[Samba] Strange issue with Samba+CTDB+SELinux+GlusterFS
Leszek Szczepanowski
twinsen at mspanc.net
Tue Nov 15 21:44:17 UTC 2022
Hi,
[root at fs01 symptoms]# ls -lZ /var/lib/ctdb/persistent/registry.tdb
ls: cannot access '/var/lib/ctdb/persistent/registry.tdb': No such file or directory
[root at fs01 symptoms]# find / -name registry.tdb
[root at fs01 symptoms]#
[root at fs01 symptoms]# ls -lZ /var/lib/ctdb/persistent/
total 20832
-rw-------. 1 root root system_u:object_r:ctdbd_var_lib_t:s0 7892992 Nov 15 18:50 account_policy.tdb.0
-rw-r--r--. 1 root root system_u:object_r:ctdbd_var_lib_t:s0 1327104 Nov 15 18:50 autorid.tdb.0
-rw-------. 1 root root system_u:object_r:ctdbd_var_lib_t:s0 1310720 Nov 15 18:50 ctdb.tdb.0
-rw-------. 1 root root system_u:object_r:ctdbd_var_lib_t:s0 1310720 Nov 15 18:50 group_mapping.tdb.0
-rw-------. 1 root root system_u:object_r:ctdbd_var_lib_t:s0 2560000 Nov 15 18:50 passdb.tdb.0
-rw-r--r--. 1 root root system_u:object_r:ctdbd_var_lib_t:s0 1310720 Nov 15 18:50 printer_list.tdb.0
-rw-------. 1 root root system_u:object_r:ctdbd_var_lib_t:s0 1736704 Nov 15 18:50 registry.tdb.0
-rw-------. 1 root root system_u:object_r:ctdbd_var_lib_t:s0 2146304 Nov 15 18:50 secrets.tdb.0
-rw-------. 1 root root system_u:object_r:ctdbd_var_lib_t:s0 1736704 Nov 15 18:50 share_info.tdb.0
[root at fs01 symptoms]# ls -lZ /var/lib/ctdb/persistent/registry.tdb.0
-rw-------. 1 root root system_u:object_r:ctdbd_var_lib_t:s0 1736704 Nov 15 18:50 /var/lib/ctdb/persistent/registry.tdb.0
That is strange. Why .0?
On Tue, 15 Nov 2022 at 21:28, Thomas Cameron <thomas.cameron at camerontech.com> wrote:
> What's the label for /var/lib/ctdb/persistent/registry.tdb.1? What does ls -lZ tell you?
>
> Thomas
>
> On 11/15/22 10:36, Leszek Szczepanowski wrote:
>
> I'm getting this:
>
> type=AVC msg=audit(1668528098.389:291): avc: denied { getattr } for pid=84190 comm="samba-dcerpcd" path="/var/lib/ctdb/persistent/registry.tdb.1" dev="dm-0" ino=117620565 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=1
> type=AVC msg=audit(1668528098.389:292): avc: denied { map } for pid=84190 comm="samba-dcerpcd" path="/var/lib/ctdb/persistent/registry.tdb.1" dev="dm-0" ino=117620565 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=1
> type=AVC msg=audit(1668528098.391:293): avc: denied { setattr } for pid=84190 comm="samba-dcerpcd" name="g_lock.tdb.1" dev="dm-0" ino=152097603 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=1
> type=AVC msg=audit(1668529035.873:308): avc: denied { read write } for pid=89129 comm="samba-dcerpcd" name="registry.tdb.1" dev="dm-0" ino=117620565 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=1
> type=AVC msg=audit(1668529035.873:308): avc: denied { open } for pid=89129 comm="samba-dcerpcd" path="/var/lib/ctdb/persistent/registry.tdb.1" dev="dm-0" ino=117620565 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=1
> type=AVC msg=audit(1668529035.873:309): avc: denied { lock } for pid=89129 comm="samba-dcerpcd" path="/var/lib/ctdb/persistent/registry.tdb.1" dev="dm-0" ino=117620565 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=1
> type=AVC msg=audit(1668529035.873:310): avc: denied { getattr } for pid=89129 comm="samba-dcerpcd" path="/var/lib/ctdb/persistent/registry.tdb.1" dev="dm-0" ino=117620565 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=1
> type=AVC msg=audit(1668529035.875:311): avc: denied { setattr } for pid=89129 comm="samba-dcerpcd" name="g_lock.tdb.1" dev="dm-0" ino=152097603 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=1
>
> I did
> audit2allow -al -M dcerpcd
> semodule -i dcerpcd.pp
>
> It was working in Enforcing 1 mode for like 1 minute. After that, again
> not working. But this time:
>
> [root at fs02 samba]# audit2allow -al
> [root at fs02 samba]#
>
> So the module is active, nothing is denied (no new entries in
> /var/log/audit/audit.log), however it's again:
>
> [2022/11/15 17:33:13, 0]
> ../../source3/lib/dbwrap/dbwrap_ctdb.c:1926(db_open_ctdb)
> Could not open tdb /var/lib/ctdb/persistent/registry.tdb.1: Permission denied
> [2022/11/15 17:33:13, 0]
> ../../source3/lib/dbwrap/dbwrap_open.c:169(db_open)
> db_open: failed to attach to ctdb registry.tdb
> [2022/11/15 17:33:13, 0]
> ../../source3/lib/dbwrap/dbwrap_ctdb.c:1926(db_open_ctdb)
> Could not open tdb /var/lib/ctdb/persistent/registry.tdb.1: Permission denied
> [2022/11/15 17:33:13, 0]
> ../../source3/lib/dbwrap/dbwrap_open.c:169(db_open)
> db_open: failed to attach to ctdb registry.tdb
> [2022/11/15 17:33:13, 1]
> ../../source3/registry/reg_backend_db.c:759(regdb_init)
> regdb_init: Failed to open registry /var/lib/samba/registry.tdb
> (Permission denied)
> [2022/11/15 17:33:13, 0]
> ../../source3/registry/reg_init_basic.c:35(registry_init_common)
> Failed to initialize the registry: WERR_ACCESS_DENIED
> [2022/11/15 17:33:13, 1]
> ../../source3/param/loadparm.c:2157(lp_smbconf_ctx)
> error initializing registry configuration: SBC_ERR_BADFILE
> Can't load /etc/samba/smb.conf - run testparm to debug it
> samba-dcerpcd - Failed to load config file!
>
>
>
>
> On Tue, 15 Nov 2022 at 16:09, Thomas Cameron via samba <samba at lists.samba.org> wrote:
>
>> As root, what does audit2allow -al tell you?
>>
>> Here's a video I did when I was at Red Hat, talking through SELinux. I
>> hope it's helpful. https://www.youtube.com/watch?v=_WOKRaM-HI4
>>
>> Thomas
>>
>> On 11/15/22 04:04, Leszek Szczepanowski via samba wrote:
>> > I think with security=user the rest is simply ignored, and the local auth is working fine.
>> > I will comment out that option for now. The AD integration will be done later.
>> > The main problem is probably not related directly to CTDB, but to what Samba is trying to access with SELinux in Enforcing mode.
>> > As there are no errors in /var/log/messages or in /var/log/audit, I'm lost.
>> > I forgot to say versions, so:
>> >
>> > [root at fs01 samba]# cat /etc/redhat-release
>> > CentOS Stream release 9
>> > [root at fs01 samba]# rpm -qa | grep samba
>> > samba-common-4.16.4-101.el9.noarch
>> > samba-client-libs-4.16.4-101.el9.x86_64
>> > samba-common-libs-4.16.4-101.el9.x86_64
>> > samba-libs-4.16.4-101.el9.x86_64
>> > python3-samba-4.16.4-101.el9.x86_64
>> > samba-common-tools-4.16.4-101.el9.x86_64
>> > samba-4.16.4-101.el9.x86_64
>> > samba-client-4.16.4-101.el9.x86_64
>> > samba-winbind-modules-4.16.4-101.el9.x86_64
>> > samba-winbind-4.16.4-101.el9.x86_64
>> > samba-winbind-krb5-locator-4.16.4-101.el9.x86_64
>> > samba-winbind-clients-4.16.4-101.el9.x86_64
>> > [root at fs01 samba]# rpm -qa | grep ctdb
>> > ctdb-4.16.4-101.el9.x86_64
>> > [root at fs01 samba]# uname -a
>> > Linux fs01.xxx 5.14.0-183.el9.x86_64 #1 SMP PREEMPT_DYNAMIC Mon Oct 31 09:18:51 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
>> >
>> > Also, the provided errors were wrong, I was playing with permissive mode.
>> > In enforcing it is:
>> >
>> > [2022/11/15 11:02:08, 0]
>> > ../../source3/lib/dbwrap/dbwrap_ctdb.c:1926(db_open_ctdb)
>> > Could not open tdb /var/lib/ctdb/persistent/registry.tdb.0: Permission denied
>> > [2022/11/15 11:02:08, 0]
>> > ../../source3/lib/dbwrap/dbwrap_open.c:169(db_open)
>> > db_open: failed to attach to ctdb registry.tdb
>> > [2022/11/15 11:02:08, 0]
>> > ../../source3/lib/dbwrap/dbwrap_ctdb.c:1926(db_open_ctdb)
>> > Could not open tdb /var/lib/ctdb/persistent/registry.tdb.0: Permission denied
>> > [2022/11/15 11:02:08, 0]
>> > ../../source3/lib/dbwrap/dbwrap_open.c:169(db_open)
>> > db_open: failed to attach to ctdb registry.tdb
>> > [2022/11/15 11:02:08, 1]
>> > ../../source3/registry/reg_backend_db.c:759(regdb_init)
>> > regdb_init: Failed to open registry /var/lib/samba/registry.tdb
>> > (Permission denied)
>> > [2022/11/15 11:02:08, 0]
>> > ../../source3/registry/reg_init_basic.c:35(registry_init_common)
>> > Failed to initialize the registry: WERR_ACCESS_DENIED
>> > [2022/11/15 11:02:08, 1]
>> > ../../source3/param/loadparm.c:2157(lp_smbconf_ctx)
>> > error initializing registry configuration: SBC_ERR_BADFILE
>> > Can't load /etc/samba/smb.conf - run testparm to debug it
>> > samba-dcerpcd - Failed to load config file!
>> >
>> > But in the same time, I can do testparm without any issues:
>> >
>> > [root at fs01 samba]# testparm
>> > Load smb config files from /etc/samba/smb.conf
>> > Loaded services file OK.
>> > Weak crypto is allowed
>> >
>> > Server role: ROLE_STANDALONE
>> >
>> > Press enter to see a dump of your service definitions
>> >
>> > # Global parameters
>> > [global]
>> > clustering = Yes
>> > logging = syslog
>> > netbios name = FS
>> > realm = FS.xxx
>> > registry shares = Yes
>> > security = USER
>> > workgroup = xxx
>> > idmap config * : range = 1000000-1999999
>> > ctdb:registry.tdb = yes
>> > idmap config * : backend = autorid
>> >
>> >
>> > [symptoms]
>> > path = /mnt/glusterfs/symptoms/
>> > read only = No
>> >
>> >
>> > On Tue, 15 Nov 2022 at 10:47, Rowland Penny via samba <samba at lists.samba.org> wrote:
>> >
>> >>
>> >> On 15/11/2022 09:21, Leszek Szczepanowski via samba wrote:
>> >>> I have very simple config for HA Samba, using CTDB.
>> >>> I have set all possible SELinux options until "denied" messages stopped appearing in /var/log/messages.
>> >>>
>> >>> All works flawlessly, just the problem is with browsing Samba shares with enforcing setting.
>> >>>
>> >>> When I try to browse shares, I'm getting this:
>> >>>
>> >>> samba-dcerpcd version 4.16.4 started.
>> >>> Copyright Andrew Tridgell and the Samba Team 1992-2022
>> >>> [2022/11/15 10:10:57.674555, 1]
>> >>> ../../source3/rpc_client/cli_pipe.c:3014(rpc_pipe_open_ncalrpc)
>> >>> rpc_pipe_open_ncalrpc: connect(/run/samba/ncalrpc/EPMAPPER) failed: No such file or directory
>> >>> [2022/11/15 10:10:57.820626, 1]
>> >>> ../../source3/rpc_server/rpc_host.c:1763(rpc_worker_exited)
>> >>> rpc_worker_exited: No worker with PID 3281
>> >>> [2022/11/15 10:10:58.040001, 1]
>> >>> ../../source3/rpc_server/rpc_host.c:1350(rpc_host_distribute_clients)
>> >>> rpc_host_distribute_clients: Sending new client
>> >>> /usr/libexec/samba/rpcd_winreg to 3294 with 0 clients
>> >>> [2022/11/15 10:10:58.048701, 1]
>> >>> ../../source3/rpc_server/rpc_host.c:1350(rpc_host_distribute_clients)
>> >>> rpc_host_distribute_clients: Sending new client
>> >>> /usr/libexec/samba/rpcd_winreg to 3294 with 0 clients
>> >>> [2022/11/15 10:10:58.049474, 1]
>> >>> ../../source3/rpc_server/rpc_host.c:1350(rpc_host_distribute_clients)
>> >>> rpc_host_distribute_clients: Sending new client
>> >>> /usr/libexec/samba/rpcd_classic to 3292 with 0 clients
>> >>> [2022/11/15 10:10:58.560868, 1]
>> >>> ../../source3/rpc_server/rpc_host.c:1350(rpc_host_distribute_clients)
>> >>> rpc_host_distribute_clients: Sending new client
>> >>> /usr/libexec/samba/rpcd_classic to 3292 with 0 clients
>> >>>
>> >>> Samba is in clustered mode + registry:
>> >>>
>> >>> [root at fs01 samba]# net conf list
>> >>> [global]
>> >>> logging = syslog
>> >>> log level = 1
>> >>> netbios name = fs
>> >>> workgroup = xxx
>> >>> realm = xxx
>> >>> idmap config * : backend = autorid
>> >>> idmap config * : range = 1000000-1999999
>> >>> security = user
>> >> Now I do not know a lot about CTDB, but I do know that you cannot use
>> >> 'idmap config' lines with 'security = user', they are only used with
>> >> a domain, so if this cluster is joined to a domain, I would start by
>> >> changing 'security = user' to 'security = ADS'
>> >>
>> >> Rowland
>> >>
>> >> --
>> >> To unsubscribe from this list go to the following URL and read the
>> >> instructions: https://lists.samba.org/mailman/options/samba
>> >>
>> >
>>
>>
>>
--
Leszek A. Szczepanowski
twinsen at mspanc.net
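The AVC records quoted earlier in this thread are exactly what `audit2allow -al -M dcerpcd` turns into a policy module. What follows is an added example, not code from the thread, from Samba, CTDB or the SELinux tools: a small Python script that parses raw audit records, keeps only AVC denials, and aggregates the denied permissions per (source type, target type, class), so you can read what a generated allow rule would grant before loading it with `semodule -i`. The sample input is the thread's own AVC lines re-joined onto single lines, plus one constructed SYSCALL record to show that non-AVC records are skipped.

```python
"""Aggregate SELinux AVC denials into candidate allow rules.

Added example for this thread; not part of Samba, CTDB or the SELinux
tooling (audit2allow does this, and more, for real). It reads raw audit
records, keeps only AVC denials, and groups the denied permissions by
(source type, target type, class) the way a policy rule would, so a
reviewer sees in one line what a generated module would grant.
"""
import re
from collections import defaultdict

# Sample input: the AVC records quoted in the thread, re-joined onto one
# line each, plus one constructed SYSCALL record to show it is skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1668528098.389:291): avc:  denied  { getattr } for  pid=84190 comm="samba-dcerpcd" path="/var/lib/ctdb/persistent/registry.tdb.1" dev="dm-0" ino=117620565 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1668528098.389:292): avc:  denied  { map } for  pid=84190 comm="samba-dcerpcd" path="/var/lib/ctdb/persistent/registry.tdb.1" dev="dm-0" ino=117620565 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1668528098.391:293): avc:  denied  { setattr } for  pid=84190 comm="samba-dcerpcd" name="g_lock.tdb.1" dev="dm-0" ino=152097603 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1668529035.873:308): avc:  denied  { read write } for  pid=89129 comm="samba-dcerpcd" name="registry.tdb.1" dev="dm-0" ino=117620565 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1668529035.873:308): avc:  denied  { open } for  pid=89129 comm="samba-dcerpcd" path="/var/lib/ctdb/persistent/registry.tdb.1" dev="dm-0" ino=117620565 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1668529035.873:309): avc:  denied  { lock } for  pid=89129 comm="samba-dcerpcd" path="/var/lib/ctdb/persistent/registry.tdb.1" dev="dm-0" ino=117620565 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1668529035.873:309): arch=c000003e syscall=257 success=yes exit=11 comm="samba-dcerpcd" subj=system_u:system_r:winbind_rpcd_t:s0
"""

# "type=AVC ... avc: denied { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(
    r"^type=AVC\b.*?\bavc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Return the type field of an SELinux context (user:role:type:level)."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def parse_avc(line):
    """Parse one audit record; return a dict for AVC denials, else None."""
    m = AVC_RE.match(line.strip())
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "perms": set(m.group("perms").split()),
        "stype": context_type(fields.get("scontext", "")),
        "ttype": context_type(fields.get("tcontext", "")),
        "tclass": fields.get("tclass", ""),
        "comm": fields.get("comm", ""),
        # The kernel logs either a full path or just the file name.
        "target": fields.get("path") or fields.get("name") or "",
        # permissive=1: the access went ahead and was only logged;
        # permissive=0: the access was actually blocked.
        "permissive": fields.get("permissive") == "1",
    }


def summarize(lines):
    """Group denials by (source type, target type, class)."""
    groups = defaultdict(lambda: {"perms": set(), "targets": set(),
                                  "comms": set(), "permissive_only": True})
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue  # SYSCALL, PATH, CWD and other record types
        g = groups[(rec["stype"], rec["ttype"], rec["tclass"])]
        g["perms"] |= rec["perms"]
        g["targets"].add(rec["target"])
        g["comms"].add(rec["comm"])
        g["permissive_only"] &= rec["permissive"]
    return dict(groups)


def to_allow_rules(groups):
    """Render each group as the allow rule a policy module would contain."""
    rules = []
    for (stype, ttype, tclass), g in sorted(groups.items()):
        perms = " ".join(sorted(g["perms"]))
        rules.append(f"allow {stype} {ttype}:{tclass} {{ {perms} }};")
    return rules


if __name__ == "__main__":
    groups = summarize(SAMPLE_AUDIT_LOG.splitlines())
    for rule, (_, g) in zip(to_allow_rules(groups), sorted(groups.items())):
        mode = "permissive" if g["permissive_only"] else "enforcing"
        comms = ", ".join(sorted(g["comms"]))
        print(f"{rule}   # {len(g['targets'])} target(s), logged in {mode} mode, by {comms}")
```

Run it as is, or feed `summarize()` the lines of `ausearch -m AVC --raw` from the host in question. Two caveats that match what this thread ran into: a capture taken in permissive mode (every record above carries `permissive=1`) is the more complete list, because in enforcing mode the first blocked access aborts the operation and later denials never happen; and a "Permission denied" with no new AVC record usually means the denial is covered by a dontaudit rule (`semodule -DB` rebuilds the policy with dontaudit disabled so it shows up; `semodule -B` restores it) or is a plain DAC failure rather than SELinux at all. The `.0`/`.1` suffix on the files is CTDB's per-node copy of each persistent database (the number is the node's PNN), which is why fs01 shows `registry.tdb.0` while the fs02 log names `registry.tdb.1`.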