[Samba] Strange issue with Samba+CTDB+SELinux+GlusterFS

Leszek Szczepanowski twinsen at mspanc.net
Wed Nov 16 10:41:37 UTC 2022


Hi,

So this is the flow:

[root at fs01 lszczepa]# semanage fcontext -a -t ctdbd_var_lib_t
"/var/lib/ctdb/persistent(/.*)?"
[root at fs01 lszczepa]# getenforce
Permissive
[root at fs01 samba]# setenforce 1
[root at fs01 samba]# tail -f log.samba-dcerpcd

[attempt to browse shares after setenforce 1] log.samba-dcerpcd:
[2022/11/16 11:27:20.055038,  1]
../../source3/rpc_server/rpc_host.c:1350(rpc_host_distribute_clients)
  rpc_host_distribute_clients: Sending new client
/usr/libexec/samba/rpcd_winreg to 365918 with 0 clients
[2022/11/16 11:27:20.063589,  1]
../../source3/rpc_server/rpc_host.c:1350(rpc_host_distribute_clients)
  rpc_host_distribute_clients: Sending new client
/usr/libexec/samba/rpcd_winreg to 365918 with 0 clients
[2022/11/16 11:27:20.064348,  1]
../../source3/rpc_server/rpc_host.c:1350(rpc_host_distribute_clients)
  rpc_host_distribute_clients: Sending new client
/usr/libexec/samba/rpcd_classic to 365916 with 0 clients
[2022/11/16 11:27:48.997477,  1]
../../source3/rpc_server/rpc_host.c:1350(rpc_host_distribute_clients)
  rpc_host_distribute_clients: Sending new client
/usr/libexec/samba/rpcd_classic to 365916 with 0 clients
[2022/11/16 11:28:02.217934,  1]
../../source3/rpc_server/rpc_host.c:1350(rpc_host_distribute_clients)
  rpc_host_distribute_clients: Sending new client
/usr/libexec/samba/rpcd_classic to 365916 with 0 clients

Corresponding /var/log/messages:

Nov 16 11:27:19 fs01 samba-dcerpcd[365899]: [2022/11/16 11:27:19.826956,
 1] ../../source3/rpc_client/cli_pipe.c:3014(rpc_pipe_open_ncalrpc)
Nov 16 11:27:19 fs01 samba-dcerpcd[365899]:  rpc_pipe_open_ncalrpc:
connect(/run/samba/ncalrpc/EPMAPPER) failed: No such file or directory
Nov 16 11:27:19 fs01 samba-dcerpcd[365899]: [2022/11/16 11:27:19.878835,
 1] ../../source3/rpc_server/rpc_host.c:1763(rpc_worker_exited)
Nov 16 11:27:19 fs01 samba-dcerpcd[365899]:  rpc_worker_exited: No worker
with PID 365905
Nov 16 11:27:20 fs01 samba-dcerpcd[365899]: [2022/11/16 11:27:20.055038,
 1] ../../source3/rpc_server/rpc_host.c:1350(rpc_host_distribute_clients)
Nov 16 11:27:20 fs01 samba-dcerpcd[365899]:  rpc_host_distribute_clients:
Sending new client /usr/libexec/samba/rpcd_winreg to 365918 with 0 clients
Nov 16 11:27:20 fs01 samba-dcerpcd[365899]: [2022/11/16 11:27:20.063589,
 1] ../../source3/rpc_server/rpc_host.c:1350(rpc_host_distribute_clients)
Nov 16 11:27:20 fs01 samba-dcerpcd[365899]:  rpc_host_distribute_clients:
Sending new client /usr/libexec/samba/rpcd_winreg to 365918 with 0 clients
Nov 16 11:27:20 fs01 samba-dcerpcd[365899]: [2022/11/16 11:27:20.064348,
 1] ../../source3/rpc_server/rpc_host.c:1350(rpc_host_distribute_clients)
Nov 16 11:27:20 fs01 samba-dcerpcd[365899]:  rpc_host_distribute_clients:
Sending new client /usr/libexec/samba/rpcd_classic to 365916 with 0 clients
Nov 16 11:27:48 fs01 samba-dcerpcd[365899]: [2022/11/16 11:27:48.997477,
 1] ../../source3/rpc_server/rpc_host.c:1350(rpc_host_distribute_clients)
Nov 16 11:27:48 fs01 samba-dcerpcd[365899]:  rpc_host_distribute_clients:
Sending new client /usr/libexec/samba/rpcd_classic to 365916 with 0 clients
Nov 16 11:28:02 fs01 samba-dcerpcd[365899]: [2022/11/16 11:28:02.217934,
 1] ../../source3/rpc_server/rpc_host.c:1350(rpc_host_distribute_clients)
Nov 16 11:28:02 fs01 samba-dcerpcd[365899]:  rpc_host_distribute_clients:
Sending new client /usr/libexec/samba/rpcd_classic to 365916 with 0 clients
Nov 16 11:30:04 fs01 dbus-broker-launch[1295]: avc:  op=setenforce
lsm=selinux enforcing=1 res=1
Nov 16 11:30:04 fs01 dbus-broker-launch[1295]: avc:  op=load_policy
lsm=selinux seqno=4 res=1
Nov 16 11:30:04 fs01 systemd[1]: Starting system activity accounting tool...
Nov 16 11:30:04 fs01 systemd[1]: sysstat-collect.service: Deactivated
successfully.
Nov 16 11:30:04 fs01 systemd[1]: Finished system activity accounting tool.

