Feel free to ignore this BUT, I'm confused where Windows 10 is fitting
into this. I see an smb.conf that looks like it's setup for a server
with a bunch of shares. And I also see the use of smbclient for
testing. So I think it needs to be more clear what is the server, and
what is the client.
Also, if you're using Samba server, it matters if you're using
avahi-daemon for local dns resolution, or NetBIOS, or Active
Directory. SMB is pretty dense, it all has to be configured correctly.
And then there's which services are running on Samba server, for the
NetBIOS stuff you need 'systemctl start nmb smb' but quite honestly
I've found connecting from a Windows 10 client to Samba to always be
flakey. The most reliable has been manually inputing \\f27s into the
search field in a Windows Explorer window and I always connect
successfully. Browing, rarely does F27S appear.
From Fedora 27 Workstation (GNOME), I have a similar problem browsing
with the Windows Network icon because gvfs smb is not capable of
initiating with SMB3 unless Kerberos is setup, and I haven't gone down
that rabbit hole.
So what I'm doing on Fedora Server (running samba server) in
server min protocol = SMB2
Because I really don't want SMB1 enabled anymore. But as a
consequence, my understanding is that disables browsing support unless
you have one of he more sophisticated browsing methods enabled (which
is quickly where I get into the weeds, but NetBIOS and nmb is one
method, and the preferred new method is with SMB3 and AD and Kerberos
for authentication). But because I've basically hobbled all the legacy
and new method ways of browsing, I have to manually input the server.
BUT I can do it with an mdns hostname rather than setting up a static
So for me, in GNOME, I use connect to server, and enter
smb://f27s.local/scratch/, and then click Connect and I get an
authentication dialog, the share mounts and everything is fine, and
it's actually an SMB3.11 connection. So it's encrypted and it's fast.
And this also works with newer MacOS's as well.
One thing I had to do for some reason I don't understand is 'dnf
install nss' in order to get Avahi to actually discover and translate
f27s.local into an IP. I don't know why nss is needed to make Avahi
really work rather than just sort of work. And why it's not installed
by default. I haven't tested that out yet. Next I modified
/etc/nsswitch.conf such that the hosts line reads like this:
hosts: files mdns_minimal [NOTFOUND=return] dns myhostname
The default is to use mdns4_minimal, which causes it to resolve the
mdns host name into an IPv4 rather than IPv6. So now when I do smb,
ssh, or scp connections by f27s.local, this gets resolved into an
IPv6. That is almost certainly superfluous information you probably
want to just get it working with IPv4 for now.
Negative. Here is the output:
smbclient //temlakos/gamester -U Temlakos
tree connect failed: NT_STATUS_ACCESS_DENIED
This sounds to me like it wants to do a Kerberos authenticated
connection... I have this same error message when I try to print to a
printer that does not have guest ok = yes.
From Windows You can connect to Fedora type "\\temlakos"
Is this OK?
Now that works. I can't understand why the file manager won't list it
normally as a browseable system. But when I specify it, I can get it.
Right that's this ancient SMB1 stuff that's slowly being deprecated
both on the Windows and Samba side. And then the lack of configuration
for NetBIOS as the old new way which is now the new legacy. And also
not having Kerberosized AD authentication setup.
And my terminology here is probably shit. I have the baseball in the
ball field, but it may be a foul ball.
if enabled, is configured like
I wouldn't know how to test that.
I don't see anything in my /etc/samba/smb.conf related to selinux.
What does matter is the root mount point must have the proper selinux
For example I have these connections from client to server:
And those translate into directories /srv/most, /srv/scratch, /srv/tm,
and those have these permissions:
[chris@f27s ~]$ ls -lZ /srv
drwxr-x---. 1 chris smbusers system_u:object_r:samba_share_t:s0 218
Nov 6 20:22 most
drwxr-x---. 1 chris smbusers system_u:object_r:samba_share_t:s0 534
Dec 16 15:43 scratch
drwxr-x---. 3 chris smbusers system_u:object_r:samba_share_t:s0 74
Aug 21 22:42 tm
But the proper label is not news, it's been this way for a long time,
it's not a new thing in Fedora 27. Now that I think about it, these
permissions seem a little specious. I'd kinda expect the owner to be
root to prevent any normal user from having rwx access. And then
smbusers should be rwx to grant smbd alone the permission to rmx. And
then it's up to smbd to manage authentication and user permissions
inside this directory.
HUH. Anyway. It works and I'm not changing this today.