[Samba] Strange issue with Samba+CTDB+SELinux+GlusterFS
Leszek Szczepanowski
twinsen at mspanc.net
Tue Nov 15 10:04:08 UTC 2022
I think with security=user the rest is simply ignored, and the local auth
is working fine.
I will comment out that option for now. The AD integration will be done
later.
The main problem is probably not related directly to CTDB, but to what
Samba is trying to access with SELinux in Enforcing mode.
As there are no errors in /var/log/messages or in /var/log/audit, I'm lost.
I forgot to say versions, so:
[root at fs01 samba]# cat /etc/redhat-release
CentOS Stream release 9
[root at fs01 samba]# rpm -qa | grep samba
samba-common-4.16.4-101.el9.noarch
samba-client-libs-4.16.4-101.el9.x86_64
samba-common-libs-4.16.4-101.el9.x86_64
samba-libs-4.16.4-101.el9.x86_64
python3-samba-4.16.4-101.el9.x86_64
samba-common-tools-4.16.4-101.el9.x86_64
samba-4.16.4-101.el9.x86_64
samba-client-4.16.4-101.el9.x86_64
samba-winbind-modules-4.16.4-101.el9.x86_64
samba-winbind-4.16.4-101.el9.x86_64
samba-winbind-krb5-locator-4.16.4-101.el9.x86_64
samba-winbind-clients-4.16.4-101.el9.x86_64
[root at fs01 samba]# rpm -qa | grep ctdb
ctdb-4.16.4-101.el9.x86_64
[root at fs01 samba]# uname -a
Linux fs01.xxx 5.14.0-183.el9.x86_64 #1 SMP PREEMPT_DYNAMIC Mon Oct 31 09:18:51 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
Also, the provided errors were wrong; I was playing with permissive mode.
In enforcing it is:
[2022/11/15 11:02:08, 0] ../../source3/lib/dbwrap/dbwrap_ctdb.c:1926(db_open_ctdb)
  Could not open tdb /var/lib/ctdb/persistent/registry.tdb.0: Permission denied
[2022/11/15 11:02:08, 0] ../../source3/lib/dbwrap/dbwrap_open.c:169(db_open)
  db_open: failed to attach to ctdb registry.tdb
[2022/11/15 11:02:08, 0] ../../source3/lib/dbwrap/dbwrap_ctdb.c:1926(db_open_ctdb)
  Could not open tdb /var/lib/ctdb/persistent/registry.tdb.0: Permission denied
[2022/11/15 11:02:08, 0] ../../source3/lib/dbwrap/dbwrap_open.c:169(db_open)
  db_open: failed to attach to ctdb registry.tdb
[2022/11/15 11:02:08, 1] ../../source3/registry/reg_backend_db.c:759(regdb_init)
  regdb_init: Failed to open registry /var/lib/samba/registry.tdb (Permission denied)
[2022/11/15 11:02:08, 0] ../../source3/registry/reg_init_basic.c:35(registry_init_common)
  Failed to initialize the registry: WERR_ACCESS_DENIED
[2022/11/15 11:02:08, 1] ../../source3/param/loadparm.c:2157(lp_smbconf_ctx)
  error initializing registry configuration: SBC_ERR_BADFILE
Can't load /etc/samba/smb.conf - run testparm to debug it
samba-dcerpcd - Failed to load config file!
But at the same time, I can do testparm without any issues:
[root at fs01 samba]# testparm
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Weak crypto is allowed
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions
# Global parameters
[global]
clustering = Yes
logging = syslog
netbios name = FS
realm = FS.xxx
registry shares = Yes
security = USER
workgroup = xxx
idmap config * : range = 1000000-1999999
ctdb:registry.tdb = yes
idmap config * : backend = autorid
[symptoms]
path = /mnt/glusterfs/symptoms/
read only = No
On Tue, 15 Nov 2022 at 10:47, Rowland Penny via samba <samba at lists.samba.org> wrote:
>
>
> On 15/11/2022 09:21, Leszek Szczepanowski via samba wrote:
> > I have a very simple config for HA Samba, using CTDB.
> > I have set all possible SELinux options until "denied" messages stopped
> > appearing in /var/log/messages.
> >
> > All works flawlessly, just the problem is with browsing Samba shares with
> > enforcing setting.
> >
> > When I try to browse shares, I'm getting this:
> >
> > samba-dcerpcd version 4.16.4 started.
> > Copyright Andrew Tridgell and the Samba Team 1992-2022
> > [2022/11/15 10:10:57.674555, 1]
> > ../../source3/rpc_client/cli_pipe.c:3014(rpc_pipe_open_ncalrpc)
> > rpc_pipe_open_ncalrpc: connect(/run/samba/ncalrpc/EPMAPPER) failed: No
> > such file or directory
> > [2022/11/15 10:10:57.820626, 1]
> > ../../source3/rpc_server/rpc_host.c:1763(rpc_worker_exited)
> > rpc_worker_exited: No worker with PID 3281
> > [2022/11/15 10:10:58.040001, 1]
> > ../../source3/rpc_server/rpc_host.c:1350(rpc_host_distribute_clients)
> > rpc_host_distribute_clients: Sending new client
> > /usr/libexec/samba/rpcd_winreg to 3294 with 0 clients
> > [2022/11/15 10:10:58.048701, 1]
> > ../../source3/rpc_server/rpc_host.c:1350(rpc_host_distribute_clients)
> > rpc_host_distribute_clients: Sending new client
> > /usr/libexec/samba/rpcd_winreg to 3294 with 0 clients
> > [2022/11/15 10:10:58.049474, 1]
> > ../../source3/rpc_server/rpc_host.c:1350(rpc_host_distribute_clients)
> > rpc_host_distribute_clients: Sending new client
> > /usr/libexec/samba/rpcd_classic to 3292 with 0 clients
> > [2022/11/15 10:10:58.560868, 1]
> > ../../source3/rpc_server/rpc_host.c:1350(rpc_host_distribute_clients)
> > rpc_host_distribute_clients: Sending new client
> > /usr/libexec/samba/rpcd_classic to 3292 with 0 clients
> >
> > Samba is in clustered mode + registry:
> >
> > [root at fs01 samba]# net conf list
> > [global]
> > logging = syslog
> > log level = 1
> > netbios name = fs
> > workgroup = xxx
> > realm = xxx
> > idmap config * : backend = autorid
> > idmap config * : range = 1000000-1999999
> > security = user
>
> Now I do not know a lot about CTDB, but I do know that you cannot use
> 'idmap config' lines with 'security = user', they are only used with
> a domain, so if this cluster is joined to a domain, I would start by
> changing 'security = user' to 'security = ADS'
>
> Rowland
--
Leszek A. Szczepanowski
twinsen at mspanc.net
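
A "Permission denied" under enforcing mode with nothing in the audit log, as described in the message above, is consistent with a denial covered by a dontaudit rule. The following is an added example, not part of the thread: it rebuilds the policy with dontaudit rules disabled, collects recent AVC records and summarises them. The function names and the sample records (SELinux types, PIDs, inode numbers) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): surface SELinux denials that dontaudit
# rules keep out of the audit log, and summarise who was denied what.

# summarize_avc FILE [SUBSTRING]: one line per distinct denial in FILE that
# mentions SUBSTRING (default: registry.tdb, the file named in the Samba log).
summarize_avc() {
    awk -v pat="${2:-registry.tdb}" '
    /avc: +denied/ && index($0, pat) {
        perms = $0; sub(/.*[{] /, "", perms); sub(/ [}].*/, "", perms)
        comm = src = tgt = cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/)     { comm = $i; gsub(/comm=|"/, "", comm) }
            if ($i ~ /^scontext=/) { split($i, s, ":"); src = s[3] }
            if ($i ~ /^tcontext=/) { split($i, t, ":"); tgt = t[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        print comm ": " src " -> " tgt " (" cls ") { " perms " }"
    }' "$1" | sort -u
}

# write_sample FILE: constructed AVC records; the SELinux types, PIDs and inode
# numbers are illustrative, not taken from the poster's system.
write_sample() {
    cat > "$1" <<'EOF'
type=AVC msg=audit(1668506528.101:901): avc:  denied  { read write } for  pid=3294 comm="rpcd_winreg" name="registry.tdb.0" dev="dm-0" ino=1311 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1668506528.105:902): avc:  denied  { read write } for  pid=3294 comm="rpcd_winreg" name="registry.tdb.0" dev="dm-0" ino=1311 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1668506529.002:903): avc:  denied  { getattr } for  pid=3301 comm="chronyd" path="/etc/adjtime" dev="dm-0" ino=77 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:adjtime_t:s0 tclass=file permissive=0
EOF
}

# find_hidden_denials [LOGFILE]: run as root on the affected node.
find_hidden_denials() {
    log=${1:-/tmp/avc-recent.log}
    semodule -DB || return 1    # rebuild policy with dontaudit rules disabled
    printf 'Reproduce the failure, then press Enter: '; read -r _
    ausearch -m avc -ts recent > "$log" 2>/dev/null
    semodule -B                 # rebuild again with dontaudit rules restored
    summarize_avc "$log"
    f=/var/lib/ctdb/persistent/registry.tdb.0   # path from the Samba log
    ls -Z "$f"                  # label currently on the file
    restorecon -nv "$f"         # dry run: reports if policy expects another label
}

# Demo on the constructed sample only; nothing here touches the live policy.
tmp=$(mktemp) && write_sample "$tmp" && summarize_avc "$tmp"; rm -f "$tmp"
```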