Setting up a Samba Server with SELinux on RHEL 7

We are going to set up a Samba server and configure a network share suitable for group collaboration. 

The Lab

We have two RHEL 7.0 servers available in our lab:

srv1.rhce.local (10.8.8.71) – will be configured as a Samba server
srv2.rhce.local (10.8.8.72) – will be configured as a Samba client

Both servers have SELinux set to enforcing mode.

Samba Server

All commands in this section are run on the server srv1.

The samba package version used in the article is 4.1.1.

Packages, Services and Firewall

The samba-client package contains the smbpasswd command.

# yum install -y samba samba-client
# systemctl enable smb nmb
# firewall-cmd --permanent --add-service=samba
# firewall-cmd --reload

Prepare Shared Directories

We are going to create two different shares as explained below:

/srv/samba_pub – a public Samba share with r/w for all,
/srv/samba_group – a Samba share for group collaboration.

Create directories:

# mkdir /srv/{samba_pub,samba_group}

Change permissions for the public Samba share:

# chmod 0777 /srv/samba_pub

Configure collaboration for the group share:

# groupadd devops
# chgrp devops /srv/samba_group
# chmod 2775 /srv/samba_group

We want to give read-only access to all users who are not members of the devops group.

When a user authenticates to the Samba server, a Samba user account is used, but the Samba user account is mapped to a Linux user account, and that user account needs access permissions.

Note that users with no write permissions on the Linux file system will not have write permissions on a share. If a share is set to writable, all users with write permissions on the Linux file system have write access to the share.

Create a couple of Samba users, dev1 and dev2, where dev1 is a member of the devops Linux group:

# useradd -s /sbin/nologin -G devops dev1
# useradd -s /sbin/nologin dev2
# smbpasswd -a dev1
# smbpasswd -a dev2

Check the Samba user database:

# pdbedit -L

Apply SELinux Context

Let us check the default SELinux context:

# ls -dZ /srv/samba_*
drwxrwsr-x. root devops unconfined_u:object_r:var_t:s0  /srv/samba_group
drwxrwxrwx. root root   unconfined_u:object_r:var_t:s0  /srv/samba_pub

Apply the samba_share_t context type to the group share:

# semanage fcontext -a -t samba_share_t "/srv/samba_group(/.*)?"

Note that if the shared directory will only be accessed through Samba, then it should be labeled samba_share_t, which gives Samba read and write access.

Samba can also serve files labeled with the SELinux types public_content_t (readonly) and public_content_rw_t (read-write). For the public share, we are going to use the public_content_rw_t type.

Files labeled with the public_content_t type can be read by FTP, Apache, Samba and rsync. Files labeled with the public_content_rw_t type additionally require SELinux booleans to be set before those services can write to them.

The boolean that is required in Samba's case is smbd_anon_write.

# setsebool -P smbd_anon_write=1
# semanage fcontext -a -t public_content_rw_t "/srv/samba_pub(/.*)?"

Don’t forget to restore SELinux context:

# restorecon -Rv /srv/samba_*

Other SELinux Booleans Worth Mentioning

If we wanted to share any standard directory read-only, we would set the boolean samba_export_all_ro:

# setsebool -P samba_export_all_ro=1

The boolean above would allow Samba to read every file on the system. It is off by default.

Similarly, if we wanted to share all files and directories read/write via Samba, we would set the samba_export_all_rw:

# setsebool -P samba_export_all_rw=1

This boolean would allow Samba to read and write every file on the system. It is a bad idea in general, as a compromised Samba server would become extremely dangerous. It is off by default.

If we wanted to allow Samba to create new home directories, we would need to turn on the samba_create_home_dirs boolean:

# setsebool -P samba_create_home_dirs=1

By default, SELinux policy does not allow Samba to share home directories (the [homes] section defines a special file share which is enabled by default in Samba). If we were to set up a VM as a Samba server and wanted to share users' home directories, we would need to set the samba_enable_home_dirs boolean:

# setsebool -P samba_enable_home_dirs=1

The above needs to be enabled for [homes] to work.

Note that the Samba SELinux policy will not allow any confined applications to access remote Samba shares mounted on the server. If we want to use a remote Samba server for the home directories on the server, we must set the use_samba_home_dirs boolean:

# setsebool -P use_samba_home_dirs=1

The above allows remote Samba file shares to be mounted and used as local Linux home directories.

Another important boolean is samba_share_nfs. By default, SELinux prevents Samba daemons from reading and writing NFS shares. If we were using Samba to share NFS file systems, we would need to turn the samba_share_nfs boolean on:

# setsebool -P samba_share_nfs=1

Failure to do so will cause a permission denied mount error, but nothing will be logged to the audit log /var/log/audit/audit.log, which makes it hard to troubleshoot.

Configure Samba

Open the file /etc/samba/smb.conf for editing and add the following:

[global]
;	Most Windows systems default to WORKGROUP
	workgroup = MYGROUP
	server string = Samba Server Version %v
;	netbios name = MYSERVER

	interfaces = lo 10.8.8.0/24
	hosts allow = 127. 10.8.8.
	hostname lookups = yes

	log file = /var/log/samba/log.%m
	max log size = 50

	security = user
	passdb backend = tdbsam
	map to guest = bad user
	guest account = nobody
	load printers = no

[public]
	comment = Public Share
	path = /srv/samba_pub
;	public = yes
	writable = yes
	browseable = yes
	printable = no
	guest ok = yes

[group]
	comment = Group Share
	path = /srv/samba_group
	writable = no
	browseable = yes
	printable = no
	guest ok = no
	write list = @devops
	read list = dev2
	valid users = @devops, dev2

Note the hosts allow parameter: if it is specified in the [global] section, it applies to all shares regardless of whether each share has a different setting. Hosts can be specified by host name or by source IP address. Host names are checked by reverse-resolving the IP address of the incoming connection attempt. The default name resolve order is to use the LMHOSTS file, followed by standard Unix name resolution methods (some combination of /etc/hosts, DNS and NIS), then to query a WINS server and finally to use broadcasting to determine the address of a NetBIOS name. Be advised that hostname lookups must be enabled for reverse-resolving to work.

If a share is set as read-only (read only = yes, or inverted synonym writable = no), which is the default, users that are listed in the write list still have read-write access to the share. So for the group share, all users who are members of the devops group have read-write access. However, user dev2 can mount the share, but has read-only access.

On the other hand, if a share is writeable (read only = no), users in the read list will not be given write access, no matter what the read only option is set to.

Note that a printable service (printable = yes) will always allow writing to the directory (user privileges permitting), but only via spooling operations. The default is printable = no.

The valid users parameter specifies a list of users who are allowed to access the share. Users not on the list are not allowed to access the share. Note that leaving the list blank, which is the default, allows all users to access the share.

Please note that guest ok is a synonym for public.

To summarise, these are the defaults, and can be omitted, unless a change is required:

hosts allow = # none (all hosts permitted access)
read only = yes
writable = no
printable = no
browseable = yes
valid users = # no valid users list (anyone can login)
guest ok = no
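The rules above can be checked mechanically. The following is an added example, not code from the article: a small Python model of the smb.conf access logic (hosts allow, guest ok, valid users, read only/writable, write list and read list) run against the article's own [public] and [group] definitions. It ignores Linux permissions and SELinux labels, which are applied afterwards, and it models only the dotted-prefix form of hosts allow used in this article, not netmask or hostname forms.

```python
import re

# The parts of the article's /etc/samba/smb.conf that decide access.
SMB_CONF = """[global]
	hosts allow = 127. 10.8.8.
	map to guest = bad user
	guest account = nobody

[public]
	path = /srv/samba_pub
	writable = yes
	guest ok = yes

[group]
	path = /srv/samba_group
	writable = no
	guest ok = no
	write list = @devops
	read list = dev2
	valid users = @devops, dev2
"""


def parse_smb_conf(text):
    """Return {section: {parameter: value}}; ';' and '#' lines are comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][" ".join(key.split()).lower()] = value.strip()
    return sections


def _yes(value):
    return value.strip().lower() in ("yes", "true", "1")


def _names(value):
    # Samba name lists may be separated by commas and/or whitespace.
    return [n for n in re.split(r"[,\s]+", value.strip()) if n]


def _in_list(user, groups, names):
    # '@name' (and '+name') entries are Unix groups, anything else a user.
    return any(n[1:] in groups if n[:1] in "@+" else n == user for n in names)


def host_allowed(global_section, client_ip):
    """'hosts allow' set in [global] applies to every share; an empty
    list admits all hosts. A trailing dot ('127.') is a prefix match."""
    allowed = _names(global_section.get("hosts allow", ""))
    return not allowed or any(
        client_ip.startswith(p) if p.endswith(".") else client_ip == p
        for p in allowed)


def effective_access(conf, share, user, groups, client_ip):
    """Return 'denied', 'read' or 'write'. user=None is a guest connection;
    groups is the user's set of Unix groups on the server ('@devops')."""
    g = conf.get("global", {})
    s = conf.get(share.lower())
    if s is None or not host_allowed(g, client_ip):
        return "denied"
    if user is None:
        # Guests are let in only where 'guest ok' (synonym 'public') is
        # yes, and then run as the 'guest account' (nobody).
        if not _yes(s.get("guest ok", s.get("public", "no"))):
            return "denied"
        user, groups = g.get("guest account", "nobody"), set()
    valid = _names(s.get("valid users", ""))
    if valid and not _in_list(user, groups, valid):
        return "denied"  # an empty 'valid users' list admits everyone
    # 'read only' defaults to yes; 'writable'/'writeable' invert it.
    read_only = True
    for key in ("read only", "writable", "writeable"):
        if key in s:
            read_only = _yes(s[key]) if key == "read only" else not _yes(s[key])
    # 'write list' grants writes regardless of 'read only', 'read list'
    # forbids them regardless of it; a user on both lists may write.
    if _in_list(user, groups, _names(s.get("write list", ""))):
        return "write"
    if _in_list(user, groups, _names(s.get("read list", ""))):
        return "read"
    return "read" if read_only else "write"


if __name__ == "__main__":
    conf = parse_smb_conf(SMB_CONF)
    for share, user, groups in (("group", "dev1", {"devops"}),
                                ("group", "dev2", set()),
                                ("group", None, set()),
                                ("public", None, set())):
        print(share, user or "guest",
              effective_access(conf, share, user, groups, "10.8.8.72"))
```

Running it reproduces the article's outcome: dev1 gets read-write on the group share, dev2 read-only, guests are denied on the group share and get read-write on the public share.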

Let us test the configuration:

# testparm -s
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[public]"
Processing section "[group]"
Loaded services file OK.
Server role: ROLE_STANDALONE
[global]
	workgroup = MYGROUP
	server string = Samba Server Version %v
	interfaces = lo, 10.8.8.0/24
	map to guest = Bad User
	log file = /var/log/samba/log.%m
	max log size = 50
	load printers = No
	idmap config * : backend = tdb
	hosts allow = 127., 10.8.8.

[public]
	comment = Public Share
	path = /srv/samba_pub
	read only = No
	guest ok = Yes

[group]
	comment = Group Share
	path = /srv/samba_group
	valid users = @devops, dev2
        read list = dev2
	write list = @devops

Start the services:

# systemctl start smb nmb

Test access locally:

# smbclient //localhost/public -U guest%

Samba Client

All commands in this section are run on the server srv2.

Install Packages

# yum install -y samba-client cifs-utils

Mount Samba Shares

Create mountpoints:

# mkdir /mnt/{samba_pub,samba_group}

Mount Samba shares:

# mount -o username=dev1 //srv1.rhce.local/group /mnt/samba_group
# mount -o username=guest,password= //srv1.rhce.local/public /mnt/samba_pub

Add the following to the file /etc/fstab to mount on boot:

//srv1.rhce.local/group   /mnt/samba_group cifs username=dev1,password=pass 0 0
//srv1.rhce.local/public  /mnt/samba_pub   cifs username=guest,password=  0 0

We can also use the credentials parameter to pass the user details that are stored in a file, for example:

//srv1.rhce.local/group   /mnt/samba_group cifs credentials=/root/creds.txt 0 0

Where the content of the /root/creds.txt file is this:

username=dev1
password=pass

The file should be readable by the root user only.

Sander van Vugt recommends that all remote file systems that need to be mounted through /etc/fstab include the _netdev and the x-systemd.automount mount options.

The _netdev mount option ensures that the mount is delayed until the network is fully available. The x-systemd.automount option ensures optimal integration with systemd and will ensure that the mount is made a lot faster.

If we now try to write to the group share, it should work as the user dev1 is a member of the devops group. However, if we remount the group share using the user’s dev2 credentials, we’ll get read-only access and won’t be able to create any files.

On the Samba server srv1, we can check current connections:

# smbstatus
Samba version 4.1.1
PID     Username      Group         Machine                        
-------------------------------------------------------------------
2790      dev1          dev1          10.8.8.72    (ipv4:10.8.8.72:59422)
2790      nobody        nobody        10.8.8.72    (ipv4:10.8.8.72:59422)

Service      pid     machine       Connected at
-------------------------------------------------------
IPC$         2790   10.8.8.72     Tue Jun  7 19:44:27 2016
group        2790   10.8.8.72     Tue Jun  7 19:44:27 2016
public       2790   10.8.8.72     Tue Jun  7 19:40:53 2016
IPC$         2790   10.8.8.72     Tue Jun  7 19:40:53 2016

SMB/CIFS resources can also be accessed with smbclient:

# smbclient -L srv1.rhce.local -N
Domain=[MYGROUP] OS=[Unix] Server=[Samba 4.1.1]

	Sharename       Type      Comment
	---------       ----      -------
	public          Disk      Public Share
	group           Disk      Group Share
	IPC$            IPC       IPC Service (Samba Server Version 4.1.1)
Domain=[MYGROUP] OS=[Unix] Server=[Samba 4.1.1]

	Server               Comment
	---------            -------

	Workgroup            Master
	---------            -------

Multiuser Samba Mount

In RHEL 7 we can use the multiuser mount option to create a multiuser Samba mount.

We mount the share with a user who has minimal permissions on the share. Regular users can then add their own SMB username and password in their current session to elevate their permissions to their own permission level.

Mount the share as a multiuser mount:

# mount -o username=dev2,multiuser,sec=ntlmssp //srv1.rhce.local/group /mnt/samba_group

Note that by default the protocol that’s used to authenticate users is NTLM v2 password hashing encapsulated in raw NTLMSSP messages (sec=ntlmssp). It’s for compatibility with Microsoft Windows.

We should get a permission denied error when trying to write to the share, as the user dev2 doesn't have write privileges:

# touch /mnt/samba_group/test
touch: cannot touch ‘/mnt/samba_group/test’: Permission denied

On the server srv2, create a local user dev1:

# useradd dev1

Change to the newly created user and check the Samba mount:

# su - dev1
$ ls -l /mnt/
ls: cannot access /mnt/samba_group: Permission denied
total 12
dr-xr-xr-x. 10 root root 4096 May  7  2014 rhel7dvd
d??????????  ? ?    ?       ?            ? samba_group
drwxr-xr-x.  2 root root 4096 Jun  7 19:55 samba_pub

We can use the cifscreds command to add authentication credentials to the current session (keyring) of a user:

$ cifscreds add srv1
Password:

Check the Samba mount again:

$ ls -l /mnt/
total 12
dr-xr-xr-x. 10 root root 4096 May  7  2014 rhel7dvd
drwxrwsr-x.  2 root dev1    0 Jun  7 19:57 samba_group
drwxr-xr-x.  2 root root 4096 Jun  7 19:55 samba_pub

We should be able to write now:

$ touch /mnt/samba_group/test
$ ls -l /mnt/samba_group/test
-rw-r--r--. 1 dev1 dev1 0 Jun  7 19:58 /mnt/samba_group/test

And if we check on the Samba server srv1 with smbstatus, we should see active connections for both users dev1 and dev2.

References

https://www.samba.org/samba/docs/using_samba/appb.html

87 thoughts on “Setting up a Samba Server with SELinux on RHEL 7”

  1. Hi Tomas

    This line gives me an error on centos 7.2

    //srv1.rhce.local/public /mnt/samba_pub cifs username=guest,password= 0 0

    I am still checking to see if there are other ways of mounting the share using guest access

  2. Let me keep checking, somehow it's giving me a mount error: permission denied, while the other share samba_group is working perfectly with credentials.

  3. @tomas, I am trying the multiuser option and don't really know what I am missing.

    On the Samba server I have this

    [multi]
    comment = Multi Share
    path = /srv/samba_multi
    writable = no
    browseable = yes
    printable = no
    guest ok = no
    write list = @devops
    read list = dev2
    valid users = @devops, dev2

    and on the client I have this
    //rhce.example.com/multi /mnt/samba_multi cifs username=dev2,multiuser,sec=ntlmssp 0 0

    and I created a dev1 local user on the client.
    The cifscreds add rhce is not giving me permissions, and when I reboot the client, the multiuser mount option asks me for the dev2 password. Is this normal?

  4. Somehow my client doesn't want to mount using any user who isn't in the devops group, will try again with a fresh install and see how it goes. Any user in the devops group is able to mount it with the multiuser option without any issues

  5. @everyone, I managed to figure this one out after reading Michael Jang. The multiuser option will work as explained on this blog post, but the only caveat for me was the multiuser mount was refusing to work if I used dev2, which isn't part of the devops group. So the only way it worked was for the dev2 user to have read and execute access to the /srv/samba_multiuser share folder via setfacl ………..

    • I don’t mean to sound rude Martin, but it’s all explained in the blog post.

      When a user authenticates to the Samba server, a Samba user account is used, but the Samba user account is mapped to a Linux user account, and that user account needs access permissions.

      Your dev2 user needs access permissions. You can do it with setfacl if you wish, or you can do it as in this article:

      # chmod 2775 /srv/samba_group
    • Hi Tomas, I gave the separate permissions with setfacl but still I'm having an issue. I don't have any problem to mount. I get permission denied even after cifscreds add. I tried with both permissions. cifscreds add system1 -u user1. user1 has full permissions. Please let me know where I missed?

  6. It's okay @tomas, it's my bad, I guess I am used to the 2770 group permission where everything is restricted to the users and the groups only, but as you explained it above, that works

    • It is good Tomas has emphasized to read clearly how access is granted based on the mapped Linux user.
      I tested this way:
      on srv1 I added two extra users – bob, lisa – in the same group devops
      then on the second machine srv2:
      # useradd bob1; su - bob
      $ cifscreds add -u lisa srv1
      $ touch /mnt/samba_group/file1

      check its ownership on srv1. It is not bob, even though you think you did su - bob, so the file should be created with bob as owner, but cifscreds mapped user lisa
      -rw-r--r--. 1 lisa1 devops 0 Mar 16 20:55 file1

      so now I understand why we should share and mount with least access and let users elevate their access based on need

      another note. It is really important not to miss all three words when you mount: credentials=whateverfile.txt,multiuser,sec=ntlmssp . I once forgot multiuser and wasted 15 minutes on troubleshooting.

  7. Hello Tomas,
    I am confused with the booleans.
    If I want to share a standard directory, say, homedirs, I should enable samba_export_all_rw and samba_enable_home_dirs.
    If I want to share a non-standard directory only via Samba, I use samba_share_t.
    If I want to share a non-standard directory via Samba and NFS, I use samba_public_content_t or samba_public_content_rw_t.
    Is everything correct?

    • What do you mean by saying “a standard directory”? You need samba_enable_home_dirs=1 if you want to share users home directories.

      If you have a directory that you want to be accessed through Samba, use samba_share_t. If you need that directory to be also accessed through FTP, Apache and rsync, use either public_content_t or public_content_rw_t.

  8. I have a problem with the guest share. When I try to mount the shared folder I get an error error(13): Permission denied. But if I use Nautilus and try to browse to the samba share it works fine,
    Any help appreciated

    smb.conf configuration

    [public]
    comment = public
    path = /public
    browseable = yes
    writeable = yes
    guest ok = yes
    -----------------------------------------
    permission of the public folder
    drwxrwxrwx. 3 root root 18 Jan 1 03:49 public
    -----------------------------------------

    mount //ldap/public /mnt -o username=guest,password=
    mount error(13): Permission denied
    Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)

  9. Hi friends,

    I have a question that came to my mind after I learned that Samba supports Unix ACLs (and Windows ones ofc). I feel more comfortable using them, but if the Samba server is evaluated by a Windows machine, I'm not sure how well it will work out.
    What do you think about using ACLs? If the folder is “writable = yes” and “inherit acls = yes” then all depends on the file/folder permissions on the Samba server.

  10. Sadly I found an issue which turns ACLs useless unless AD/LDAP is used. In order for ACLs to work, both the user on the Samba server and on the client machine should have the same UID/GID (for groups), as in ACL mode we rely on file system permissions only.
    I guess for the exam both methods will do the trick. Either Samba controls permissions or the file system of the share.

  11. There’s a few things missing from the examples that will cause permission denied errors. The [global] section needs the following line to allow host restrictions to work.

    hostname lookups = yes

    • This directive isn’t required unless you use hostname lookups with hosts deny and hosts allow. These weren’t used in the examples, therefore I’m not sure on what permission denied errors you refer to. Unless you put a DNS name and not an IP address as per example, you shouldn’t have any issues.

  12. Hi Tomas,

    I have some improvement suggestions for your group share samba example.
    The “public” option is a synonym for “guest ok”, so listing both options with the same value (used in your public share example) is useless and listing both options with different values (like in your group share example) is (at least) confusing. I suggest removing the “public = yes” statement in your example, as it contradicts to “guest ok = no”.
    Another possible improvement area (depending on, if files placed in your group share should be writable by the group per default) in your example might be to consider setting an explicit mask for the group share files with the following options:
    create mask = 0660
    force create mode = 0660
    The “create mask” and “force create mode” options ensure that, when a user in group1 creates a new file, the permissions will be set to 0660. By default, files were created with 0744, which prevents other members of the group from writing to the files, unless the user creating the file manually assigns write permissions for the group. After setting those options, this would be done automatically.

    • Hi Mirec, thanks for your feedback, these are really good points! I’ll update the article making a note that public is also called guest ok.

      Setting masks is optional in my opinion and depends on your set up.

  13. Hi,

    I have a problem with cifscreds, it does not seem to work. I mounted a share with the multiuser option with a user that has rw, so I am trying to test a second user with ro permissions, but I can't get the credentials for that user. Am I missing something? I thought that you can switch between different users and inherit the permissions.

    Cheers,
    olive

    • I have encountered the same issue using RHEL 7.0. Maybe the issue was resolved in a subsequent release? It appears that the elevated permissions persist from one user to the next and not removed when the user session is terminated.

    • Did you guys find the solution for this issue? I have exactly the same problem.

  14. Hi Tomas.
    I'm having some trouble when I want to share a directory that is not located on the “/” filesystem.
    For example I have a sambashare on /sambashare and another on /data/sambadev
    I've configured SELinux for both locations, e.g.
    semanage fcontext -a -t samba_share_t "/srv/samba_dev(/.*)?"
    restorecon -R /srv/samba_dev

    Here is my smb.conf
    [sambashare]
    comment = /sambashare
    path = /sambashare
    browseable = yes
    writeable = no
    public = no
    write list = @sambagroup
    valid users = @sambagroup
    force group = +sambagroup
    [Sambadev]
    comment = /data/sambadev
    path = /data/sambadev
    browseable = yes
    writeable = no
    printable = no
    write list = @devops
    valid users = @devops
    public = no
    The share named “sambashare” works perfectly fine, but when I try to mount the “Sambadev” share I get the following error: “mount error(6): No such device or address”

    I've disabled SELinux and the firewall and I still get this error. Could you give me some input on what I am doing wrong?

    • Well, I feel stupid…. I was trying to mount the full path instead of the section name..

    • Ah, I see the confusion, for the first share you used the same name for the share as well as the path, but it was different in the second case where you tried using the path to mount it. I’m glad you got that sorted.

  15. I’ve encountered a problem following these configurations when it comes to the public share.

    On the Samba Server, 777 permissions have been set to /publicshare yet guests are not able to write to it on the Samba client.

    Guests are only able to read, not write.

    Anyone know what the solution may be? I’ve followed this article to the T and still keep getting this same issue.

  16. Tomas, thanks for the great resources. Question 12 doesn't ask to mount. Is the mount needed on srv2.rhce.local or not? How about the entry in fstab?

  17. Thanks for this amazing post Tomas. I have been following your RHCE blogs. Would like to ask a Samba-specific question here. What does it mean when it's asked to create a Samba share with access to domain users only / accessible to subdomY.domainX.com ONLY?
    Thanks.

  18. Found it on this page itself.
    I guess by defining “hosts allow”, access to a particular domain can be achieved if we know the subnets.
    hosts allow = 127. 10.8.8.

  19. Tomas, please help me on this, where did I miss?
    Samba server:
    [multi]
    path = /paas
    writable = yes
    browseable = yes
    valid users = brian bina
    write list = brian
    fstab entry in client:
    //192.168.10.2/paas /mnt/multi cifs credentials=/root/bina,multiuse,sec=ntlmssp 0 0
    I'm able to mount /paas under /mnt/multi but having permission issues with cifscreds. brian has rwx and bina has rx permission on /paas (with setfacl). I have created a bob local user on the client. When I tried to add cifscreds for bob I did: su - bob
    bob@ ,,,cifscreds add 192.168.10.2 -u brian, entered brian's password and #cd /mnt/multi then #touch ll. It says permission denied even though brian is getting rwx permission. Also this user is in the write list in the smb.conf file. The same thing is with the bina user, which I think is right, but why am I getting a permission issue with brian?

    note: /paas is getting public_content_rw_t selinux type . Thanks

  20. Hi Tomas, can you please suggest to me how to fix the following error. The IPv4 network is 172.25.1.0. The server IP is 172.25.1.1 and the client IP is 172.25.1.2, and I added hosts allow = 127. 172.25.1.
    All other configuration is correct in the smb.conf file. When I do:
    smbclient -L //localhost
    enter
    enter
    protocol negotiation failed: NT_STATUS_INVALID_NETWORK_RESPONSE : on Server
    mount -o username=user1 //172.25.1.1/data /mnt/multi
    protocol negotiation failed: NT_STATUS_INVALID_NETWORK_RESPONSE on Client

    • The error suggests that the client is being denied access by the hosts allow parameter in /etc/samba/smb.conf. Please verify.

  21. For my scenario I tried both of the following in
    hosts allow = 127. 172.25.1. but it did not work. Can you please suggest to me the correct order? I don't know where I missed. I also tried 127. example.com. Any specific rule needed for this case?

  22. Nice explanation on Samba here.
    In regards to cifscreds, is there a way to do this in a permanent way, so that when you issue a
    cifscreds add srv1
    it will survive a reboot?

  23. I’m currently studying for the RHCE exam. A big thank you for your work.

    Some additional notes:
    I ran into trouble with the samba public share. Accessing the public share as root works without problems. But when you try to access the share as a non-root user, you can create a file (0777), but you can’t write into the file. Therefore you have to use the “noperm” mount option to avoid this:

    //samba-server/public /mnt/public cifs defaults,noperm,username=guest,password=,_netdev 0 0

    And another thing:
    According to the Manpage x-systemd.automount is the Systemd replacement for autofs. There’s no need to use this for every net drive.

  24. Hi Tomas,

    I created two shares /srv/samba-pub and /srv/samba-grp

    on /public i set the Selinux context and Permissions like this

    drwxrwsr-x. root devops unconfined_u:object_r:samba_share_t:s0 /srv/samba-grp
    drwxrwxrwx. nobody nobody unconfined_u:object_r:public_content_rw_t:s0 /srv/samba-pub

    And in smb.conf i included this options for both shares

    [public]
    comment = Public Stuff
    path = /public
    browsable =yes
    writable = yes
    guest ok = yes
    read only = no
    force user = nobody

    [group]
    comment = Samba Group Share
    path = /srv/samba-grp
    public = no
    valid users = @devops, dev2
    read list = dev2
    write list = @devops

    From windows machine i can access the /srv/samba-grp share without any problem, but group share gives permission denied.

    In Hosts allow i set
    “hosts allow = 127. 10.8.8.”
    and also included
    guest account = nobody
    security = user

    Any idea what im doing wrong

  25. In my case, to make group collaboration work nicely in the latest Red Hat release (7.6), the mount command needs vers=1.0.

    Without specifying the version in the mount command, the default mount options are: uid=0,noforceuid,gid=0,noforcegid

  26. Perfect step-by-step explanation, thank you.
    Regarding SELinux things, there is a long comment on the samba/selinux things at the beginning of the smb.conf file. I always used this to assign the proper label for the samba shares.

  27. CentOS Linux release 7.6.1810 (Core)
    samba-4.8.3-4.el7.x86_64

    [root@srv2 ~]# mount -a
    mount error(5): Input/output error
    Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)

    [78925.296723] No dialect specified on mount. Default has changed to a more secure dialect, SMB2.1 or later (e.g. SMB3), from CIFS (SMB1). To use the less secure SMB1 dialect to access old servers which do not support SMB3 (or SMB2.1) specify vers=1.0 on mount.
    [78925.310088] CIFS VFS: validate protocol negotiate failed: -13
    [78925.311548] CIFS VFS: cifs_mount failed w/return code = -5

    I keep seeing these errors in practice and I’m unable to resolve it, my configuration seems correct..

    • false alarm.. didn’t have the salesmnt and accountmnt in the right group.

      But I have another question, am I setting this up correctly:

      [sales]
      comment = sales
      path = /srv/samba/sales
      valid users = @sales salesmnt
      write list = @sales

      [account]
      comment = account
      path = /srv/samba/account
      valid users = @account accountmnt
      write list = @account

      I have the salesmnt and accountmnt users for mounting then set the mount up on the other server as multiuser in fstab or autofs. That way every user has RO privileges but they use cifscreds to escalate that to RW if they are in the sales or account group. Only caveat is that I need to have both group and user ids matching in order for this to work.

      Is this acceptable for the exam? Should I look into “inherit acls = yes” option?

    • cifscreds is very finicky.

      permissions on samba server:
      d---rws--T. 2 root account 6 Mar 6 11:27 account
      d---rws--T. 2 root sales 6 Mar 6 11:27 sales

      same samba config as above.

      on my client server, I login as a user of sales group (same uid and gid on both servers) I run:
      [cindy@srv2 account]$ cifscreds add -u cindy -d 192.168.255.21

      but I still can’t write to the directory.

  28. I did resolve this btw. This worked:

    [cindy@srv2 account]$ cifscreds add 192.168.255.21
    as opposed to
    [cindy@srv2 account]$ cifscreds add -u cindy -d 192.168.255.21

    for some reason, specifying the user hasn't worked for me

  29. Hi Tomas

    Having an issue here. I was practicing using the sample exam you provided, currently I am on the Samba share.

    On the Samba share I created /samba/docs, and using “setfacl -m u:venice:rwX /samba/docs” I gave it permission to read and write. The getfacl result is

    getfacl: Removing leading ‘/’ from absolute path names
    # file: samba/docs/
    # owner: root
    # group: root
    user::rwx
    user:venice:rwx
    group::r-x
    mask::rwx
    other::r-x
    default:user::rwx
    default:user:venice:rwx
    default:group::r-x
    default:mask::rwx
    default:other::r-x

    and in smb.conf I wrote the following lines

    [docs]
    comment= Document Folder
    path = /samba/docs
    hosts allow = 10.8.8.51
    browseable = yes
    printable = no
    read only = yes
    write list = venice
    valid users = venice

    I can mount it on the Samba client. When I switch to the venice user on the client machine and try to write something it gives permission denied.

    But when I change the permission to 777 on /samba/docs on the Samba server, I can create and edit files.

    • If you need to change permissions to 777 in order to get it to work, then there is something wrong with either owner or group permissions. I’d look into that.

    • Now here is the twist: even if I change the permission to 750 but mount it with ntlmssp and multiuser and elevate privileges by “cifscreds add serv1”, I’m able to write files.

      But yes, 777 does work also; I don’t have to use multiuser and ntlmssp.

      I checked and rechecked permissions, because from server 1, if I setfacl and switch to the venice user, I’m able to write. But from the Samba client I’m not able to.

    • Now this time I mount the share using the uid and gid of the user created on the server. Now I’m able to write with permission 750 on the server, but I do set the ACL.

    • Confirmed. Even if you are mounting a Samba share as multiuser with the credentials of a user fully authorized to read and write by smb.conf, you won’t actually be able to write to that share unless, on the server, you as that user are at least a member of the group that owns the share. Even after the “cifscreds add” command, if on the server you are not part of the group that owns the Samba share but you are listed in smb.conf as a user that can write to the share, you won’t be allowed to write.
      Additionally, those users that are set up as Samba users on the server will have to exist at least as system users (with no login privilege) on that server. On the client, those same users will have to exist as fully login-capable users.
      You can have more restrictive privileges on the share at the server; it doesn’t have to be 777, but make that Samba user at least a member of the group that owns that share.
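The rule stated in the reply above (the smb.conf write list and the share directory's POSIX mode bits on the server must both allow the write) as an added shell example; this is not code from the article or from this thread, the users, groups and modes are constructed, and POSIX ACLs (setfacl) are deliberately not modelled:

```shell
# Added example, not code from the article or the thread: it models the point
# made above that a "write list" entry alone is not enough. Samba checks
# smb.conf, then the server kernel still applies the share directory's POSIX
# mode bits to the mapped Linux user. All names and modes are constructed;
# POSIX ACLs (setfacl) are not modelled.

# Is USER (with space-separated GROUPS) on the smb.conf write list?
# Entries beginning with @ name a group, as in "write list = @sales laura bob".
smb_write_allowed() {
    local user=$1 groups=$2 write_list=$3 entry g
    for entry in $write_list; do
        case $entry in
            @*) for g in $groups; do
                    if [ "$g" = "${entry#@}" ]; then return 0; fi
                done ;;
            *)  if [ "$entry" = "$user" ]; then return 0; fi ;;
        esac
    done
    return 1
}
# Does the directory's mode (octal, e.g. 2775) give USER the write bit?
# As in the kernel, only the first matching class (owner, group, other) counts.
fs_write_allowed() {
    local user=$1 groups=$2 owner=$3 group=$4 mode=$5 g
    local perm=$(( 0$mode & 0777 ))   # drop setgid/sticky bits
    if [ "$user" = "$owner" ]; then
        if [ $(( perm & 0200 )) -ne 0 ]; then return 0; else return 1; fi
    fi
    for g in $groups; do
        if [ "$g" = "$group" ]; then
            if [ $(( perm & 0020 )) -ne 0 ]; then return 0; else return 1; fi
        fi
    done
    if [ $(( perm & 0002 )) -ne 0 ]; then return 0; else return 1; fi
}
# Verdict: can_write USER "GROUPS" "WRITE_LIST" OWNER GROUP MODE; both must pass.
can_write() {
    local user=$1 groups=$2 write_list=$3 owner=$4 group=$5 mode=$6
    if ! smb_write_allowed "$user" "$groups" "$write_list"; then
        echo "$user: denied by smb.conf (not on write list)"; return 1
    fi
    if ! fs_write_allowed "$user" "$groups" "$owner" "$group" "$mode"; then
        echo "$user: denied by filesystem ($owner:$group mode $mode)"; return 1
    fi
    echo "$user: write allowed"
}
can_write venice "venice" "venice" root root 750 || :           # the 750 case above
can_write venice "venice devops" "venice" root devops 2775 || : # group membership fixes it
can_write dev2 "dev2" "@devops" root devops 2777 || :           # open mode, but not on write list
```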

  30. It looks like when you configure a (multiuser) Samba share with access restricted to some users, e.g. pippo, you need to use the command “cifscreds” for user pippo to actually access the share from the client when it’s mounted, otherwise he gets a “Permission denied” error; Sander Van Vugt says it’s a SELinux issue when you get that error, but it’s not. Moreover, I could not see any mention of the “cifscreds” command in Sander’s videos on Samba, while it’s explained on page 761 of Jang’s book.

  31. … and just one more Samba caveat: if in smb.conf you are configuring the section about Samba share with a name different than the name of the directory you are actually sharing, example:
    [smbshare]
    path = /sambadir
    . . .
    you will have to mount it at the client under the name of the section and not the name of the actual directory shared:
    mount -t cifs -o . . . //sambaserver/smbshare ## this works
    mount -t cifs -o . . . //sambaserver/sambadir ## this will not work

    P.S. I am sitting the RHCE exam tomorrow. I know nobody recommends studying and recapping the day before the exam and everybody warns against it, but I am already burned by pollen allergies and don’t feel like, by not studying, I’d catch some rest…

    • This is expected. You have to mount the share, not the path. You seem to get confused because your path contains a single directory only.

    • Interesting remark, could you further elaborate on listing several directories in one “path” directive? What is the pecking order behind the choice of which of those dirs gets mounted, which one will be preferred?
      As I understand, it’s only one mount point…

    • What I meant is using something like this to avoid confusion:

      [smbshare]
      path = /folder1/folder2/folder3

      You wouldn’t be trying to mount //sambaserver/folder1/folder2/folder3. You would do //sambaserver/smbshare.

      How did the exam go?

  32. This is Newbi Andrew:
    My samba shares are working on RHEL 7.6 – for 2 weeks in production.
    I have a timing issue:

    Write Message 1 to shared-folder DATA
    chmod a+rw DATA, message1
    Write Message1 to shared folder CONTROL
    chmod a+rw CONTROL, message1
    On the Windows server the CONTROL message is read and deleted
    The Windows server often reports: Cannot find the DATA message1
    When I put a delay of 4 seconds, the process mostly works

    What control is there for write-through/timing control?

  33. I have a very minimal setup in /etc/samba/smb.conf. It works as expected. Question: why will I need to add netbios, workgroup or interfaces, when the config below works just fine? Can you please explain?

    [root@server2 shared]# vi /etc/samba/smb.conf
    hosts allow = 127. 192.168.4.
    [shared]
    comment = Shared directory
    browseable = yes
    path = /shared
    valid users = sambauser1
    writable = yes

    • If it works as you expected, then you don’t need to add anything else. The article merely shows some Samba options available for configuration that you might find useful.

  34. Hi,
    When I try to mount on the client with root credentials via /etc/fstab I get an error:
    [root@system2 Desktop]# mount /dir3
    mount error(13): Permission denied
    Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)

    /etc/fstab contains:
    //system1/samba_public /dir3 cifs username=guest,password= 0 0

    • smb.conf:
      [global]
      workgroup = EXAMPLE
      hosts allow = 172.24.2.
      security = user
      passdb backend = tdbsam
      guest account = nobody
      [samba_public]
      comment = Samba_Public
      path = /smb_pub
      browseable = yes
      writable = yes
      ;public = yes
      guest ok = yes
      [samba_dir]
      comment = samba_dir
      path = /smb_dir
      valid users = martin,lora
      write list = martin

      Permissions on /smb_pub:
      [root@system1 Desktop]# ls -ldZ /smb_pub/
      drwxrwxrwx. nobody nobody unconfined_u:object_r:public_content_rw_t:s0 /smb_pub/

      On samba client /etc/fstab:
      //system1/samba_public /dir3 cifs username=guest,password= 0 0

      I supposed that, anyway, when using the root user on the client, I must be able to mount the guest share directory regardless of whether the root user on the client exists in the Samba users database on the Samba server.

    • I changed mount options in /etc/fstab to
      //system1/samba_public /dir3 cifs guest 0 0

      instead of options, offered by you:
      //system1/samba_public /dir3 cifs username=guest,password= 0 0

      The mount error with root disappeared. However, I can change the content of the /dir3 directory only using the root account. When I try to create any file in /dir3 using other user accounts, the error “permission denied” appears, but the files are created. I was confused. As far as I know, all users, including root, map to the nobody user on the Samba server. But it works correctly only with the root user on the client.

      On the client:
      [lora@system2 ~]$ echo 34343 > /dir3/666
      -bash: /dir3/666: Permission denied
      [lora@system2 ~]$ ls /dir3
      1 11 111 11111 2 222 3 4 4444 55 5555 666 s wewew
      Empty file /dir3/666 created using lora user.

  36. The cifscreds are temporary, so if the server is rebooted, will the accounts that were able to access and write before encounter permission denied? So after every reboot, the user needs to run cifscreds -a SAMBASERVER?

    If that is the case, how can Red Hat check if you did it right, if it was rebooted?
    Thanks

  37. Hi Tomas, I’m following along and practising using both Sander’s RHCE videos and your posts. I’ve configured a “sales” share as follows on my samba server (server1.example.local), with the options below:

    ```
    [sales]
    comment = Sales Share
    path = /smbshare/sales
    read only = No
    valid users = @sales laura bob
    write list = @sales laura bob
    ```

    It can be successfully mounted on my samba client machine (server2.example.local), using the credentials of user “laura” with the line in /etc/fstab:
    `//server1.example.local/sales /smb/sales cifs username=laura,password=laura 0 0`

    And confirmed with `# findmnt`:
    /smb/sales //server1.example.local/sales cifs rw,relatime,vers=default,cache=strict,username=laura,domain=SERVER1,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.4.210,file_mode=0755

    I then created a local user “laura” on server2 as well, switched to that user, navigated to the mounted Samba dir `/smb/sales/`, tried to create a test file, and got the following:
    ```
    [laura@server2 sales]$ touch test
    touch: cannot touch ‘test’: Permission denied
    ```

    The user and group owner of `/smb/sales` is `root` on server2, so I’m guessing that’s the issue here. But I thought based on the “write list” configuration option in `smb.conf` in server1, it should still grant user “laura” write access, no?

    I can create a test file from server2 as the root user, but that’s expected. This test file has ownership “root:root” as seen on server2, but “laura:sales” as seen from server1 (I did `# chmod 2775 /smbshare/sales` as your tutorial suggests).

    Lastly, I also ran `$ cifscreds add server1` as the local user “laura” on server2 (even though I didn’t set up a multiuser mount yet), and still couldn’t create a file inside of the mounted share `/smb/sales`.

    I feel like I’m either misunderstanding something fundamental here, or maybe missing something obvious. So please give me some tips.