[after about 4 minutes] log.samba-dcerpcd:
[2022/11/16 11:32:05,  0]
../../source3/lib/dbwrap/dbwrap_ctdb.c:1926(db_open_ctdb)
  Could not open tdb /var/lib/ctdb/persistent/registry.tdb.0: Permission
denied
[2022/11/16 11:32:05,  0]
../../source3/lib/dbwrap/dbwrap_open.c:169(db_open)
  db_open: failed to attach to ctdb registry.tdb
[2022/11/16 11:32:05,  0]
../../source3/lib/dbwrap/dbwrap_ctdb.c:1926(db_open_ctdb)
  Could not open tdb /var/lib/ctdb/persistent/registry.tdb.0: Permission
denied
[2022/11/16 11:32:05,  0]
../../source3/lib/dbwrap/dbwrap_open.c:169(db_open)
  db_open: failed to attach to ctdb registry.tdb
[2022/11/16 11:32:05,  1]
../../source3/registry/reg_backend_db.c:759(regdb_init)
  regdb_init: Failed to open registry /var/lib/samba/registry.tdb
(Permission denied)
[2022/11/16 11:32:05,  0]
../../source3/registry/reg_init_basic.c:35(registry_init_common)
  Failed to initialize the registry: WERR_ACCESS_DENIED
[2022/11/16 11:32:05,  1]
../../source3/param/loadparm.c:2157(lp_smbconf_ctx)
  error initializing registry configuration: SBC_ERR_BADFILE
Can't load /etc/samba/smb.conf - run testparm to debug it
samba-dcerpcd - Failed to load config file!

[root at fs01 samba]# audit2allow -al
[root at fs01 samba]#

Nothing interesting in /var/log/audit/audit.log:

type=USER_MAC_CONFIG_CHANGE msg=audit(1668594292.322:525): pid=365125 uid=0
auid=1000 ses=5 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
msg='resrc=fcontext op=add tglob="/var/lib/ctdb/persistent(/.*)?" ftype=any
tcontext=system_u:object_r:ctdbd_var_lib_t: comm="semanage"
exe="/usr/bin/python3.9" hostname=? addr=? terminal=?
res=success'UID="root" AUID="lszczepa"
type=MAC_STATUS msg=audit(1668594460.442:526): enforcing=1 old_enforcing=0
auid=1000 ses=5 enabled=1 old-enabled=1 lsm=selinux res=1AUID="lszczepa"
type=SYSCALL msg=audit(1668594460.442:526): arch=c000003e syscall=1
success=yes exit=1 a0=3 a1=7ffecb7da5b0 a2=1 a3=1 items=0 ppid=364844
pid=366003 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=pts0 ses=5 comm="setenforce" exe="/usr/sbin/setenforce"
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
key=(null)ARCH=x86_64 SYSCALL=write AUID="lszczepa" UID="root" GID="root"
EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=PROCTITLE msg=audit(1668594460.442:526):
proctitle=736574656E666F7263650031
type=SERVICE_START msg=audit(1668594604.562:527): pid=1 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0
msg='unit=sysstat-collect comm="systemd" exe="/usr/lib/systemd/systemd"
hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=SERVICE_STOP msg=audit(1668594604.562:528): pid=1 uid=0
auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0
msg='unit=sysstat-collect comm="systemd" exe="/usr/lib/systemd/systemd"
hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"

