[Samba] Validity of "testparm --parameter-name" output on a non-zero exit code

Rowland Penny rpenny at samba.org
Mon Jul 18 18:17:49 UTC 2022


On Mon, 2022-07-18 at 20:50 +0300, Slava Aseev via samba wrote:
> 18.07.2022 15:25, Rowland Penny via samba wrote:
> > On Mon, 2022-07-18 at 15:14 +0300, Slava Aseev via samba wrote:
> > > Hello!
> > > 
> > > I have a question about testparm (maybe a stupid question).
> > > 
> > > testparm exits with 1 if any errors in smb.conf were detected.
> > > Can this exit code be safely ignored if only the output of
> > > "testparm --parameter-name" is needed?
> > > 
> > > For example, in case of "testparm --suppress-prompt
> > > --parameter-name 'usershare path'" we can check path from the
> > > output for existence, so checking the exit code doesn't seem so
> > > useful. However, I am not entirely sure about this, maybe there is
> > > something that I missed.
> > > 
> > > The whole problem is that there is a real case where I would like
> > > to ignore the exit code:
> > > 
> > >     $ testparm --debuglevel=0 --suppress-prompt --verbose --parameter-name 'usershare path'
> > >     Load smb config files from /etc/samba/smb.conf
> > >     Loaded services file OK.
> > >     Weak crypto is allowed
> > > 
> > >     ERROR: Do not use the 'sss' backend as the default idmap backend!
> > > 
> > >     /var/lib/samba/usershares
> > > 
> > >     $ echo $?
> > >     1
> > > 
> > > but I'm not sure if I really should.
> > The error seems to be pretty major, you appear to be using the 'sss'
> > backend for the default '*' idmap backend and this isn't allowed. You
> > are also using shares and the 'sss' backend only does authentication.
> > 
> > I think you need to post your smb.conf and tell us why you are using
> > sssd.
> > 
> > Rowland
> 
> The question is not really about the error (in this case, it can be
> fixed by specifying tdb as the default backend, and sss for some
> <DOMAIN>).

That would fix it, but if shares are involved, I wouldn't use idmap_sss
and there is no point in using Samba if there are no SMB shares, so
just use sssd.

> 
> I will try to explain better.
> There is a samba file sharing plugin called kdenetwork-filesharing (a
> file properties plugin that allows to make directory shared in
> directory properties).

Yes I have heard of it, but I do not use KDE, cockpit works in a
similar way.

> At some point the plugin calls "testparm --parameter-name" to get the
> "usershare path" (to check/fix permissions on this path) and to get
> "passdb backend" (to try to add the user to database, if passdb
> backend is the tdbsam).

Two things, idmap_sss doesn't do ACLs (I think this is what the script
is trying to work around) and unless you have set the passdb to the old
smbpasswd (or are using an ldap backend), the default passdb is tdbsam.

> In these cases the plugin is only interested in values (and their
> correctness), not in the correctness of whole smb.conf, and I really
> would not want to stop the plugin because of non-zero testparm exit
> code (because eventually the requested values are output to stdout!).
> In other words I would like "testparm --parameter-name" to behave
> like "exit with failure if there is an error in requested parameter",
> but it behaves like "exit with failure if there is any error in the
> whole config".
> Hence the question: is it permissible to ignore the exit code of
> testparm in this particular case? Or is it worth playing it safe and
> not allowing output values if testparm returns a non-zero code?

Having not seen the code, I cannot really comment on the overall error,
but you should be able to pull the parameter from smb.conf (error if it
isn't there), test if the supplied path exists (error if it doesn't)
and check permissions on the share (error if they are not correct).
 
> 
> (perhaps I am worried too much)

Perhaps you are worrying about the wrong thing :-)

Rowland
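
The per-value checks discussed in this thread (read the one parameter, error if it is missing, error if the path does not exist, error if the permissions are wrong), sketched as an added example that is not part of the original messages or of kdenetwork-filesharing. The function names are hypothetical, the value is assumed to be the last non-empty line testparm writes to stdout, and the owner, sticky-bit and world-writable rules are an assumption based on the smb.conf documentation for "usershare path".

```python
import os
import stat
import subprocess

def extract_value(stdout):
    """Return the last non-empty stdout line, or None if nothing was printed."""
    lines = [ln.strip() for ln in stdout.splitlines() if ln.strip()]
    return lines[-1] if lines else None

def query_parameter(name, runner=subprocess.run):
    """Ask testparm for one parameter; return (value, exit_code).

    The exit code reflects the whole smb.conf, so it is returned for logging
    rather than used to discard the value.
    """
    proc = runner(
        ["testparm", "--suppress-prompt", "--parameter-name", name],
        capture_output=True, text=True, check=False,
    )
    return extract_value(proc.stdout), proc.returncode

def check_usershare_dir(path, expected_uid=0):
    """Return a list of problems with the usershare directory (empty = OK)."""
    if not path or not os.path.isabs(path):
        return ["testparm reported no absolute path"]
    try:
        st = os.stat(path)
    except OSError as exc:
        return [f"cannot stat {path}: {exc.strerror}"]
    if not stat.S_ISDIR(st.st_mode):
        return [f"{path} is not a directory"]
    problems = []
    # Assumed rules: owned by root, sticky bit set, not writable by "other".
    if st.st_uid != expected_uid:
        problems.append(f"owner uid is {st.st_uid}, expected {expected_uid}")
    if not st.st_mode & stat.S_ISVTX:
        problems.append("sticky bit is not set")
    if st.st_mode & stat.S_IWOTH:
        problems.append("directory is world-writable")
    return problems

if __name__ == "__main__":
    value, code = query_parameter("usershare path")
    if code != 0:
        print(f"note: testparm exited {code}; validating the value directly")
    for problem in check_usershare_dir(value):
        print("ERROR:", problem)
```
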
