webman at manfbraun.de
2023-Jan-10 09:34 UTC
[Samba] Cannnot create chroot on a cifs-mounted linux homedir -- missing dev/exec
Hello!
Thanks.
Let me clarify some things.

That I came onto the idea to revert to "vers=1.0" stems from the kernel developers, which show that for booting a kernel from samba. Tools like GTK, which claims some permission issues, never tell, which these could be and using "vers=1.0" resolved that problem - it's samba.

---
>E: Cannot install into target '/home/ncu9/work/chr' mounted with noexec or nodev

That may have something to do with whatever filesystem you are using,
but it has nothing to do with Samba.<
---

No. On serverside this works ok, it happens only on the samba share and, like I wrote: Because of missing EXEC+DEV options which debootstrap explicitly says - this is the reason of my post.

Sorry for my short smb.conf - I used only the share settings.
Here the complete file.

---
[global]
    bind interfaces only = Yes
    client min protocol = NT1
    interfaces = eno1 192.168.0.1
    log file = /var/log/samba/log.%m
    logging = file
    map to guest = Bad User
    max log size = 1000
    name resolve order = bcast
    obey pam restrictions = Yes
    pam password change = Yes
    panic action = /usr/share/samba/panic-action %d
    passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
    passwd program = /usr/bin/passwd %u
    server min protocol = NT1
    server role = standalone server
    smb ports = 445
    unix password sync = Yes
    usershare allow guests = Yes
    workgroup = MBG
    idmap config * : backend = tdb
    create mask = 0777
    directory mask = 0777
    force create mode = 0666
    force directory mode = 0777
    inherit acls = Yes
    inherit owner = windows and unix
    inherit permissions = Yes
    vfs objects = readahead streams_xattr acl_xattr

[homes]
    browseable = No
    comment = Home Directories
    create mask = 0700
    directory mask = 0700
    include = /etc/samba/share.smb0
    valid users = %S

[kvmabc-homes--ncu2]
    comment = kvmabc home ncu
    force user = mbu
    include = /etc/samba/share.mt
    locking = No
    path = /pools/users/homes/kvmabc--ncu2
    read only = No
    root postexec = /ops/services/smb-mount-notify postexec %S c:%M ip:%I r:%P
    root preexec = /ops/services/smb-mount-notify preexec %S c:%M ip:%I r:%P
    valid users = root mbu-smb1 @users
    write list = root mbu-smb1 @users
---

Thanks so far,
Manfred

----- Original Message -----
From: Rowland Penny via samba [mailto:samba at lists.samba.org]
To: <samba at lists.samba.org>
Cc: rpenny at samba.org
Sent: Tue, 10 Jan 2023 08:56:31 +0000
Subject: Re: [Samba] Cannnot create chroot on a cifs-mounted linux homedir -- missing dev/exec

On 10/01/2023 07:37, Manfred Braun via samba wrote:
>
> Hello!
>
> I try to use a cifs/samba share (hosted on debian, samba 4.17) as
> a homedir for a user in a vm (kvm) running debian with X (with xfce4).
> In the beginning, I was not able to save settings, although
> permissions look right (can read/write/modify) and the GTK-Warning
> (which claims missing permissions, not telling, which) went away.
>
> I found the biggest crux: degrade the connection
> to use "vers=1.0", which solves the first problem,
> solved the GtK-WARNINGs and saved setting.

You are going to have to find a way around that, eventually SMBv1 is going to go away.

>
> There is a remaining problem: Cannot create a chroot
> on this filesystem using debootstrap.
>
> What I see is, that there are no "dev" and
> "exec" mount properties, but on this profile (the users
> home) chroot's should be created and if one issues
> debootstrap there is an error message (using root):
> ---
> $ debootstrap --arch amd64 chimaera chr/ http://deb.devuan.org/merged
> mknod: /home/ncu9/work/chr/test-dev-null: Permission denied
> E: Cannot install into target '/home/ncu9/work/chr' mounted with noexec or nodev

That may have something to do with whatever filesystem you are using, but it has nothing to do with Samba.

> ---
> Indeed, the mount options reflect this, requested are:
>
> //192.168.26.1/kvmabc-homes--ncu2 /home/ncu9 cifs mfsymlinks,rw,exec,dev,suid,user_xattr,vers=1.0,username=mbu1-smb1,password=918273,iocharset=utf8,uid=2009,gid=2009,dir_mode=0755,file_mode=0755 0 0
>
> The resulting mount options are:
>
> vers=1.0,addr=192.168.26.1,gid=2009,uid=2009,acl,username=mbu1-smb1,relatime\
> soft,rw,mfsymlinks,cache=strict,unix,actimeo=1,wsize=65536,rsize=1048576\
> forcegid,forceuid,mapposix,posixpaths,echo_interval=60,bsize=1048576
>
> To note is, I tried this on debian and devuan and even with gid=100.
>
> MISSING: DEV, EXEC.
>
> How can this be solved?

Absolutely no idea, but someone else might.

>
> smb.conf:
>
> [kvmabc-homes--ncu2]
> path = /pools/users/homes/kvmabc--ncu2
> browsable = yes
> read only = no
> locking = no
> create mask = 0777
> directory mask = 0777
> force directory mode = 0777
>
> root preexec = /ops/services/smb-mount-notify preexec %S c:%M ip:%I r:%P
> root postexec = /ops/services/smb-mount-notify postexec %S c:%M ip:%I r:%P
>
> force user = abc
> force group = abc
>
> inherit acls = yes
> inherit permissions = yes
> inherit owner = yes
>
> guest ok = no
>
> valid users = root,mbu-smb1
> write list = root,mbu-smb1

No, that isn't your entire smb.conf, if it is, then you have major problems, there is no '[global]' section.

If you are going to post a smb.conf file, then post the entire smb.conf file, you can easily obtain this with 'testparm -s'.

Rowland

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Rowland Penny
2023-Jan-10 10:58 UTC
[Samba] Cannnot create chroot on a cifs-mounted linux homedir -- missing dev/exec
On 10/01/2023 09:34, webman at manfbraun.de wrote:
> Hello!
> Thanks.
> Let me clarify some things.
> That I came onto the idea to revert to "vers=1.0" stems from the
> kernel developers, which show that for booting a kernel from
> samba.

Why are you booting a kernel from Samba, it is a file sharing program.

> Tools like GTK, which claims some permission issues,
> never tell, which these could be and using "vers=1.0" resolved
> that problem - it's samba.

No, it's Gnome, they still haven't (seemingly) woken up to just how insecure SMBv1 is. If you want to boot using a kernel stored on a Samba share, then I suggest that you talk to Gnome and get them to fix their problem, preferably using SMBv2 or later.

> ---
>>E: Cannot install into target '/home/ncu9/work/chr' mounted with noexec or nodev

mount and mount.cifs have nothing to do with Samba.

>
> That may have something to do with whatever filesystem you are using,
> but it has nothing to do with Samba.<
> ---
> No. On serverside this works ok, it happens only on the samba share and,
> like I wrote: Because of missing EXEC+DEV options which debootstrap
> explicitly says - this is the reason of my post.

It might work correctly when run directly, but it still has (in my opinion) nothing to do with Samba, Samba just provides access to files stored on a share, what happens to them after that is down to whatever tries to connect to the share. I repeat, it isn't Samba that 'mounts' the share.

> Sorry for my short smb.conf - I used only the share settings.
> Here the complete file.
> ---
> [global]
>     bind interfaces only = Yes
>     client min protocol = NT1
>     interfaces = eno1 192.168.0.1
>     log file = /var/log/samba/log.%m
>     logging = file
>     map to guest = Bad User
>     max log size = 1000
>     name resolve order = bcast
>     obey pam restrictions = Yes
>     pam password change = Yes
>     panic action = /usr/share/samba/panic-action %d
>     passwd chat = *Enter\snew\s*\spassword:* %n\n
> *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>     passwd program = /usr/bin/passwd %u
>     server min protocol = NT1
>     server role = standalone server
>     smb ports = 445
>     unix password sync = Yes
>     usershare allow guests = Yes
>     workgroup = MBG
>     idmap config * : backend = tdb
>     create mask = 0777
>     directory mask = 0777
>     force create mode = 0666
>     force directory mode = 0777
>     inherit acls = Yes
>     inherit owner = windows and unix
>     inherit permissions = Yes
>     vfs objects = readahead streams_xattr acl_xattr

Not sure that is going to work as is. Fairly sure streams_xattr isn't stackable, try moving it to the end.

>
>
> [homes]
>     browseable = No
>     comment = Home Directories
>     create mask = 0700
>     directory mask = 0700
>     include = /etc/samba/share.smb0
>     valid users = %S
>
>
> [kvmabc-homes--ncu2]
>     comment = kvmabc home ncu
>     force user = mbu
>     include = /etc/samba/share.mt
>     locking = No
>     path = /pools/users/homes/kvmabc--ncu2
>     read only = No
>     root postexec = /ops/services/smb-mount-notify postexec %S c:%M
> ip:%I r:%P
>     root preexec = /ops/services/smb-mount-notify preexec %S c:%M ip:%I
> r:%P
>     valid users = root mbu-smb1 @users
>     write list = root mbu-smb1 @users

Is the only reason to use SMBv1 that it 'seems' to be required to 'boot' the kernel? If so, then you need to go back to Gnome and point out that SMBv1 will be removed from Samba and this could be sooner than they think.

One of the Devs wants to enable SMB3 Unix extensions, this has been declined at present. Once the SMB3 Unix extensions are enabled, then it will probably only be a short time before SMBv1 is removed, possibly totally deprecated (Note: these are just my thoughts) in 4.18.0 and removed in 4.19.0. Gnome needs to understand this and fix their packages now.

Also, can you just stick to one email address and reply to posts, we are now into the second thread on the same subject.

Rowland
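
The thread compares the options requested in fstab with the options the mount reports. As an added example (not code from either poster or from Samba), this script makes that comparison; it relies on the kernel's mount listing printing only the restrictive forms noexec, nodev and nosuid, never exec, dev or suid. The function names and the RESTRICTED sample are constructed here, and the password from the thread is replaced with a placeholder.

```python
# Permissive flag -> restrictive form. The kernel's mount listing prints only
# the restrictive form; the permissive default is implied by its absence.
NEGATED = {"exec": "noexec", "dev": "nodev", "suid": "nosuid"}

def parse_opts(text):
    """Turn 'a,b=c,d' into {'a': None, 'b': 'c', 'd': None}."""
    opts = {}
    for item in text.split(","):
        item = item.strip()
        if item:
            key, _, value = item.partition("=")
            opts[key] = value or None
    return opts

def effective_flags(effective):
    """True means the mount permits exec / device nodes / setuid."""
    opts = parse_opts(effective)
    return {flag: neg not in opts for flag, neg in NEGATED.items()}

def audit(requested, effective):
    """Compare what fstab asked for with what the kernel reports."""
    req, eff = parse_opts(requested), parse_opts(effective)
    flags = effective_flags(effective)
    mismatches = []
    for flag, neg in NEGATED.items():
        if flag in req and not flags[flag]:
            mismatches.append(f"{flag} requested, {neg} in effect")
        elif neg in req and flags[flag]:
            mismatches.append(f"{neg} requested, {flag} in effect")
    # vers=1.0 is reported because the reply calls SMBv1 insecure and due for removal.
    return {"flags": flags, "mismatches": mismatches, "smb1": eff.get("vers") == "1.0"}

# Option strings from the thread; password replaced, continuation lines joined.
REQUESTED = ("mfsymlinks,rw,exec,dev,suid,user_xattr,vers=1.0,"
             "username=mbu1-smb1,password=REDACTED,iocharset=utf8,"
             "uid=2009,gid=2009,dir_mode=0755,file_mode=0755")
EFFECTIVE = ("vers=1.0,addr=192.168.26.1,gid=2009,uid=2009,acl,"
             "username=mbu1-smb1,relatime,soft,rw,mfsymlinks,cache=strict,"
             "unix,actimeo=1,wsize=65536,rsize=1048576,forcegid,forceuid,"
             "mapposix,posixpaths,echo_interval=60,bsize=1048576")
# Constructed: the same mount as it would be listed with nodev and noexec set.
RESTRICTED = EFFECTIVE + ",nodev,noexec"

if __name__ == "__main__":
    for label, eff in (("thread", EFFECTIVE), ("constructed", RESTRICTED)):
        print(label, audit(REQUESTED, eff))
```

On a live system the effective string is the options column of the mount's entry in /proc/mounts.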