samba, kerberos, winbind and W2K3 avc messages

Tom Diehl <tdiehl@xxxxxxxxxxxx> · Sun, 2 Apr 2006 14:01:58 -0400 (EDT)

Hi all,

I have a fully updated FC4 machine that I am trying to get samba and winbind
working with selinux in enforcing mode.

I would appreciate it if someone could look at the avc messages below and 
help me understand what they mean and how to fix the machine.

When I start up samba and winbind I get the following avc messages:

Apr  2 11:06:45 backup kernel: audit(1143990405.799:54): avc:  denied  { getattr } for  pid=2773 comm="smbd" name="backup-044_0" dev=dm-4 ino=31755 scontext=root:system_r:smbd_t tcontext=root:object_r:samba_net_tmp_t tclass=file
Apr  2 11:06:45 backup kernel: audit(1143990405.807:55): avc:  denied  { getattr } for  pid=2773 comm="smbd" name="backup-044_0" dev=dm-4 ino=31755 scontext=root:system_r:smbd_t tcontext=root:object_r:samba_net_tmp_t tclass=file
Apr  2 11:06:45 backup kernel: audit(1143990405.811:56): avc:  denied  { getattr } for  pid=2773 comm="smbd" name="backup-044_0" dev=dm-4 ino=31755 scontext=root:system_r:smbd_t tcontext=root:object_r:samba_net_tmp_t tclass=file
Apr  2 11:06:45 backup kernel: audit(1143990405.815:57): avc:  denied  { getattr } for  pid=2773 comm="smbd" name="backup-044_0" dev=dm-4 ino=31755 scontext=root:system_r:smbd_t tcontext=root:object_r:samba_net_tmp_t tclass=file
Apr  2 11:06:45 backup kernel: audit(1143990405.819:58): avc:  denied  { getattr } for  pid=2773 comm="smbd" name="backup-044_0" dev=dm-4 ino=31755 scontext=root:system_r:smbd_t tcontext=root:object_r:samba_net_tmp_t tclass=file
Apr  2 11:06:45 backup kernel: audit(1143990405.823:59): avc:  denied  { getattr } for  pid=2773 comm="smbd" name="backup-044_0" dev=dm-4 ino=31755 scontext=root:system_r:smbd_t tcontext=root:object_r:samba_net_tmp_t tclass=file
...

When I try to browse the samba shares from the w2k3 server I get the following
messages:

==> messages <==
Apr  2 11:09:35 backup kernel: audit(1143990575.906:161): avc:  denied  { getattr } for  pid=2811 comm="smbd" name="backup-044_0" dev=dm-4 ino=31755 scontext=root:system_r:smbd_t tcontext=root:object_r:samba_net_tmp_t tclass=file
Apr  2 11:09:35 backup kernel: audit(1143990575.910:162): avc:  denied  { getattr } for  pid=2811 comm="smbd" name="backup-044_0" dev=dm-4 ino=31755 scontext=root:system_r:smbd_t tcontext=root:object_r:samba_net_tmp_t tclass=file

==> samba/sommer1.log <==
[2006/04/02 11:09:35, 1] libads/kerberos_verify.c:ads_verify_ticket(324)
  ads_verify_ticket: krb5_get_server_rcache failed (Permission denied in replay cache code)
[2006/04/02 11:09:35, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!
[2006/04/02 11:09:35, 1] libads/kerberos_verify.c:ads_verify_ticket(324)
  ads_verify_ticket: krb5_get_server_rcache failed (Permission denied in replay cache code)
[2006/04/02 11:09:35, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!

If I disable selinux everything works as it should.

Regards,

Tom Diehl		tdiehl@xxxxxxxxxxxx		Spamtrap address mtd123@xxxxxxxxxxxx

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list