Bug 5524 - smbd access homes, but homes disabled in config file
Summary: smbd access homes, but homes disabled in config file
Status: RESOLVED WORKSFORME
Alias: None
Product: Samba 3.2
Classification: Unclassified
Component: File services
Version: 3.2.0
Hardware: x86 Linux
: P3 normal
Target Milestone: ---
Assignee: Samba Bugzilla Account
QA Contact: Samba QA Contact
Reported: 2008-06-06 15:02 UTC by venca
Modified: 2008-06-13 09:49 UTC

Attachments
Output of grepped smbd log (9.64 KB, text/plain), 2008-06-06 15:05 UTC, venca
Output of sealert (2.40 KB, text/plain), 2008-06-06 15:06 UTC, venca

Description venca 2008-06-06 15:02:50 UTC
1. case:
The process smbd accesses "homes" and attempts to handle "homes" (and tries to access my home dir) even though I did not specify the section [homes] in my configuration file.


2. case:
The process smbd accesses my "homes" and attempts to handle "homes" (and tries to access my home dir) even though I tried to redirect my home dir to another location with the following configuration:
#cutout from my config file
...
[homes]
path=/somewhere_else/on_different_filesystem
...


Related smbd log - output of command "smbd -i -d 10 |grep -A 10 -B 10 home":

//BEGIN of listing of output of command "smbd -i -d 10 |grep -A 10 -B 10 home"
--
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
NT user token: (NULL)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
pdb_set_username: setting username myusername, was 
pdb_set_domain: setting domain MYHOSTNAME, was 
pdb_set_nt_username: setting nt username , was 
pdb_set_full_name: setting full name Big Fart, was 
Home server: myhostname
pdb_set_homedir: setting home dir \\myhostname\myusername, was 
pdb_set_dir_drive: setting dir drive , was NULL
pdb_set_logon_script: setting logon script , was 
Home server: myhostname
pdb_set_profile_path: setting profile path \\myhostname\myusername\profile, was 
pdb_set_workstations: setting workstations , was 
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2
push_conn_ctx(0) : conn_ctx_stack_ndx = 1
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
NT user token: (NULL)
UNIX token of user 0
--
NT user token: (NULL)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
account_policy_get: name: password history, val: 0
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
pdb_set_username: setting username myusername, was 
pdb_set_domain: setting domain MYHOSTNAME, was 
pdb_set_nt_username: setting nt username , was 
pdb_set_full_name: setting full name Big Fart, was 
Home server: myhostname
pdb_set_homedir: setting home dir \\myhostname\myusername, was 
pdb_set_dir_drive: setting dir drive , was NULL
pdb_set_logon_script: setting logon script , was 
Home server: myhostname
pdb_set_profile_path: setting profile path \\myhostname\myusername\profile, was 
pdb_set_workstations: setting workstations , was 
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2
push_conn_ctx(0) : conn_ctx_stack_ndx = 1
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
NT user token: (NULL)
UNIX token of user 0
--
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
NT user token: (NULL)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
pdb_set_username: setting username myusername, was 
pdb_set_domain: setting domain MYHOSTNAME, was 
pdb_set_nt_username: setting nt username , was 
pdb_set_full_name: setting full name Big Fart, was 
Home server: myhostname
pdb_set_homedir: setting home dir \\myhostname\myusername, was 
pdb_set_dir_drive: setting dir drive , was NULL
pdb_set_logon_script: setting logon script , was 
Home server: myhostname
pdb_set_profile_path: setting profile path \\myhostname\myusername\profile, was 
pdb_set_workstations: setting workstations , was 
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2
push_conn_ctx(0) : conn_ctx_stack_ndx = 1
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
NT user token: (NULL)
UNIX token of user 0
--
NT user token: (NULL)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
account_policy_get: name: password history, val: 0
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
pdb_set_username: setting username myusername, was 
pdb_set_domain: setting domain MYHOSTNAME, was 
pdb_set_nt_username: setting nt username , was 
pdb_set_full_name: setting full name Big Fart, was 
Home server: myhostname
pdb_set_homedir: setting home dir \\myhostname\myusername, was 
pdb_set_dir_drive: setting dir drive , was NULL
pdb_set_logon_script: setting logon script , was 
Home server: myhostname
pdb_set_profile_path: setting profile path \\myhostname\myusername\profile, was 
pdb_set_workstations: setting workstations , was 
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2
push_conn_ctx(0) : conn_ctx_stack_ndx = 1
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
NT user token: (NULL)
UNIX token of user 0
--
NT user token: (NULL)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
account_policy_get: name: password history, val: 0
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 2
pdb_set_username: setting username myusername, was 
pdb_set_domain: setting domain MYHOSTNAME, was 
pdb_set_nt_username: setting nt username , was 
pdb_set_full_name: setting full name Big Fart, was 
Home server: myhostname
pdb_set_homedir: setting home dir \\myhostname\myusername, was 
pdb_set_dir_drive: setting dir drive , was NULL
pdb_set_logon_script: setting logon script , was 
Home server: myhostname
pdb_set_profile_path: setting profile path \\myhostname\myusername\profile, was 
pdb_set_workstations: setting workstations , was 
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 3
push_conn_ctx(0) : conn_ctx_stack_ndx = 2
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 3
NT user token: (NULL)
UNIX token of user 0
--
NT user token: (NULL)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
account_policy_get: name: password history, val: 0
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
pdb_set_username: setting username myusername, was 
pdb_set_domain: setting domain MYHOSTNAME, was 
pdb_set_nt_username: setting nt username , was 
pdb_set_full_name: setting full name Big Fart, was 
Home server: myhostname
pdb_set_homedir: setting home dir \\myhostname\myusername, was 
pdb_set_dir_drive: setting dir drive , was NULL
pdb_set_logon_script: setting logon script , was 
Home server: myhostname
pdb_set_profile_path: setting profile path \\myhostname\myusername\profile, was 
pdb_set_workstations: setting workstations , was 
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2
push_conn_ctx(0) : conn_ctx_stack_ndx = 1
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
NT user token: (NULL)
UNIX token of user 0
--
SID[  4]: S-1-5-11
SE_PRIV  0x0 0x0 0x0 0x0
register_initial_vuid: allocated vuid = 100
register_existing_vuid: (500,500) myusername myusername MYHOSTNAME guest=0
register_existing_vuid: User name: myusername	Real name: Big Fart
register_existing_vuid: UNIX uid 500 is UNIX user myusername, and will be vuid 100
Locking key 49442F383938382F3130
Allocated locked data 0x0xb990df00
Unlocking key 49442F383938382F3130
lp_servicenumber: couldn't find myusername
Adding homes service for user 'myusername' using home directory: '/home/myusername'
lp_servicenumber: couldn't find homes
lp_file_list_changed()
file /etc/samba/smb.conf -> /etc/samba/smb.conf  last mod_time: Fri Jun  6 21:12:08 2008

size=112
smb_com=0x73
smb_rcls=0
smb_reh=0
smb_err=0
smb_flg=128
smb_flg2=49153
--
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
NT user token: (NULL)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
pdb_set_username: setting username myusername, was 
pdb_set_domain: setting domain MYHOSTNAME, was 
pdb_set_nt_username: setting nt username , was 
pdb_set_full_name: setting full name Big Fart, was 
Home server: myhostname
pdb_set_homedir: setting home dir \\myhostname\myusername, was 
pdb_set_dir_drive: setting dir drive , was NULL
pdb_set_logon_script: setting logon script , was 
Home server: myhostname
pdb_set_profile_path: setting profile path \\myhostname\myusername\profile, was 
pdb_set_workstations: setting workstations , was 
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2
push_conn_ctx(0) : conn_ctx_stack_ndx = 1
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
NT user token: (NULL)
UNIX token of user 0
--
NT user token: (NULL)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
account_policy_get: name: password history, val: 0
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
pdb_set_username: setting username myusername, was 
pdb_set_domain: setting domain MYHOSTNAME, was 
pdb_set_nt_username: setting nt username , was 
pdb_set_full_name: setting full name Big Fart, was 
Home server: myhostname
pdb_set_homedir: setting home dir \\myhostname\myusername, was 
pdb_set_dir_drive: setting dir drive , was NULL
pdb_set_logon_script: setting logon script , was 
Home server: myhostname
pdb_set_profile_path: setting profile path \\myhostname\myusername\profile, was 
pdb_set_workstations: setting workstations , was 
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2
push_conn_ctx(0) : conn_ctx_stack_ndx = 1
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
NT user token: (NULL)
UNIX token of user 0
--
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
NT user token: (NULL)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
pdb_set_username: setting username myusername, was 
pdb_set_domain: setting domain MYHOSTNAME, was 
pdb_set_nt_username: setting nt username , was 
pdb_set_full_name: setting full name Big Fart, was 
Home server: myhostname
pdb_set_homedir: setting home dir \\myhostname\myusername, was 
pdb_set_dir_drive: setting dir drive , was NULL
pdb_set_logon_script: setting logon script , was 
Home server: myhostname
pdb_set_profile_path: setting profile path \\myhostname\myusername\profile, was 
pdb_set_workstations: setting workstations , was 
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2
push_conn_ctx(0) : conn_ctx_stack_ndx = 1
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
NT user token: (NULL)
UNIX token of user 0
--
NT user token: (NULL)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
account_policy_get: name: password history, val: 0
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
pdb_set_username: setting username myusername, was 
pdb_set_domain: setting domain MYHOSTNAME, was 
pdb_set_nt_username: setting nt username , was 
pdb_set_full_name: setting full name Big Fart, was 
Home server: myhostname
pdb_set_homedir: setting home dir \\myhostname\myusername, was 
pdb_set_dir_drive: setting dir drive , was NULL
pdb_set_logon_script: setting logon script , was 
Home server: myhostname
pdb_set_profile_path: setting profile path \\myhostname\myusername\profile, was 
pdb_set_workstations: setting workstations , was 
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2
push_conn_ctx(0) : conn_ctx_stack_ndx = 1
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
NT user token: (NULL)
UNIX token of user 0

//END of listing of output of command "smbd -i -d 10 |grep -A 10 -B 10 home"


Finally, how I realized this: simply by checking my SELinux log. I found that SELinux was complaining about the following issue:

" ... setroubleshoot: SELinux is preventing the samba daemon from reading users' home directories. For complete SELinux messages. ..."

I listed below how the "sealert" tool in my Fedora 9 explained what happened from the system's point of view. The listing also contains all necessary information about my system and the used/related software.

//BEGIN of listing of sealert output
Summary:

SELinux is preventing the samba daemon from reading users' home directories.

Detailed Description:

SELinux has denied the samba daemon access to users' home directories. Someone
is attempting to access your home directories via your samba daemon. If you only
setup samba to share non-home directories, this probably signals a intrusion
attempt. For more information on SELinux integration with samba, look at the
samba_selinux man page. (man samba_selinux)

Allowing Access:

If you want samba to share home directories you need to turn on the
samba_enable_home_dirs boolean: "setsebool -P samba_enable_home_dirs=1"

Fix Command:

setsebool -P samba_enable_home_dirs=1

Additional Information:

Source Context                unconfined_u:system_r:smbd_t:s0
Target Context                system_u:object_r:home_root_t:s0
Target Objects                /home [ dir ]
Source                        smbd
Source Path                   /usr/sbin/smbd
Port                          <Unknown>
Host                          my_hostname
Source RPM Packages           samba-3.2.0-1.rc1.14.fc9
Target RPM Packages           filesystem-2.4.13-1.fc9
Policy RPM                    selinux-policy-3.3.1-55.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   samba_enable_home_dirs
Host Name                     my_hostname
Platform                      Linux my_hostname 2.6.25.4-30.fc9.i686 #1 SMP Wed May 21
                              18:12:35 EDT 2008 i686 athlon
Alert Count                   7621
First Seen                    Thu Jun  5 18:32:21 2008
Last Seen                     Fri Jun  6 21:00:00 2008
Local ID                      914f986c-f627-4444-8d60-305ad1e553f2
Line Numbers                  

Raw Audit Messages            

host=my_hostname type=AVC msg=audit(1212778800.465:105): avc:  denied  { getattr } for  pid=8793 comm="smbd" path="/home" dev=md3 ino=2 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir

host=my_hostname type=SYSCALL msg=audit(1212778800.465:105): arch=40000003 syscall=195 success=no exit=-13 a0=bf9fecd5 a1=bf9ff0cc a2=514ff4 a3=bf9fecdb items=0 ppid=8789 pid=8793 auid=500 uid=500 gid=0 euid=500 suid=0 fsuid=500 egid=500 sgid=0 fsgid=500 tty=(none) ses=1 comm="smbd" exe="/usr/sbin/smbd" subj=unconfined_u:system_r:smbd_t:s0 key=(null)

//END of listing of sealert output
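An added example, not part of this bug report or of Samba: a small Python filter that parses raw audit AVC messages like the one quoted above and keeps only denials where smbd (smbd_t) touched a home-directory type, so an administrator can see at a glance which denials the sealert boolean would cover before deciding whether home shares are intended at all. The sample lines are constructed (the first is the report's own message); the home types other than home_root_t are assumed from the targeted policy.

```python
import re

# Constructed sample audit lines: the first is the AVC message quoted in the
# report above; the other two are made up here to show a second home-dir
# denial and an unrelated (non-smbd) denial that must be ignored.
SAMPLE_AUDIT = """\
host=my_hostname type=AVC msg=audit(1212778800.465:105): avc:  denied  { getattr } for  pid=8793 comm="smbd" path="/home" dev=md3 ino=2 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
host=my_hostname type=AVC msg=audit(1212778900.001:106): avc:  denied  { read search } for  pid=8793 comm="smbd" path="/home/myusername" dev=md3 ino=17 scontext=unconfined_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
host=my_hostname type=AVC msg=audit(1212779000.500:107): avc:  denied  { write } for  pid=9001 comm="httpd" path="/var/www/html" dev=md3 ino=40 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# SELinux types used for home directories in the targeted policy (assumption:
# the report only shows home_root_t; the other two are the usual per-user types).
HOME_TYPES = {"home_root_t", "user_home_dir_t", "user_home_t"}

def parse_avc(line):
    """Return a dict of the AVC fields, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    fields["perms"] = m.group("perms").split()
    # A context is user:role:type:level; the type is what the policy decides on.
    fields["stype"] = fields["scontext"].split(":")[2]
    fields["ttype"] = fields["tcontext"].split(":")[2]
    return fields

def samba_home_denials(audit_text):
    """Keep only denials where smbd_t touched a home-directory type and attach
    the boolean that sealert recommended in the report."""
    findings = []
    for line in audit_text.splitlines():
        f = parse_avc(line)
        if f and f["stype"] == "smbd_t" and f["ttype"] in HOME_TYPES:
            f["fix"] = "setsebool -P samba_enable_home_dirs=1 (only if home shares are intended)"
            findings.append(f)
    return findings

if __name__ == "__main__":
    for f in samba_home_denials(SAMPLE_AUDIT):
        print(f'pid={f["pid"]} {f["comm"]} {f["perms"]} {f["path"]} ({f["ttype"]}) -> {f["fix"]}')
```

Run it against `ausearch -m AVC` output in practice; denials that are not matched here are not candidates for the boolean and need a separate look.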
Comment 1 venca 2008-06-06 15:05:40 UTC
Created attachment 3337 [details]
Output of grepped smbd log
Comment 2 venca 2008-06-06 15:06:17 UTC
Created attachment 3338 [details]
Output of sealert
Comment 3 Karolin Seeger 2008-06-13 09:49:37 UTC
Works for me.

Do you have any details how to reproduce the described behaviour?