Linux to Linux smb share write access problem

[earlboy]

I've got a file server running fedora 3 with samba shares on a external usb disk with vfat partition.
Share name is "pub" and is located in an external usbdisk with vfat filesystem, mount point is /media/usbdisk/pub
I've also got a client pc dual booted with WinXP and fedora 3.

Accessing the share in winxp, read/write - no problem (I've tested on admin account only)
Accessing the share using linux via nautilis file browser - no problem ( any user can read or write )

The problem arises when I manually mount the share using the mount command.
mount -t smb -o username=my_user,password=my_password,uid=500,gid= 100,dmask=777,,workgroup="NO GROUP" //MyFileServer/pub /mnt/smb

As root I can read/write no problem.
But as an ordinary user, I can create a directory in the share no problem, but as soon as I go into that directory and try to create a file or another directory I get a 'permission denied'.
As mentioned above using nautilis even as an ordinay user I don't get this problem.
I haven't tried accessing the share in XP using an ordinary user.

here is my smb.conf for the pub share :

[global]
workgroup = no group
server string = File Server
printcap name = /etc/printcap# This option tells cups that the data has already been rasterized
load printers = yes
cups options = raw
log file = /var/log/samba/%m.log
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
dns proxy = no
#==========Share Definitions ========================
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /bin/false
username map = /etc/samba/smbusers
password server = None
winbind use default domain = no
[pub]
comment = Public Files
path = /media/usbdisk/pub
writeable = yes
admin users = nobody bong

As mentioned above, I need to create a subdirectory on the directory I've just created in the share, but somehow I'm not being permited to by samba.

Any help appreciated. Thanks.

[earlboy]

I've managed to fix the problem. Though I don't know if it's the right way to do it.
I've installed FUSE and FuseSMB in my system.
I'm now able to create subdirectories and copy files into those subdirectories.
I replied to my own post in case someone encounters the same problem I had.

cheers.

[fozner]

I ran into the same problem with SELINUX. Not sure what the correct security context is but you have to change one of the security contexts on the server to be one of type smb_share or some junk like that. Sorry for being vague but I forgot. Maybe this will jog somebody's memory. The reason FUSE is working is that FUSE is probably correcting the security context. If you can do a ls -Z in the shared folder and post that, maybe we can learn what the correct setting is...

Edit: What you're looking for is in your smb.conf for the share add:
force create mode = 0775
force directory mode = 6775

Also please read this selection, paying attention to how to set the sticky bit on directories within the share so that new files are created with the proper permissions.

http://www.samba.org/samba/docs/man/...html#id2595282

[kosmosik]

http://fedoranews.org/contributors/k...kosmowski/fat/

[kosmosik]

Quote:

Originally Posted by kosmosik

http://fedoranews.org/contributors/k...kosmowski/fat/

please note the mask (fmask/dmask) parameters in mount options... it looks to me like kernel somehows caches the permissions on FAT (even that they do not exist)...

[earlboy]

Thanks for the replies.

I'll try fozner's suggestion, and see what happens.

FUSE is a bit annoying to use, since it never gets loaded at bootime. ( I tried some stuff I've read about getting modules loaded at boot time, but with fuse it doesn't seem to work. ).

I'll post back as soon as I can about the results.

[fozner]

I wish you luck. What I wound up doing, for my setup, was switching to NFS. Nfs shares the same folder that smb chokes on with no problems at all. And I can read and write to the folder from anywhere the ACL and firewall will allow.

The only problem with nfs is it lacks user level security so... any user with uid # x can go in and modify files. I wouldn't recommend it on a WEP...

For persistant connections, I have added a line to my /etc/fstab

games:/usr/share/point2play /mnt/games nfs intr 0 0

[SlowJet]

FUSE is a Kernel Module with a lib API for a File System.
FuseSMB is 2 program - one to cralw the net and collect share names (under what authority?), make a list so that program two can use SMB mounts in a pooled manner.

FUSE completely bypasses SELinux and any File System used by it could not be incorperated into the FC File System without some serious Permission maintenance and a relabel of the mount.

FUSE seems toooo good to be true. If it is so good why isn't it in FC?
Why is the Samba and IBM guys not gobbling up the code?
Why doesn't it understand SELinux?
Why has it taken so long to get to .8 vesion.

Run at your own risk as one bug will bring down the whole system.

If you read that link from Kosk, you wouldn't have to make up stories about SELinux and permissions then hack your systems back into the past to make up for your mis-information.

