array where I want to make the share and one to the disk containing / directory. They can be seen in the testparm output:

Code: Select all

Load smb config files from /etc/samba/smb.conf
Loaded services file OK.

Press enter to see a dump of your service definitions

# Global parameters
        load printers = No
        map to guest = Bad User
        security = USER
        idmap config * : backend = tdb

        path = /koe/x
        read only = No
        valid users = @smbmax

        path = /nwmax/test
        read only = No
        valid users = @smbmax
From these two the share test works and the target directory is defined as:

Code: Select all

[mestari@mato koe]$ pwd
[mestari@mato koe]$ ls -ldZ x
drwxr-xr-x. 2 root smbmax unconfined_u:object_r:samba_share_t:s0 6 May 27 01:48 x
[mestari@mato koe]$ ls -al
total 0
drwxr-xr-x.  3 root root    15 May 27 01:48 .
dr-xr-xr-x. 19 root root   263 May 27 01:48 ..
drwxrwxr-x.  2 root smbmax   6 May 27 01:48 x
Included also the ls -al to show how the access rights are set all the way from the root.

As you can see the group for the target directory is set as smbmax as per the valid users parameter above. Like said I can map this to Windows PC and use it without problems.

Then I created new directory test to my Raid array that is mounted as /nwmax:

Code: Select all

[mestari@mato nwmax]$ pwd
[mestari@mato nwmax]$ ls -ldZ test
drwxrwxr-x. 2 root smbmax unconfined_u:object_r:samba_share_t:s0 16 May 27 02:29 test
[mestari@mato nwmax]$ ls -al
total 0
drwxrwxr-x. 10 root root   111 May 27 01:57 .
dr-xr-xr-x. 19 root root   263 May 27 01:48 ..
... some directories removed here ...
drwxrwxr-x.  2 root smbmax  16 May 27 02:29 test
This is share test2.

I added the user mestari to the smbmax group to try out check with touch from command line if something is preventing users to write on this disk but that didn't seem to be a problem.

Did check logs. No conflicts in audit log. The samba log message indicating an issue is in my previous post.

So I don't get it why of the two identical shares on the same server one works and other doesn't. Could you please provide ideas on what to check next?

Re: Newbie question: Samba and access rights?

Posted: 2020/06/04 22:00:01
by juhaX

so as no ideas to look at will ask a more direct question. The target /nwmax/test for the problematic share is in /nwmax and for that there is system_u:object_r:unlabeled_t:s0:

Code: Select all

[root@mato nwmax]# ls -alZ /nwmax
total 0
drwxrwxr-x. 10 root root   system_u:object_r:unlabeled_t:s0       111 May 27 01:57 .
Would that cause the problem for Samba?

Br, JuhaX

Re: Newbie question: Samba and access rights?

Posted: 2020/06/05 00:08:01
by juhaX
After some checking can confirm that my problem was the unlabeled_t in the /nwmax directory. Like I mentioned earlier a simple problem that one gets blind to. So a simple chcon -t samba_share_t /nwmax solved the problem.

@Lavett, please check my posts on information that you could check. My guess is that you're having the same issue as I did i.e. the rights need to be set correctly - not only standard read,write,execute bits. If you're unfamiliar with SELinux you can find many information pages like
and use ls -lZ to find out the relevant information. Will also check if you post additional comments on this thread.

Re: Newbie question: Samba and access rights?

Posted: 2020/06/05 11:49:36
by Thraex
Just a heads up, chcon label changes do not survive a system relabel, to make the change permanent you'll want to use semanage. Command would be: semanage fcontext -at samba_share_t "/nwmax(/.*)?" This gives the directory and anything inside it the samba SELinux type