several weird errors with samba4

Andrew Bartlett abartlet at samba.org
Tue Feb 24 17:04:54 MST 2009


On Tue, 2009-02-24 at 16:42 +0300, Matthieu Patou wrote:
> On 02/23/2009 02:23 AM, Andrew Bartlett wrote:
> > On Thu, 2009-02-19 at 00:06 +0300, Matthieu Patou wrote:
> >    
> >> On 02/13/2009 02:33 AM, Andrew Bartlett wrote:
> >>      
> >>> On Thu, 2009-02-12 at 15:21 +0300, Matthieu Patou wrote:
> >>>
> >>>        
> >>>> Dear all,
> >>>>
> >>>> While trying to search a problem I had a look at my samba4 log today,
> >>>> and I saw these errors:
> >>>>
> >>>> * /usr/local/samba/private/smbd.tmp/messaging/names.tdb
> >>>> * keytab /usr/local/samba/private/secrets.keytab open failed: Permission
> >>>> denied
> >>>> *
> >>>> '/usr/local/samba/private/smbd.tmp/messaging/msg.0.0.146':NT_STATUS_ACCESS_DENIED
> >>>>
> >>>> It seems to me that the samba process is started with root so unless it
> >>>> tries to lower its rights I do not see a reason for this because all
> >>>> files and folders (even parent folders) are owned by root with at least
> >>>> rw rights.
> >>>>
> >>>> Any idea of what could cause this problem?
> >>>>
> >>>>          
> >>> Are you sure it started as root?
> >>>
> >>> Is SELinux or some other tool denying access?
> >>>
> >>> Samba does change user to perform filesystem access (in the SMB server),
> >>> but should change back as soon as it needs to access anything else.
> >>>
> >>> In short, I'm a bit stumped - the best route forward would be to print
> >>> the real and effective UID in the debug messages.
> >>>
> >>>
> >>>        
> >> So I made some changes (prod env ... more lengthy than expected ...)
> >>
> >> * For permission denied with /usr/local/samba/private/smbd.tmp/messaging/names.tdb it comes from one user 10080 (which corresponds to one of my domain users in idmap.tdb), I know that in the last days he has been using the server for storing files (our samba4 server is not used much apart from logon/logoff and ldap/kerberos).
> >> * For keytab /usr/local/samba/private/secrets.keytab open failed: Permission denied, I have a few errors with 10080 and other workstation accounts as well
> >> * For /usr/local/samba/private/smbd.tmp/messaging/msg.0.0.xxx: NT_STATUS_ACCESS_DENIED, I have also only user 10080
> >>      
> >
> > OK, so this means we have some codepath where we do not move back to
> > root soon enough.  We need to add some code to print a backtrace at this
> > point, so we can try and see why this happens.
> >
> >    
> Ok ready for patching.
> Apart from the fact it adds errors in the log file, what are the
> consequences of the error (I guess it depends on the request made)?

If you add a call to call_backtrace() in the case where we get this
error (where you print the uid at the moment), then we can see what the
call stack is, and try to debug this further.

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.
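
The debugging step discussed in this thread (log the real and effective UID where the permission error is reported, then dump the call stack) is sketched below as an added example; it is not Samba code and not part of the original message. It assumes glibc's `backtrace()` as a stand-in for Samba's `call_backtrace()`, and `report_denied` and `open_checked` are hypothetical names.

```c
#include <errno.h>
#include <execinfo.h>   /* glibc backtrace(); assumed available */
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define MAX_FRAMES 32

/* Hypothetical helper: record which credentials the process held when the
 * access failed, then dump the call stack to stderr. Returns frame count. */
int report_denied(const char *path, int err, char *buf, size_t len)
{
    void *frames[MAX_FRAMES];
    int n;

    snprintf(buf, len, "%s open failed: %s (ruid=%ld euid=%ld rgid=%ld egid=%ld)",
             path, strerror(err), (long)getuid(), (long)geteuid(),
             (long)getgid(), (long)getegid());
    fprintf(stderr, "%s\n", buf);

    n = backtrace(frames, MAX_FRAMES);
    backtrace_symbols_fd(frames, n, STDERR_FILENO);
    return n;
}

/* Hypothetical wrapper: open() that reports only permission failures, so a
 * missing file does not flood the log. errno is preserved for the caller. */
int open_checked(const char *path, int flags, char *buf, size_t len)
{
    int fd = open(path, flags);
    if (fd == -1 && (errno == EACCES || errno == EPERM)) {
        int saved = errno;
        report_denied(path, saved, buf, len);
        errno = saved;
    }
    return fd;
}

int main(void)
{
    char msg[512] = "";
    /* Path taken from the log lines quoted in the thread. */
    int fd = open_checked("/usr/local/samba/private/secrets.keytab",
                          O_RDONLY, msg, sizeof msg);
    if (fd != -1)
        close(fd);
    return 0;
}
```

A non-root effective UID in the logged line, together with the stack frames, points at the code path that was still running with a user's credentials when it touched a root-only file.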