Mounting CIFS shares at login with SELinux enabled

SELinux is as painful to use sometimes as it is powerful when it comes to locking down server permissions. Unfortunately, even with distributions such as Red Hat that support SELinux out of the box, you will still experience problems.

One such issue I came across recently was automounting CIFS shares on boot using netfs. At startup the netfs service was returning an "error 13 - error opening credentials file" when attempting to mount the CIFS shares. The problem was that SELinux was not allowing the netfs script to access the file that contained the CIFS authorisation details.

For example, my /etc/fstab had the following entry:

//WINDOWSSERVER/SHARE          /mnt/windowsshare             cifs    credentials=/etc/samba/auth.cifs        0 0

And in the /etc/samba/auth.cifs file were the following details:


The solution to the problem was to change an SELinux boolean parameter with the following command (found here):

setsebool -P allow_mount_anyfile 1

This lets the mount command open any referenced file, effectively side-stepping the netfs error. Sure, it is not 100% secure, but it works without having to completely disable SELinux, which seems to be most people's answer to any problems.
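
To confirm that SELinux is what blocked the credentials file before changing a boolean, the denial can be pulled out of the audit log. The script below is an added example, not part of the original post; the helper name denials_for_file is hypothetical and the two audit records in SAMPLE_AVC, including their contexts, are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. SAMPLE_AVC holds two audit
# records constructed for illustration; their contexts are sample values.
SAMPLE_AVC='type=AVC msg=audit(1190000000.123:45): avc:  denied  { read } for  pid=2101 comm="mount.cifs" name="auth.cifs" dev=sda2 ino=98765 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:samba_etc_t:s0 tclass=file
type=AVC msg=audit(1190000001.456:46): avc:  denied  { getattr } for  pid=2200 comm="httpd" name="index.html" dev=sda2 ino=11111 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file'

# denials_for_file NAME (hypothetical helper): read audit records on stdin
# and print "comm permissions scontext tcontext" per AVC denial on NAME.
denials_for_file() {
    awk -v want="$1" '
        function val(kv) { sub(/^[^=]*=/, "", kv); gsub(/"/, "", kv); return kv }
        /avc: +denied/ {
            comm = name = src = tgt = perm = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "{") {
                    # Collect every permission listed between the braces.
                    for (j = i + 1; j <= NF && $j != "}"; j++)
                        perm = perm (perm == "" ? "" : ",") $j
                } else if ($i ~ /^comm=/)     comm = val($i)
                else if ($i ~ /^name=/)       name = val($i)
                else if ($i ~ /^scontext=/)   src  = val($i)
                else if ($i ~ /^tcontext=/)   tgt  = val($i)
            }
            if (name == want) print comm, perm, src, tgt
        }
    '
}

# On a live system: denials_for_file auth.cifs < /var/log/audit/audit.log
printf '%s\n' "$SAMPLE_AVC" | denials_for_file auth.cifs
```

A matching line shows which process was denied, which permission it asked for, and the label on the credentials file, which is the information needed to judge whether a system-wide boolean is the narrowest fix available.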

Automounting Samba shares in Leopard

Edit 15th November 2007: After a few weeks of use I have found the automount technique described here is a little unreliable, not only from the perspective of keeping the mount point active but also for maintaining the correct file permissions. This may be addressed in future OSX 10.5 updates, but for the time being using user-level mounts via Finder or Go -> Connect to Server is more reliable. To automatically mount a volume, save the mount point as a Favorite (Go -> Connect to Server -> Add favorite) and then drag this favorite (stored in ~/Library/Favorites) to the Login Items under Account Preferences.

Apple have pleased a number of people by laying to rest the NetInfo Manager in OSX 10.5 'Leopard'. Many of the functions performed by this Registry-like tool have been incorporated into the far tidier Directory Utility tool. Unfortunately, whilst this tool includes the ability to define automounted NFS shares, the same capability is not provided for Samba. This is a pain if you have a couple of Samba servers on the network that need to be connected all the time, a good example being a network share for iTunes music.

Fortunately all is not lost, as we can still edit the automount configuration files directly so that our Samba shares are always accessible. To start with, open up the Terminal application as an administrative user and then use sudo to create a bash shell.

sudo bash (enter)

You will be prompted to enter your administrator password at this point.

We will now create a file entitled auto.smb in the /etc/ directory to hold our server details.

pico /etc/auto.smb (enter)

In this file enter the following line (add more lines for extra servers/shares) 

$Sharename -fstype=smbfs ://$Username:$Password@$Server/$Share


$Sharename = the name you want to give the mount point
$Username = the user to connect to the server as
$Password = password of the user
$Server = the name of the server (dns/wins entry)
$Share = the name of the share on the server

As this file stores the username and password to the server in plain text, set the permissions of the file so that only the root user can read it.

chmod 600 /etc/auto.smb (enter)

Now edit the /etc/auto_master file and append the auto.smb record at the end of the file. The auto_master file controls all the automounts for the system; leave everything about this file alone except for the extra line at the end.

pico /etc/auto_master (enter)

# Automounter master map
+auto_master # Use directory service
/net -hosts -nobrowse,nosuid
/home auto_home -nobrowse
/Network/Servers -fstab
/-  -static
/Users/Resources auto.smb

This will tell the automounter to mount the shares defined in the /etc/auto.smb file under the /Users/Resources directory. So for example if auto.smb defined a Music share we would end up with /Users/Resources/Music. Note: You do not have to use /Users/Resources.

With the configuration files in place it is now time to tell the automounter to refresh the settings. Execute the following command:

automount -vc (enter)

If all goes well you should see the following output from this command:

automount: /net updated
automount: /home updated
automount: /Users/Resources updated
automount: no unmounts

Now you should be able to open the Finder and see a /Users/Resources directory that lists (and magically takes you to) all the network shares you have defined in the auto.smb file.
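
The steps above create /etc/auto.smb first and tighten it with chmod afterwards, so with a typical 022 umask the password is readable by other local users in between. The script below is an added example, not part of the original post: the helper names add_smb_map_entry and is_private are hypothetical, and it refuses (rather than escapes) field values containing whitespace, @, : or /, since those would change how the map line or the URL is split.

```shell
#!/bin/sh
# Added example, not from the original post. Helper names are hypothetical.

# is_private FILE: true when no group/other permission bits are set.
is_private() {
    perms=$(ls -ln "$1" | awk '{ print $1 }')
    case $perms in
        ????------*) return 0 ;;
        *)           return 1 ;;
    esac
}

# add_smb_map_entry MAPFILE SHARENAME USERNAME PASSWORD SERVER SHARE
# Appends one line in the format used by the post's auto.smb file.
add_smb_map_entry() {
    map=$1; name=$2; user=$3; pass=$4; server=$5; share=$6
    # Whitespace would split the map line into extra fields, and @ : /
    # delimit the URL parts, so refuse values that contain them.
    for v in "$name" "$user" "$pass" "$server" "$share"; do
        case $v in
            ''|*[[:space:]@:/]*)
                echo "empty or unsafe field refused" >&2   # never echo the value
                return 1 ;;
        esac
    done
    # Do not add a secret to a map that group or others can already read.
    if [ -e "$map" ] && ! is_private "$map"; then
        echo "$map is readable by group/other; fix its mode first" >&2
        return 2
    fi
    # The subshell confines umask 077, so a new map is created 0600 from
    # the start instead of being world-readable until chmod is run.
    ( umask 077
      printf '%s -fstype=smbfs ://%s:%s@%s/%s\n' \
          "$name" "$user" "$pass" "$server" "$share" >> "$map" )
}

# Usage (as root): add_smb_map_entry /etc/auto.smb Music USER PASSWORD SERVER SHARE
```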

Hopefully this is only a temporary fix and Apple includes the option to mount Samba as well as NFS shares in Directory Utility. Technically it is not hard to do and the end result would be far tidier. 

Jeremy Allison speaks out on Novell

On December 29th Jeremy Allison officially left Novell and was able to speak openly about the Novell-Microsoft deal. He provided answers to questions posed by Mary Jo Foley of ZDNet and Boycott Novell, although it would appear that his answers to the latter source were for the most part copied and pasted from his ZDNet interview. What is interesting from the interviews is that the controversial patent deal was included by Microsoft at the last minute (5 days before the announcement). This would suggest Novell was set up by Microsoft, or even worse intentionally withheld information from people within their own company that understood the most about the issues at hand. Whichever was the cause, it does not bode well for Novell, as it was a lot of negative publicity they could have seriously done without and even avoided if managed more effectively.

Jeremy Allison leaves Novell in protest

Lead Samba developer and vocal open source figure Jeremy Allison has left his position at Novell in protest of their recent patent-protection agreement with Microsoft. It is a great move from Jeremy who has made it clear in the past that his principles (and tongue lashings) will not be bent by corporate pressure.

In a parting shot Jeremy made public a letter he had sent to Novell management. Within it he made a brilliant point regarding the patent agreement and the often misunderstood reaction to it by the Free Software community:

"Do you think that if we'd have found what we legally considered a clever way around the Microsoft EULA so we didn't have to pay for Microsoft licenses and had decided to ship, oh let's say, "Exchange Server" under this "legal hack" that Microsoft would be silent about it - or we should act aggr[i]eved when they change the EULA to stop us doing this?"

It is an excellent point that brings into question people's willingness to accept theft and wrongdoing as something that can only occur to an object with a defined monetary value. The components that form GNU Linux have a value; they are Free in all senses of the word. Yet when Novell and Microsoft found a way around the GPL2 license to 'sell' their patent-protection alongside GNU Linux, many in the industry viewed it as completely honest and worthwhile. This even though the agreement broke in spirit, but not in practice, the licensing terms of the GPL2.

UPDATE: CNET is reporting that Jeremy Allison will be joining Google in the new year. 

Getting Vista working with Samba

In their efforts to 'innovate' (a.k.a. make it harder for people to use non-Microsoft products) it would appear that connecting to a Samba file server in Vista is not as easy as in prior versions of Windows. This BuilderAu post describes how to enable LM and NTLM authentication methods supported by Samba but disabled in Vista by default. It sounds like the Samba team are moving fast on getting Samba fully Vista compatible; unfortunately, issues like this will affect NAS devices and servers not running the latest versions of Samba for a long time to come.

The Samba Team responds to Novell's actions

A few weeks after the Novell/Microsoft announcement the Samba Team have officially requested Novell reconsider their stand on patents. The Samba project is an important (if not crucial) piece of open source software that is allowing a wide variety of platforms (but mainly Linux) to compete head to head with Microsoft solutions in the workplace. Jeremy Allison co-heads the Samba project and is an employee of Novell, but obviously this has not stopped the team from taking a moral stand against software patents and the actions of Novell and Microsoft.

This stance is completely opposite to the Mono team leader Miguel de Icaza's official support of the deal, but this is not surprising considering 99% of Mono development is funded and directed by Novell. I doubt Novell will heed Samba's request, but at least it's good to see such a prominent project take such a decisive stand on the matter.

Adventures in Samba with LDAP

Over the last week I have been experimenting with SMBLDAP-Tools and some of the new features available in the latest versions of Samba 3. Whilst I've written about setting up a Samba Primary Domain Controller with an LDAP-backend before, SMBLDAP-Tools makes configuring this potentially troublesome (but very powerful) combination a lot easier.

For my testing I have been using the Factory build of Samba 3.0.23C for Suse 10. Suse 10 does not have a package for SMBLDAP-Tools but Suse 10.1+ does, so I used the 10.1 source package and built it for Suse 10. After a bit of hassle I also applied a patch that fixed Computer creation account problems. If you are using Suse 10.0 the SMBLDAP-Tools package I built can be downloaded from here, otherwise compiling it from source is difficult as it's just a collection of Perl scripts.

Jeremy Allison on FLOSS Weekly

Jeremy Allison finally made an appearance on FLOSS Weekly to talk about Samba. The delay was not through lack of trying (it was the third take of the show) and as usual he does not disappoint. My favourite bit was when he was talking about a Sun conference he attended starring then CEO Scott McNealy:

"So he picks some like five rows back and she comes up to ask him a question. And it turns into a completely scripted song and dance routine. She was a ringer because he was scared to get an unfiltered question. He was scared to get an unfiltered question from one of his employees. I must admit Novell just isn't that organised...."

I guess that pretty much sums up the differences between Sun and Novell in a couple of sentences.

SuSE/OpenLDAP/Samba Howto

This tutorial assumes you are familiar with basic Linux and Windows concepts and are comfortable using SuSE Linux 9 (Professional or Enterprise). SuSE 9.2 Professional was used during the production of this guide, but for the most part the commands, software and general concepts should be applicable on any current version of SuSE (or OpenSUSE).
To ease configuration it is very helpful to do most things from another desktop so that you can use really useful utilities like graphical Internet browsers and copy/paste tools.

Samba's Recycle VFS provides Salvage-like functionality

If anyone's used Novell's NSS filesystem they will know how useful the Salvage tool is. All too often a file once thought of as useless is suddenly needed or, even worse, a useful file is accidentally deleted. In a traditional Samba setup this deleted file is lost for good unless a copy exists in backup form. This is fine for some occasions, but if you have just spent eight hours working on the file, going back to a twelve hour old version is not that appealing.

Samba 3's Recycle VFS (Virtual File System) module solves this problem by providing Salvage-like capabilities in a nice Samba container. When a file is deleted on the share it is not deleted from the filesystem; instead its file pointer is moved to the specified recycle directory for later retrieval (just like your standard Recycle Bin).