Nothing in /var/log/messages related to SELinux (unless a dontaudit rule is
silently suppressing the denial), but something is still blocking
samba-dcerpcd from accessing /var/lib/ctdb/persistent

[root at fs01 samba]# semanage fcontext -a -t ctdbd_var_lib_t
"/var/lib/ctdb(/.*)?"
ValueError: File context for /var/lib/ctdb(/.*)? already defined
[root at fs01 samba]# semanage fcontext -a -t ctdbd_var_lib_t
"/var/lib/ctdb/persistent(/.*)?"
ValueError: File context for /var/lib/ctdb/persistent(/.*)? already defined

So to get browsing back, I needed to do setenforce 0 again :(

śr., 16 lis 2022 o 04:05 Thomas Cameron via samba <samba at lists.samba.org>
napisał(a):

> I'm wondering if something weird is happening like it creates the file
> initially as /var/lib/ctdb/persistent/registry.tdb and then renames it
> to /var/lib/ctdb/persistent/registry.tdb.1. The SELinux error could be
> on the initial file it's creating or something like that.
>
> And you say that, when you set SELinux to permissive, the problem goes
> away completely, right?
>
> Can you maybe run the server in permissive mode, then run through all of
> the paces, THEN run audit2allow and see if it throws any errors?
>
> I'm just brainstorming here. This is a weird problem. I am kinda
> surprised that it worked for a while and then failed. Again, I wonder if
> it's creating a file and then renaming it. What's the context of the
> parent directory (ls -Z)?
>
> Maybe you could do something like:
> semanage fcontext -a -t ctdbd_var_lib_t
> /var/lib/ctdb/persistent/account_policy.tdb
>
> or even:
>
> semanage fcontext -a -t ctdbd_var_lib_t /var/lib/ctdb/persistent(/.*)?
>
> That would make any file created under /var/lib/ctdb/persistent/ labeled
> as ctdbd_var_lib_t.
>
> Thomas
>
> On 11/15/22 15:47, Leszek Szczepanowski via samba wrote:
> > Additionally:
> >
> > [root at fs01 symptoms]# ctdb getdbmap
> > Number of databases:19
> > dbid:0x4d2a432b name:g_lock.tdb path:/var/lib/ctdb/volatile/g_lock.tdb.0
> > dbid:0x2d608c16 name:netlogon_creds_cli.tdb
> > path:/var/lib/ctdb/volatile/netlogon_creds_cli.tdb.0
> > dbid:0x521b7544 name:smbXsrv_version_global.tdb
> > path:/var/lib/ctdb/volatile/smbXsrv_version_global.tdb.0
> > dbid:0x477d2e20 name:smbXsrv_client_global.tdb
> > path:/var/lib/ctdb/volatile/smbXsrv_client_global.tdb.0
> > dbid:0x6b06a26d name:smbXsrv_session_global.tdb
> > path:/var/lib/ctdb/volatile/smbXsrv_session_global.tdb.0
> > dbid:0x68c12c2c name:smbXsrv_tcon_global.tdb
> > path:/var/lib/ctdb/volatile/smbXsrv_tcon_global.tdb.0
> > dbid:0x4e66c2b2 name:brlock.tdb path:/var/lib/ctdb/volatile/brlock.tdb.0
> > dbid:0x7a19d84d name:locking.tdb
> path:/var/lib/ctdb/volatile/locking.tdb.0
> > dbid:0x06916e77 name:leases.tdb path:/var/lib/ctdb/volatile/leases.tdb.0
> > dbid:0x66f71b8c name:smbXsrv_open_global.tdb
> > path:/var/lib/ctdb/volatile/smbXsrv_open_global.tdb.0
> > dbid:0x1313cc83 name:autorid.tdb
> > path:/var/lib/ctdb/persistent/autorid.tdb.0 PERSISTENT
> > dbid:0x5bcfcbd7 name:printer_list.tdb
> > path:/var/lib/ctdb/persistent/printer_list.tdb.0 PERSISTENT
> > dbid:0x3ef19640 name:passdb.tdb
> path:/var/lib/ctdb/persistent/passdb.tdb.0
> > PERSISTENT
> > dbid:0x2ca251cf name:account_policy.tdb
> > path:/var/lib/ctdb/persistent/account_policy.tdb.0 PERSISTENT
