A little Samba help please

Craig White craigwhite at azapple.com
Sun Mar 26 19:09:20 UTC 2006


On Sun, 2006-03-26 at 19:55 +0100, Paul Howarth wrote:
> On Sun, 2006-03-26 at 11:40 -0700, Craig White wrote:
> > On Sun, 2006-03-26 at 10:08 -0800, Knute Johnson wrote:
> > > >First step in diagnosing whether or not a problem is SELinux is to try:
> > > >
> > > ># setenforce 0
> > > >
> > > >If the problem goes away then it's SELinux. If not, look elsewhere for
> > > >the problem.
> > > >
> > > >Paul.
> > > 
> > > Paul:
> > > 
> > > Thanks for your reply.  I worked on it some more last night and found 
> > > a relevant article somewhere on the net.   The article said when 
> > > creating share files with the gui samba control program that since 
> > > FC4 it didn't set the selinux context correctly.  So I set the 
> > > directory to system_u:object_r:samba_share_t.  It works fine now.  
> > > Both directions.  I do have a question though, who should own the 
> > > share directory.  When root owned it it didn't work but I changed the 
> > > owner to nobody it worked.
> > ----
> > that sort of makes sense since you are running the shares as user
> > 'nobody' - this is just one of many peculiar aspects of using 'security
> > = share' modes...which I have never done.
> 
> I've never done that either - I always use "security = user". For
> filestore that is to be shared between several people, I usually create
> a new account for use with that filestore share, use "force user" in
> smb.conf for that share (specifying the specially-created account) and
> then have a "write list" for the share to say who can write to it.
----
that very much makes sense but it does seem somewhat controlling,
especially since samba supports/integrates all sorts of things including
posix user and group attributes including suid & guid and extended
ACLs, where supported by the underlying file systems - but that does
mean that the 'Red Hat' way of simultaneously creating a new identically
named group when you create a new user is rather pointless.

Also just as a means of pointing out how other people do things
differently and YMMV, I tend to use 'inherit permissions = yes' in most
of my samba file shares themselves - which also accomplishes similar
results...but people do get to keep ownership and are actually able to
change ownership and the stored documents can be accessible via means
other than samba and not have a confused user/group scheme that doesn't
relate to anything other than samba.

Craig
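
The two share layouts discussed in this thread, side by side, as an added example that is not part of the original messages. The share names, paths, account name and user/group names are hypothetical placeholders; only the smb.conf parameters themselves come from the thread or from Samba's documented options.

```ini
[global]
    # Per-user authentication, as both posters use, instead of "security = share".
    security = user

# Layout 1 (Paul's description): one dedicated account owns everything on disk.
# Every connected user's file operations run as "projstore" (hypothetical
# account), so Unix ownership on disk no longer shows who wrote a file.
[project]
    path = /srv/samba/project
    # The directory must be owned by, and writable for, the forced account.
    force user = projstore
    # Limit who may connect at all.
    valid users = alice, bob, carol
    # Read-only by default; only the write list gets write access.
    read only = yes
    write list = alice, bob

# Layout 2 (Craig's description): users keep their own Unix identity.
# Files stay owned by whoever created them and remain usable outside Samba
# with the same user/group scheme.
[shared]
    path = /srv/samba/shared
    valid users = @staff
    read only = no
    # New directories take the parent directory's mode (including setgid);
    # new files take their read/write bits from the parent directory.
    inherit permissions = yes

# With SELinux enforcing, each share path also needs the samba_share_t type
# mentioned earlier in the thread, for example:
#   chcon -R -t samba_share_t /srv/samba/project
```

Running testparm after editing smb.conf reports syntax errors and unknown parameters before the daemon is reloaded.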
