Re: Samba support fails in F27


Feel free to ignore this BUT, I'm confused where Windows 10 is fitting
into this. I see an smb.conf that looks like it's set up for a server
with a bunch of shares. And I also see the use of smbclient for
testing. So I think it needs to be more clear what is the server, and
what is the client.

Also, if you're using Samba server, it matters if you're using
avahi-daemon for local dns resolution, or NetBIOS, or Active
Directory. SMB is pretty dense, it all has to be configured correctly.
And then there's which services are running on Samba server, for the
NetBIOS stuff you need 'systemctl start nmb smb' but quite honestly
I've found connecting from a Windows 10 client to Samba to always be
flaky. The most reliable has been manually inputting \\f27s into the
search field in a Windows Explorer window and I always connect
successfully. Browsing, rarely does F27S appear.

From Fedora 27 Workstation (GNOME), I have a similar problem browsing
with the Windows Network icon because gvfs smb is not capable of
initiating with SMB3 unless Kerberos is set up, and I haven't gone down
that rabbit hole.

So what I'm doing on Fedora Server (running samba server) in
/etc/samba/smb.conf is

[global]
server min protocol = SMB2

Because I really don't want SMB1 enabled anymore. But as a
consequence, my understanding is that disables browsing support unless
you have one of the more sophisticated browsing methods enabled (which
is quickly where I get into the weeds, but NetBIOS and nmb is one
method, and the preferred new method is with SMB3 and AD and Kerberos
for authentication). But because I've basically hobbled all the legacy
and new method ways of browsing, I have to manually input the server.
BUT I can do it with an mdns hostname rather than setting up a static
address.

So for me, in GNOME, I use connect to server, and enter
smb://f27s.local/scratch/, and then click Connect and I get an
authentication dialog, the share mounts and everything is fine, and
it's actually an SMB3.11 connection. So it's encrypted and it's fast.
And this also works with newer MacOS's as well.

*sigh*

One thing I had to do for some reason I don't understand is 'dnf
install nss' in order to get Avahi to actually discover and translate
f27s.local into an IP. I don't know why nss is needed to make Avahi
really work rather than just sort of work. And why it's not installed
by default. I haven't tested that out yet. Next I modified
/etc/nsswitch.conf such that the hosts line reads like this:

hosts:      files mdns_minimal [NOTFOUND=return] dns myhostname

The default is to use mdns4_minimal, which causes it to resolve the
mdns host name into an IPv4 rather than IPv6. So now when I do smb,
ssh, or scp connections by f27s.local, this gets resolved into an
IPv6. That is almost certainly superfluous information; you probably
want to just get it working with IPv4 for now.


> Negative. Here is the output:
>
> smbclient //temlakos/gamester -U Temlakos
>
> tree connect failed: NT_STATUS_ACCESS_DENIED

This sounds to me like it wants to do a Kerberos authenticated
connection... I have this same error message when I try to print to a
printer that does not have guest ok = yes.




> From Windows You can connect to Fedora type "\\temlakos" into file
> manager
>
> Is this OK?
>
>
> Now that works. I can't understand why the file manager won't list it
> normally as a browseable system. But when I specify it, I can get it.


Right that's this ancient SMB1 stuff that's slowly being deprecated
both on the Windows and Samba side. And then the lack of configuration
for NetBIOS as the old new way which is now the new legacy. And also
not having Kerberosized AD authentication setup.

And my terminology here is probably shit. I have the baseball in the
ball field, but it may be a foul ball.




>
>  if enabled, is configured like
> /etc/samba/smb.conf.example show?
>
>
> I wouldn't know how to test that.

I don't see anything in my /etc/samba/smb.conf related to selinux.
What does matter is the root mount point must have the proper selinux
label.

For example I have these connections from client to server:
smb://f27s.local/scratch/
smb://f27s.local/most/
smb://f27s.local/tm/

And those translate into directories /srv/most, /srv/scratch, /srv/tm,
and those have these permissions:

[chris@f27s ~]$ ls -lZ /srv
total 0
drwxr-x---. 1 chris smbusers system_u:object_r:samba_share_t:s0 218 Nov  6 20:22 most
drwxr-x---. 1 chris smbusers system_u:object_r:samba_share_t:s0 534 Dec 16 15:43 scratch
drwxr-x---. 3 chris smbusers system_u:object_r:samba_share_t:s0  74 Aug 21 22:42 tm
[chris@f27s ~]$

But the proper label is not news, it's been this way for a long time,
it's not a new thing in Fedora 27. Now that I think about it, these
permissions seem a little specious. I'd kinda expect the owner to be
root to prevent any normal user from having rwx access. And then
smbusers should be rwx to grant smbd alone the permission to rmx. And
then it's up to smbd to manage authentication and user permissions
inside this directory.

HUH. Anyway. It works and I'm not changing this today.


-- 
Chris Murphy
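
Added example, not part of the original message: a small Python check for the two server-side settings discussed above, the [global] minimum protocol and the SELinux label on share directories. The smb.conf snippets and the ls -lZ lines are constructed samples, and treating any access for "other" users as a finding is an assumption of this example.

```python
# Added example; the sample inputs below are constructed, not from a real host.
DIALECTS = ["CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1", "SMB2", "SMB2_02",
            "SMB2_10", "SMB3", "SMB3_00", "SMB3_02", "SMB3_11"]  # oldest first

def parse_global(conf_text):
    """Return [global] parameters; names are case- and whitespace-insensitive."""
    section, params = None, {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            key = "".join(key.lower().split())
            # "min protocol" is a synonym for "server min protocol"
            params["serverminprotocol" if key == "minprotocol" else key] = value.strip()
    return params

def smb1_allowed(conf_text):
    """True/False when a minimum dialect is set; None when unset (the default
    then depends on the installed Samba version)."""
    value = parse_global(conf_text).get("serverminprotocol")
    if value is None:
        return None
    return DIALECTS.index(value.upper()) < DIALECTS.index("SMB2")

def audit_share_dirs(ls_output, expected_type="samba_share_t"):
    """Check `ls -lZ` lines for the SELinux type and for access by 'other'."""
    findings = []
    for line in ls_output.splitlines():
        f = line.split()
        if len(f) < 6 or not f[0].startswith("d"):
            continue  # skips "total 0", prompts and non-directories
        mode, context, name = f[0], f[4], f[-1]
        parts = context.split(":")
        if len(parts) < 3 or parts[2] != expected_type:
            findings.append((name, "label " + context))
        if mode[7:10] != "---":  # assumption of this example: no access for others
            findings.append((name, "mode " + mode[:10]))
    return findings

HARDENED = "[global]\n    server min protocol = SMB2\n[scratch]\n    path = /srv/scratch\n"
LEGACY = "[Global]\n; old clients\nMin Protocol = NT1\n"
LS_SAMPLE = ("total 0\n"
    "drwxr-x---. 1 chris smbusers system_u:object_r:samba_share_t:s0 534 Dec 16 15:43 scratch\n"
    "drwxr-xr-x. 2 root root unconfined_u:object_r:var_t:s0 6 Dec 16 15:50 newshare\n")
if __name__ == "__main__":
    print(smb1_allowed(HARDENED), smb1_allowed(LEGACY), audit_share_dirs(LS_SAMPLE))
```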