On 9/17/2013 6:45 AM, "Th. Söldenwagner" wrote:
Hi,

I am trying to create shares for my users in our new Samba4 domain, but
with no luck so far.

Which flavor of Linux are you trying this on?

If CentOS/RHEL, one thing I always forget to check is SELinux issues. Maybe you have as well?

# getenforce
- Will tell you whether SELinux is disabled, permissive or enforcing.

# setenforce permissive
- Setting it /temporarily/ to "permissive" is a useful check to see whether you have an SELinux issue somewhere that needs to be addressed.

Assuming that you have "auditd" running, try looking at:
# cat /var/log/audit/audit.log | audit2allow
Which may show you an overall view of how many exceptions you have.

In general, SELinux issues boil down to a few root causes and fixes:

#1 - There's a boolean that you need to maybe turn on. If you dig through the "sealert -a UUID" messages in the system log, it does a good job of explaining when this might apply.

#2 - There's a file system labeling problem. i.e. you are trying to let a process access things in a non-standard place and/or with a non-standard label. These are fixed with "restorecon" and "semanage fcontext" changes.

#3 - There's no way to fix labels or booleans to allow what you need, so you need to create a local exception policy. This can be done using "audit2allow" and "semodule -i". You should be careful about which exceptions you feed to audit2allow and try to keep the resulting exception policy as minimal as possible.
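
An added example, not part of the original message: a small parser that groups AVC denials from audit.log by source domain, target type and class, so that labeling problems (#2) are separated from what is left for a minimal local policy (#3). The log lines are constructed samples, and the LABEL_SUSPECT list and function names are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Constructed sample audit.log lines (not taken from the thread).
SAMPLE_LOG = """\
type=AVC msg=audit(1379414701.101:501): avc:  denied  { read } for  pid=2101 comm="smbd" name="shares" dev="dm-0" ino=131 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1379414701.102:502): avc:  denied  { open } for  pid=2101 comm="smbd" name="shares" dev="dm-0" ino=131 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1379414702.200:503): avc:  denied  { getattr } for  pid=2101 comm="smbd" path="/home/alice" dev="dm-0" ino=77 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1379414703.300:504): avc:  denied  { name_bind } for  pid=3300 comm="httpd" src=8081 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1379414703.300:504): arch=c000003e syscall=49 success=no exit=-13 comm="httpd"
"""
# Assumption: these target types usually mean a missing or wrong file label.
LABEL_SUSPECT = {"default_t", "unlabeled_t", "file_t"}
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\}.*?'
    r'scontext=[^:]+:[^:]+:(?P<src>[^:\s]+)\S*\s+'
    r'tcontext=[^:]+:[^:]+:(?P<tgt>[^:\s]+)\S*\s+'
    r'tclass=(?P<cls>\S+)')

def parse_avc(line):
    """Return (source type, target type, class, perms) or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return m["src"], m["tgt"], m["cls"], set(m["perms"].split())

def summarize(lines, domain=None):
    """Merge denials into {(src, tgt, class): {"perms", "count"}}."""
    out = defaultdict(lambda: {"perms": set(), "count": 0})
    for rec in filter(None, map(parse_avc, lines)):
        if domain and rec[0] != domain:
            continue
        out[rec[:3]]["perms"] |= rec[3]
        out[rec[:3]]["count"] += 1
    return dict(out)

def select_for_policy(lines, domain):
    """Raw AVC lines for one domain, minus probable labeling problems."""
    recs = ((line, parse_avc(line)) for line in lines)
    return [l for l, r in recs if r and r[0] == domain and r[1] not in LABEL_SUSPECT]

if __name__ == "__main__":
    for (src, tgt, cls), v in sorted(summarize(SAMPLE_LOG.splitlines(), "smbd_t").items()):
        hint = "fix label first" if tgt in LABEL_SUSPECT else "check booleans, then local policy"
        print(f"{v['count']}x {src} -> {tgt}:{cls} {sorted(v['perms'])} [{hint}]")
```

Only the lines returned by select_for_policy() would be candidates to pipe into audit2allow, and only after checking whether a boolean already covers them.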
