

Enable File Sharing (Samba) Service

Task: Share a folder to be read/write by other home network computers. This also enables other computers to access the whitebox by its name instead of its IP address.

A. Open ports for SMB and NMB

A.1) SSH to whitebox, su
A.2) Run /usr/sbin/lokkit, choose "Customize", and append "137-139:udp 445:tcp" to the allowed other ports. Save and exit. Note that lokkit opens these ports to every source address; the "hosts allow" line in smb.conf (B.1) is what limits SMB to the home network.
A.3) Do /sbin/iptables -L and see:


[root@whitebox ~]# /sbin/iptables -L
Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere

Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT ipv6-crypt-- anywhere anywhere
ACCEPT ipv6-auth-- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:5353
ACCEPT udp -- anywhere anywhere udp dpt:ipp
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere state NEW udp dpt:xdmcp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:x11
ACCEPT udp -- anywhere anywhere state NEW udp dpt:netbios-ns
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:microsoft-ds
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ftp
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

which is GOOD. Port 139/tcp (netbios-ssn) is not opened, which is fine for Windows 2000 and later clients: they connect on 445/tcp (microsoft-ds) and use 139 only if 445 is unavailable.


B. Configure SMBD Service

B.1) Edit /etc/samba/smb.conf and make the following changes

# workgroup = NT-Domain-Name or Workgroup-Name
workgroup = HomeNetwork
# allow home network connection only (from 192.168.2.* and 127.*.*.*)
hosts allow = 192.168.2. 127.
#Password file
smb passwd file = /etc/samba/smbpasswd
# Unix users can map to different SMB User names
username map = /etc/samba/smbusers
# Cause this host to announce itself to local subnets
remote announce = 192.168.2.255
# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba to enable it's WINS Server
wins support = yes
# share /opt as "share", fully accessible by the UNIX user "root" (see the user map in B.2)
[share]
comment = Public File Farm
path = /opt
writeable = yes
printable = no
create mask = 0755
browseable = no
valid users = root

Save the changes, then run
testparm
to check the settings. All passed. Keep in mind that "valid users = root" together with the "root = jhe" map in B.2 means every file jhe writes through this share is created as uid 0; a dedicated unprivileged account (with "force user" pointing at it) is the safer choice.


B.2) Edit /etc/samba/smbusers and append the line (the format is "unixname = smbname1 smbname2 ...")
# Windows user name "jhe" is mapped to the local UNIX user "root"
root = jhe

B.3) Initialize the samba password file, do
grep root /etc/passwd | mksmbpasswd.sh > /etc/samba/smbpasswd
Check the content of /etc/samba/smbpasswd, and see
#
# SMB password file.
#
root:500:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[UD ]:LCT-00000000:
which is GOOD (the D flag marks the account as disabled until a password is set in B.4).

B.4) Set root's Samba password, do
smbpasswd root
and set the new password.
Check file /etc/samba/smbpasswd and see the line is updated to:
root:500:[long encoded password string]
which is GOOD.

B.5) Set the samba service to start automatically on reboot, then start it:
/sbin/chkconfig --level 345 smb on
/sbin/service smb start
smbd and nmbd both started successfully.

B.6) Test NetBIOS name resolution. In a Windows command prompt, do
ping whitebox
and the IP address is resolved. Also visit
http://whitebox
and the default "Fedora Core Test Page" is loaded.
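Before testing the share from Windows, it is worth checking the configuration from B.1 and B.2 for the settings that matter on a writable home share. The following audit is example code written for this page, not code from the post or from Samba. It parses smb.conf the way Samba reads it (parameter names are case-insensitive and ignore whitespace, comments start with # or ;, the last value wins) and reports a share that is accessed as root, a writable share with guest access, a permissive create mask, and a missing hosts allow. WEAK is the post's own settings; HARDENED is an assumed variant that maps the Windows user to a dedicated unprivileged account named smbshare (the account name is an assumption, not from the post).

```python
"""smb.conf audit: flag settings that make a home share risky.

Added example, not code from the original post or from Samba. WEAK is the
post's smb.conf excerpt without comments; HARDENED is a constructed variant
that uses an unprivileged account 'smbshare' (assumed name) instead of root.
"""
import re

WEAK = """
[global]
workgroup = HomeNetwork
hosts allow = 192.168.2. 127.
wins support = yes

[share]
comment = Public File Farm
path = /opt
writeable = yes
create mask = 0755
browseable = no
valid users = root
"""

HARDENED = """
[global]
workgroup = HomeNetwork
hosts allow = 192.168.2. 127.
interfaces = 192.168.2.0/24 127.0.0.1/8
bind interfaces only = yes
wins support = yes

[share]
comment = Public File Farm
path = /opt
writeable = yes
create mask = 0644
directory mask = 0755
browseable = no
valid users = smbshare
force user = smbshare
"""

_SECTION = re.compile(r"^\[(.+?)\]$")
_TRUE = ("yes", "true", "1")


def normalize(name):
    """Samba parameter names are case-insensitive and ignore whitespace."""
    return re.sub(r"\s+", "", name).lower()


def parse_smbconf(text):
    """Return {section: {parameter: value}}; a repeated parameter keeps its last value."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = _SECTION.match(line)
        if m:
            section = m.group(1).strip().lower()
            conf.setdefault(section, {})
            continue
        if section is not None and "=" in line:
            key, _, value = line.partition("=")
            conf[section][normalize(key)] = value.strip()
    return conf


def is_writable(share):
    """Honour the writeable/writable/write ok synonyms and the inverse 'read only'."""
    for key in ("writeable", "writable", "writeok"):
        if key in share:
            return share[key].lower() in _TRUE
    if "readonly" in share:
        return share["readonly"].lower() not in _TRUE
    return False  # Samba's default is read only = yes


def audit(text):
    """Return (section, finding) pairs for the risky settings in an smb.conf."""
    conf = parse_smbconf(text)
    findings = []
    if "hostsallow" not in conf.get("global", {}):
        findings.append(("global", "no 'hosts allow': any client that reaches the port may try to log in"))
    for name, share in conf.items():
        if name in ("global", "homes", "printers"):
            continue
        users = share.get("validusers", "").split()
        if "root" in users or share.get("forceuser") == "root":
            findings.append((name, "accessed as root: every remote write is performed with uid 0"))
        if is_writable(share) and share.get("guestok", "no").lower() in _TRUE:
            findings.append((name, "writable with 'guest ok = yes': anonymous writes"))
        if is_writable(share) and int(share.get("createmask", "0744"), 8) & 0o022:
            findings.append((name, "'create mask' allows group/world-writable files"))
    return findings


if __name__ == "__main__":
    for label, text in (("post's smb.conf", WEAK), ("hardened", HARDENED)):
        print(label + ":", audit(text) or "no findings")
```

On the real box the hardened variant also needs the account and its Samba password (useradd -M -s /sbin/nologin smbshare; smbpasswd -a smbshare) and the smbusers line changed to "smbshare = jhe"; /opt must then be writable by that user instead of relying on root.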

B.7) Test the samba connection. In Windows Explorer, try to open "\\whitebox"; a login id/password is requested. Type the Windows user name (jhe) and the corresponding samba password set in B.4. REJECTED. Check the system log with
tail -100 /var/log/messages
and see errors like:

Jan 26 19:25:20 whitebox smbd[5420]: [2006/01/26 19:25:20, 0] passdb/pdb_smbpasswd.c:startsmbfilepwent(279)
Jan 26 19:25:20 whitebox smbd[5420]: startsmbfilepwent_internal: failed to set 0600 permissions on password file /etc/samba/smbpasswd. Error was Permission denied
Jan 26 19:25:20 whitebox smbd[5420]: .Unable to open passdb database.

Checked the permissions of /etc/samba/smbpasswd and found them correct (0600). Suspected this was related to SELinux again, so I searched Google for the above error string. Unfortunately there were not many discussions of this problem besides this.

B.8) Tried the below:
touch /.autorelabel
reboot
After the reboot, /.autorelabel was gone (rc.sysinit deletes it once the relabel has run) and a new file /.autofsck had appeared. The latter is unrelated: rc.sysinit creates it on every boot and a clean shutdown removes it, so its presence at the next boot flags an unclean shutdown.

Then retry step B.7). Surprisingly this time I was able to browse the contents of the server and the shared folder, and copy files FROM the shared folder. However, I was NOT able to write files or create new folders TO the shared folder. The relabel is what fixed the B.7 error: the policy labels /etc/samba/smbpasswd as samba_secret_t, but the file created by shell redirection in B.3 inherited the directory's context, which smbd is not allowed to chmod; restorecon -v /etc/samba/smbpasswd would have done the same without a reboot.

I still suspect there is some unresolved SeLinux issues.

Update Jan 28, 2006
B.9) As I suspected there was still a problem with SELinux, I did more Google searching and found an email archive thread. I then tried
man samba_selinux
and understood I needed to deal with the file contexts. Following the manual, I did the following configuration:
a) Do chcon -t samba_share_t /opt
b) Create a new file /etc/selinux/targeted/contexts/files/file_contexts.local, with the following line:
/opt(/.*)? system_u:object_r:samba_share_t
c) Do setsebool -P samba_enable_home_dirs 1 (this boolean only affects the [homes] share, so it is not what /opt needs), and then
d) /sbin/service smb restart

Then I tried to access the shared folder from a Windows box and create a file/folder. I was able to create a new file/folder under the shared folder "\share" (i.e. /opt), however, I was NOT able to create a new file/folder under any sub-folder of /share.

My guess at the time was that the regular expression in file_contexts.local needed further changes. In fact "/opt(/.*)?" already covers every sub-folder; what was missing is that chcon without -R relabels only /opt itself, and a file_contexts.local entry is not applied to existing files until restorecon -R /opt (or a full relabel) runs, so the existing sub-folders kept their old type. I was running out of time that day, so I decided to temporarily bypass SELinux protection on the samba service, after all, my samba server allows connections from the home network (192.168.2.x) only. So I did
/usr/sbin/setsebool -P smbd_disable_trans 1
and then
/sbin/service smb restart

All writing problems seem to be gone, which is both good and bad -- remember my samba is not protected by SELinux now...
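The sub-folder failure in B.9 can be reproduced without a Samba server. The following is an added example written for this page, not code from the post or from SELinux. It models two things: file_contexts matching, where each regex is anchored to the whole path and a later matching entry overrides an earlier one (file_contexts.local is read after the base file, so the post's line wins for /opt), and the difference between "chcon -t samba_share_t /opt", which relabels only the one path named, and "restorecon -R /opt", which applies the rules to the whole tree. The base file_contexts excerpt and the directory tree are constructed for the demo; the types named are real ones from the targeted policy.

```python
"""Why 'chcon -t samba_share_t /opt' fixed /opt but not its sub-folders.

Added example, not code from the original post or from SELinux. The matching
model is the classic one: anchored regexes, last matching entry wins.
"""
import re

# Constructed excerpt of the targeted policy's base file_contexts.
FILE_CONTEXTS = """
/.*                  system_u:object_r:default_t
/opt(/.*)?           system_u:object_r:usr_t
"""
# The line the post added to file_contexts.local (read after the base file).
FILE_CONTEXTS_LOCAL = """
/opt(/.*)?           system_u:object_r:samba_share_t
"""
# Constructed tree, labelled as a fresh install leaves it.
TREE = {
    "/opt": "usr_t",
    "/opt/docs": "usr_t",
    "/opt/docs/notes.txt": "usr_t",
    "/opt/photos/2006": "usr_t",
    "/opt2": "default_t",
}


def load_entries(*texts):
    """Parse 'regex [filetype] context' lines into (anchored regex, type) pairs."""
    entries = []
    for text in texts:
        for line in text.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            fields = line.split()
            regex, context = fields[0], fields[-1]  # optional -d/-- field ignored (assumption)
            entries.append((re.compile("^" + regex + "$"), context.split(":")[2]))
    return entries


ENTRIES = load_entries(FILE_CONTEXTS, FILE_CONTEXTS_LOCAL)


def expected_type(path, entries=ENTRIES):
    """Type assigned by the last matching entry, or None if nothing matches."""
    result = None
    for rx, selinux_type in entries:
        if rx.match(path):
            result = selinux_type
    return result


def chcon(tree, path, selinux_type):
    """chcon without -R: only the named path changes."""
    new = dict(tree)
    new[path] = selinux_type
    return new


def restorecon_r(tree, entries=ENTRIES):
    """restorecon -R: every path gets the type file_contexts says it should have."""
    return {p: expected_type(p, entries) or t for p, t in tree.items()}


def mislabelled(tree, entries=ENTRIES):
    """Paths whose on-disk type differs from the rules, like 'restorecon -Rnv'."""
    return [p for p, t in tree.items() if expected_type(p, entries) not in (None, t)]


if __name__ == "__main__":
    after_chcon = chcon(TREE, "/opt", "samba_share_t")
    print("still wrong after chcon:", mislabelled(after_chcon))
    print("still wrong after restorecon -R:", mislabelled(restorecon_r(after_chcon)))
```

Files smbd creates directly under /opt inherit the parent's samba_share_t, which is why the top level worked; the pre-existing sub-folders stayed usr_t until a recursive relabel. On a real box, "restorecon -R -v /opt" after editing file_contexts.local (or "chcon -R -t samba_share_t /opt", which a later full relabel would undo without the .local rule) is the fix; on newer policies the .local line is managed with semanage fcontext instead.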
