3 months of troubles with SELinux and SAMBAv4 on top of glusterfs

So I've written this blog post to make sure that somewhere on the internet it is documented how to get SAMBAv4 working on CentOS Linux release 7.3.1611 (Core), integrated with Windows 2012 R2 Active Directory for authentication and managed with Linux ACLs.

I use SSSD to authenticate from my Linux host to AD; I will write another blog post on how to install and configure it.

Assuming Gluster is installed and configured appropriately, with a volume that is mounted and accessible over the network, we need to run the following:

$ yum install adcli krb5-workstation sssd-libwbclient samba-client cifs-utils samba samba-vfs-glusterfs samba-winbind -y
# this installs all the prerequisites for Samba to talk to Gluster and AD

$ kinit aaron@emascc.localhost
# obtain a Kerberos ticket (TGT) for your domain account

$ klist
# confirm the ticket was issued and is still valid

$ realm discover -v
# ensure connectivity to AD

$ realm permit --all
# allow all domain accounts to authenticate to this host

$ vi /etc/samba/smb.conf
# the [global] and [fileshare] section headers were missing from the original listing and are added here;
# the share name "fileshare" is assumed from the path and the valid users group
[global]
workgroup = EMASCC
client signing = yes
client use spnego = yes
kerberos method = secrets and keytab
realm = emascc.localhost
security = ads
log file = /var/log/samba/samba.log
log level = 3
winbind separator = +

[fileshare]
comment = FileShare
path = /mnt/fileshare
public = no
writable = yes
guest ok = no
# only members of the fileshare group may connect; without this line any domain account could
valid users = +fileshare
nt acl support = yes
inherit acls = yes
inherit owner = yes
inherit permissions = yes
map acl inherit = yes
# no "other" bits, so access is governed by the ACLs set below rather than world permissions
create mask = 0660
directory mask = 0770

$ net ads join -k
# join the domain with the Kerberos ticket, using the ads security configured in smb.conf

$ chcon -R -t samba_share_t /mnt/fileshare
# set the SELinux file context on the share (the stray "share" argument in the original line has been removed)

$ setsebool -P samba_share_fusefs 1
$ setsebool -P samba_export_all_ro 1
$ setsebool -P samba_export_all_rw 1
# set the SELinux booleans Samba needs to serve the share without AVC denials; samba_share_fusefs covers the FUSE-mounted Gluster volume
## note that samba_export_all_rw lets smbd read and write files of any label, which is broader than the samba_share_t context alone
## additional booleans may be required if you are affected by this bug: https://bugzilla.redhat.com/show_bug.cgi?id=1103613

$ setfacl -R -d -m g:"fileshare-noaccess":--- /mnt/fileshare
$ setfacl -R -d -m g:"fileshare-read":r-- /mnt/fileshare
$ setfacl -R -d -m g:"fileshare-write":rwx /mnt/fileshare
# set default ACL entries on the share (the original lines lacked the g: type and used curly quotes); the three names are assumed to be groups
# these defaults are inherited by new files and folders; note that each user requires exactly one of No Access, Read Access or Read/Write/Execute access
## -d writes only the default ACL, so repeat the same commands without -d to apply the access ACL to content that already exists
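As an added check that is not part of the original post, the following Python linter parses an smb.conf and flags any setting that departs from the AD-only, ACL-managed share configured above: guest access, a missing `valid users` line, world bits in the masks, or a security mode other than ads. The sample configs are constructed inline, and the `[global]`/`[fileshare]` section names are assumed because the listing above omits them.

```python
import configparser

# Settings the post relies on for an AD-only, ACL-managed share.
GLOBAL_REQUIRED = {"security": "ads", "client signing": "yes",
                   "kerberos method": "secrets and keytab"}
SHARE_REQUIRED = {"guest ok": "no", "public": "no", "nt acl support": "yes",
                  "inherit acls": "yes", "map acl inherit": "yes"}
MASK_DEFAULTS = {"create mask": "0744", "directory mask": "0755"}  # Samba defaults if unset

def lint(text):
    # Returns a list of findings; an empty list means the config matches the post.
    # smb.conf is INI-like; interpolation is off so %U-style macros do not trip the parser.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings = []
    glob = cp["global"] if cp.has_section("global") else {}
    for key, want in GLOBAL_REQUIRED.items():
        got = glob.get(key, "<unset>")
        if got.lower() != want:
            findings.append(f"[global] {key} = {got}, expected {want}")
    for share in cp.sections():
        if share == "global":
            continue
        sec = cp[share]
        for key, want in SHARE_REQUIRED.items():
            got = sec.get(key, "<unset>")
            if got.lower() != want:
                findings.append(f"[{share}] {key} = {got}, expected {want}")
        if not sec.get("valid users"):
            findings.append(f"[{share}] valid users unset: any domain account may connect")
        for key, default in MASK_DEFAULTS.items():
            mask = sec.get(key, default)
            # Any 'other' bit set means files are reachable beyond the share's groups.
            if not mask.isdigit() or int(mask, 8) & 0o007:
                findings.append(f"[{share}] {key} = {mask} grants world access")
    return findings

# Constructed sample: the post's settings plus the [global]/[fileshare] headers
# the listing omits; WEAK_CONF loosens three of them to show the detections.
GOOD_CONF = ("[global]\nsecurity = ads\nclient signing = yes\n"
             "kerberos method = secrets and keytab\nrealm = emascc.localhost\n"
             "[fileshare]\npath = /mnt/fileshare\npublic = no\nguest ok = no\n"
             "valid users = +fileshare\nnt acl support = yes\ninherit acls = yes\n"
             "map acl inherit = yes\ncreate mask = 0660\ndirectory mask = 0770\n")
WEAK_CONF = (GOOD_CONF.replace("guest ok = no", "guest ok = yes")
             .replace("valid users = +fileshare\n", "")
             .replace("create mask = 0660", "create mask = 0664"))

if __name__ == "__main__":
    for name, conf in (("GOOD_CONF", GOOD_CONF), ("WEAK_CONF", WEAK_CONF)):
        print(name, lint(conf) or ["no findings"])
```

Run it against a copy of your own /etc/samba/smb.conf after editing to catch a typo before restarting smbd.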