several wired errors with samba4

Wed Feb 18 14:06:00 MST 2009

On 02/13/2009 02:33 AM, Andrew Bartlett wrote:
> On Thu, 2009-02-12 at 15:21 +0300, Matthieu Patou wrote:
>    
>> Dear all,
>>
>> While trying to search a problem I had a look at my samba4 log today,
>> and I saw this errors:
>>
>> * /usr/local/samba/private/smbd.tmp/messaging/names.tdb
>> * keytab /usr/local/samba/private/secrets.keytab open failed: Permission
>> denied
>> *
>> '/usr/local/samba/private/smbd.tmp/messaging/msg.0.0.146':NT_STATUS_ACCESS_DENIED
>>
>> It seems to me that the samba process is started with root so unless it
>> tries to lower its rights I do not see a reason for this because all
>> files and folders (even parent folders) are owned by root with a least
>> rw rights.
>>
>> Any idea of what could cause this problem ?
>>      
>
> Are you sure it started as root?
>
> Is SeLinux or some other tool denying access?
>
> Samba does change user to perform filesystem access (in the SMB server),
> but should change back as soon as it needs to access anything else.
>
> In short, I'm a bit stumped - the best route forward would be to print
> the real and effective UID in the debug messages.
>
>    
So I made some changes (prod env ... more lengthy than expected ...)

* For permission denied with /usr/local/samba/private/smbd.tmp/messaging/names.tdb it comes from one user 10080 (which correspond to one of my domain users in idmap.tdb), I know that last days he has been using the server for storing files (our samba4 server is not used much appart from logon/logoff and ldap/kerberos).
* For keytab /usr/local/samba/private/secrets.keytab open failed: Permission denied, I have a few errors with 10080 and others workstation accounts as well
* For /usr/local/samba/private/smbd.tmp/messaging/msg.0.0.xxx: NT_STATUS_ACCESS_DENIED, I have also only user 10080

I just restarted my server with a loglevel of 9 just in case it will give me more information about the context.