SJ

[earlboy]

FUSE isn't maintained anymore, as far as I know. I think it was merged with the AVFS project.
It might not work with every system it is installed on, so maybe that is the reason why FC did not include it.

[fozner]

Not using FUSE. Not recommending FUSE. Just curious about how it bypasses selinux and the correct way to make smb rw shares work under Selinux. That is what nobody seems to know.

[earlboy]

Well it didn't work. I've added :
force create mode = 0775 ( even tried 0777 )
force directory mode = 6775 ( same here tried 6777 )
but as a regular user ( not root), I still got the same problem. I can create a directory in my /mnt/smb/pub directory e.g. ( mkdir /mnt/smb/pub/test - works ), but cannot create a file or directory inside it e.g. ( mkdir /mnt/smb/pub/test/test2 - permission denied ).

tried kosmosik's suggestion as well .

I tried using umask=000 ( since I read that it was reverted ), dmask=000 and fmask=000 in my mount options, but still I'm still getting the same problem.

[Time2IPL]

Quote:

Originally Posted by fozner

The reason FUSE is working is that FUSE is probably correcting the security context. If you can do a ls -Z in the shared folder and post that, maybe we can learn what the correct setting is...

I really doubt that FUSE it's doing anything with SELINUX or security contexts; it's a user-space driver that's allowing you to access your Window$ files directly. Think of it as if you were using a CD as a normal user; the permissions in fstab have to be set so you can use it, but once they are, you're off and running. Same thing with FUSE. AFAIK the only security layer(s) applied are that which are provided by the underlying file system(s).

I'm still not clear on why you're using FUSE - or NTFS in the kernel - or anything other than SAMBA itself to read / write files; you're not using FUSE et al. to circumvent SAMBA's access controls, are you? If you're having user permissions at all, you probably want to do a {CODE]net groupmap list[/CODE]
and make sure that you have corresponding UNIX groups for each NT group. Running pdbedit might clear some of the mystery surrounding this up for you, too. SAMBA has grown up, it's using UNIX uid & gid <-> NT sid (& rid) mapping; check out your /var/log/messages...

[Time2IPL]

Hit "post" by accident; sorry for that.

I'm running a SAMBA PDC; everything on that machine is accessible to users authenticated by it (who logged in to / via it) and also at a share level. From the looks of the dates on my files in August of '04 I had to change a lot of things around; SAMBA matured a LOT. This setup has been working wonderfully; it even auto-magically sends the correct print drivers when a windows user adds a printer.

Part I : get your smb.conf in working order (I'll elaborate on that in a bit)
Part II: map out your users and your groups. Remember, users essentially exist twice: as UNIX users, and as SAMBA users. By far and away the easiest way to deal with users is to add them with useradd, set a pasword for them with passwd, then add them as SAMBA users. Something like this (as root):

Code:

useradd -u $NEWUSERUID -c "SAMBA user" -g users -G users,ntusers -m -d /export/home/$NEWUSERNAME -n $NEWUSERNAME
passwd --stdin $NEWUSERNAME
smbpasswd -a $NEWUSERNAME
(it'll prompt you for the user's password at this point).

Use the same password for the *NIX shell account and for smbpasswd.
Next, create whatever groups you need to and do your

Code:

net groupmap list

Then, enter your mappings. You'll probably end up with something like this:

Code:

# net groupmap modify ntgroup="Domain Admins"       unixgroup="wheel"
# net groupmap modify ntgroup="Domain Users"        unixgroup="samba"
# net groupmap modify ntgroup="Domain Guests"       unixgroup="nobody"
# net groupmap modify ntgroup="Administrators"      unixgroup="wheel"
# net groupmap modify ntgroup="Users"               unixgroup="samba"
# net groupmap modify ntgroup="Guests"              unixgroup="guest"
#
# net groupmap modify ntgroup="Power Users"         unixgroup="ntpoweru"
# net groupmap modify ntgroup="Account Operators"   unixgroup="account"
# net groupmap modify ntgroup="System Operators"    unixgroup="operator"
# net groupmap modify ntgroup="Print Operators"     unixgroup="print"
# net groupmap modify ntgroup="Backup Operators"    unixgroup="backup"
# net groupmap modify ntgroup="Replicators"         unixgroup="staff"

Hopefully that'll get you going; I will check back in later, and by then, will have hopefully found the HOWTO I wrote up on this some time back when I had to do it myself. Check out "man pdbedit" and "man smb.conf", I seem to recall having spent a lot of time looking there.

Unfortunately a lot of what' s out there on the web is <very> dated, and isn't going to be of much - if it's of any - use to you.

- Larry