several weird errors with samba4

Andrew Bartlett abartlet at samba.org
Sun Feb 22 16:23:16 MST 2009


On Thu, 2009-02-19 at 00:06 +0300, Matthieu Patou wrote:
> On 02/13/2009 02:33 AM, Andrew Bartlett wrote:
> > On Thu, 2009-02-12 at 15:21 +0300, Matthieu Patou wrote:
> >    
> >> Dear all,
> >>
> >> While trying to search for a problem I had a look at my samba4 log today,
> >> and I saw these errors:
> >>
> >> * /usr/local/samba/private/smbd.tmp/messaging/names.tdb
> >> * keytab /usr/local/samba/private/secrets.keytab open failed: Permission
> >> denied
> >> *
> >> '/usr/local/samba/private/smbd.tmp/messaging/msg.0.0.146':NT_STATUS_ACCESS_DENIED
> >>
> >> It seems to me that the samba process is started as root, so unless it
> >> tries to lower its rights I do not see a reason for this because all
> >> files and folders (even parent folders) are owned by root with at least
> >> rw rights.
> >>
> >> Any idea of what could cause this problem?
> >>      
> >
> > Are you sure it started as root?
> >
> > Is SELinux or some other tool denying access?
> >
> > Samba does change user to perform filesystem access (in the SMB server),
> > but should change back as soon as it needs to access anything else.
> >
> > In short, I'm a bit stumped - the best route forward would be to print
> > the real and effective UID in the debug messages.
> >
> >    
> So I made some changes (prod env ... more lengthy than expected ...)
> 
> * For permission denied with /usr/local/samba/private/smbd.tmp/messaging/names.tdb, it comes from one user, 10080 (which corresponds to one of my domain users in idmap.tdb). I know that in the last days he has been using the server for storing files (our samba4 server is not used much apart from logon/logoff and ldap/kerberos).
> * For keytab /usr/local/samba/private/secrets.keytab open failed: Permission denied, I have a few errors with 10080 and other workstation accounts as well
> * For /usr/local/samba/private/smbd.tmp/messaging/msg.0.0.xxx: NT_STATUS_ACCESS_DENIED, I also have only user 10080

OK, so this means we have some codepath where we do not move back to
root soon enough.  We need to add some code to print a backtrace at this
point, so we can try and see why this happens. 

> I just restarted my server with a loglevel of 9 just in case it will give me more information about the context.

I don't think it will help :-(

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.
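
The debugging step suggested in this thread (print the real and effective UID, plus a backtrace, at the point where access is denied), sketched as an added example; it is not Samba code and not from the thread. `open_diag`, `format_denied` and `denied_count` are hypothetical names, and the backtrace calls assume glibc.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#ifdef __GLIBC__
#include <execinfo.h>   /* backtrace(), backtrace_symbols_fd(): glibc extensions */
#endif

static int denied_count;  /* number of access-denied reports emitted so far */

/* Format real/effective IDs for a failed access. Returns 1 if err is a
 * permission error (EACCES or EPERM) and buf was filled, 0 otherwise. */
int format_denied(char *buf, size_t len, const char *path, int err)
{
    if (err != EACCES && err != EPERM)
        return 0;
    snprintf(buf, len, "open %s failed: %s (ruid=%ld euid=%ld rgid=%ld egid=%ld)",
             path, strerror(err), (long)getuid(), (long)geteuid(),
             (long)getgid(), (long)getegid());
    return 1;
}

/* Hypothetical wrapper: open() that reports which identity the process had
 * when access was denied, and which code path got it there. */
int open_diag(const char *path, int flags)
{
    int fd = open(path, flags);
    int saved = errno;
    char msg[512];
    if (fd < 0 && format_denied(msg, sizeof(msg), path, saved)) {
        denied_count++;
        fprintf(stderr, "%s\n", msg);
#ifdef __GLIBC__
        void *frames[32];
        int n = backtrace(frames, 32);
        backtrace_symbols_fd(frames, n, STDERR_FILENO);  /* writes straight to the fd */
#endif
    }
    errno = saved;  /* keep errno intact for the caller */
    return fd;
}

int main(void)
{
    int fd = open_diag("/usr/local/samba/private/secrets.keytab", O_RDONLY);
    if (fd >= 0) close(fd);
    return 0;
}
```

A non-zero `euid` in the report for a root-owned file means the process was still running under an impersonated user when it touched the file; linking with `-rdynamic` makes the backtrace show function names.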