> > dbid:0xa1413774 name:group_mapping.tdb
> > path:/var/lib/ctdb/persistent/group_mapping.tdb.0 PERSISTENT
> > dbid:0xc3078fba name:share_info.tdb
> > path:/var/lib/ctdb/persistent/share_info.tdb.0 PERSISTENT
> > dbid:0x6645c6c4 name:ctdb.tdb path:/var/lib/ctdb/persistent/ctdb.tdb.0
> > PERSISTENT
> > dbid:0x7132c184 name:secrets.tdb
> > path:/var/lib/ctdb/persistent/secrets.tdb.0 PERSISTENT
> > dbid:0x6cf2837d name:registry.tdb
> > path:/var/lib/ctdb/persistent/registry.tdb.0 PERSISTENT
> >
> > It seems, it uses suffix of node number on each node, here node 3:
> >
> > [root at fs03 lszczepa]# ctdb getdbmap
> > Number of databases:19
> > dbid:0x66f71b8c name:smbXsrv_open_global.tdb
> > path:/var/lib/ctdb/volatile/smbXsrv_open_global.tdb.2
> > dbid:0x06916e77 name:leases.tdb path:/var/lib/ctdb/volatile/leases.tdb.2
> > dbid:0x7a19d84d name:locking.tdb
> path:/var/lib/ctdb/volatile/locking.tdb.2
> > dbid:0x4e66c2b2 name:brlock.tdb path:/var/lib/ctdb/volatile/brlock.tdb.2
> > dbid:0x68c12c2c name:smbXsrv_tcon_global.tdb
> > path:/var/lib/ctdb/volatile/smbXsrv_tcon_global.tdb.2
> > dbid:0x6b06a26d name:smbXsrv_session_global.tdb
> > path:/var/lib/ctdb/volatile/smbXsrv_session_global.tdb.2
> > dbid:0x477d2e20 name:smbXsrv_client_global.tdb
> > path:/var/lib/ctdb/volatile/smbXsrv_client_global.tdb.2
> > dbid:0x521b7544 name:smbXsrv_version_global.tdb
> > path:/var/lib/ctdb/volatile/smbXsrv_version_global.tdb.2
> > dbid:0x2d608c16 name:netlogon_creds_cli.tdb
> > path:/var/lib/ctdb/volatile/netlogon_creds_cli.tdb.2
> > dbid:0x4d2a432b name:g_lock.tdb path:/var/lib/ctdb/volatile/g_lock.tdb.2
> > dbid:0x1313cc83 name:autorid.tdb
> > path:/var/lib/ctdb/persistent/autorid.tdb.2 PERSISTENT
> > dbid:0x5bcfcbd7 name:printer_list.tdb
> > path:/var/lib/ctdb/persistent/printer_list.tdb.2 PERSISTENT
> > dbid:0x3ef19640 name:passdb.tdb
> path:/var/lib/ctdb/persistent/passdb.tdb.2
> > PERSISTENT
> > dbid:0x2ca251cf name:account_policy.tdb
> > path:/var/lib/ctdb/persistent/account_policy.tdb.2 PERSISTENT
> > dbid:0xa1413774 name:group_mapping.tdb
> > path:/var/lib/ctdb/persistent/group_mapping.tdb.2 PERSISTENT
> > dbid:0xc3078fba name:share_info.tdb
> > path:/var/lib/ctdb/persistent/share_info.tdb.2 PERSISTENT
> > dbid:0x6645c6c4 name:ctdb.tdb path:/var/lib/ctdb/persistent/ctdb.tdb.2
> > PERSISTENT
> > dbid:0x7132c184 name:secrets.tdb
> > path:/var/lib/ctdb/persistent/secrets.tdb.2 PERSISTENT
> > dbid:0x6cf2837d name:registry.tdb
> > path:/var/lib/ctdb/persistent/registry.tdb.2 PERSISTENT
> >
> >
> >
> > wt., 15 lis 2022 o 22:44 Leszek Szczepanowski <twinsen at mspanc.net>
> > napisał(a):
> >
> >> Hi,
> >>
> >> [root at fs01 symptoms]# ls -lZ /var/lib/ctdb/persistent/registry.tdb
> >> ls: cannot access '/var/lib/ctdb/persistent/registry.tdb': No such file
> or
> >> directory
> >> [root at fs01 symptoms]# find / -name registry.tdb
> >> [root at fs01 symptoms]#
> >>
> >> [root at fs01 symptoms]# ls -lZ /var/lib/ctdb/persistent/
> >> total 20832
> >> -rw-------. 1 root root system_u:object_r:ctdbd_var_lib_t:s0 7892992 Nov
> >> 15 18:50 account_policy.tdb.0
> >> -rw-r--r--. 1 root root system_u:object_r:ctdbd_var_lib_t:s0 1327104 Nov
> >> 15 18:50 autorid.tdb.0
> >> -rw-------. 1 root root system_u:object_r:ctdbd_var_lib_t:s0 1310720 Nov
> >> 15 18:50 ctdb.tdb.0
