Samba security problem

[cbeeler]

---

Help! I'm running CENT 6 with Samba. I can map from windows to my share, but I can't create a directory or file in the share. I can login as the user locally and do everything, but not from an XP box. The message is "access denied". I think this is a rights issue. I just don't know where to start.

Thanks in advance.
Clinton

[vasile002]

You can start by posting your samba configs. Are you authenticating when accessing the share from the xp pc?

[cbeeler]

Samba will let me authenticate to the server as the smb user. I can then see everything in the share so I have read access, but I can't write to it or create a file or directory there. It's got to be a rights issue. I'm just not familiar enough with Samba to see where. I've changed the SMB.CONF file so many times... The current version is:

[global]
workgroup = KEITH
netbios name = UBUNTU
guest account = smbuser
os level = 65
valid users = smbuser
admin users = smbuser
read list = smbuser
write list = smbuser
[home]
path = /home
username = smbuser
force group = root
read only = no
create mask = 0775
directory mask = 0775

As I said, I've changed this so many times that my brain is numb. Any help would be greatly appreciated!
Clinton

[vasile002]

Change the [home] section to this:

Code:

[USERhome]
path = /home/USER
force group = root
read only = no
create mask = 0775
directory mask = 0775
valid users = USER

Create a separate share for each user home directory and login using the user system account

If you login to the whole /home dir using smbuser username then you won't have write permissions because the files from /home are owned by other users

[cbeeler]

OK, so I tried that and it didn't work. Since the server hasn't gone production yet I decided to 'punt'.
I rebuilt the server from scratch so that everything would be in the 'known state'. I created all the users at build time. Then I installed Samba, and then set up the users using smbpasswd. Then I setup the server as a PDC and my workstation as a member of the domain. I can login to the domain. I can see the /home directory. I can read all of it , but I cannot create anything even though my ID is a member of the 'root' group. Here is the contents of the smb.conf file. For the record, I'm going to call someone who knows more about this than I do and pay them money to fix this.

[global]
workgroup = Keith
netbios name = UBUNTU
passdb backend = tdbsam
os level = 65
preferred master = auto
domain master = yes
local master = yes
security = user
domain logons = yes
guest ok = no
admin users = @root
encrypt passwords = yes

[netlogon]
path = /var/lib/samba/netlogon
read only = yes

[home]
path = /home/
read only = no
create mask = 0775
directory mask = 0775
browsable = yes

Regards
Clinton

[scathefire]

i'd suggest adding:

Code:

writeable = yes

to the shares.

also, you need to make sure your UNIX permissions are set accordingly. Samba permissions do not override UNIX permissions. if you are logging on as user1 and user1 or the group(s) user1 belong to do not have write permission to a file/directory, it won't happen.

[cbeeler]

Hi All,

Just so you know... I had the expensive guys out on Monday and after 2 hours their expert was at the same point that I was at six weeks ago. Then he got frustrated and left with a copy of the .conf file and the CD I used to install the OS. I haven't seen him since. I don't bother people with simple questions. The server is working now and I wanted to have a copy of this online so that I can access it if I should need it later...

The OS is CENT6 and SAMBA 3.5.9 (I think, whatever is current)

1) Install OS and updates
2) Create users ( and home directories)
3) Install SAMBA
4) Create users as SAMBA users (smbpasswd -a <userID>)
5) Make directory structure as needed (in my case create a 'Shared' directory)
6) Setup SELinux
A) Setsebool -t samba_share_t /home (there is a -R (recursive) in there somewhere that flags all this.)
B) Setsebool again to flag all this 'RW' (I think the default is 'read only')
7) Write the smb.conf file. I tried everything and in the end I wrote the file form scratch using a text editor. The one that came with SAMBA is...

Requirements:

A user ID and password must be required for access.
All workstations must have access. ( OS versions include XP Home, Pro, Media Edition, as well as Vista and 7.)

No other servers exist so ADS won't work. The machine running 'Home' is the accountant's so the Domain model won't work as well. This leaves 'share' or 'user' security. Share is 'depricated' so that leaves 'user'.

Here is the smb.conf file:

[global]

workgroup = Keith
netbios name = Ubuntu
security = user

[home]

path = /home/
writable = yes
force group = Keith
browseable = yes

I created a group on the Linux box called 'Keith' that my users are part of. Each of the users mapped their drives using their own UID. Life is good!

Best Regards,
Clinton