several weird errors with samba4
Matthieu Patou
mat+Informatique.Samba at matws.net
Tue Feb 24 06:42:42 MST 2009
On 02/23/2009 02:23 AM, Andrew Bartlett wrote:
> On Thu, 2009-02-19 at 00:06 +0300, Matthieu Patou wrote:
>
>> On 02/13/2009 02:33 AM, Andrew Bartlett wrote:
>>
>>> On Thu, 2009-02-12 at 15:21 +0300, Matthieu Patou wrote:
>>>
>>>
>>>> Dear all,
>>>>
>>>> While trying to search for a problem I had a look at my samba4 log today,
>>>> and I saw these errors:
>>>>
>>>> * /usr/local/samba/private/smbd.tmp/messaging/names.tdb
>>>> * keytab /usr/local/samba/private/secrets.keytab open failed: Permission
>>>> denied
>>>> * '/usr/local/samba/private/smbd.tmp/messaging/msg.0.0.146':NT_STATUS_ACCESS_DENIED
>>>>
>>>> It seems to me that the samba process is started with root so unless it
>>>> tries to lower its rights I do not see a reason for this because all
>>>> files and folders (even parent folders) are owned by root with at least
>>>> rw rights.
>>>>
>>>> Any idea of what could cause this problem?
>>>>
>>>>
>>> Are you sure it started as root?
>>>
>>> Is SELinux or some other tool denying access?
>>>
>>> Samba does change user to perform filesystem access (in the SMB server),
>>> but should change back as soon as it needs to access anything else.
>>>
>>> In short, I'm a bit stumped - the best route forward would be to print
>>> the real and effective UID in the debug messages.
>>>
>>>
>>>
>> So I made some changes (prod env ... more lengthy than expected ...)
>>
>> * For permission denied with /usr/local/samba/private/smbd.tmp/messaging/names.tdb it comes from one user 10080 (which corresponds to one of my domain users in idmap.tdb), I know that in the last few days he has been using the server for storing files (our samba4 server is not used much apart from logon/logoff and ldap/kerberos).
>> * For keytab /usr/local/samba/private/secrets.keytab open failed: Permission denied, I have a few errors with 10080 and other workstation accounts as well
>> * For /usr/local/samba/private/smbd.tmp/messaging/msg.0.0.xxx: NT_STATUS_ACCESS_DENIED, I have also only user 10080
>>
>
> OK, so this means we have some codepath where we do not move back to
> root soon enough. We need to add some code to print a backtrace at this
> point, so we can try and see why this happens.
>
>
Ok ready for patching.
Apart from the fact that it adds errors to the log file, what are the
consequences of the error (I guess it depends on the request made)?
>> I just restarted my server with a loglevel of 9 just in case it will give me more information about the context.
>>
>
> I don't think it will help :-(
>
>
Well it just helps fill my filesystem way more quickly :-) (in any
case I've moved back to a more reasonable log level but saved 1 day's log
just in case ...).
Matthieu.
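
The diagnostic discussed in the thread (print the real and effective UID, plus a backtrace, at the point where access is denied) could look like the following. This is an added example, not part of the original messages and not Samba code; `open_with_cred_diag` and the sample path are hypothetical, and `backtrace()` assumes glibc.

```c
/* Added example, not Samba code: log credentials and a backtrace on EACCES. */
#include <errno.h>
#include <execinfo.h>   /* backtrace(), glibc */
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical helper. Opens `path` (flags must not need a mode argument).
 * On failure, writes errno text plus real/effective IDs into `msg`.
 * Returns the fd, or -1 with errno preserved. */
int open_with_cred_diag(const char *path, int flags, char *msg, size_t msglen)
{
    int fd = open(path, flags);
    if (fd >= 0) {
        if (msglen > 0)
            msg[0] = '\0';
        return fd;
    }
    int saved = errno;
    snprintf(msg, msglen,
             "open(%s) failed: %s (ruid=%ld euid=%ld rgid=%ld egid=%ld)",
             path, strerror(saved), (long)getuid(), (long)geteuid(),
             (long)getgid(), (long)getegid());
    if (saved == EACCES || saved == EPERM) {
        /* A non-root euid here means some caller has not switched back
         * from the impersonated user; the stack shows which code path. */
        void *frames[32];
        int n = backtrace(frames, 32);
        fprintf(stderr, "%s\n", msg);
        backtrace_symbols_fd(frames, n, STDERR_FILENO);
    }
    errno = saved;
    return -1;
}

int main(void)
{
    char msg[512];
    /* Constructed path; substitute the file that fails in your log. */
    int fd = open_with_cred_diag("/nonexistent-dir/secrets.keytab",
                                 O_RDONLY, msg, sizeof msg);
    if (fd < 0)
        fprintf(stderr, "%s\n", msg);
    else
        close(fd);
    return 0;
}
```

Link with `-rdynamic` so that `backtrace_symbols_fd()` can print function names instead of bare addresses.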