Which SELinux setting prevents Samba from showing shares and allowing access to them?

I have a very basic configuration in /etc/samba/smb.conf:

[global]
        workgroup = WORKGROUP
        server string = Samba server (%v) on %h

        security = user
        passdb backend = tdbsam
[data]
        comment = Share
        path = /data
        writable = yes
        valid users = jim fred

I set up the share directory with the appropriate SELinux context and ran restorecon:

# semanage fcontext -a -t samba_share_t "/data(/.*)?"
# restorecon -R /data

I enabled the following SELinux boolean options for Samba:

# setsebool -P samba_enable_home_dirs on
# setsebool -P samba_export_all_rw on
# getsebool -a | grep samba
samba_create_home_dirs --> off
samba_domain_controller --> off
samba_enable_home_dirs --> on
samba_export_all_ro --> off
samba_export_all_rw --> on
samba_load_libgfapi --> off
samba_portmapper --> off
samba_run_unconfined --> off
samba_share_fusefs --> off
samba_share_nfs --> off
sanlock_use_samba --> off
tmpreaper_use_samba --> off
use_samba_home_dirs --> off
virt_use_samba --> off

I created a Samba user account for the user jim:

# smbpasswd -a jim

I can authenticate the Samba user:

# pdbedit -L -v
---------------
Unix username:        jim
NT username:
Account Flags:        [U          ]
User SID:             S-1-5-21-1313117023-1808504127-2290582315-1001
Primary Group SID:    S-1-5-21-1313117023-1808504127-2290582315-513
Full Name:            The Jim of Legend
Home Directory:       \\LSERVER\jim
HomeDir Drive:
Logon Script:
Profile Path:         \\LSERVERS\jim\profile
Domain:               LSERVER
Account desc:
Workstations:
Munged dial:
Logon time:           0
Logoff time:          Wed, 06 Feb 2036 10:06:39 EST
Kickoff time:         Wed, 06 Feb 2036 10:06:39 EST
Password last set:    Tue, 16 Aug 2022 18:02:06 EDT
Password can change:  Tue, 16 Aug 2022 18:02:06 EDT
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

After putting the configuration in place, I restarted smb and nmb:

service smb restart && service nmb restart

The smb service starts normally:

# service smb status
Redirecting to /bin/systemctl status smb.service
● smb.service - Samba SMB Daemon
     Loaded: loaded (/usr/lib/systemd/system/smb.service; enabled; vendor preset: disabled)
     Active: active (running) since Tue 2022-08-16 17:56:22 EDT; 7s ago
       Docs: man:smbd(8)
             man:samba(7)
             man:smb.conf(5)
   Main PID: 2795706 (smbd)
     Status: "smbd: ready to serve connections..."
      Tasks: 3 (limit: 76912)
     Memory: 5.6M
        CPU: 47ms
     CGroup: /system.slice/smb.service
             ├─ 2795706 /usr/sbin/smbd --foreground --no-process-group
             ├─ 2795708 /usr/sbin/smbd --foreground --no-process-group
             └─ 2795709 /usr/sbin/smbd --foreground --no-process-group

Aug 16 17:56:22 lserver systemd[1]: Starting smb.service - Samba SMB Daemon...
Aug 16 17:56:22 lserver smbd[2795706]: [2022/08/16 17:56:22.850039,  0] ../../source3/smbd/server.c:1741(main)
Aug 16 17:56:22 lserver smbd[2795706]:   smbd version 4.16.4 started.
Aug 16 17:56:22 lserver smbd[2795706]:   Copyright Andrew Tridgell and the Samba Team 1992-2022
Aug 16 17:56:22 lserver systemd[1]: Started smb.service - Samba SMB Daemon.

However, when I try to list the available shares as jim, no shares are available:

# smbclient -L localhost -U jim
Password for [WORKGROUP\jim]:

        Sharename       Type      Comment
        ---------       ----      -------

service smb status reports several errors in the log:

# service smb status
...
Aug 16 18:04:27 lserver samba-dcerpcd[2821072]: [2022/08/16 18:04:27.828139,  0] ../../source3/rpc_server/rpc_sock_helper.c:91(dcesrv_create_ncacn_np_socket)
Aug 16 18:04:27 lserver samba-dcerpcd[2821072]:   dcesrv_create_ncacn_np_socket: Failed to create ncacn_np socket! '/run/samba/ncalrpc/np/spoolss': Address already in use
Aug 16 18:04:27 lserver samba-dcerpcd[2821072]: [2022/08/16 18:04:27.828218,  0] ../../source3/lib/util_sock.c:977(create_pipe_sock)
Aug 16 18:04:27 lserver samba-dcerpcd[2821072]:   bind failed on pipe socket /run/samba/ncalrpc/np/srvsvc: Address already in use
Aug 16 18:04:27 lserver samba-dcerpcd[2821072]: [2022/08/16 18:04:27.828242,  0] ../../source3/rpc_server/rpc_sock_helper.c:91(dcesrv_create_ncacn_np_socket)
Aug 16 18:04:27 lserver samba-dcerpcd[2821072]:   dcesrv_create_ncacn_np_socket: Failed to create ncacn_np socket! '/run/samba/ncalrpc/np/srvsvc': Address already in use
Aug 16 18:04:27 lserver samba-dcerpcd[2821072]: [2022/08/16 18:04:27.828740,  0] ../../source3/lib/util_sock.c:977(create_pipe_sock)
Aug 16 18:04:27 lserver samba-dcerpcd[2821072]:   bind failed on pipe socket /run/samba/ncalrpc/np/winreg: Address already in use
Aug 16 18:04:27 lserver samba-dcerpcd[2821072]: [2022/08/16 18:04:27.828763,  0] ../../source3/rpc_server/rpc_sock_helper.c:91(dcesrv_create_ncacn_np_socket)
Aug 16 18:04:27 lserver samba-dcerpcd[2821072]:   dcesrv_create_ncacn_np_socket: Failed to create ncacn_np socket! '/run/samba/ncalrpc/np/winreg': Address already in use

Here is the complete log from /var/log/messages at the time of the incident:

2022-08-16T18:23:00.514283-04:00 lserver setroubleshoot[2878314]: SELinux is preventing samba-dcerpcd from unlink access on the sock_file rpcecho. For complete SELinux messages run: sealert -l df6a7f6a-2540-4247-91e7-4755ff529d58
2022-08-16T18:23:00.515763-04:00 lserver setroubleshoot[2878314]: SELinux is preventing samba-dcerpcd from unlink access on the sock_file rpcecho.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that samba-dcerpcd should be allowed unlink access on the rpcecho sock_file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'samba-dcerpcd' --raw | audit2allow -M my-sambadcerpcd#012# semodule -X 300 -i my-sambadcerpcd.pp#012
2022-08-16T18:23:00.518242-04:00 lserver setroubleshoot[2878314]: SELinux is preventing samba-dcerpcd from unlink access on the sock_file epmapper. For complete SELinux messages run: sealert -l df6a7f6a-2540-4247-91e7-4755ff529d58
2022-08-16T18:23:00.519194-04:00 lserver setroubleshoot[2878314]: SELinux is preventing samba-dcerpcd from unlink access on the sock_file epmapper.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that samba-dcerpcd should be allowed unlink access on the epmapper sock_file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'samba-dcerpcd' --raw | audit2allow -M my-sambadcerpcd#012# semodule -X 300 -i my-sambadcerpcd.pp#012
2022-08-16T18:23:00.521350-04:00 lserver setroubleshoot[2878314]: SELinux is preventing samba-dcerpcd from unlink access on the sock_file winreg. For complete SELinux messages run: sealert -l df6a7f6a-2540-4247-91e7-4755ff529d58
2022-08-16T18:23:00.522205-04:00 lserver setroubleshoot[2878314]: SELinux is preventing samba-dcerpcd from unlink access on the sock_file winreg.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that samba-dcerpcd should be allowed unlink access on the winreg sock_file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'samba-dcerpcd' --raw | audit2allow -M my-sambadcerpcd#012# semodule -X 300 -i my-sambadcerpcd.pp#012
2022-08-16T18:23:00.524343-04:00 lserver setroubleshoot[2878314]: SELinux is preventing samba-dcerpcd from unlink access on the sock_file lsarpc. For complete SELinux messages run: sealert -l df6a7f6a-2540-4247-91e7-4755ff529d58
2022-08-16T18:23:00.525202-04:00 lserver setroubleshoot[2878314]: SELinux is preventing samba-dcerpcd from unlink access on the sock_file lsarpc.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that samba-dcerpcd should be allowed unlink access on the lsarpc sock_file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'samba-dcerpcd' --raw | audit2allow -M my-sambadcerpcd#012# semodule -X 300 -i my-sambadcerpcd.pp#012
2022-08-16T18:23:00.527306-04:00 lserver setroubleshoot[2878314]: SELinux is preventing samba-dcerpcd from unlink access on the sock_file fssagentrpc. For complete SELinux messages run: sealert -l df6a7f6a-2540-4247-91e7-4755ff529d58
2022-08-16T18:23:00.528142-04:00 lserver setroubleshoot[2878314]: SELinux is preventing samba-dcerpcd from unlink access on the sock_file fssagentrpc.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that samba-dcerpcd should be allowed unlink access on the fssagentrpc sock_file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'samba-dcerpcd' --raw | audit2allow -M my-sambadcerpcd#012# semodule -X 300 -i my-sambadcerpcd.pp#012
2022-08-16T18:23:00.530259-04:00 lserver setroubleshoot[2878314]: SELinux is preventing samba-dcerpcd from unlink access on the sock_file mdssvc. For complete SELinux messages run: sealert -l df6a7f6a-2540-4247-91e7-4755ff529d58
2022-08-16T18:23:00.531103-04:00 lserver setroubleshoot[2878314]: SELinux is preventing samba-dcerpcd from unlink access on the sock_file mdssvc.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that samba-dcerpcd should be allowed unlink access on the mdssvc sock_file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'samba-dcerpcd' --raw | audit2allow -M my-sambadcerpcd#012# semodule -X 300 -i my-sambadcerpcd.pp#012
2022-08-16T18:23:00.533234-04:00 lserver setroubleshoot[2878314]: SELinux is preventing samba-dcerpcd from unlink access on the sock_file srvsvc. For complete SELinux messages run: sealert -l df6a7f6a-2540-4247-91e7-4755ff529d58
2022-08-16T18:23:00.534081-04:00 lserver setroubleshoot[2878314]: SELinux is preventing samba-dcerpcd from unlink access on the sock_file srvsvc.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that samba-dcerpcd should be allowed unlink access on the srvsvc sock_file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'samba-dcerpcd' --raw | audit2allow -M my-sambadcerpcd#012# semodule -X 300 -i my-sambadcerpcd.pp#012
2022-08-16T18:23:00.536250-04:00 lserver setroubleshoot[2878314]: SELinux is preventing samba-dcerpcd from unlink access on the sock_file spoolss. For complete SELinux messages run: sealert -l df6a7f6a-2540-4247-91e7-4755ff529d58
2022-08-16T18:23:00.537079-04:00 lserver setroubleshoot[2878314]: SELinux is preventing samba-dcerpcd from unlink access on the sock_file spoolss.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that samba-dcerpcd should be allowed unlink access on the spoolss sock_file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'samba-dcerpcd' --raw | audit2allow -M my-sambadcerpcd#012# semodule -X 300 -i my-sambadcerpcd.pp#012

SELinux offers a solution via audit2allow. I found other references elsewhere that use the same process. However, when I try to use exactly the command given, it reports an error about an unknown switch:

# ausearch -c 'samba-dcerpcd' --raw | audit2allow -M my-sambadcerpcd semodule -X 300 -i my-sambadcerpcd.pp
Usage: audit2allow [options]

audit2allow: error: no such option: -X

I can confirm that this is an SELinux issue. If I disable SELinux and restart the smb service, the share is visible:

# setenforce 0
# systemctl restart smb.service
# smbclient -L localhost -U jim
Password for [WORKGROUP\jim]:

        Sharename       Type      Comment
        ---------       ----      -------
        data            Disk      Share
        IPC$            IPC       IPC Service (Samba server (4.16.4) on lserver)

When I re-enable SELinux and restart the smb service, the share becomes inaccessible again:

# setenforce 1
# systemctl restart smb.service
# smbclient -L localhost -U jim
Password for [WORKGROUP\jim]:

        Sharename       Type      Comment
        ---------       ----      -------

SELinux is clearly blocking the ability to browse and access the share, but I don't know what the problem is. Why can't I access the share with SELinux enabled?

I ran into this problem while configuring Fedora 36. I have a CentOS 7.9 server with a similar (as far as I can tell, identical) configuration that does not have this problem with SELinux enforcing enabled.

The following appears to be a related Bugzilla report:
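The audit2allow workflow that the setroubleshoot messages point at, as an added example that is not part of the original question: a small POSIX shell/awk script that summarises raw AVC denial records (the kind `ausearch --raw` emits) and renders the type-enforcement (.te) source that a local policy module would contain, so the allow rules can be reviewed before anything is installed. The audit lines, the source type `samba_dcerpcd_t` and the target type `smbd_var_run_t` are constructed for illustration and are not taken from the page. Note that the suggested fix is two separate commands: `audit2allow -M` builds the module and `semodule -X 300 -i` installs it; `-X` (module priority) is a `semodule` option that `audit2allow` does not accept.

```shell
#!/bin/sh
# Added example, not from the original question.
# Summarise raw SELinux AVC denials and render the .te source that a local
# policy module (what "audit2allow -M" builds) would contain, so the allow
# rules can be reviewed before "semodule -i" installs anything.
#
# The audit records below are CONSTRUCTED for illustration, modelled on the
# setroubleshoot messages in the question; the types samba_dcerpcd_t and
# smbd_var_run_t are assumptions, not values taken from the page.
SAMPLE_AVC='type=AVC msg=audit(1660688580.514:1234): avc:  denied  { unlink } for  pid=2878300 comm="samba-dcerpcd" name="rpcecho" dev="tmpfs" ino=12345 scontext=system_u:system_r:samba_dcerpcd_t:s0 tcontext=system_u:object_r:smbd_var_run_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1660688580.518:1235): avc:  denied  { unlink } for  pid=2878300 comm="samba-dcerpcd" name="epmapper" dev="tmpfs" ino=12346 scontext=system_u:system_r:samba_dcerpcd_t:s0 tcontext=system_u:object_r:smbd_var_run_t:s0 tclass=sock_file permissive=0
type=SYSCALL msg=audit(1660688580.518:1235): arch=c000003e syscall=87 success=no exit=-13 comm="samba-dcerpcd"'

# summarise_avc: read audit lines on stdin (e.g. from "ausearch --raw") and
# print "<count> <source type> <perms> <target type> <class>", one line per
# distinct tuple. Multiple permissions in one record are joined with commas.
summarise_avc() {
    grep 'avc:  denied' | awk '
    {
        perm = ""; src = ""; tgt = ""; cls = ""
        # the denied permissions sit inside braces: { unlink }
        if (match($0, /\{[^}]*\}/)) {
            perm = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perm)
            gsub(/ +/, ",", perm)
        }
        # third field of user:role:type:level is the SELinux type
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
            if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        count[src " " perm " " tgt " " cls]++
    }
    END { for (k in count) print count[k], k }' | sort
}

# gen_te MODULE_NAME: turn the summary into type-enforcement source with a
# require block and one allow rule per denial tuple. This is the part of the
# "audit2allow -M" output that deserves review: every allow line is a
# permanent widening of the policy for that domain.
gen_te() {
    summarise_avc | awk -v mod="$1" '
    {
        perms = $3; gsub(/,/, " ", perms)
        types[$2] = 1; types[$4] = 1
        n = split(perms, p, " ")
        for (i = 1; i <= n; i++)
            if (!seen[$5, p[i]]++) cls[$5] = cls[$5] " " p[i]
        rules[++r] = "allow " $2 " " $4 ":" $5 " { " perms " };"
    }
    END {
        print "module " mod " 1.0;"
        print ""
        print "require {"
        for (t in types) print "\ttype " t ";"
        for (c in cls)   print "\tclass " c " {" cls[c] " };"
        print "}"
        print ""
        for (i = 1; i <= r; i++) print rules[i]
    }'
}

# Stand-alone run over the constructed sample: summary, then the .te source.
printf '%s\n' "$SAMPLE_AVC" | summarise_avc
printf '%s\n' "$SAMPLE_AVC" | gen_te my-sambadcerpcd
```

On the real host the equivalent is `ausearch -c 'samba-dcerpcd' --raw | audit2allow -M my-sambadcerpcd`, followed as a separate command by `semodule -X 300 -i my-sambadcerpcd.pp`. Read the generated `.te` first: an `allow` on `sock_file unlink` for the whole daemon domain is broader than a fix for one stale socket, and a denial on files under /run/samba is also worth checking for a label mismatch (`ls -Z` on the socket files, `restorecon -Rv` on the directory) before a permanent policy exception is added.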