> >> -rw-------. 1 root root system_u:object_r:ctdbd_var_lib_t:s0 1310720 Nov
> >> 15 18:50 group_mapping.tdb.0
> >> -rw-------. 1 root root system_u:object_r:ctdbd_var_lib_t:s0 2560000 Nov
> >> 15 18:50 passdb.tdb.0
> >> -rw-r--r--. 1 root root system_u:object_r:ctdbd_var_lib_t:s0 1310720 Nov
> >> 15 18:50 printer_list.tdb.0
> >> -rw-------. 1 root root system_u:object_r:ctdbd_var_lib_t:s0 1736704 Nov
> >> 15 18:50 registry.tdb.0
> >> -rw-------. 1 root root system_u:object_r:ctdbd_var_lib_t:s0 2146304 Nov
> >> 15 18:50 secrets.tdb.0
> >> -rw-------. 1 root root system_u:object_r:ctdbd_var_lib_t:s0 1736704 Nov
> >> 15 18:50 share_info.tdb.0
> >>
> >> [root at fs01 symptoms]# ls -lZ /var/lib/ctdb/persistent/registry.tdb.0
> >> -rw-------. 1 root root system_u:object_r:ctdbd_var_lib_t:s0 1736704 Nov
> >> 15 18:50 /var/lib/ctdb/persistent/registry.tdb.0
> >>
> >> That is strange. Why .0?
> >>
> >> wt., 15 lis 2022 o 21:28 Thomas Cameron <thomas.cameron at camerontech.com
> >
> >> napisał(a):
> >>
> >>> What's the label for /var/lib/ctdb/persistent/registry.tdb.1? What does
> >>> ls -lZ tell you?
> >>>
> >>> Thomas
> >>>
> >>> On 11/15/22 10:36, Leszek Szczepanowski wrote:
> >>>
> >>> I'm getting this:
> >>>
> >>> type=AVC msg=audit(1668528098.389:291): avc:  denied  { getattr } for
> >>>   pid=84190 comm="samba-dcerpcd"
> >>> path="/var/lib/ctdb/persistent/registry.tdb.1" dev="dm-0" ino=117620565
> >>> scontext=system_u:system_r:winbind_rpcd_t:s0
> >>> tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=1
> >>> type=AVC msg=audit(1668528098.389:292): avc:  denied  { map } for
> >>>   pid=84190 comm="samba-dcerpcd"
> >>> path="/var/lib/ctdb/persistent/registry.tdb.1" dev="dm-0" ino=117620565
> >>> scontext=system_u:system_r:winbind_rpcd_t:s0
> >>> tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=1
> >>> type=AVC msg=audit(1668528098.391:293): avc:  denied  { setattr } for
> >>>   pid=84190 comm="samba-dcerpcd" name="g_lock.tdb.1" dev="dm-0"
> >>> ino=152097603 scontext=system_u:system_r:winbind_rpcd_t:s0
> >>> tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=1
> >>> type=AVC msg=audit(1668529035.873:308): avc:  denied  { read write }
> for
> >>>   pid=89129 comm="samba-dcerpcd" name="registry.tdb.1" dev="dm-0"
> >>> ino=117620565 scontext=system_u:system_r:winbind_rpcd_t:s0
> >>> tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=1
> >>> type=AVC msg=audit(1668529035.873:308): avc:  denied  { open } for
> >>>   pid=89129 comm="samba-dcerpcd"
> >>> path="/var/lib/ctdb/persistent/registry.tdb.1" dev="dm-0" ino=117620565
> >>> scontext=system_u:system_r:winbind_rpcd_t:s0
> >>> tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=1
> >>> type=AVC msg=audit(1668529035.873:309): avc:  denied  { lock } for
> >>>   pid=89129 comm="samba-dcerpcd"
> >>> path="/var/lib/ctdb/persistent/registry.tdb.1" dev="dm-0" ino=117620565
> >>> scontext=system_u:system_r:winbind_rpcd_t:s0
> >>> tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=1
> >>> type=AVC msg=audit(1668529035.873:310): avc:  denied  { getattr } for
> >>>   pid=89129 comm="samba-dcerpcd"
> >>> path="/var/lib/ctdb/persistent/registry.tdb.1" dev="dm-0" ino=117620565
> >>> scontext=system_u:system_r:winbind_rpcd_t:s0
> >>> tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=1
