Martin Schwenke
2022-Nov-16 22:40 UTC
[Samba] Strange issue with Samba+CTDB+SELinux+GlusterFS
On Wed, 16 Nov 2022 11:41:37 +0100, Leszek Szczepanowski via samba <samba at lists.samba.org> wrote: Time for a guess, so... [+Andreas] For Andreas' context, version is:> samba-4.16.4-101.el9.x86_64via CentOS Stream 9.> [...] > [after few 4 minutes] log.samba-dcerpcd: > [2022/11/16 11:32:05, 0] > ../../source3/lib/dbwrap/dbwrap_ctdb.c:1926(db_open_ctdb) > Could not open tdb /var/lib/ctdb/persistent/registry.tdb.0: Permission > denied > [2022/11/16 11:32:05, 0] > ../../source3/lib/dbwrap/dbwrap_open.c:169(db_open) > db_open: failed to attach to ctdb registry.tdb > [2022/11/16 11:32:05, 0] > ../../source3/lib/dbwrap/dbwrap_ctdb.c:1926(db_open_ctdb) > Could not open tdb /var/lib/ctdb/persistent/registry.tdb.0: Permission > denied > [2022/11/16 11:32:05, 0] > ../../source3/lib/dbwrap/dbwrap_open.c:169(db_open) > db_open: failed to attach to ctdb registry.tdb > [2022/11/16 11:32:05, 1] > ../../source3/registry/reg_backend_db.c:759(regdb_init) > regdb_init: Failed to open registry /var/lib/samba/registry.tdb > (Permission denied) > [2022/11/16 11:32:05, 0] > ../../source3/registry/reg_init_basic.c:35(registry_init_common) > Failed to initialize the registry: WERR_ACCESS_DENIED > [2022/11/16 11:32:05, 1] > ../../source3/param/loadparm.c:2157(lp_smbconf_ctx) > error initializing registry configuration: SBC_ERR_BADFILE > Can't load /etc/samba/smb.conf - run testparm to debug it > samba-dcerpcd - Failed to load config file! > [...]Data points: * samba-dcerpcd was added in 4.16.0, so is quite new * Anything that uses dbwrap when clustering/CTDB is enabled (smbd, winbindd, ctdbd and, apparently, samba-dcerpcd) will need direct access to the TDBs * It appears that only access from samba-dcerpcd is failing when SELinux is enforcing Seems like a packaging bug, where all required access has not been configured for samba-dcerpcd in the SELinux magic? peace & happiness, martin
Andreas Schneider
2022-Nov-17 08:36 UTC
[Samba] Strange issue with Samba+CTDB+SELinux+GlusterFS
On Wednesday, 16 November 2022 23:40:03 CET Martin Schwenke wrote:> On Wed, 16 Nov 2022 11:41:37 +0100, Leszek Szczepanowski via samba > <samba at lists.samba.org> wrote: > > Time for a guess, so... > > [+Andreas] > > For Andreas' context, version is: > > samba-4.16.4-101.el9.x86_64 > > via CentOS Stream 9. > > > [...] > > [after few 4 minutes] log.samba-dcerpcd: > > [2022/11/16 11:32:05, 0] > > ../../source3/lib/dbwrap/dbwrap_ctdb.c:1926(db_open_ctdb) > > > > Could not open tdb /var/lib/ctdb/persistent/registry.tdb.0: Permission > > > > denied > > [2022/11/16 11:32:05, 0] > > ../../source3/lib/dbwrap/dbwrap_open.c:169(db_open) > > > > db_open: failed to attach to ctdb registry.tdb > > > > [2022/11/16 11:32:05, 0] > > ../../source3/lib/dbwrap/dbwrap_ctdb.c:1926(db_open_ctdb) > > > > Could not open tdb /var/lib/ctdb/persistent/registry.tdb.0: Permission > > > > denied > > [2022/11/16 11:32:05, 0] > > ../../source3/lib/dbwrap/dbwrap_open.c:169(db_open) > > > > db_open: failed to attach to ctdb registry.tdb > > > > [2022/11/16 11:32:05, 1] > > ../../source3/registry/reg_backend_db.c:759(regdb_init) > > > > regdb_init: Failed to open registry /var/lib/samba/registry.tdb > > > > (Permission denied) > > [2022/11/16 11:32:05, 0] > > ../../source3/registry/reg_init_basic.c:35(registry_init_common) > > > > Failed to initialize the registry: WERR_ACCESS_DENIED > > > > [2022/11/16 11:32:05, 1] > > ../../source3/param/loadparm.c:2157(lp_smbconf_ctx) > > > > error initializing registry configuration: SBC_ERR_BADFILE > > > > Can't load /etc/samba/smb.conf - run testparm to debug it > > samba-dcerpcd - Failed to load config file! > > [...] > > Data points: > > * samba-dcerpcd was added in 4.16.0, so is quite new > > * Anything that uses dbwrap when clustering/CTDB is enabled (smbd, > winbindd, ctdbd and, apparently, samba-dcerpcd) will need direct > access to the TDBs > > * It appears that only access from samba-dcerpcd is failing when > SELinux is enforcing > > Seems like a packaging bug, where all required access has not been > configured for samba-dcerpcd in the SELinux magic?Please open a bug at Red Hat's bugzilla against the selinux-policy component. Thanks Andreas -- Andreas Schneider asn at samba.org Samba Team www.samba.org GPG-ID: 8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D