I've been trying to set up Samba shares for some directories on a NAS, and I can't seem to be able to get it to work.

A minimalized version of my smb.conf boils down to

[global]
dns proxy = no

create mask = 0664
force create mode = 0664
directory mask = 0775
force directory mode = 0775

[Media]
path = /srv/Media
writeable = yes

/srv/Media and its descendants belong to user and group samba with modes 775. The user I am trying to access the share with is user in group samba, i.e. he has read and write permission to the path in question. I have verified this by su-ing into user and cd-ing to /srv/Media, where I can list and modify files without issue.

To verify that my Samba password (set with smbpasswd -a user) is correct, I have tried to connect with smbclient while giving an intentionally wrong password, which gets answered with NT_STATUS_LOGON_FAILURE as expected, while connecting with the correct password drops me in the smbclient shell. Once in the shell, however, if I try to ls, I get NT_STATUS_ACCESS_DENIED listing \*. Mounting via CIFS or gvfs doesn't work either.

I've researched many questions and articles with similar issues, but pretty much everything I've found was due to permission issues on the shared directory. Having verified that the user in question can indeed access the directory in question locally but not over Samba, I am lost.

1 Answer

It was AppArmor. While I was tailing the logs as I was testing, I was only following the Samba logs with journalctl -fu smb. On top of that, I was running Samba in a systemd-nspawn container and was tailing the logs from inside there as well, so I wouldn't have been able to find the errors anyway, but after looking at the audit logs on the host on a whim, I saw a bunch of denied open calls on /srv/Media for profile smbd.

Just for completeness' sake, the full command I used (on the host) to correlate the logs in the end was journalctl -m _SYSTEMD_UNIT=smb.service _HOSTNAME=nas + _AUDIT_FIELD_PROFILE='"smbd"'. This requires that the guest journal is linked with the host, as is the default when using machinectl start.
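An added example, not part of the original answer: a small parser that summarizes AppArmor denials for one profile from audit log text, which is the check that exposed the problem here. The function names and the sample records are constructed for illustration; the example also goes beyond the case in the answer by decoding hex-encoded names, which the audit subsystem emits for paths containing spaces.

```python
import re
from collections import Counter

# Constructed sample records in the kernel audit format AppArmor logs in
# (not taken from the original post; pids, timestamps and file names are made up).
SAMPLE_LOG = '''\
audit: type=1400 audit(1714564801.101:310): apparmor="DENIED" operation="open" profile="smbd" name="/srv/Media/" pid=812 comm="smbd" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
audit: type=1400 audit(1714564801.140:311): apparmor="DENIED" operation="open" profile="smbd" name="/srv/Media/" pid=812 comm="smbd" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
audit: type=1400 audit(1714564809.002:312): apparmor="DENIED" operation="mknod" profile="smbd" name=2F7372762F4D656469612F612062 pid=812 comm="smbd" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
audit: type=1400 audit(1714564811.730:314): apparmor="DENIED" operation="open" profile="cupsd" name="/srv/Media/" pid=640 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1714564812.000:315): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="smbd" pid=900 comm="apparmor_parser"
smbd[812]: unrelated daemon message without audit fields
'''

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
HEX = re.compile(r'(?:[0-9A-Fa-f]{2})+')

def parse_record(line):
    """Return the key=value fields of one AppArmor audit record, or None."""
    if 'apparmor="' not in line:
        return None
    rec = {}
    for key, quoted, bare in FIELD.findall(line):
        rec[key] = quoted if quoted else bare
    # The audit subsystem hex-encodes names containing spaces or quotes
    # and logs them unquoted; decode those so paths stay readable.
    raw = re.search(r'\bname=([^"\s]+)', line)
    if raw and HEX.fullmatch(raw.group(1)):
        rec["name"] = bytes.fromhex(raw.group(1)).decode("utf-8", "replace")
    return rec

def denied_summary(log_text, profile="smbd"):
    """Count DENIED records for one profile by (operation, path, denied_mask)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec and rec.get("apparmor") == "DENIED" and rec.get("profile") == profile:
            counts[(rec.get("operation"), rec.get("name"), rec.get("denied_mask"))] += 1
    return counts

if __name__ == "__main__":
    for (op, path, mask), n in denied_summary(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {op:<6} mask={mask:<3} {path}")
```

The paths and masks in the summary show which accesses the smbd profile does not currently allow, independent of the Unix permissions on the directory.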