samba share problem

Discussion in 'Other Operating Systems' started by Fitzi, Dec 4, 2017.

  1. Fitzi

    Fitzi Member

    Joined:
    Jun 27, 2001
    Messages:
    504
    Location:
    Central Coast, NSW
    Hi All,

    I am building a CentOS 7 server to use as a NAS but I am having problems with the samba configuration (I think). When I browse to the server I can see the share but when I try and connect to it I get the username/password prompt but it just rejects it. For the setup I did the following:

    - created a linux user account and set the password
    - created a group and added the user account to it
    - created a directory to share
    - changed the share directory ownership to the user account I created
    - changed the share directory group to the datashare group I created
    - changed the share directory permissions to 770

    The smb.conf file is as below:
    [root@nnnasp01 storage]$ sudo cat /etc/samba/smb.conf
    [global]
    workgroup = WORKGROUP
    netbios name = nas
    log file = /var/log/samba/log.%m
    passwd program = /usr/bin/passwd %u
    syslog = 0

    [share]
    comment = Movies
    writable = yes
    browsable = yes
    valid users = @shareuser
    path = /mnt/storage/share
    create mask = 0660
    directory mask = 0770
    write list = shareuser
    force user = shareuser

    The user/group and directory is as follows:
    [root@nas storage]$ ls -la
    total 24
    drwxr-xr-x. 4 root root 4096 Dec 1 21:23 .
    drwxr-xr-x. 3 root root 21 Nov 19 11:45 ..
    drwx------. 2 root root 16384 Nov 19 11:42 lost+found
    drwxrwx---. 2 shareuser datashare 4096 Dec 1 21:23 share

    [root@nas storage]$ cat /etc/passwd | grep shareuser
    shareuser:x:1001:1002::/home/shareuser:/bin/bash

    [root@nas storage]$ cat /etc/group | grep shareuser
    datashare:x:1002:shareuser
    shareuser:x:1001:

    I can't really understand what is wrong here. For troubleshooting I added the user to samba (smbpasswd -a shareuser) and I also tried changing the directory permission to 777 as a test but I still get the same issue, so to me it looks like a samba/sharing problem.

    All I am trying to do is set up a shared directory and require user authentication (username/password) to access it.

    Can anyone see what I am doing wrong here or have any pointers?
     
  2. flu!d

    flu!d Ubuntu Mate 16.04 LTS

    Joined:
    Jun 27, 2001
    Messages:
    10,754
    Is your share a separate drive or partition? If so what file system is it using?
     
  3. OP
    OP
    Fitzi

    Fitzi Member

    The share is a directory on a mdadm raid 5 with ext4 as the filesystem:

    [root@nas storage]$ mount -ls | grep md0
    /dev/md0 on /mnt/storage type ext4 (rw,relatime,seclabel,stripe=384,data=ordered)
     
  4. elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    30,332
    Location:
    Brisbane
    What's the output of:

    ls -lad /mnt
    ls -lad /mnt/storage
    ls -lad /mnt/storage/share

    ?

    Alternatively, log on (or su) to the Linux box as "shareuser", attempt to navigate to /mnt/storage/share and try to run "touch testfile".
     
  5. OP
    OP
    Fitzi

    Fitzi Member

    Creating the testfile:
    login as: shareuser
    shareuser@nas's password:
    [shareuser@nas ~]$ cd /mnt/storage/share/
    [shareuser@nas share]$ touch testfile
    [shareuser@nas share]$ ls -la
    total 8
    drwxr-xr-x. 2 shareuser datashare 4096 Dec 5 13:34 .
    drwxr-xr-x. 4 root root 4096 Dec 1 21:23 ..
    -rw-r--r--. 1 shareuser datashare 0 Dec 5 13:34 testfile

    ls output for each directory:
    [root@nas ~]# ls -lad /mnt
    drwxr-xr-x. 3 root root 21 Nov 19 11:45 /mnt

    [root@nas ~]# ls -lad /mnt/storage/
    drwxr-xr-x. 4 root root 4096 Dec 1 21:23 /mnt/storage/

    [root@nas ~]# ls -lad /mnt/storage/share
    drwxr-xr-x. 2 shareuser datashare 4096 Dec 5 13:34 /mnt/storage/share
     
  6. elvis

    elvis Old school old fool

    On-disk permissions look good. Config at a glance looks good. You mentioned you did the right passwd/smbpasswd stuff, so that sounds good.

    CentOS7 enables SELinux by default. Have you tried disabling that (set SELINUX=disabled in /etc/selinux/config), rebooting, and testing the SMB share again?
     
  7. cvidler

    cvidler Member

    Joined:
    Jun 29, 2001
    Messages:
    10,747
    Location:
    Canberra
    This'd be my first test.

    You can temporarily disable SELinux with 'sudo setenforce 0' and/or just review the /var/log/audit/audit.log for entries referencing the share directory and samba daemons.

    If it starts to work with SELinux temporarily disabled, don't just be lazy and turn off SELinux permanently; work out how to fix it. It may just require a 'chcon' on your share directory to have the proper SELinux context.
     
  8. elvis

    elvis Old school old fool

    Agreed. Disabling should be for testing reasons only. Leaving it enabled is a good thing, long term.
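
Added example (not part of the original thread): one way to do the audit.log review suggested above, filtering AVC denials raised by the Samba daemons and listing targets whose SELinux type is not the expected one. The log lines are constructed for illustration, and `samba_share_t` as the expected type is an assumption based on the stock targeted policy, not something named in the thread.

```python
import re

# Constructed audit.log lines for illustration (the thread's own audit log stayed empty).
SAMPLE_AUDIT = '''\
type=AVC msg=audit(1512450000.101:411): avc:  denied  { read } for  pid=2210 comm="smbd" name="share" dev="md0" ino=2 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=dir
type=SYSCALL msg=audit(1512450000.101:411): arch=c000003e syscall=257 success=no exit=-13 comm="smbd" exe="/usr/sbin/smbd"
type=AVC msg=audit(1512450003.204:412): avc:  denied  { getattr } for  pid=987 comm="httpd" path="/var/www/x" dev="dm-0" ino=77 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1512450009.555:414): avc:  denied  { write } for  pid=2210 comm="smbd" name="share" dev="md0" ino=2 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=dir
'''

AVC_RE = re.compile(r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)')
SAMBA_DAEMONS = {"smbd", "nmbd", "winbindd"}

def samba_denials(audit_text):
    """Return one dict per AVC denial raised by a Samba daemon."""
    hits = []
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if not line.startswith("type=AVC") or not m:
            continue  # skip SYSCALL and other record types
        pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', m.group("rest"))
        fields = {k: v.strip('"') for k, v in pairs}
        if fields.get("comm") not in SAMBA_DAEMONS:
            continue  # denial belongs to some other service
        hits.append({
            "perms": m.group("perms").split(),
            "target": fields.get("path") or fields.get("name"),
            # tcontext is user:role:type:level; the type is what chcon -t changes
            "target_type": fields.get("tcontext", ":::").split(":")[2],
            "tclass": fields.get("tclass"),
        })
    return hits

def mislabeled_targets(hits, expected_type="samba_share_t"):
    """Map each denied target to its SELinux type when it differs from expected_type."""
    return {h["target"]: h["target_type"] for h in hits
            if h["target_type"] != expected_type}

if __name__ == "__main__":
    denials = samba_denials(SAMPLE_AUDIT)
    for d in denials:
        print(d)
    print("relabel candidates:", mislabeled_targets(denials))
```

An empty result with SELinux in permissive mode, as in this thread, points away from SELinux and towards the Samba configuration itself.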
     
  9. cvidler

    cvidler Member

  10. OP
    OP
    Fitzi

    Fitzi Member

    Hi Guys,

    Thanks for the pointers. I have tried the above but I am still seeing the same behaviour (it just re-prompts for the username/password). For info I tested this on Linux Mint and Windows but I doubt that matters.

    I disabled selinux enforcement and tested but no dice, below is the output to confirm selinux is disabled:

    [root@nas samba]# sestatus
    SELinux status: enabled
    SELinuxfs mount: /sys/fs/selinux
    SELinux root directory: /etc/selinux
    Loaded policy name: targeted
    Current mode: permissive
    Mode from config file: enforcing
    Policy MLS status: enabled
    Policy deny_unknown status: allowed
    Max kernel policy version: 28

    On the server I tried tailing /var/log/audit/audit.log and connecting to the share again but it doesn't write any entries to this log. I did the same with /var/log/messages. I also checked /var/log/samba/ but the log.smbd just shows the service starting/stopping. My smb.conf file also points the samba logs to /var/log/samba and I can see the log files are being created for each host trying to access the share but the log files themselves are empty (zero bytes).

    I also tried tailing /var/log/syslog on the client machine, but in all the log files I checked I can't see any entries which indicate a permitted/denied/established connection, which I assumed would have been logged somewhere. Is this the case and I am just missing it? Just before posting I tried disabling selinux altogether and rebooted but I still have the same issue when trying to connect:

    [root@nas ~]# sestatus
    SELinux status: disabled

    @cvidler thanks for the link, I've had a quick read and I think I know what needs to be set once I get this working.
     
  11. cvidler

    cvidler Member

    Opened the firewall on the server for all the required ports? The fact your logs are empty suggests the connections aren't getting through?
     
  12. OP
    OP
    Fitzi

    Fitzi Member

    I did previously add samba as an allowed service in firewalld:

    [root@nas ~]# firewall-cmd --list-all
    public (active)
    target: default
    icmp-block-inversion: no
    interfaces: enp3s0
    sources:
    services: ssh dhcpv6-client samba
    ports:
    protocols:
    masquerade: no
    forward-ports:
    source-ports:
    icmp-blocks:
    rich rules:

    I stopped firewalld and tested, as well as disabling firewalld altogether and rebooting, but I am still running into the same issue :confused: I am guessing there is something super simple here I have overlooked...
     
  13. OP
    OP
    Fitzi

    Fitzi Member

    Just wanted to let you guys know I just got this working.

    First I thought it might be related to the share directory permissions as they were set to 755 but specified as 770 in the smb.conf file, of course this made no difference because the authentication didn't actually happen so no way to read/write to the share anyway.

    Then I found this serverfault question about enabling samba accounting/authentication logging:
    https://serverfault.com/questions/389166/how-to-debug-samba-authorization-authentication-procedure

    So I enabled logging and from there I still couldn't really see exactly what was wrong (logging level 3 is pretty verbose), even now when I go back and grep the log for "authentication for user" I still can't see it failing.

    From there I thought I would go back to my smb.conf and start stripping it back while tailing the samba log and testing. Once I changed the valid users = @datashare, to be the group rather than the specific username, it started working correctly. I also removed some other stuff along the way but it did not start working until after I changed the valid users to the group name. Working smb.conf is below:

    [root@nas samba]# cat /etc/samba/smb.conf
    [global]
    workgroup = WORKGROUP
    netbios name = nas
    log file = /var/log/samba/log.%m
    syslog = 0
    security = user
    log level = 3

    [share]
    comment = share
    writable = yes
    browsable = yes
    read only = no
    valid users = @datashare
    path = /mnt/storage/share
    create mask = 0660
    directory mask = 0770

    I have also just found that selinux is still disabled from troubleshooting last night, so I will re enable it and see if it still works and if not start looking where I go from there.

    Thanks for the help on this one guys!

    Edit: I re-enabled selinux, rebooted and it's still working as expected :)
     
    Last edited: Dec 6, 2017
  14. flu!d

    flu!d Ubuntu Mate 16.04 LTS

    Very interesting, good job Fitzi.

    I had a samba issue a while back, after exhausting everything I purged and reinstalled samba and all of a sudden everything started working again - Strangely enough the issue I was encountering was only present when my Mac tried to access the share, every other Linux and Windows based machine accessed the share just fine.
     
  15. OP
    OP
    Fitzi

    Fitzi Member

    Once I got it working last night I didn't really know why, but I think I just worked it out. Looking at the examples from chapter 9 at samba.org: https://www.samba.org/samba/docs/using_samba/ch09.html

    In the valid users line in my smb.conf I had the @ before the username thinking I was setting a single valid user, once I changed the valid user line to @datashare (the group name), it worked fine.

    Looking at the above link it seems you only use the @ to specify the group whereas if you want to just specify users you don't use the @ symbol.

    I haven't actually tried to access it with my macbook yet :Paranoid: but that's not really a priority at this stage anyway
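
Added example (not part of the original thread): a small check that expands a `valid users` value against local account data, to show why `@shareuser` admitted nobody while `@datashare` worked. The passwd and group text is constructed to mirror the output posted earlier in the thread; the function names are hypothetical, and only local `/etc/passwd` and `/etc/group` style data is consulted (NIS netgroups, which Samba also tries for `@`, are not handled).

```python
import re

# Constructed sample data mirroring the thread's /etc/passwd and /etc/group output.
PASSWD = "shareuser:x:1001:1002::/home/shareuser:/bin/bash\n"
GROUP = "datashare:x:1002:shareuser\nshareuser:x:1001:\n"

def load_accounts(passwd_text, group_text):
    """Return ({user: primary_gid}, {group: (gid, [listed members])})."""
    users, groups = {}, {}
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) >= 4:
            users[f[0]] = int(f[3])
    for line in group_text.splitlines():
        f = line.split(":")
        if len(f) >= 4:
            groups[f[0]] = (int(f[2]), [m for m in f[3].split(",") if m])
    return users, groups

def resolve_valid_users(value, users, groups):
    """Expand a 'valid users' value into (allowed accounts, warnings)."""
    allowed, warnings = set(), []
    for entry in re.split(r"[,\s]+", value.strip()):
        if not entry:
            continue
        if entry[0] in "@+":  # '@' and '+' prefixes name a group, not a user
            name = entry[1:]
            if name not in groups:
                warnings.append(f"{entry}: no such group")
                continue
            gid, listed = groups[name]
            # Members are those listed in the group plus users whose primary GID matches.
            members = set(listed) | {u for u, g in users.items() if g == gid}
            if not members:
                hint = f"; did you mean the user '{name}'?" if name in users else ""
                warnings.append(f"{entry}: group has no members{hint}")
            allowed |= members
        elif entry in users:
            allowed.add(entry)
        else:
            warnings.append(f"{entry}: no such user")
    return allowed, warnings

if __name__ == "__main__":
    users, groups = load_accounts(PASSWD, GROUP)
    for value in ("@shareuser", "@datashare", "shareuser"):
        print(value, "->", resolve_valid_users(value, users, groups))
```

With the thread's data, the private group `shareuser` (GID 1001) has no members because the account's primary GID is 1002, so `@shareuser` expands to an empty set.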
     
