I have the usual entry in smb.conf on my FC4 server:
[homes]
    comment = Home Directories
    read only = No
    browseable = No
As an additional wrinkle, home directories on the server are physically on /users but get mounted on demand on /home on both the server and on client workstations using a typical LDAP/autofs setup.
With SELinux enabled, both smbclient and users on Windows machines fail to get access to home directories. What magic chcon invocation do I need?
On Wednesday 28 September 2005 19:13, Stephen Walton wrote:
I have the usual entry in smb.conf on my FC4 server:
[homes]
    comment = Home Directories
    read only = No
    browseable = No
As an additional wrinkle, home directories on the server are physically on /users but get mounted on demand on /home on both the server and on client workstations using a typical LDAP/autofs setup.
With SELinux enabled, both smbclient and users on Windows machines fail to get access to home directories. What magic chcon invocation do I need?
Solution 1 (temporary; won't survive a re-boot):
Issue the command:
[root]# setsebool samba_enable_home_dirs=1
Solution 2 (might survive a reboot; I didn't actually try this one):
[root]# setsebool -P samba_enable_home_dirs=1
Solution 3 (survives a reboot):
This is the solution I ultimately settled on. Go to the /etc/selinux/targeted directory. Create a text file called booleans.local, and put the "samba_enable_home_dirs=1" line in it (without the quotes, of course).
Solution 4 (survives a reboot, but removes all SELinux protection):
Edit /etc/selinux/config. Change the line SELINUX=enforcing to SELINUX=permissive or SELINUX=disabled.
I had the same problem earlier and tried the 3rd solution from the list above. It worked.
Best.
Vitaliy Ivanov wrote:
On Wednesday 28 September 2005 19:13, Stephen Walton wrote:
With SELinux enabled, both smbclient and users on Windows machines fail to get access to home directories. What magic chcon invocation do I need?
Solution 2 (might survive a reboot; I didn't actually try this one):
[root]# setsebool -P samba_enable_home_dirs=1
This does survive a reboot as it puts samba_enable_home_dirs in /etc/selinux/targeted/booleans.local. Unfortunately I tried doing both this and
setsebool -P smb_use_home_dirs=1
to no avail.
smbclient //machine/swalton
still throws a NT_STATUS_BAD_NETWORK_NAME error when I try to connect to my home directory with SELinux set to "enforcing", and the error message in the smb log file reads
'/home/swalton' does not exist or is not a directory, when connecting to [swalton]
Stephen Walton wrote:
Vitaliy Ivanov wrote:
On Wednesday 28 September 2005 19:13, Stephen Walton wrote:
With SELinux enabled, both smbclient and users on Windows machines fail to get access to home directories. What magic chcon invocation do I need?
Solution 2 (might survive a reboot; I didn't actually try this one):
[root]# setsebool -P samba_enable_home_dirs=1
This does survive a reboot as it puts samba_enable_home_dirs in /etc/selinux/targeted/booleans.local. Unfortunately I tried doing both this and
setsebool -P smb_use_home_dirs=1
to no avail.
smbclient //machine/swalton
still throws a NT_STATUS_BAD_NETWORK_NAME error when I try to connect to my home directory with SELinux set to "enforcing", and the error message in the smb log file reads
'/home/swalton' does not exist or is not a directory, when connecting to [swalton]
Are you seeing AVC messages in /var/log/messages or /var/log/audit/audit.log?
Daniel J Walsh wrote:
Stephen Walton wrote:
smbclient //machine/swalton
still throws a NT_STATUS_BAD_NETWORK_NAME error when I try to connect to my home directory with SELinux set to "enforcing", and the error message in the smb log file reads
'/home/swalton' does not exist or is not a directory, when connecting to [swalton]
Are you seeing AVC messages in /var/log/messages or /var/log/audit/audit.log?
No, but perhaps I need a log level tweaked higher somewhere. It is 100% reliably true that if I use system-config-securitylevel to set SELinux enforcing to off, smbclient works fine, and if I reset SELinux back to enforcing I see the above error messages again. So SELinux is definitely the culprit here somehow.
Hi, I am a new user of FC4. I had a similar problem on my LAN too.
Have you checked if your Linux hostname is configured properly? The Samba and SELinux combination seems to manipulate the hostname or something like that. (I am a novice user :-) )
In my case I found out that my hostname set during the installation of FC4 was somehow manipulated when I tried to use Samba and SELinux. I had to manually set my Linux hostname (I used the GUI tool) and now everything is working.
Because of this hostname thing even my httpd was not working properly.
My problem before was that when Samba is running, Windows clients can locate the machine and browsers can locate the served page, but when Samba is stopped, everything stops also.
I have no idea where the problem lies but it's OK now.
--- Stephen Walton stephen.walton@csun.edu wrote:
Daniel J Walsh wrote:
Stephen Walton wrote:
smbclient //machine/swalton
still throws a NT_STATUS_BAD_NETWORK_NAME error when I try to connect to my home directory with SELinux set to "enforcing", and the error message in the smb log file reads
'/home/swalton' does not exist or is not a directory, when connecting to [swalton]
Are you seeing AVC messages in /var/log/messages or /var/log/audit/audit.log?
No, but perhaps I need a log level tweaked higher somewhere. It is 100% reliably true that if I use system-config-securitylevel to set SELinux enforcing to off, smbclient works fine, and if I reset SELinux back to enforcing I see the above error messages again. So SELinux is definitely the culprit here somehow.
-- fedora-list mailing list fedora-list@redhat.com To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Stephen Walton wrote:
I have the usual entry in smb.conf on my FC4 server:
[homes]
    comment = Home Directories
    read only = No
    browseable = No
As an additional wrinkle, home directories on the server are physically on /users but get mounted on demand on /home on both the server and on client workstations using a typical LDAP/autofs setup.
With SELinux enabled, both smbclient and users on Windows machines fail to get access to home directories. What magic chcon invocation do I need?
I had this issue too, solved by:
From Gnome desktop panel menus:
Desktop->System Settings->Security Level
(Alternatively run system-config-securitylevel from a command line)
Select the SELinux tab, scroll down in the box at the bottom and expand the Samba section, and check "Allow samba to share users home directories"
Jonathan.
Jonathan Underwood wrote:
I had this issue too, solved by:
From Gnome desktop panel menus:
Desktop->System Settings->Security Level
Select the SELinux tab, scroll down in the box at the bottom and expand the Samba section, and check "Allow samba to share users home directories"
This does the same thing as "setsebool -P samba_enable_home_dirs 1" from the command line, which I've already done on my machine. Still doesn't work.
My case is a home LAN. In my case something had messed up the hostname given during installation (it seems so) until I used the GNOME Network GUI tool to set the host name.
--- Stephen Walton stephen.walton@csun.edu wrote:
Deepak Shrestha wrote:
Have you checked if your Linux hostname is configured properly?
Well, the 'hostname' command returns the fully qualified domain name of my host. Is that what you mean? Anyway, I'm not on a home LAN but on my campus network.
Stephen Walton wrote:
Daniel J Walsh wrote:
Stephen Walton wrote:
smbclient //machine/swalton
still throws a NT_STATUS_BAD_NETWORK_NAME error when I try to connect to my home directory with SELinux set to "enforcing", and the error message in the smb log file reads
'/home/swalton' does not exist or is not a directory, when connecting to [swalton]
Are you seeing AVC messages in /var/log/messages or /var/log/audit/audit.log?
No, but perhaps I need a log level tweaked higher somewhere. It is 100% reliably true that if I use system-config-securitylevel to set SELinux enforcing to off, smbclient works fine, and if I reset SELinux back to enforcing I see the above error messages again. So SELinux is definitely the culprit here somehow.
Install selinux-policy-targeted-sources
cd /etc/selinux/targeted/src/policy
make enableaudit; make load
Try the smbclient command
Grab the AVC messages
make clean; make load
to reset the policy.
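Once the denials are being logged, a filter like the one below shows what smbd was refused and on which target type. This is an added example, not part of the original post: the log lines are constructed samples, and avc_summary and denied_types are hypothetical helper names.

```shell
#!/bin/sh
# Summarise AVC denials read from stdin as: comm tclass target_type {perms}
avc_summary() {
    awk '/avc:/ && /denied/ {
        perms = $0
        sub(/.*[{] */, "", perms)      # drop everything up to the "{"
        sub(/ *[}].*/, "", perms)      # drop the "}" and the rest
        comm = ""; ttype = ""; tclass = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/)     { comm = $i; sub(/^comm=/, "", comm); gsub(/"/, "", comm) }
            if ($i ~ /^tcontext=/) { split($i, c, ":"); ttype = c[3] }   # user:role:type
            if ($i ~ /^tclass=/)   { tclass = $i; sub(/^tclass=/, "", tclass) }
        }
        print comm, tclass, ttype, "{" perms "}"
    }'
}

# Unique target types that the given command (e.g. smbd) was denied access to.
denied_types() {
    avc_summary | awk -v comm="$1" '$1 == comm { print $3 }' | sort -u
}

# Constructed sample log lines (not taken from the thread); file_t is an
# assumed type standing in for a directory that was never labeled.
AVC_SAMPLE='type=AVC msg=audit(1127960000.101:12): avc:  denied  { search } for  pid=2301 comm="smbd" name="home" dev=dm-0 ino=2 scontext=root:system_r:smbd_t tcontext=system_u:object_r:file_t tclass=dir
type=SYSCALL msg=audit(1127960000.101:12): arch=40000003 syscall=195 success=no exit=-13 comm="smbd"
type=AVC msg=audit(1127960000.205:13): avc:  denied  { getattr } for  pid=2301 comm="smbd" name="home" dev=dm-0 ino=2 scontext=root:system_r:smbd_t tcontext=system_u:object_r:file_t tclass=dir
type=AVC msg=audit(1127960001.310:14): avc:  denied  { read } for  pid=1877 comm="cupsd" name="x" dev=dm-0 ino=77 scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:tmp_t tclass=file'

printf '%s\n' "$AVC_SAMPLE" | avc_summary
# On a live system, feed it the real log instead:
#   avc_summary < /var/log/audit/audit.log
```

A target type that is not one of the home directory types points at labeling rather than at a missing boolean.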
Daniel J Walsh wrote:
Install selinux-policy-targeted-sources
cd /etc/selinux/targeted/src/policy
make enableaudit; make load
Try the smbclient command
Grab the AVC messages
OK, I did this and it was pretty clear from the result that the problem was the labeling of /home. In fact, the problem was the lack of labeling. Because /home was still around from an original FC1 install on this system, it did not get labeled appropriately on install of FC4, and therefore smbclient didn't work with SELinux enabled. A quick
# touch /.autorelabel
and a reboot fixed the problem. FYI, the appropriate labels seem to be system_u:object_r:home_root_t for /home, user_u:object_r:user_home_dir_t for user directories in /home, and user_u:object_r:user_home_t for users' other files and directories.
Thanks to everyone for their help and patience with this problem.
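The labels listed in the final message can be turned into a quick check that flags mislabeled paths under /home before resorting to a full relabel. This is an added example, not from the thread: the function names are hypothetical and the sample input is constructed, with file_t assumed as the type of a file that was never labeled.

```shell
#!/bin/sh
# Expected SELinux type for a path, using the labels reported in the thread:
#   /home -> home_root_t, /home/<user> -> user_home_dir_t, deeper -> user_home_t
expected_type() {
    case "$1" in
        /home)     echo home_root_t ;;
        /home/*/*) echo user_home_t ;;       # must precede /home/* ("*" matches "/")
        /home/*)   echo user_home_dir_t ;;
        *)         echo unknown ;;
    esac
}

# Extract the type (third field) from a user:role:type[:level] context.
context_type() {
    echo "$1" | cut -d: -f3
}

# Read "path context" pairs on stdin and print one line per mismatch.
check_labels() {
    while read -r path ctx; do
        [ -n "$path" ] || continue
        want=$(expected_type "$path")
        have=$(context_type "$ctx")
        [ "$want" = "$have" ] || echo "MISMATCH $path have=$have want=$want"
    done
}

# Constructed sample: a leftover /home and one file that were never relabeled.
SAMPLE='/home system_u:object_r:file_t
/home/swalton user_u:object_r:user_home_dir_t
/home/swalton/notes.txt user_u:object_r:file_t'

printf '%s\n' "$SAMPLE" | check_labels

# On a live system (paths without spaces), GNU stat can supply the pairs:
#   stat -c '%n %C' /home /home/* | check_labels
```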