Leszek Szczepanowski
2022-Nov-15 10:04 UTC
[Samba] Strange issue with Samba+CTDB+SELinux+GlusterFS
I think with security=user the rest is simply ignored, and the local auth is working fine.
I will comment out that option for now. The AD integration will be done later.
The main problem is probably not related directly to CTDB, but to what Samba is trying to access with SELinux in Enforcing mode.
As there are no errors in /var/log/messages or in /var/log/audit, I'm lost.
I forgot to say versions, so:

[root at fs01 samba]# cat /etc/redhat-release
CentOS Stream release 9
[root at fs01 samba]# rpm -qa | grep samba
samba-common-4.16.4-101.el9.noarch
samba-client-libs-4.16.4-101.el9.x86_64
samba-common-libs-4.16.4-101.el9.x86_64
samba-libs-4.16.4-101.el9.x86_64
python3-samba-4.16.4-101.el9.x86_64
samba-common-tools-4.16.4-101.el9.x86_64
samba-4.16.4-101.el9.x86_64
samba-client-4.16.4-101.el9.x86_64
samba-winbind-modules-4.16.4-101.el9.x86_64
samba-winbind-4.16.4-101.el9.x86_64
samba-winbind-krb5-locator-4.16.4-101.el9.x86_64
samba-winbind-clients-4.16.4-101.el9.x86_64
[root at fs01 samba]# rpm -qa | grep ctdb
ctdb-4.16.4-101.el9.x86_64
[root at fs01 samba]# uname -a
Linux fs01.xxx 5.14.0-183.el9.x86_64 #1 SMP PREEMPT_DYNAMIC Mon Oct 31 09:18:51 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

Also, the provided errors were wrong, I was playing with permissive mode.
In enforcing it is:

[2022/11/15 11:02:08, 0] ../../source3/lib/dbwrap/dbwrap_ctdb.c:1926(db_open_ctdb)
  Could not open tdb /var/lib/ctdb/persistent/registry.tdb.0: Permission denied
[2022/11/15 11:02:08, 0] ../../source3/lib/dbwrap/dbwrap_open.c:169(db_open)
  db_open: failed to attach to ctdb registry.tdb
[2022/11/15 11:02:08, 0] ../../source3/lib/dbwrap/dbwrap_ctdb.c:1926(db_open_ctdb)
  Could not open tdb /var/lib/ctdb/persistent/registry.tdb.0: Permission denied
[2022/11/15 11:02:08, 0] ../../source3/lib/dbwrap/dbwrap_open.c:169(db_open)
  db_open: failed to attach to ctdb registry.tdb
[2022/11/15 11:02:08, 1] ../../source3/registry/reg_backend_db.c:759(regdb_init)
  regdb_init: Failed to open registry /var/lib/samba/registry.tdb (Permission denied)
[2022/11/15 11:02:08, 0] ../../source3/registry/reg_init_basic.c:35(registry_init_common)
  Failed to initialize the registry: WERR_ACCESS_DENIED
[2022/11/15 11:02:08, 1] ../../source3/param/loadparm.c:2157(lp_smbconf_ctx)
  error initializing registry configuration: SBC_ERR_BADFILE
Can't load /etc/samba/smb.conf - run testparm to debug it
samba-dcerpcd - Failed to load config file!

But at the same time, I can do testparm without any issues:

[root at fs01 samba]# testparm
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Weak crypto is allowed

Server role: ROLE_STANDALONE

Press enter to see a dump of your service definitions

# Global parameters
[global]
	clustering = Yes
	logging = syslog
	netbios name = FS
	realm = FS.xxx
	registry shares = Yes
	security = USER
	workgroup = xxx
	idmap config * : range = 1000000-1999999
	ctdb:registry.tdb = yes
	idmap config * : backend = autorid


[symptoms]
	path = /mnt/glusterfs/symptoms/
	read only = No


Tue, 15 Nov 2022 at 10:47 Rowland Penny via samba <samba at lists.samba.org> wrote:

>
> On 15/11/2022 09:21, Leszek Szczepanowski via samba wrote:
> > I have very simple config for HA Samba, using CTDB.
> > I have set all possible SELinux options until "denied" messages stopped
> > appearing in /var/log/messages.
> >
> > All works flawlessly, just the problem is with browsing Samba shares with
> > enforcing setting.
> >
> > When I try to browse shares, I'm getting this:
> >
> > samba-dcerpcd version 4.16.4 started.
> > Copyright Andrew Tridgell and the Samba Team 1992-2022
> > [2022/11/15 10:10:57.674555, 1]
> > ../../source3/rpc_client/cli_pipe.c:3014(rpc_pipe_open_ncalrpc)
> > rpc_pipe_open_ncalrpc: connect(/run/samba/ncalrpc/EPMAPPER) failed: No
> > such file or directory
> > [2022/11/15 10:10:57.820626, 1]
> > ../../source3/rpc_server/rpc_host.c:1763(rpc_worker_exited)
> > rpc_worker_exited: No worker with PID 3281
> > [2022/11/15 10:10:58.040001, 1]
> > ../../source3/rpc_server/rpc_host.c:1350(rpc_host_distribute_clients)
> > rpc_host_distribute_clients: Sending new client
> > /usr/libexec/samba/rpcd_winreg to 3294 with 0 clients
> > [2022/11/15 10:10:58.048701, 1]
> > ../../source3/rpc_server/rpc_host.c:1350(rpc_host_distribute_clients)
> > rpc_host_distribute_clients: Sending new client
> > /usr/libexec/samba/rpcd_winreg to 3294 with 0 clients
> > [2022/11/15 10:10:58.049474, 1]
> > ../../source3/rpc_server/rpc_host.c:1350(rpc_host_distribute_clients)
> > rpc_host_distribute_clients: Sending new client
> > /usr/libexec/samba/rpcd_classic to 3292 with 0 clients
> > [2022/11/15 10:10:58.560868, 1]
> > ../../source3/rpc_server/rpc_host.c:1350(rpc_host_distribute_clients)
> > rpc_host_distribute_clients: Sending new client
> > /usr/libexec/samba/rpcd_classic to 3292 with 0 clients
> >
> > Samba is in clustered mode + registry:
> >
> > [root at fs01 samba]# net conf list
> > [global]
> > logging = syslog
> > log level = 1
> > netbios name = fs
> > workgroup = xxx
> > realm = xxx
> > idmap config * : backend = autorid
> > idmap config * : range = 1000000-1999999
> > security = user
>
> Now I do not know a lot about CTDB, but I do know that you cannot use
> 'idmap config' lines with 'security = user', they are only used with
> a domain, so if this cluster is joined to a domain, I would start by
> changing 'security = user' to 'security = ADS'
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>

--
-- Leszek A. Szczepanowski twinsen at mspanc.net
Thomas Cameron
2022-Nov-15 14:23 UTC
[Samba] Strange issue with Samba+CTDB+SELinux+GlusterFS
As root, what does audit2allow -al tell you?

Here's a video I did when I was at Red Hat, talking through SELinux. I hope it's helpful.

https://www.youtube.com/watch?v=_WOKRaM-HI4

Thomas

On 11/15/22 04:04, Leszek Szczepanowski via samba wrote:
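An added Python example, not code from the thread or from the Samba project: it lines up the "Permission denied" paths from the smbd log above against audit AVC records, so a denial with no AVC at all stands out as the case where a dontaudit rule (semodule -DB to surface them, semodule -B afterwards) or plain DAC permissions should be checked before more SELinux settings are changed. The Samba lines are the ones quoted in the thread; the audit.log excerpt, its PID, inode and labels are constructed.

```python
import re

# Samba log lines quoted from the thread; the audit.log excerpt is
# constructed: one AVC names registry.tdb.0 (mislabelled var_lib_t here)
# and nothing refers to /var/lib/samba/registry.tdb, a "silent" denial.
SAMBA_LOG = """\
[2022/11/15 11:02:08, 0] ../../source3/lib/dbwrap/dbwrap_ctdb.c:1926(db_open_ctdb)
  Could not open tdb /var/lib/ctdb/persistent/registry.tdb.0: Permission denied
[2022/11/15 11:02:08, 1] ../../source3/registry/reg_backend_db.c:759(regdb_init)
  regdb_init: Failed to open registry /var/lib/samba/registry.tdb (Permission denied)
"""
AUDIT_LOG = """\
type=AVC msg=audit(1668510128.101:77): avc:  denied  { read write } for  pid=3300 \
comm="smbd" name="registry.tdb.0" dev="dm-0" ino=4242 \
scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
"""
DENIED = (re.compile(r"Could not open tdb (\S+): Permission denied"),
          re.compile(r"Failed to open registry (\S+) \(Permission denied\)"))
AVC_PERMS = re.compile(r"denied\s+\{ ([^}]*) \}")
AVC_FIELD = re.compile(r'(\w+)="?([^"\s]+)"?')

def samba_denied_paths(log):
    """Paths Samba reported as EACCES, in log order, without duplicates."""
    found = []
    for line in log.splitlines():
        for pat in DENIED:
            m = pat.search(line)
            if m and m.group(1) not in found:
                found.append(m.group(1))
    return found

def parse_avcs(audit):
    """One dict per type=AVC record: its key=value fields plus 'perms'."""
    avcs = []
    for line in audit.splitlines():
        if line.startswith("type=AVC"):
            rec = dict(AVC_FIELD.findall(line))
            rec["perms"] = AVC_PERMS.search(line).group(1).split()
            avcs.append(rec)
    return avcs

def correlate(paths, avcs):
    """AVCs carry a full path= or only the basename in name=; match either."""
    return {p: [a for a in avcs if a.get("path") == p
                or a.get("name") == p.rsplit("/", 1)[-1]] for p in paths}

def silent_denials(paths, avcs):
    """Denied with no AVC: rule out a dontaudit rule (semodule -DB) or a DAC/ACL failure first."""
    return [p for p, hits in correlate(paths, avcs).items() if not hits]
```

For a matched AVC, compare tcontext with what matchpathcon reports for the path and relabel with restorecon; for a silent one, rerun after semodule -DB and check ls -lZ on the file and its directory.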