[Samba] Strange issue with Samba+CTDB+SELinux+GlusterFS

Leszek Szczepanowski twinsen at mspanc.net
Tue Nov 15 16:36:31 UTC 2022


I'm getting this:

type=AVC msg=audit(1668528098.389:291): avc:  denied  { getattr } for
 pid=84190 comm="samba-dcerpcd"
path="/var/lib/ctdb/persistent/registry.tdb.1" dev="dm-0" ino=117620565
scontext=system_u:system_r:winbind_rpcd_t:s0
tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1668528098.389:292): avc:  denied  { map } for
 pid=84190 comm="samba-dcerpcd"
path="/var/lib/ctdb/persistent/registry.tdb.1" dev="dm-0" ino=117620565
scontext=system_u:system_r:winbind_rpcd_t:s0
tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1668528098.391:293): avc:  denied  { setattr } for
 pid=84190 comm="samba-dcerpcd" name="g_lock.tdb.1" dev="dm-0"
ino=152097603 scontext=system_u:system_r:winbind_rpcd_t:s0
tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1668529035.873:308): avc:  denied  { read write } for
 pid=89129 comm="samba-dcerpcd" name="registry.tdb.1" dev="dm-0"
ino=117620565 scontext=system_u:system_r:winbind_rpcd_t:s0
tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1668529035.873:308): avc:  denied  { open } for
 pid=89129 comm="samba-dcerpcd"
path="/var/lib/ctdb/persistent/registry.tdb.1" dev="dm-0" ino=117620565
scontext=system_u:system_r:winbind_rpcd_t:s0
tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1668529035.873:309): avc:  denied  { lock } for
 pid=89129 comm="samba-dcerpcd"
path="/var/lib/ctdb/persistent/registry.tdb.1" dev="dm-0" ino=117620565
scontext=system_u:system_r:winbind_rpcd_t:s0
tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1668529035.873:310): avc:  denied  { getattr } for
 pid=89129 comm="samba-dcerpcd"
path="/var/lib/ctdb/persistent/registry.tdb.1" dev="dm-0" ino=117620565
scontext=system_u:system_r:winbind_rpcd_t:s0
tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1668529035.875:311): avc:  denied  { setattr } for
 pid=89129 comm="samba-dcerpcd" name="g_lock.tdb.1" dev="dm-0"
ino=152097603 scontext=system_u:system_r:winbind_rpcd_t:s0
tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=1

I did
audit2allow -al -M dcerpcd
semodule -i dcerpcd.pp

It was working in Enforcing 1 mode for like 1 minute. After that, again not
working. But this time:

[root at fs02 samba]# audit2allow -al
[root at fs02 samba]#

So the module is active, nothing is denied (no new entries in
/var/log/audit/audit.log), however it's again:

[2022/11/15 17:33:13,  0]
../../source3/lib/dbwrap/dbwrap_ctdb.c:1926(db_open_ctdb)
  Could not open tdb /var/lib/ctdb/persistent/registry.tdb.1: Permission
denied
[2022/11/15 17:33:13,  0]
../../source3/lib/dbwrap/dbwrap_open.c:169(db_open)
  db_open: failed to attach to ctdb registry.tdb
[2022/11/15 17:33:13,  0]
../../source3/lib/dbwrap/dbwrap_ctdb.c:1926(db_open_ctdb)
  Could not open tdb /var/lib/ctdb/persistent/registry.tdb.1: Permission
denied
[2022/11/15 17:33:13,  0]
../../source3/lib/dbwrap/dbwrap_open.c:169(db_open)
  db_open: failed to attach to ctdb registry.tdb
[2022/11/15 17:33:13,  1]
../../source3/registry/reg_backend_db.c:759(regdb_init)
  regdb_init: Failed to open registry /var/lib/samba/registry.tdb
(Permission denied)
[2022/11/15 17:33:13,  0]
../../source3/registry/reg_init_basic.c:35(registry_init_common)
  Failed to initialize the registry: WERR_ACCESS_DENIED
[2022/11/15 17:33:13,  1]
../../source3/param/loadparm.c:2157(lp_smbconf_ctx)
  error initializing registry configuration: SBC_ERR_BADFILE
Can't load /etc/samba/smb.conf - run testparm to debug it
samba-dcerpcd - Failed to load config file!




On Tue, 15 Nov 2022 at 16:09 Thomas Cameron via samba <samba at lists.samba.org>
wrote:

> As root, what does audit2allow -al tell you?
>
> Here's a video I did when I was at Red Hat, talking through SELinux. I
> hope it's helpful. https://www.youtube.com/watch?v=_WOKRaM-HI4
>
> Thomas
>
> On 11/15/22 04:04, Leszek Szczepanowski via samba wrote:
> > I think with security=user the rest is simply ignored, and the local auth
> > is working fine.
> > I will comment out that option for now. The AD integration will be done
> > later.
> > The main problem is probably not related directly to CTDB, but to what
> > Samba is trying to access with SELinux in Enforcing mode.
> > As there are no errors in /var/log/messages or in /var/log/audit, I'm
> lost.
> > I forgot to say versions, so:
> >
> > [root at fs01 samba]# cat /etc/redhat-release
> > CentOS Stream release 9
> > [root at fs01 samba]# rpm -qa | grep samba
> > samba-common-4.16.4-101.el9.noarch
> > samba-client-libs-4.16.4-101.el9.x86_64
> > samba-common-libs-4.16.4-101.el9.x86_64
> > samba-libs-4.16.4-101.el9.x86_64
> > python3-samba-4.16.4-101.el9.x86_64
> > samba-common-tools-4.16.4-101.el9.x86_64
> > samba-4.16.4-101.el9.x86_64
> > samba-client-4.16.4-101.el9.x86_64
> > samba-winbind-modules-4.16.4-101.el9.x86_64
> > samba-winbind-4.16.4-101.el9.x86_64
> > samba-winbind-krb5-locator-4.16.4-101.el9.x86_64
> > samba-winbind-clients-4.16.4-101.el9.x86_64
> > [root at fs01 samba]# rpm -qa | grep ctdb
> > ctdb-4.16.4-101.el9.x86_64
> > [root at fs01 samba]# uname -a
> > Linux fs01.xxx 5.14.0-183.el9.x86_64 #1 SMP PREEMPT_DYNAMIC Mon Oct 31
> > 09:18:51 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
> >
> > Also, the provided errors were wrong, I was playing with permissive mode.
> > In enforcing it is:
> >
> > [2022/11/15 11:02:08,  0]
> > ../../source3/lib/dbwrap/dbwrap_ctdb.c:1926(db_open_ctdb)
> >    Could not open tdb /var/lib/ctdb/persistent/registry.tdb.0: Permission
> > denied
> > [2022/11/15 11:02:08,  0]
> > ../../source3/lib/dbwrap/dbwrap_open.c:169(db_open)
> >    db_open: failed to attach to ctdb registry.tdb
> > [2022/11/15 11:02:08,  0]
> > ../../source3/lib/dbwrap/dbwrap_ctdb.c:1926(db_open_ctdb)
> >    Could not open tdb /var/lib/ctdb/persistent/registry.tdb.0: Permission
> > denied
> > [2022/11/15 11:02:08,  0]
> > ../../source3/lib/dbwrap/dbwrap_open.c:169(db_open)
> >    db_open: failed to attach to ctdb registry.tdb
> > [2022/11/15 11:02:08,  1]
> > ../../source3/registry/reg_backend_db.c:759(regdb_init)
> >    regdb_init: Failed to open registry /var/lib/samba/registry.tdb
> > (Permission denied)
> > [2022/11/15 11:02:08,  0]
> > ../../source3/registry/reg_init_basic.c:35(registry_init_common)
> >    Failed to initialize the registry: WERR_ACCESS_DENIED
> > [2022/11/15 11:02:08,  1]
> > ../../source3/param/loadparm.c:2157(lp_smbconf_ctx)
> >    error initializing registry configuration: SBC_ERR_BADFILE
> > Can't load /etc/samba/smb.conf - run testparm to debug it
> > samba-dcerpcd - Failed to load config file!
> >
> > But at the same time, I can do testparm without any issues:
> >
> > [root at fs01 samba]# testparm
> > Load smb config files from /etc/samba/smb.conf
> > Loaded services file OK.
> > Weak crypto is allowed
> >
> > Server role: ROLE_STANDALONE
> >
> > Press enter to see a dump of your service definitions
> >
> > # Global parameters
> > [global]
> >          clustering = Yes
> >          logging = syslog
> >          netbios name = FS
> >          realm = FS.xxx
> >          registry shares = Yes
> >          security = USER
> >          workgroup = xxx
> >          idmap config * : range = 1000000-1999999
> >          ctdb:registry.tdb = yes
> >          idmap config * : backend = autorid
> >
> >
> > [symptoms]
> >          path = /mnt/glusterfs/symptoms/
> >          read only = No
> >
> >
> > On Tue, 15 Nov 2022 at 10:47 Rowland Penny via samba <samba at lists.samba.org>
> > wrote:
> >
> >>
> >> On 15/11/2022 09:21, Leszek Szczepanowski via samba wrote:
> >>> I have a very simple config for HA Samba, using CTDB.
> >>> I have set all possible SELinux options until "denied" messages stopped
> >>> appearing in /var/log/messages.
> >>>
> >>> All works flawlessly, just the problem is with browsing Samba shares
> with
> >>> enforcing setting.
> >>>
> >>> When I try to browse shares, I'm getting this:
> >>>
> >>>     samba-dcerpcd version 4.16.4 started.
> >>>     Copyright Andrew Tridgell and the Samba Team 1992-2022
> >>> [2022/11/15 10:10:57.674555,  1]
> >>> ../../source3/rpc_client/cli_pipe.c:3014(rpc_pipe_open_ncalrpc)
> >>>     rpc_pipe_open_ncalrpc: connect(/run/samba/ncalrpc/EPMAPPER)
> failed: No
> >>> such file or directory
> >>> [2022/11/15 10:10:57.820626,  1]
> >>> ../../source3/rpc_server/rpc_host.c:1763(rpc_worker_exited)
> >>>     rpc_worker_exited: No worker with PID 3281
> >>> [2022/11/15 10:10:58.040001,  1]
> >>> ../../source3/rpc_server/rpc_host.c:1350(rpc_host_distribute_clients)
> >>>     rpc_host_distribute_clients: Sending new client
> >>> /usr/libexec/samba/rpcd_winreg to 3294 with 0 clients
> >>> [2022/11/15 10:10:58.048701,  1]
> >>> ../../source3/rpc_server/rpc_host.c:1350(rpc_host_distribute_clients)
> >>>     rpc_host_distribute_clients: Sending new client
> >>> /usr/libexec/samba/rpcd_winreg to 3294 with 0 clients
> >>> [2022/11/15 10:10:58.049474,  1]
> >>> ../../source3/rpc_server/rpc_host.c:1350(rpc_host_distribute_clients)
> >>>     rpc_host_distribute_clients: Sending new client
> >>> /usr/libexec/samba/rpcd_classic to 3292 with 0 clients
> >>> [2022/11/15 10:10:58.560868,  1]
> >>> ../../source3/rpc_server/rpc_host.c:1350(rpc_host_distribute_clients)
> >>>     rpc_host_distribute_clients: Sending new client
> >>> /usr/libexec/samba/rpcd_classic to 3292 with 0 clients
> >>>
> >>> Samba is in clustered mode + registry:
> >>>
> >>> [root at fs01 samba]# net conf list
> >>> [global]
> >>>           logging = syslog
> >>>           log level = 1
> >>>           netbios name = fs
> >>>           workgroup = xxx
> >>>           realm = xxx
> >>>           idmap config * : backend = autorid
> >>>           idmap config * : range = 1000000-1999999
> >>>           security = user
> >> Now I do not know a lot about CTDB, but I do know that you cannot use
> >> 'idmap config' lines with 'security = user', they are only used with
> >> a domain, so if this cluster is joined to a domain, I would start by
> >> changing 'security = user' to 'security = ADS'
> >>
> >> Rowland
> >>
> >> --
> >> To unsubscribe from this list go to the following URL and read the
> >> instructions:  https://lists.samba.org/mailman/options/samba
> >>
> >
>
>
>


-- 
Leszek A. Szczepanowski
twinsen at mspanc.net
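As an added example (not part of the thread or of Samba), a small Python parser that aggregates AVC records like the ones quoted above by source type, target type and object class, and renders the allow rule that audit2allow would derive from them; the sample lines are constructed copies of the thread's records with the mail wrapping undone, and it also flags groups whose records all carry permissive=1, since a module built only from those covers just the accesses hit while permissive.

```python
import re
from collections import defaultdict

# Constructed sample records modelled on the AVC lines in the thread
# (same contexts, paths and permissions; archive line-wrapping undone).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1668528098.389:291): avc:  denied  { getattr } for pid=84190 comm="samba-dcerpcd" path="/var/lib/ctdb/persistent/registry.tdb.1" dev="dm-0" ino=117620565 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1668528098.389:292): avc:  denied  { map } for pid=84190 comm="samba-dcerpcd" path="/var/lib/ctdb/persistent/registry.tdb.1" dev="dm-0" ino=117620565 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1668528098.391:293): avc:  denied  { setattr } for pid=84190 comm="samba-dcerpcd" name="g_lock.tdb.1" dev="dm-0" ino=152097603 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1668529035.873:308): avc:  denied  { read write } for pid=89129 comm="samba-dcerpcd" name="registry.tdb.1" dev="dm-0" ino=117620565 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1668529035.873:309): avc:  denied  { lock } for pid=89129 comm="samba-dcerpcd" path="/var/lib/ctdb/persistent/registry.tdb.1" dev="dm-0" ino=117620565 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=1
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for (?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, value may be quoted


def parse_avc(line):
    """Return the denied permissions and the type part of both contexts, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return {
        'perms': m.group('perms').split(),
        'permissive': fields.get('permissive') == '1',
        'scontext': fields['scontext'].split(':')[2],   # user:role:TYPE:level
        'tcontext': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
    }


def summarize(text):
    """Group denials by (source type, target type, class), merging permissions."""
    groups = defaultdict(lambda: {'perms': set(), 'permissive_only': True})
    for rec in filter(None, map(parse_avc, text.splitlines())):
        g = groups[(rec['scontext'], rec['tcontext'], rec['tclass'])]
        g['perms'].update(rec['perms'])
        if not rec['permissive']:
            g['permissive_only'] = False
    return groups


def allow_rules(groups):
    """Render one allow rule per group, noting groups seen only with permissive=1."""
    rules = []
    for (src, tgt, cls), g in sorted(groups.items()):
        note = '  # all records had permissive=1' if g['permissive_only'] else ''
        rules.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(g['perms']))} }};{note}")
    return rules


if __name__ == '__main__':
    print('\n'.join(allow_rules(summarize(SAMPLE_AUDIT))))
```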

