Revision as of 15:14, 9 January 2020
Prerequisites
sudo dnf install samba
sudo systemctl enable smb --now
firewall-cmd --get-active-zones
sudo firewall-cmd --permanent --zone=FedoraWorkstation --add-service=samba
sudo firewall-cmd --reload
sudo systemctl enable smb --now
Sharing a directory under your home
In this example you will share a directory under your home that is accessible only by your user.
Note: with the standard Samba configuration (no backends, no modules), Samba does not use the operating system users for authentication, so you have to create a Samba user that replicates the system one. The same username must still exist on the system in order to handle filesystem permissions.
If your user name is "jane", you have to add the same username to Samba. Please note: the Samba password can be different from the system password.
sudo smbpasswd -a jane
Add the share definition to the /etc/samba/smb.conf configuration file:
[share]
comment = My Share
path = /home/jane/share
writeable = yes
browseable = yes
# public is a synonym of "guest ok"; it is set to no so the share stays limited to authenticated users
public = no
create mask = 0644
directory mask = 0755
write list = jane
Create the directory, label it for SELinux and restart Samba:
mkdir /home/jane/share
sudo semanage fcontext --add --type "samba_share_t" "$HOME/share(/.*)?"
sudo restorecon -R ~/share
sudo systemctl restart smb
Sharing a directory for many users
In this example you will share a directory (outside your home) and you will create a group of users with the right to read/write to the share.
Create a system group
sudo groupadd myfamily
Remember: the Samba user must also be a system user, in order to respect filesystem permissions.
sudo useradd -G myfamily jack
sudo useradd -G myfamily maria
You can leave these users without a system password, which prevents them from accessing the system via SSH or local login.
sudo smbpasswd -a jack
sudo smbpasswd -a maria
sudo mkdir /home/share
sudo chgrp myfamily /home/share
sudo chmod 770 /home/share
sudo semanage fcontext --add --type "samba_share_t" "/home/share(/.*)?"
sudo restorecon -R /home/share
Add this stanza to /etc/samba/smb.conf (each share has its own section in the configuration file):
[family]
comment = Family Share
path = /home/share
writeable = yes
browseable = yes
public = yes
valid users = @myfamily
create mask = 0660
directory mask = 0770
force group = +myfamily
Explanation:
- valid users = @myfamily: only users in the myfamily group have access rights (the @ sign denotes a group name)
- force group = +myfamily: forces files and directories to be created with this group, instead of with the user's own group
- create mask = 0660: files on the filesystem are created with these permissions, so all users in the group can read and write files created by other users
- directory mask = 0770: as above, but for directories
Change a samba user password
Remember: the system and Samba passwords can be different. The system user is mandatory in order to handle filesystem permissions.
sudo smbpasswd maria
Remove a samba user
sudo smbpasswd -x maria
If you don't need the system user, remove it as well:
sudo userdel -r maria
Troubleshooting and logs
Samba log files are located in /var/log/samba/
tail -f /var/log/samba/log.smbd
You can increase the verbosity by adding this directive to the [global] stanza of /etc/samba/smb.conf:
[global]
loglevel = 5
To validate configuration file syntax: testparm
To display current samba connections, use the smbstatus command.
- Be sure that the user exists as a system user as well as a Samba user
- Check if the shared directory has the right SELinux context
$ ls -dZ /home/share
unconfined_u:object_r:samba_share_t:s0 /home/share
- Check if the system user has access rights to the shared directory
$ ls -ld /home/share
drwxrwx---. 5 root myfamily 4096 9 gen 15.45 /home/share
In this case the user should be in the myfamily group
- Check in the configuration file if the user has been granted access rights or is in the appropriate group
Trouble with writing in the share
- Check in the samba configuration file if the user/group has write permissions
- Check user group membership
- Check the share directory permissions
https://selinuxproject.org/page/SambaRecipes
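The three checks for trouble with writing in the share can be combined into one function. This is an added example, not part of the original wiki page: it parses a share stanza and reports why a given user cannot write. The function names, the problem messages and the owner/group/mode arguments (taken from `ls -ld`) are assumptions of the example, and it only handles the parameters used on this page plus plain owner/group/other permission bits.

```python
import configparser

# Constructed sample input: the [family] stanza from this page.
SAMPLE_CONF = """\
[family]
path = /home/share
writeable = yes
public = yes
valid users = @myfamily
create mask = 0660
directory mask = 0770
force group = +myfamily
"""

def listed(value, user, groups):
    """True if the user, or one of their groups (@name or +name), is in an smb.conf user list."""
    for entry in value.replace(",", " ").split():
        if entry == user or (entry[0] in "@+" and entry[1:] in groups):
            return True
    return False

def write_problems(conf_text, share, user, groups, owner, group, mode):
    """Return the reasons `user` cannot write to `share`; an empty list means none were found."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.read_string(conf_text)
    s = cp[share]
    problems = []
    valid = s.get("valid users", "")
    if valid and not listed(valid, user, groups):
        problems.append("not in valid users")
    # writeable/writable are inverted synonyms of "read only" (default: read only = yes)
    writable = (s.get("writeable", s.get("writable", "no")).lower() in ("yes", "true", "1")
                or s.get("read only", "yes").lower() in ("no", "false", "0"))
    if not writable and not listed(s.get("write list", ""), user, groups):
        problems.append("share is read only for this user")
    # Creating files needs write+execute on the directory for the class that applies
    if user == owner:
        bits = mode >> 6
    elif group in groups:
        bits = mode >> 3
    else:
        bits = mode
    if (bits & 0o3) != 0o3:
        problems.append("directory permissions deny write")
    return problems

if __name__ == "__main__":
    print(write_problems(SAMPLE_CONF, "family", "maria", {"maria"}, "root", "myfamily", 0o770))
```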