Applies to: 

All supported Samba versions on platforms with SELinux or AppArmor enabled. 


Problem: 

Samba shares can be accessed and the FS permissions are set correctly. However, users cannot do anything within the share: 
 

[ckelly@centos7-1 ~]$ ls /samba -ld
drwxrwxrwx. 2 root localgroup1 6 Jun 27 13:43 /samba-select

[ckelly@centos7-1 ~]$ smbclient -U ckelly //centos7-1/Samba-Select
Enter ckelly's password:
Domain=[ALWAYS] OS=[Windows 6.1] Server=[Samba 4.2.10]
smb: \> ls
NT_STATUS_ACCESS_DENIED listing \*
smb: \> exit

Resolution: 

The error message is coming from OS, not from Samba. If SELinux or AppArmor is enabled, please see below: 

AppArmor:
After configuring adbindproxy, the winbindd's new listen path is /{var/,}run/samba/winbindd2. The following lines needs to be in the AppArmor profile (/etc/apparmor.d/usr.sbin.winbindd). 
 

/{var/,}run/samba/winbindd2/ rw,  
/{var/,}run/samba/winbindd2/pipe w,

SELinux: 
Make sure the shared directory has the samba_share_t label, or use "setsebool -P samba_export_all_rw 1" (not recommended). 
For example: 
 

[ckelly@centos7-1 ~]$ ls -ldZ /samba-select/
drwxrwxrwx. ckelly localgroup1 unconfined_u:object_r:default_t:s0 /samba-select/
[ckelly@centos7-1 ~]$ semanage fcontext -a -t samba_share_t /samba-select"(/.*)?"
[ckelly@centos7-1 ~]$ restorecon -Rv /samba-select
restorecon reset /samba-select context unconfined_u:object_r:default_t:s0->unconfined_u:object_r:samba_share_t:s0
[ckelly@centos7-1 ~]$ smbclient -U ckelly //centos7-1/Samba-Select
Enter ckelly's password:
Domain=[ALWAYS] OS=[Windows 6.1] Server=[Samba 4.2.10]
smb: \> ls
  .                                   D        0  Mon Jun 27 13:43:57 2016
  ..                                 DR        0  Wed Jun 29 10:50:38 2016

                14530560 blocks of size 1024. 9172892 blocks available
smb: \> exit