1

I cannot seem to find an answer which includes all of the specifics of my situation. I followed the instructions in Sharing a mounted drive with samba on CentOS7, but still have a problem. I have CentOS 7 and an NTFS USB drive connected to it. I would like to share that drive using Samba with my other Windows machines (Windows 10). I have successfully mounted the drive to the /mymnt/win folder, and I can read the drive from the Linux host machine AND see the share from the Windows 10 machine. However, when I attempt to browse into the share from Windows I get a "You do not have permission to access \mediapc\LewisData7TB." I can access a pure Linux share anonymously from Windows as well.

Here's the relevant /etc/fstab file entry:

/dev/sda2 /mymnt/win ntfs-3g rw,umask=0000,defaults 0 0 -o context="system_u:object_r:samba_share_t:s0"

Here's my /etc/samba/smb.conf file (homes/printers/print$ are all commented out):

[global]
    workgroup = LEWISFAM
    server string = Samba Server %v
    netbios name = mediapc
    dns proxy = no
    security = user
    map to guest = Bad User
    passdb backend = tdbsam
    printing = cups
    printcap name = cups
    load printers = yes
    cups options = raw

[Anonymous]
    path = /shares/anonymous
    guest ok = yes
    browsable = yes
    writeable = yes

[LewisData7TB]
    path = /mymnt/win
    browsable = yes
    writable = yes
    guest ok = yes
    read only = no

When I attempt to configure for SELinux I do this command:

chcon -t samba_share_t /mymnt/win/

I get this error:

chcon: failed to change context of /mymnt/win/ to system_w:object_r:samba_share_t:s0: Operation not supported.

So, my goal is read/write access to this drive from Windows, but I'm not quite there yet.

4
  • If there are no SELinux errors in audit log, it likely is a regular permission issue. Commented Feb 8, 2019 at 5:29
  • Fedora Project Q&A: NTFS does not support SELinux attributes. Try mount -o remount,context=system_u:object_r:samba_share_t:s0 /dev/sdxY Commented Feb 8, 2019 at 6:03
  • This is not a fix, but more information. I temporarily suspended SELinux using thegeekdiary.com/centos-redhat-how-to-set-selinux-modes. setenforce permissive. This allows me now to browse into the drive from my Windows machine and create files/folders (read/write). So, it is related to SELinux. Commented Feb 9, 2019 at 3:54
  • Kenneth, my original post shows the fstab entry with the -o parameter as you recommend... So, I don't think the remount command (not supported anyway on my CentOS 7) will have any effect. Commented Feb 9, 2019 at 3:56

1 Answer

0

I was about to post some more error messages as some form of progress, but I had the notion to try some commands again and found one of these final ones ended my journey successfully, and as I don't see an answer already posted, I'll take what I used from Kenneth that helped me and add it here myself:

This was causing issues for me on Fedora Linux 35 Workstation with my exFAT USB external hard disk drive that I had already been using fine in Files/Nautilus that would be only to my user account.

To be sure I wasn't just unfamiliar with Samba, I used commands such as man smb.conf to edit the /etc/samba/smb.conf file with more knowledge, and testparm to validate the configuration.

sudo mount /dev/sd?? '/mnt/...' -o 'nosuid,nodev,nofail,noauto,x-gvfs-show,context="system_u:object_r:samba_share_t:s0"' 

https://ask.fedoraproject.org/en/question/62838/selinux-ntfs-samba-share-problemworkaround/

That is the command that completed my solution.

It utilizes the same method of masking filesystem attributes like I had found in tutorial pages with my Fedora Linux distribution here: https://docs.fedoraproject.org/en-US/quick-docs/samba/ https://www.tecmint.com/setup-samba-file-sharing-for-linux-windows-clients/

sudo semanage fcontext --add --type "samba_share_t" /mnt/...
sudo restorecon -R /mnt/...

I was able to test that this was necessary earlier using these broader commands:

> sudo setenforce Permissive
> sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 33

https://www.thegeekdiary.com/centos-redhat-how-to-set-selinux-modes/

I had also noticed the bare directory when unmounted was a mnt_t, and when mounted and dysfunctional with Samba was dosfs_t.

I checked these with this command: ls -ldZ where the Z was key. l is enough for me, but some used getfacls for a more verbose display.

https://superuser.com/questions/617777/how-do-i-auto-mount-a-usb-drive-that-all-users-can-write-to

I had also thought of the user mount option, but it is unnecessary now, at least for solving this problem for me.

2 more SELinux commands may have been helpful, but I could not generate any console or log output with them, with or without the '-d' option, audit2why and audit2allow. https://opensource.com/article/18/12/troubleshooting-hardware-problems-linux

The firewall commands allowed other systems to connect.

I was able to test locally using these:

> smbclient --user="<user>%<password>" -L '//<machine>/<share>'
Sharename   Type   Comment
---------   ----   -------
print$      Disk   Printer Drivers
...         Disk
smbtest     Disk   testing
IPC$        IPC    IPC Service (Samba #.#.#)
SMB1 disabled -- no workgroup available
> smbclient --user="<user>%<password>" '//<machine>/<share>' --command 'ls'
`NT_STATUS_ACCESS_DENIED listing \*`
> journalctl -u smb -b
......
chdir_current_service: vfs_ChDir(<path>) failed: Permission denied. Current token: uid=#, gid=#, 1 groups: #
......
...NT_STATUS_INTERNAL_ERROR...

I had already set a custom manual mount line in /etc/fstab through the Disks GUI, and manually as well, having it be mounted under /mnt/... instead of only to my user under /run/... trying to open the permissions for users and groups more, but other had read permission throughout, so that was misleading.

I may have tried other methods from articles such as these but with messy situations encountered these error messages and thought they were completely ineffective: Sharing a mounted drive with samba on CentOS7

mount: <path>: wrong fs type, bad option, bad superblock on /dev/sd??, missing codepage or helper program, or other error.
SELinux: mount invalid. Same superblock, different security settings for (dev sd??, type exfat)
> sudo semanage fcontext --add --type "samba_share_t" '/mnt/...'
ValueError: File specification can not include spaces

That was incorrect anyway, as I needed the mentioned mask option to mount anyway, so I did not need to work out a correct file context pattern that worked such as suffixes like (/.*)? or partial names with wildcards too, where I had the idea when trying this command: sudo semanage fcontext -l | less.

That did not work for me earlier as I saw I was not able to change security settings with a remount, thus why it works later now only using the context option alone that I thought I had done already.

It's also possible something is still strange between me using the terminal to mount the drive vs. the Disks GUI now that I had the updated file system table file. I think I have the same options lines and in the correct order, but one method is still giving me a dosfs_t.

Other useful commands:

sudo umount '/mnt/...'
lsblk
dmesg | less (since I have few logs in the var folder for any service, possibly using systemd to contain them)
smbpasswd
smbstatus
sudo pdbedit -L
cat /etc/passwd | grep <user>
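
Added example, not code from the question or the answer above: a POSIX shell check for the fstab problem this thread turns on, where a filesystem that cannot store SELinux labels only gets `samba_share_t` when `context=` sits inside the options field (field 4 of the six that fstab(5) defines). The function names, verdict strings and the list of filesystem types are assumptions of this example; the sample entry is the one quoted in the question.

```sh
#!/bin/sh
# Added example: audit fstab entries for filesystems that cannot store SELinux
# labels, where Samba only sees the label set by the context= mount option.

# Label used on this page; repair_fstab_line accepts another as its 2nd argument.
DEFAULT_CTX='context="system_u:object_r:samba_share_t:s0"'

# Types without per-file label storage (assumed list for this example).
is_unlabeled_fs() {
    case "$1" in
        ntfs|ntfs-3g|exfat|vfat|msdos) return 0 ;;
        *) return 1 ;;
    esac
}

# Print one verdict word for a single fstab line.
audit_fstab_line() {
    case "$1" in ''|'#'*) echo skip; return 0 ;; esac
    set -f; set -- $1; set +f        # split into fields without globbing
    [ $# -ge 4 ] || { echo malformed; return 0; }
    is_unlabeled_fs "$3" || { echo not-applicable; return 0; }
    case ",$4," in *,context=*) echo ok; return 0 ;; esac
    shift 4                          # what remains: freq, passno, stray tokens
    for tok in "$@"; do
        case "$tok" in context=*) echo context-outside-options; return 0 ;; esac
    done
    echo no-context
}

# Print a six-field entry with context= inside the options field (field 4).
repair_fstab_line() {
    ctx=${2:-$DEFAULT_CTX}
    set -f; set -- $1; set +f
    [ $# -ge 4 ] || return 1
    spec=$1 dir=$2 fstype=$3 opts=$4 freq=${5:-0} pass=${6:-0}
    case "$freq$pass" in *[!0-9]*) freq=0 pass=0 ;; esac   # not real freq/passno
    case ",$opts," in *,context=*) ctx= ;; esac   # already labelled: add nothing
    shift 4
    for tok in "$@"; do              # prefer a stray context= token if present
        case "$tok" in context=*) if [ -n "$ctx" ]; then ctx=$tok; fi ;; esac
    done
    printf '%s %s %s %s %s %s\n' "$spec" "$dir" "$fstype" "$opts${ctx:+,$ctx}" "$freq" "$pass"
}

# Sample input: the entry quoted in the question on this page.
QUESTION_LINE='/dev/sda2 /mymnt/win ntfs-3g rw,umask=0000,defaults 0 0 -o context="system_u:object_r:samba_share_t:s0"'
audit_fstab_line "$QUESTION_LINE"     # verdict for the entry as posted
repair_fstab_line "$QUESTION_LINE"    # same entry with context= in field 4
```

After correcting an entry, unmount and mount the filesystem again instead of remounting, since mount(8) documents that the kernel rejects remount requests that include a context option; `ls -dZ` on the mount point then shows the resulting label.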
