[Samba] Strange issue with Samba+CTDB+SELinux+GlusterFS

Thomas Cameron thomas.cameron at camerontech.com
Tue Nov 15 20:28:01 UTC 2022


What's the label for /var/lib/ctdb/persistent/registry.tdb.1? What does 
ls -lZ tell you?

Thomas

On 11/15/22 10:36, Leszek Szczepanowski wrote:
> I'm getting this:
>
> type=AVC msg=audit(1668528098.389:291): avc:  denied  { getattr } for 
>  pid=84190 comm="samba-dcerpcd" 
> path="/var/lib/ctdb/persistent/registry.tdb.1" dev="dm-0" 
> ino=117620565 scontext=system_u:system_r:winbind_rpcd_t:s0 
> tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=1
> type=AVC msg=audit(1668528098.389:292): avc:  denied  { map } for 
>  pid=84190 comm="samba-dcerpcd" 
> path="/var/lib/ctdb/persistent/registry.tdb.1" dev="dm-0" 
> ino=117620565 scontext=system_u:system_r:winbind_rpcd_t:s0 
> tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=1
> type=AVC msg=audit(1668528098.391:293): avc:  denied  { setattr } for 
>  pid=84190 comm="samba-dcerpcd" name="g_lock.tdb.1" dev="dm-0" 
> ino=152097603 scontext=system_u:system_r:winbind_rpcd_t:s0 
> tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=1
> type=AVC msg=audit(1668529035.873:308): avc:  denied  { read write } 
> for  pid=89129 comm="samba-dcerpcd" name="registry.tdb.1" dev="dm-0" 
> ino=117620565 scontext=system_u:system_r:winbind_rpcd_t:s0 
> tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=1
> type=AVC msg=audit(1668529035.873:308): avc:  denied  { open } for 
>  pid=89129 comm="samba-dcerpcd" 
> path="/var/lib/ctdb/persistent/registry.tdb.1" dev="dm-0" 
> ino=117620565 scontext=system_u:system_r:winbind_rpcd_t:s0 
> tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=1
> type=AVC msg=audit(1668529035.873:309): avc:  denied  { lock } for 
>  pid=89129 comm="samba-dcerpcd" 
> path="/var/lib/ctdb/persistent/registry.tdb.1" dev="dm-0" 
> ino=117620565 scontext=system_u:system_r:winbind_rpcd_t:s0 
> tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=1
> type=AVC msg=audit(1668529035.873:310): avc:  denied  { getattr } for 
>  pid=89129 comm="samba-dcerpcd" 
> path="/var/lib/ctdb/persistent/registry.tdb.1" dev="dm-0" 
> ino=117620565 scontext=system_u:system_r:winbind_rpcd_t:s0 
> tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=1
> type=AVC msg=audit(1668529035.875:311): avc:  denied  { setattr } for 
>  pid=89129 comm="samba-dcerpcd" name="g_lock.tdb.1" dev="dm-0" 
> ino=152097603 scontext=system_u:system_r:winbind_rpcd_t:s0 
> tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=1
>
> I did
> audit2allow -al -M dcerpcd
> semodule -i dcerpcd.pp
>
> It was working in Enforcing 1 mode for like 1 minute. After that, 
> again not working. But this time:
>
> [root at fs02 samba]# audit2allow -al
> [root at fs02 samba]#
>
> So the module is active, nothing is denied (no new entries in 
> /var/log/audit/audit.log), however it's again:
>
> [2022/11/15 17:33:13,  0] 
> ../../source3/lib/dbwrap/dbwrap_ctdb.c:1926(db_open_ctdb)
>   Could not open tdb /var/lib/ctdb/persistent/registry.tdb.1: 
> Permission denied
> [2022/11/15 17:33:13,  0] 
> ../../source3/lib/dbwrap/dbwrap_open.c:169(db_open)
>   db_open: failed to attach to ctdb registry.tdb
> [2022/11/15 17:33:13,  0] 
> ../../source3/lib/dbwrap/dbwrap_ctdb.c:1926(db_open_ctdb)
>   Could not open tdb /var/lib/ctdb/persistent/registry.tdb.1: 
> Permission denied
> [2022/11/15 17:33:13,  0] 
> ../../source3/lib/dbwrap/dbwrap_open.c:169(db_open)
>   db_open: failed to attach to ctdb registry.tdb
> [2022/11/15 17:33:13,  1] 
> ../../source3/registry/reg_backend_db.c:759(regdb_init)
>   regdb_init: Failed to open registry /var/lib/samba/registry.tdb 
> (Permission denied)
> [2022/11/15 17:33:13,  0] 
> ../../source3/registry/reg_init_basic.c:35(registry_init_common)
>   Failed to initialize the registry: WERR_ACCESS_DENIED
> [2022/11/15 17:33:13,  1] 
> ../../source3/param/loadparm.c:2157(lp_smbconf_ctx)
>   error initializing registry configuration: SBC_ERR_BADFILE
> Can't load /etc/samba/smb.conf - run testparm to debug it
> samba-dcerpcd - Failed to load config file!
>
>
>
>
> Tue, 15 Nov 2022 at 16:09 Thomas Cameron via samba 
> <samba at lists.samba.org> wrote:
>
>     As root, what does audit2allow -al tell you?
>
>     Here's a video I did when I was at Red Hat, talking through
>     SELinux. I
>     hope it's helpful. https://www.youtube.com/watch?v=_WOKRaM-HI4
>
>     Thomas
>
>     On 11/15/22 04:04, Leszek Szczepanowski via samba wrote:
>     > I think with security=user the rest is simply ignored, and the
>     local auth
>     > is working fine.
>     > I will comment out that option for now. The AD integration will
>     be done
>     > later.
>     > The main problem is probably not related directly to CTDB, but
>     to what
>     > Samba is trying to access with SELinux in Enforcing mode.
>     > As there are no errors in /var/log/messages or in
>     /var/log/audit, I'm lost.
>     > I forgot to say versions, so:
>     >
>     > [root at fs01 samba]# cat /etc/redhat-release
>     > CentOS Stream release 9
>     > [root at fs01 samba]# rpm -qa | grep samba
>     > samba-common-4.16.4-101.el9.noarch
>     > samba-client-libs-4.16.4-101.el9.x86_64
>     > samba-common-libs-4.16.4-101.el9.x86_64
>     > samba-libs-4.16.4-101.el9.x86_64
>     > python3-samba-4.16.4-101.el9.x86_64
>     > samba-common-tools-4.16.4-101.el9.x86_64
>     > samba-4.16.4-101.el9.x86_64
>     > samba-client-4.16.4-101.el9.x86_64
>     > samba-winbind-modules-4.16.4-101.el9.x86_64
>     > samba-winbind-4.16.4-101.el9.x86_64
>     > samba-winbind-krb5-locator-4.16.4-101.el9.x86_64
>     > samba-winbind-clients-4.16.4-101.el9.x86_64
>     > [root at fs01 samba]# rpm -qa | grep ctdb
>     > ctdb-4.16.4-101.el9.x86_64
>     > [root at fs01 samba]# uname -a
>     > Linux fs01.xxx 5.14.0-183.el9.x86_64 #1 SMP PREEMPT_DYNAMIC Mon
>     Oct 31
>     > 09:18:51 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
>     >
>     > Also, the provided errors were wrong, I was playing with
>     permissive mode.
>     > In enforcing it is:
>     >
>     > [2022/11/15 11:02:08,  0]
>     > ../../source3/lib/dbwrap/dbwrap_ctdb.c:1926(db_open_ctdb)
>     >    Could not open tdb /var/lib/ctdb/persistent/registry.tdb.0:
>     Permission
>     > denied
>     > [2022/11/15 11:02:08,  0]
>     > ../../source3/lib/dbwrap/dbwrap_open.c:169(db_open)
>     >    db_open: failed to attach to ctdb registry.tdb
>     > [2022/11/15 11:02:08,  0]
>     > ../../source3/lib/dbwrap/dbwrap_ctdb.c:1926(db_open_ctdb)
>     >    Could not open tdb /var/lib/ctdb/persistent/registry.tdb.0:
>     Permission
>     > denied
>     > [2022/11/15 11:02:08,  0]
>     > ../../source3/lib/dbwrap/dbwrap_open.c:169(db_open)
>     >    db_open: failed to attach to ctdb registry.tdb
>     > [2022/11/15 11:02:08,  1]
>     > ../../source3/registry/reg_backend_db.c:759(regdb_init)
>     >    regdb_init: Failed to open registry /var/lib/samba/registry.tdb
>     > (Permission denied)
>     > [2022/11/15 11:02:08,  0]
>     > ../../source3/registry/reg_init_basic.c:35(registry_init_common)
>     >    Failed to initialize the registry: WERR_ACCESS_DENIED
>     > [2022/11/15 11:02:08,  1]
>     > ../../source3/param/loadparm.c:2157(lp_smbconf_ctx)
>     >    error initializing registry configuration: SBC_ERR_BADFILE
>     > Can't load /etc/samba/smb.conf - run testparm to debug it
>     > samba-dcerpcd - Failed to load config file!
>     >
>     > But at the same time, I can do testparm without any issues:
>     >
>     > [root at fs01 samba]# testparm
>     > Load smb config files from /etc/samba/smb.conf
>     > Loaded services file OK.
>     > Weak crypto is allowed
>     >
>     > Server role: ROLE_STANDALONE
>     >
>     > Press enter to see a dump of your service definitions
>     >
>     > # Global parameters
>     > [global]
>     >          clustering = Yes
>     >          logging = syslog
>     >          netbios name = FS
>     >          realm = FS.xxx
>     >          registry shares = Yes
>     >          security = USER
>     >          workgroup = xxx
>     >          idmap config * : range = 1000000-1999999
>     >          ctdb:registry.tdb = yes
>     >          idmap config * : backend = autorid
>     >
>     >
>     > [symptoms]
>     >          path = /mnt/glusterfs/symptoms/
>     >          read only = No
>     >
>     >
>     > Tue, 15 Nov 2022 at 10:47 Rowland Penny via samba
>     <samba at lists.samba.org>
>     > wrote:
>     >
>     >>
>     >> On 15/11/2022 09:21, Leszek Szczepanowski via samba wrote:
>     >>> I have very simple config for HA Samba, using CTDB.
>     >>> I have set all possible SELinux options until "denied"
>     messages stopped
>     >>> appearing in /var/log/messages.
>     >>>
>     >>> All works flawlessly, just the problem is with browsing Samba
>     shares with
>     >>> enforcing setting.
>     >>>
>     >>> When I try to browse shares, I'm getting this:
>     >>>
>     >>>     samba-dcerpcd version 4.16.4 started.
>     >>>     Copyright Andrew Tridgell and the Samba Team 1992-2022
>     >>> [2022/11/15 10:10:57.674555,  1]
>     >>> ../../source3/rpc_client/cli_pipe.c:3014(rpc_pipe_open_ncalrpc)
>     >>>     rpc_pipe_open_ncalrpc:
>     connect(/run/samba/ncalrpc/EPMAPPER) failed: No
>     >>> such file or directory
>     >>> [2022/11/15 10:10:57.820626,  1]
>     >>> ../../source3/rpc_server/rpc_host.c:1763(rpc_worker_exited)
>     >>>     rpc_worker_exited: No worker with PID 3281
>     >>> [2022/11/15 10:10:58.040001,  1]
>     >>>
>     ../../source3/rpc_server/rpc_host.c:1350(rpc_host_distribute_clients)
>     >>>     rpc_host_distribute_clients: Sending new client
>     >>> /usr/libexec/samba/rpcd_winreg to 3294 with 0 clients
>     >>> [2022/11/15 10:10:58.048701,  1]
>     >>>
>     ../../source3/rpc_server/rpc_host.c:1350(rpc_host_distribute_clients)
>     >>>     rpc_host_distribute_clients: Sending new client
>     >>> /usr/libexec/samba/rpcd_winreg to 3294 with 0 clients
>     >>> [2022/11/15 10:10:58.049474,  1]
>     >>>
>     ../../source3/rpc_server/rpc_host.c:1350(rpc_host_distribute_clients)
>     >>>     rpc_host_distribute_clients: Sending new client
>     >>> /usr/libexec/samba/rpcd_classic to 3292 with 0 clients
>     >>> [2022/11/15 10:10:58.560868,  1]
>     >>>
>     ../../source3/rpc_server/rpc_host.c:1350(rpc_host_distribute_clients)
>     >>>     rpc_host_distribute_clients: Sending new client
>     >>> /usr/libexec/samba/rpcd_classic to 3292 with 0 clients
>     >>>
>     >>> Samba is in clustered mode + registry:
>     >>>
>     >>> [root at fs01 samba]# net conf list
>     >>> [global]
>     >>>           logging = syslog
>     >>>           log level = 1
>     >>>           netbios name = fs
>     >>>           workgroup = xxx
>     >>>           realm = xxx
>     >>>           idmap config * : backend = autorid
>     >>>           idmap config * : range = 1000000-1999999
>     >>>           security = user
>     >> Now I do not know a lot about CTDB, but I do know that you
>     cannot use
>     >> 'idmap config' lines with 'security = user', they are only
>     used with
>     >> a domain, so if this cluster is joined to a domain, I would
>     start by
>     >> changing 'security = user' to 'security = ADS'
>     >>
>     >> Rowland
>     >>
>     >> --
>     >> To unsubscribe from this list go to the following URL and read the
>     >> instructions: https://lists.samba.org/mailman/options/samba
>     >>
>     >
>
>
>
>
>
> -- 
> Leszek A. Szczepanowski
> twinsen at mspanc.net
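Since the thread turns on what the generated module actually grants, here is an added example (not from the thread, Samba or CTDB) that aggregates the quoted AVC records into the audit2allow-style allow rule, so the permissions winbind_rpcd_t would get on ctdbd_var_lib_t files can be reviewed before `semodule -i` installs them; the three sample records are copied from the thread above.

```python
"""Summarise SELinux AVC denials into the allow rules audit2allow would emit."""
import re
from collections import defaultdict

# Three AVC records copied from the thread above, one per line.
SAMPLE_AVC = """\
type=AVC msg=audit(1668528098.389:291): avc:  denied  { getattr } for  pid=84190 comm="samba-dcerpcd" path="/var/lib/ctdb/persistent/registry.tdb.1" dev="dm-0" ino=117620565 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1668528098.389:292): avc:  denied  { map } for  pid=84190 comm="samba-dcerpcd" path="/var/lib/ctdb/persistent/registry.tdb.1" dev="dm-0" ino=117620565 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1668529035.873:308): avc:  denied  { read write } for  pid=89129 comm="samba-dcerpcd" name="registry.tdb.1" dev="dm-0" ino=117620565 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=1
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}"   # requested permissions
    r".*?scontext=(?P<scon>\S+)"
    r"\s+tcontext=(?P<tcon>\S+)"
    r"\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)


def sel_type(context):
    """Type field of a user:role:type[:level] SELinux context string."""
    return context.split(":")[2]


def parse_avc(text):
    """One dict per AVC line; lines that are not AVC records are ignored."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        records.append({
            "perms": frozenset(m["perms"].split()),
            "stype": sel_type(m["scon"]),
            "ttype": sel_type(m["tcon"]),
            "tclass": m["tclass"],
            # permissive=1: the access was logged but still allowed
            "permissive": m["permissive"] == "1",
        })
    return records


def allow_rules(text):
    """Merge denials per (source, target, class) into audit2allow-style rules."""
    merged = defaultdict(set)
    for r in parse_avc(text):
        merged[(r["stype"], r["ttype"], r["tclass"])] |= r["perms"]
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(merged.items())]


def enforced_denials(text):
    """Count records with permissive=0, i.e. denials that really blocked access."""
    return sum(1 for r in parse_avc(text) if not r["permissive"])
```

Bear in mind that audit2allow only sees what was audited: if the module is loaded and no new AVC records appear while the open still fails with "Permission denied", the refusal may come from ordinary file ownership or mode rather than SELinux, which is what ls -lZ shows alongside the label.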