> >>> type=AVC msg=audit(1668529035.875:311): avc:  denied  { setattr } for
> >>>   pid=89129 comm="samba-dcerpcd" name="g_lock.tdb.1" dev="dm-0"
> >>> ino=152097603 scontext=system_u:system_r:winbind_rpcd_t:s0
> >>> tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=1
> >>>
> >>> I did
> >>> audit2allow -al -M dcerpcd
> >>> semodule -i dcerpcd.pp
> >>>
> >>> It was working in Enforcing 1 mode for like 1 minute. After that, again
> >>> not working. But this time:
> >>>
> >>> [root at fs02 samba]# audit2allow -al
> >>> [root at fs02 samba]#
> >>>
> >>> So the module is active, nothing is denied (no new entries in
> >>> /var/log/audit/audit.log), however it's again:
> >>>
> >>> [2022/11/15 17:33:13,  0]
> >>> ../../source3/lib/dbwrap/dbwrap_ctdb.c:1926(db_open_ctdb)
> >>>    Could not open tdb /var/lib/ctdb/persistent/registry.tdb.1:
> Permission
> >>> denied
> >>> [2022/11/15 17:33:13,  0]
> >>> ../../source3/lib/dbwrap/dbwrap_open.c:169(db_open)
> >>>    db_open: failed to attach to ctdb registry.tdb
> >>> [2022/11/15 17:33:13,  0]
> >>> ../../source3/lib/dbwrap/dbwrap_ctdb.c:1926(db_open_ctdb)
> >>>    Could not open tdb /var/lib/ctdb/persistent/registry.tdb.1:
> Permission
> >>> denied
> >>> [2022/11/15 17:33:13,  0]
> >>> ../../source3/lib/dbwrap/dbwrap_open.c:169(db_open)
> >>>    db_open: failed to attach to ctdb registry.tdb
> >>> [2022/11/15 17:33:13,  1]
> >>> ../../source3/registry/reg_backend_db.c:759(regdb_init)
> >>>    regdb_init: Failed to open registry /var/lib/samba/registry.tdb
> >>> (Permission denied)
> >>> [2022/11/15 17:33:13,  0]
> >>> ../../source3/registry/reg_init_basic.c:35(registry_init_common)
> >>>    Failed to initialize the registry: WERR_ACCESS_DENIED
> >>> [2022/11/15 17:33:13,  1]
> >>> ../../source3/param/loadparm.c:2157(lp_smbconf_ctx)
> >>>    error initializing registry configuration: SBC_ERR_BADFILE
> >>> Can't load /etc/samba/smb.conf - run testparm to debug it
> >>> samba-dcerpcd - Failed to load config file!
> >>>
> >>>
> >>>
> >>>
> >>> wt., 15 lis 2022 o 16:09 Thomas Cameron via samba <
> samba at lists.samba.org>
> >>> napisał(a):
> >>>
> >>>> As root, what does audit2allow -al tell you?
> >>>>
> >>>> Here's a video I did when I was at Red Hat, talking through SELinux. I
> >>>> hope it's helpful. https://www.youtube.com/watch?v=_WOKRaM-HI4
> >>>>
> >>>> Thomas
> >>>>
> >>>> On 11/15/22 04:04, Leszek Szczepanowski via samba wrote:
> >>>>> I think with security=user the rest is simply ignored, and the local
> >>>> auth
> >>>>> is working fine.
> >>>>> I will comment out that option for now. The AD integration will be
> done
> >>>>> later.
> >>>>> The main problem is probably not related directly to CTDB, but to
> what
> >>>>> Samba is trying to access with SELinux in Enforcing mode.
> >>>>> As there are no errors in /var/log/messages or in /var/log/audit, I'm
> >>>> lost.
> >>>>> I forgot to say versions, so:
> >>>>>
> >>>>> [root at fs01 samba]# cat /etc/redhat-release
> >>>>> CentOS Stream release 9
> >>>>> [root at fs01 samba]# rpm -qa | grep samba
> >>>>> samba-common-4.16.4-101.el9.noarch
> >>>>> samba-client-libs-4.16.4-101.el9.x86_64
> >>>>> samba-common-libs-4.16.4-101.el9.x86_64
> >>>>> samba-libs-4.16.4-101.el9.x86_64
> >>>>> python3-samba-4.16.4-101.el9.x86_64
> >>>>> samba-common-tools-4.16.4-101.el9.x86_64
