Samba Share – Allow Access to Mounted Remote File Store

centos centos8 samba selinux

I have two servers on the same network. One running Windows Server 2016 and another running CentOS 8. The Windows server is my main file store, it's where all my data is. The CentOS server has the Windows share mounted and can access its files.

On CentOS, I've set up a samba share. Why? Because I have a webapp running on that same server and I want the webapp to control who can access what file. So, instead of having our (internal) users mount the Windows share directly, they'll be mounting the CentOS share which will be "gatekeeping" access to the files.

In the samba folder, there are folders for each user and a config to allow users access to just their folders. The webapp is configured to add symlinks into these folders that link to the "real" files.

This is where the issue is. If I add a "normal" file into a user's folder, they can access it just fine. But if I add a symlink (to a file in the mounted Windows share), it doesn't appear for them. I'm pretty sure this is an SELinux issue.

Here's how things are set up.

  • The Windows share is mounted

    sudo mount -t cifs //WindowsShare/data /media/WinShare \
      -o ip=192.168.1.5,username=user,gid=sambashare
    
    ls -alhZ /media/WinShare
    drwxr-xr-x. 2 root sambashare system_u:object_r:cifs_t:s0  0 Jan 10 16:57 files
    
  • A samba share is created and uses /srv/smb (all samba users are in the sambashare group)

    ls -alhZ /srv
    drwxrwx---.  2 root sambashare unconfined_u:object_r:samba_share_t:s0    6 Jan 13 11:20 smb
    
  • The /etc/samba/smb.conf has the following:

    [global]
        allow insecure wide links = yes
        unix extensions = no
    
    [adminShare]
        path = /srv/smb
        wide links = yes
        follow symlinks = yes
    
  • As a test, I added a symlink and a file

    ln -s /media/WinShare/files/test.pdf /srv/smb/test.pdf
    touch /srv/smb/file.bin
    

Then I tried to mount \\CentOS\adminShare in a Windows VM and I don't see the test.pdf file but I do see file.bin.

How can I give the CentOS samba share access to the mounted Windows Server data? When setting up the CentOS server, I ran:

    sudo semanage fcontext -a -t samba_share_t "/srv/smb(/.*)?"

This is what allowed me to see file.bin, but I still can't see file.pdf. I found this, but I don't know if I want to change everything:

    sudo setsebool -P samba_export_all_rw=1

How can I allow samba to access the /media/WinShare folder? Would this work?

    sudo semanage fcontext -a -t samba_share_t "/media/WinShare(/.*)?"

Best Answer

I fixed it! I had to mount the Windows share and force a context of samba_share_t.

When mounting add context=unconfined_u:object_r:samba_share_t:s0.

    sudo mount -t cifs //WindowsShare/data /media/WinShare \
        -o ip=192.168.1.5,username=user,gid=sambashare,context=unconfined_u:object_r:samba_share_t:s0
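
A check for the condition the answer fixes, as an added example that is not part of the original post: for each symlink under the share directory it reports whether the target sits on a CIFS mount whose options carry a context= of type samba_share_t. The function names, the status words and the reliance on /proc/mounts listing context= for such a mount are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post. For every symlink under a Samba
# share directory, report whether its target sits on a CIFS mount that carries
# an SELinux context= option of type samba_share_t.
# Assumption: the mounts file has /proc/mounts layout (device, mount point,
# fstype, options) and lists context= among a labelled mount's options.

# Set MP, FSTYPE, OPTS to the mount covering path $1 (longest prefix, last wins).
covering_mount() {
    MP='' FSTYPE='' OPTS=''
    while read -r _dev mp fstype opts _rest; do
        case "$1/" in
            "${mp%/}/"*)
                if [ "${#mp}" -ge "${#MP}" ]; then
                    MP=$mp FSTYPE=$fstype OPTS=$opts
                fi ;;
        esac
    done < "$2"
}

# audit_share_links SHARE_DIR [MOUNTS_FILE]
# Prints one status line per symlink; returns 1 if any link is UNLABELED.
audit_share_links() {
    find "$1" -type l | (
        rc=0
        while IFS= read -r link; do
            target=$(readlink -f -- "$link") || { echo "UNRESOLVED $link"; continue; }
            covering_mount "$target" "${2:-/proc/mounts}"
            if [ "$FSTYPE" != cifs ]; then
                # Local file systems label each file; inspect those with ls -Z.
                echo "LOCAL $link -> $target"
            elif printf '%s' "$OPTS" | grep -Eq '(^|,)context=[^,]*:samba_share_t:'; then
                echo "LABELED $link -> $target"
            else
                echo "UNLABELED $link -> $target (mount $MP lacks samba_share_t context)"
                rc=1
            fi
        done
        exit "$rc"
    )
}

# Usage with the paths from the question: audit_share_links /srv/smb
```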