RHEL6: Unable to access any Samba share

Linux howto's, compile information, information on whatever we learned on working with linux, MACOs and - of course - Products of the big evil....
^rooker
Site Admin
Posts: 1483
Joined: Fri Aug 29, 2003 8:39 pm

RHEL6: Unable to access any Samba share

Post by ^rooker »

[PROBLEM]
I was trying to configure a folder to be shared using Samba, on a Red Hat Enterprise Linux Server (RHEL) 6.
I did the usual things, like adding my user using "smbpasswd" and adding a share config block to /etc/samba/smb.conf, and restarted the "smb" and "nmb" services.

I could open the RHEL6 server from Windows 7, and logon worked as expected.
But as soon as I tried to open any share on that RHEL6 samba server, I got an error message telling me something like "access denied":
(Sorry, I only have the error message in German at the moment)

Auf \\<servername>\<sharename> konnte nicht zugegriffen werden.

Sie haben keine Berechtigung für den Zugriff auf \\<servername>\<sharename>. Wenden Sie sich an den Netzwerkadministrator, um den Zugriff anzufordern.

I've checked everything. Several times.

[SOLUTION]
SELinux must be told to allow access to the shared folder:

chcon -t samba_share_t <shared_foldername>

After telling SELinux that my shared folder was of type "Samba Share", I finally was able to access it.

Details for setting up Samba on RHEL6 can be found in Edward Hurst's blog entry titled "RHEL 6 for the Clueless: Samba Server (Updated)".
Jumping out of an airplane is not a basic instinct. Neither is breathing underwater. But put the two together and you're traveling through space!

RHEL6 + GlusterFS + SELinux + Samba = Operation not supporte

Post by ^rooker »

[PROBLEM]
On the same Red Hat Enterprise Linux Server, I made another uncomfortable discovery:
RHEL6 + GlusterFS + SELinux + Samba =
chcon: failed to change context of `/mnt/gluster_share' to `system_u:object_r:samba_share_t:s0': Operation not supported
:(

[SOLUTION]
First, take a look at SELinux settings regarding Samba:

$ getsebool -a | grep samba

On my setup this returns:
samba_create_home_dirs --> off
samba_domain_controller --> off
samba_enable_home_dirs --> off
samba_export_all_ro --> off
samba_export_all_rw --> off
samba_portmapper --> off
samba_run_unconfined --> off
samba_share_fusefs --> off
samba_share_nfs --> off
sanlock_use_samba --> off
use_samba_home_dirs --> off
virt_use_samba --> off
What caught my attention was:
samba_share_fusefs --> off
GlusterFS is a fuse filesystem, so let's enable sharing fusefs over Samba:

$ setsebool samba_share_fusefs=on

Voila! :)
That did the trick: Now I was able to access the mounted Gluster folder over Samba.


References:
Redhat Bugzilla: Bug 910380 - unable to execute selinux "chcon" on gluster mounts
SELinux blocking Samba directory listing

RHEL6: Samba and iptables firewall

Post by ^rooker »

[PROBLEM]
By default, the ports used by Samba are filtered by RHEL's iptables firewall.

[SOLUTION]
In "/etc/sysconfig/iptables", add the following line, before the first "-j REJECT", so it looks like this:

-A INPUT -p tcp --dport 445 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited

The "--reject-with icmp-host-prohibited" line should already be in there, but it's important that the rule for destination port (--dport) 445 (=Microsoft-ds) is before it.

Then load the iptables, using "iptables-restore":

$ cat /etc/sysconfig/iptables | iptables-restore

If everything went fine, the output of "iptables -L" should look like this:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:Microsoft-ds
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Thanks to Aaron Walrath's blog entry about Samba on Red Hat Enterprise Linux.
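
An added example, not part of the original posts: a small shell check for the ordering requirement described in the firewall post above. It reads a rules file in the format of /etc/sysconfig/iptables and reports whether the tcp/445 ACCEPT rule comes before the first INPUT REJECT. The function name and both sample rule sets are constructed for illustration.

```shell
#!/usr/bin/env bash
# check_smb_rule_order: reads iptables-restore style rules on stdin and prints
#   ok        an INPUT ACCEPT rule for tcp/445 precedes the first INPUT REJECT
#   shadowed  the tcp/445 rule exists, but only after the first INPUT REJECT
#   missing   no INPUT ACCEPT rule for tcp/445 was found
# Only plain "--dport 445" rules are recognised (no multiport, no custom chains).
check_smb_rule_order() {
  awk '
    /^-A INPUT / {
      n++
      if ($0 ~ /-j REJECT/ && !reject) reject = n
      if ($0 ~ /-p tcp/ && $0 ~ /--dport 445( |$)/ && $0 ~ /-j ACCEPT/ && !accept)
        accept = n
    }
    END {
      if (!accept) print "missing"
      else if (reject && accept > reject) print "shadowed"
      else print "ok"
    }
  '
}

# Constructed sample: the layout from the post (445 ACCEPT before REJECT).
RULES_GOOD='*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 445 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Constructed sample: the same rule appended after the REJECT, so it never matches.
RULES_SHADOWED='*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp --dport 445 -j ACCEPT
COMMIT'

printf 'good:     %s\n' "$(printf '%s\n' "$RULES_GOOD" | check_smb_rule_order)"
printf 'shadowed: %s\n' "$(printf '%s\n' "$RULES_SHADOWED" | check_smb_rule_order)"
```

To check a live file, feed it on stdin: `check_smb_rule_order < /etc/sysconfig/iptables`. The rule shown in the post accepts port 445 from any source; adding a `-s <trusted_subnet>` match to it limits who can reach the share.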