> >>>>> samba-4.16.4-101.el9.x86_64
> >>>>> samba-client-4.16.4-101.el9.x86_64
> >>>>> samba-winbind-modules-4.16.4-101.el9.x86_64
> >>>>> samba-winbind-4.16.4-101.el9.x86_64
> >>>>> samba-winbind-krb5-locator-4.16.4-101.el9.x86_64
> >>>>> samba-winbind-clients-4.16.4-101.el9.x86_64
> >>>>> [root at fs01 samba]# rpm -qa | grep ctdb
> >>>>> ctdb-4.16.4-101.el9.x86_64
> >>>>> [root at fs01 samba]# uname -a
> >>>>> Linux fs01.xxx 5.14.0-183.el9.x86_64 #1 SMP PREEMPT_DYNAMIC Mon Oct
> 31
> >>>>> 09:18:51 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
> >>>>>
> >>>>> Also, the provided errors were wrong, I was playing with permissive
> >>>> mode.
> >>>>> In enforcing it is:
> >>>>>
> >>>>> [2022/11/15 11:02:08,  0]
> >>>>> ../../source3/lib/dbwrap/dbwrap_ctdb.c:1926(db_open_ctdb)
> >>>>>     Could not open tdb /var/lib/ctdb/persistent/registry.tdb.0:
> >>>> Permission
> >>>>> denied
> >>>>> [2022/11/15 11:02:08,  0]
> >>>>> ../../source3/lib/dbwrap/dbwrap_open.c:169(db_open)
> >>>>>     db_open: failed to attach to ctdb registry.tdb
> >>>>> [2022/11/15 11:02:08,  0]
> >>>>> ../../source3/lib/dbwrap/dbwrap_ctdb.c:1926(db_open_ctdb)
> >>>>>     Could not open tdb /var/lib/ctdb/persistent/registry.tdb.0:
> >>>> Permission
> >>>>> denied
> >>>>> [2022/11/15 11:02:08,  0]
> >>>>> ../../source3/lib/dbwrap/dbwrap_open.c:169(db_open)
> >>>>>     db_open: failed to attach to ctdb registry.tdb
> >>>>> [2022/11/15 11:02:08,  1]
> >>>>> ../../source3/registry/reg_backend_db.c:759(regdb_init)
> >>>>>     regdb_init: Failed to open registry /var/lib/samba/registry.tdb
> >>>>> (Permission denied)
> >>>>> [2022/11/15 11:02:08,  0]
> >>>>> ../../source3/registry/reg_init_basic.c:35(registry_init_common)
> >>>>>     Failed to initialize the registry: WERR_ACCESS_DENIED
> >>>>> [2022/11/15 11:02:08,  1]
> >>>>> ../../source3/param/loadparm.c:2157(lp_smbconf_ctx)
> >>>>>     error initializing registry configuration: SBC_ERR_BADFILE
> >>>>> Can't load /etc/samba/smb.conf - run testparm to debug it
> >>>>> samba-dcerpcd - Failed to load config file!
> >>>>>
> >>>>> But in the same time, I can do testparm without any issues:
> >>>>>
> >>>>> [root at fs01 samba]# testparm
> >>>>> Load smb config files from /etc/samba/smb.conf
> >>>>> Loaded services file OK.
> >>>>> Weak crypto is allowed
> >>>>>
> >>>>> Server role: ROLE_STANDALONE
> >>>>>
> >>>>> Press enter to see a dump of your service definitions
> >>>>>
> >>>>> # Global parameters
> >>>>> [global]
> >>>>>           clustering = Yes
> >>>>>           logging = syslog
> >>>>>           netbios name = FS
> >>>>>           realm = FS.xxx
> >>>>>           registry shares = Yes
> >>>>>           security = USER
> >>>>>           workgroup = xxx
> >>>>>           idmap config * : range = 1000000-1999999
> >>>>>           ctdb:registry.tdb = yes
> >>>>>           idmap config * : backend = autorid
> >>>>>
> >>>>>
> >>>>> [symptoms]
> >>>>>           path = /mnt/glusterfs/symptoms/
> >>>>>           read only = No
> >>>>>
> >>>>>
> >>>>> wt., 15 lis 2022 o 10:47 Rowland Penny via samba <
> >>>> samba at lists.samba.org>
> >>>>> napisał(a):
> >>>>>
> >>>>>> On 15/11/2022 09:21, Leszek Szczepanowski via samba wrote:
> >>>>>>> I have very simple config for HA Samba, using CTDB.
