[Samba] Strange issue with Samba+CTDB+SELinux+GlusterFS

Thomas Cameron thomas.cameron at camerontech.com
Tue Nov 15 14:23:33 UTC 2022


As root, what does audit2allow -al tell you?

Here's a video I did when I was at Red Hat, talking through SELinux. I 
hope it's helpful. https://www.youtube.com/watch?v=_WOKRaM-HI4

Thomas

On 11/15/22 04:04, Leszek Szczepanowski via samba wrote:
> I think with security=user the rest is simply ignored, and the local auth
> is working fine.
> I will comment out that option for now. The AD integration will be done
> later.
> The main problem is probably not related directly to CTDB, but to what
> Samba is trying to access with SELinux in Enforcing mode.
> As there are no errors in /var/log/messages or in /var/log/audit, I'm lost.
> I forgot to say versions, so:
>
> [root at fs01 samba]# cat /etc/redhat-release
> CentOS Stream release 9
> [root at fs01 samba]# rpm -qa | grep samba
> samba-common-4.16.4-101.el9.noarch
> samba-client-libs-4.16.4-101.el9.x86_64
> samba-common-libs-4.16.4-101.el9.x86_64
> samba-libs-4.16.4-101.el9.x86_64
> python3-samba-4.16.4-101.el9.x86_64
> samba-common-tools-4.16.4-101.el9.x86_64
> samba-4.16.4-101.el9.x86_64
> samba-client-4.16.4-101.el9.x86_64
> samba-winbind-modules-4.16.4-101.el9.x86_64
> samba-winbind-4.16.4-101.el9.x86_64
> samba-winbind-krb5-locator-4.16.4-101.el9.x86_64
> samba-winbind-clients-4.16.4-101.el9.x86_64
> [root at fs01 samba]# rpm -qa | grep ctdb
> ctdb-4.16.4-101.el9.x86_64
> [root at fs01 samba]# uname -a
> Linux fs01.xxx 5.14.0-183.el9.x86_64 #1 SMP PREEMPT_DYNAMIC Mon Oct 31
> 09:18:51 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
>
> Also, the provided errors were wrong, I was playing with permissive mode.
> In enforcing it is:
>
> [2022/11/15 11:02:08,  0]
> ../../source3/lib/dbwrap/dbwrap_ctdb.c:1926(db_open_ctdb)
>    Could not open tdb /var/lib/ctdb/persistent/registry.tdb.0: Permission
> denied
> [2022/11/15 11:02:08,  0]
> ../../source3/lib/dbwrap/dbwrap_open.c:169(db_open)
>    db_open: failed to attach to ctdb registry.tdb
> [2022/11/15 11:02:08,  0]
> ../../source3/lib/dbwrap/dbwrap_ctdb.c:1926(db_open_ctdb)
>    Could not open tdb /var/lib/ctdb/persistent/registry.tdb.0: Permission
> denied
> [2022/11/15 11:02:08,  0]
> ../../source3/lib/dbwrap/dbwrap_open.c:169(db_open)
>    db_open: failed to attach to ctdb registry.tdb
> [2022/11/15 11:02:08,  1]
> ../../source3/registry/reg_backend_db.c:759(regdb_init)
>    regdb_init: Failed to open registry /var/lib/samba/registry.tdb
> (Permission denied)
> [2022/11/15 11:02:08,  0]
> ../../source3/registry/reg_init_basic.c:35(registry_init_common)
>    Failed to initialize the registry: WERR_ACCESS_DENIED
> [2022/11/15 11:02:08,  1]
> ../../source3/param/loadparm.c:2157(lp_smbconf_ctx)
>    error initializing registry configuration: SBC_ERR_BADFILE
> Can't load /etc/samba/smb.conf - run testparm to debug it
> samba-dcerpcd - Failed to load config file!
>
> But at the same time, I can do testparm without any issues:
>
> [root at fs01 samba]# testparm
> Load smb config files from /etc/samba/smb.conf
> Loaded services file OK.
> Weak crypto is allowed
>
> Server role: ROLE_STANDALONE
>
> Press enter to see a dump of your service definitions
>
> # Global parameters
> [global]
>          clustering = Yes
>          logging = syslog
>          netbios name = FS
>          realm = FS.xxx
>          registry shares = Yes
>          security = USER
>          workgroup = xxx
>          idmap config * : range = 1000000-1999999
>          ctdb:registry.tdb = yes
>          idmap config * : backend = autorid
>
>
> [symptoms]
>          path = /mnt/glusterfs/symptoms/
>          read only = No
>
>
> On Tue, 15 Nov 2022 at 10:47, Rowland Penny via samba <samba at lists.samba.org>
> wrote:
>
>>
>> On 15/11/2022 09:21, Leszek Szczepanowski via samba wrote:
>>> I have a very simple config for HA Samba, using CTDB.
>>> I have set all possible SELinux options until "denied" messages stopped
>>> appearing in /var/log/messages.
>>>
>>> All works flawlessly, just the problem is with browsing Samba shares with
>>> enforcing setting.
>>>
>>> When I try to browse shares, I'm getting this:
>>>
>>>     samba-dcerpcd version 4.16.4 started.
>>>     Copyright Andrew Tridgell and the Samba Team 1992-2022
>>> [2022/11/15 10:10:57.674555,  1]
>>> ../../source3/rpc_client/cli_pipe.c:3014(rpc_pipe_open_ncalrpc)
>>>     rpc_pipe_open_ncalrpc: connect(/run/samba/ncalrpc/EPMAPPER) failed: No
>>> such file or directory
>>> [2022/11/15 10:10:57.820626,  1]
>>> ../../source3/rpc_server/rpc_host.c:1763(rpc_worker_exited)
>>>     rpc_worker_exited: No worker with PID 3281
>>> [2022/11/15 10:10:58.040001,  1]
>>> ../../source3/rpc_server/rpc_host.c:1350(rpc_host_distribute_clients)
>>>     rpc_host_distribute_clients: Sending new client
>>> /usr/libexec/samba/rpcd_winreg to 3294 with 0 clients
>>> [2022/11/15 10:10:58.048701,  1]
>>> ../../source3/rpc_server/rpc_host.c:1350(rpc_host_distribute_clients)
>>>     rpc_host_distribute_clients: Sending new client
>>> /usr/libexec/samba/rpcd_winreg to 3294 with 0 clients
>>> [2022/11/15 10:10:58.049474,  1]
>>> ../../source3/rpc_server/rpc_host.c:1350(rpc_host_distribute_clients)
>>>     rpc_host_distribute_clients: Sending new client
>>> /usr/libexec/samba/rpcd_classic to 3292 with 0 clients
>>> [2022/11/15 10:10:58.560868,  1]
>>> ../../source3/rpc_server/rpc_host.c:1350(rpc_host_distribute_clients)
>>>     rpc_host_distribute_clients: Sending new client
>>> /usr/libexec/samba/rpcd_classic to 3292 with 0 clients
>>>
>>> Samba is in clustered mode + registry:
>>>
>>> [root at fs01 samba]# net conf list
>>> [global]
>>>           logging = syslog
>>>           log level = 1
>>>           netbios name = fs
>>>           workgroup = xxx
>>>           realm = xxx
>>>           idmap config * : backend = autorid
>>>           idmap config * : range = 1000000-1999999
>>>           security = user
>> Now I do not know a lot about CTDB, but I do know that you cannot use
>> 'idmap config' lines with 'security = user', they are only used with
>> a domain, so if this cluster is joined to a domain, I would start by
>> changing 'security = user' to 'security = ADS'
>>
>> Rowland
>>
>
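Added example (not part of the thread above, and not Samba or Red Hat code): a small triage script that does by hand what `audit2allow -al` summarises, grouping AVC denials by source domain, target label and object class so you can see whether smbd is being refused access to the CTDB persistent database, and whether the denial was actually enforced (`permissive=0`) or only logged. The audit lines below are constructed for the example; the labels `smbd_t` and `ctdbd_var_lib_t` and the inode/pid values are illustrative assumptions, not taken from the original poster's system.

```python
"""Triage SELinux AVC denials from audit log text.

Groups denials by (source type, target type, object class) so a defender
can see which confined domain was blocked from which labelled object
before deciding whether a boolean, a relabel (restorecon) or a local
policy module is the right fix.
"""
import re

# Layout of an AVC record as the kernel writes it; the named groups are
# the same fields audit2allow keys on.
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample audit records (assumed labels, assumed pids/inodes).
# The third line is a SYSCALL record and must be ignored by the parser.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1668510128.101:311): avc:  denied  { read write } for  pid=4120 comm="smbd" name="registry.tdb.0" dev="dm-0" ino=131077 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1668510128.102:312): avc:  denied  { open } for  pid=4120 comm="smbd" path="/var/lib/ctdb/persistent/registry.tdb.0" dev="dm-0" ino=131077 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1668510128.102:312): arch=c000003e syscall=257 success=no exit=-13 comm="smbd"
type=AVC msg=audit(1668509000.500:290): avc:  denied  { lock } for  pid=4001 comm="smbd" name="registry.tdb.0" dev="dm-0" ino=131077 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=1
"""


def parse_avc(line):
    """Return a dict for one AVC denial line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return {
        'perms': set(m.group('perms').split()),
        'comm': fields.get('comm'),
        # the kernel logs either a bare name or a full path for the object
        'target': fields.get('name') or fields.get('path'),
        'scontext': fields.get('scontext', ''),
        'tcontext': fields.get('tcontext', ''),
        'tclass': fields.get('tclass'),
        # permissive=1 means the access was logged but still allowed
        'enforced': fields.get('permissive', '0') == '0',
    }


def context_type(ctx):
    """Extract the type (third component) of an SELinux context string."""
    parts = ctx.split(':')
    return parts[2] if len(parts) >= 3 else ctx


def summarize(lines):
    """Aggregate denials into {(source_type, target_type, tclass): info}."""
    summary = {}
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (context_type(rec['scontext']), context_type(rec['tcontext']), rec['tclass'])
        info = summary.setdefault(
            key, {'perms': set(), 'targets': set(), 'comms': set(), 'enforced': 0, 'total': 0})
        info['perms'] |= rec['perms']
        if rec['target']:
            info['targets'].add(rec['target'])
        if rec['comm']:
            info['comms'].add(rec['comm'])
        info['total'] += 1
        if rec['enforced']:
            info['enforced'] += 1
    return summary


def report(summary):
    """Render the summary as one line per (source, target, class) group."""
    out = []
    for (src, tgt, cls), info in sorted(summary.items()):
        out.append('%s -> %s (%s): denied { %s } %d/%d enforced; comm=%s; objects=%s' % (
            src, tgt, cls, ' '.join(sorted(info['perms'])), info['enforced'], info['total'],
            ','.join(sorted(info['comms'])), ','.join(sorted(info['targets']))))
    return out


if __name__ == '__main__':
    # Read a real log with: python3 avc_triage.py < /var/log/audit/audit.log
    import sys
    src = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE_AUDIT.splitlines()
    for line in report(summarize(src)):
        print(line)
```

Two caveats worth keeping in mind when the audit log looks empty even though smbd reports "Permission denied": denials covered by a `dontaudit` rule are never written to the log, and `semodule -DB` (rebuild the policy with dontaudit rules disabled; `semodule -B` restores them) makes them visible; and `ausearch -m AVC -ts recent` is a quicker way to pull only AVC records than grepping the raw file. When a group shows a mislabelled target (a label that `restorecon -nv` on the path would change), fixing the file context is the safer repair than generating an allow rule from the denial.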