> >>>>>>> I have set all possible SELinux options until "denied" messages
> >>>> stopped
> >>>>>>> appearing in /var/log/messages.
> >>>>>>>
> >>>>>>> All works flawlessly, just the problem is with browsing Samba
> shares
> >>>> with
> >>>>>>> enforcing setting.
> >>>>>>>
> >>>>>>> When I try to browse shares, I'm getting this:
> >>>>>>>
> >>>>>>>      samba-dcerpcd version 4.16.4 started.
> >>>>>>>      Copyright Andrew Tridgell and the Samba Team 1992-2022
> >>>>>>> [2022/11/15 10:10:57.674555,  1]
> >>>>>>> ../../source3/rpc_client/cli_pipe.c:3014(rpc_pipe_open_ncalrpc)
> >>>>>>>      rpc_pipe_open_ncalrpc: connect(/run/samba/ncalrpc/EPMAPPER)
> >>>> failed: No
> >>>>>>> such file or directory
> >>>>>>> [2022/11/15 10:10:57.820626,  1]
> >>>>>>> ../../source3/rpc_server/rpc_host.c:1763(rpc_worker_exited)
> >>>>>>>      rpc_worker_exited: No worker with PID 3281
> >>>>>>> [2022/11/15 10:10:58.040001,  1]
> >>>>>>>
> ../../source3/rpc_server/rpc_host.c:1350(rpc_host_distribute_clients)
> >>>>>>>      rpc_host_distribute_clients: Sending new client
> >>>>>>> /usr/libexec/samba/rpcd_winreg to 3294 with 0 clients
> >>>>>>> [2022/11/15 10:10:58.048701,  1]
> >>>>>>>
> ../../source3/rpc_server/rpc_host.c:1350(rpc_host_distribute_clients)
> >>>>>>>      rpc_host_distribute_clients: Sending new client
> >>>>>>> /usr/libexec/samba/rpcd_winreg to 3294 with 0 clients
> >>>>>>> [2022/11/15 10:10:58.049474,  1]
> >>>>>>>
> ../../source3/rpc_server/rpc_host.c:1350(rpc_host_distribute_clients)
> >>>>>>>      rpc_host_distribute_clients: Sending new client
> >>>>>>> /usr/libexec/samba/rpcd_classic to 3292 with 0 clients
> >>>>>>> [2022/11/15 10:10:58.560868,  1]
> >>>>>>>
> ../../source3/rpc_server/rpc_host.c:1350(rpc_host_distribute_clients)
> >>>>>>>      rpc_host_distribute_clients: Sending new client
> >>>>>>> /usr/libexec/samba/rpcd_classic to 3292 with 0 clients
> >>>>>>>
> >>>>>>> Samba is in clustered mode + registry:
> >>>>>>>
> >>>>>>> [root at fs01 samba]# net conf list
> >>>>>>> [global]
> >>>>>>>            logging = syslog
> >>>>>>>            log level = 1
> >>>>>>>            netbios name = fs
> >>>>>>>            workgroup = xxx
> >>>>>>>            realm = xxx
> >>>>>>>            idmap config * : backend = autorid
> >>>>>>>            idmap config * : range = 1000000-1999999
> >>>>>>>            security = user
> >>>>>> Now I do not know a lot about CTDB, but I do know that you cannot
> use
> >>>>>> 'idmap config' lines with 'security = user', they are only used
> >>>> with
> >>>>>> a domain, so if this cluster is joined to a domain, I would start by
> >>>>>> changing 'security = user' to 'security = ADS'
> >>>>>>
> >>>>>> Rowland
> >>>>>>
> >>>>>> --
> >>>>>> To unsubscribe from this list go to the following URL and read the
> >>>>>> instructions:  https://lists.samba.org/mailman/options/samba
> >>>>>>
> >>>>
> >>>> --
> >>>> To unsubscribe from this list go to the following URL and read the
> >>>> instructions:  https://lists.samba.org/mailman/options/samba
> >>>>
> >>>
> >>> --
> >>> --
> >>> Leszek A. Szczepanowski
> >>> twinsen at mspanc.net
> >>>
> >>>
> >>>
> >> --
> >> --
> >> Leszek A. Szczepanowski
> >> twinsen at mspanc.net
> >>
> >
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>


-- 
-- 
Leszek A. Szczepanowski
twinsen at mspanc.net

