samba - Jul 2022 - Validity of "testparm --parameter-name" output on a non-zero exit code

On Mon, 2022-07-18 at 15:14 +0300, Slava Aseev via samba
wrote:
> Hello!
> 
> I have a question about testparm (maybe a stupid question).
> 
> testparm exits with 1 if any errors in smb.conf was detected.
> Can this exit code be safely ignored if only the output of "testparm 
> --parameter-name" is needed?
> 
> For example, in case of "testparm --suppress-prompt --parameter-name 
> 'usershare path'" we can check path from the output for
existence,
> so 
> checking the exit code doesn't seem so useful. However, I am not 
> entirely sure about this, maybe there is something what I missed.
> 
> The whole problem is that there is a real case where I would like to 
> ignore the exit code:
> 
>    $ testparm --debuglevel=0 --suppress-prompt --verbose --parameter-
> name 'usershare path'
>    Load smb config files from /etc/samba/smb.conf
>    Loaded services file OK.
>    Weak crypto is allowed
> 
>    ERROR: Do not use the 'sss' backend as the default idmap
backend!
> 
>    /var/lib/samba/usershares
> 
>    $ echo $?
>    1
> 
> but I'm not sure if I really should.
The error seems to be pretty major, you appear to be using the 'sss'
backend for  the default '*' idmap backend and this isn't allowed.
You
are also using shares and the 'sss' backend only does authentication.

I think you need to post your smb.conf and tell us why you are using
sssd.

Rowland

18.07.2022 15:25, Rowland Penny via samba ?????:
> On Mon, 2022-07-18 at 15:14 +0300, Slava Aseev via samba wrote:
>> Hello!
>>
>> I have a question about testparm (maybe a stupid question).
>>
>> testparm exits with 1 if any errors in smb.conf was detected.
>> Can this exit code be safely ignored if only the output of
"testparm
>> --parameter-name" is needed?
>>
>> For example, in case of "testparm --suppress-prompt
--parameter-name
>> 'usershare path'" we can check path from the output for
existence,
>> so
>> checking the exit code doesn't seem so useful. However, I am not
>> entirely sure about this, maybe there is something what I missed.
>>
>> The whole problem is that there is a real case where I would like to
>> ignore the exit code:
>>
>>     $ testparm --debuglevel=0 --suppress-prompt --verbose --parameter-
>> name 'usershare path'
>>     Load smb config files from /etc/samba/smb.conf
>>     Loaded services file OK.
>>     Weak crypto is allowed
>>
>>     ERROR: Do not use the 'sss' backend as the default idmap
backend!
>>
>>     /var/lib/samba/usershares
>>
>>     $ echo $?
>>     1
>>
>> but I'm not sure if I really should.
> The error seems to be pretty major, you appear to be using the
'sss'
> backend for  the default '*' idmap backend and this isn't
allowed. You
> are also using shares and the 'sss' backend only does
authentication.
>
> I think you need to post your smb.conf and tell us why you are using
> sssd.
>
> Rowland
The question is not really about the error (in this case, it can be fixed by
specifying tdb as the default backend, and sss for some <DOMAIN>).

I will try to explain better.
There is a samba file sharing plugin called kdenetwork-filesharing (a file
properites plugin that allows to make directory shared in directory properties).
At some point the plugin calls "testparm --parameter-name" to get the
"usershare path" (to check/fix permissions on this path) and to get
"passdb backend" (to try to add the user to database, if passdb
backend is the tdbsam). In these cases the plugin is only interested in values
(and their correctness), not in the correctness of whole smb.conf, and I really
would not want to stop the plugin because of non-zero testparm exit code
(because eventually the requested values are output to stdout!). In other words
I would like "testparm --parameter-name" to behaves like "exit
with failure if there is an error in requested parameter", but it behaves
like "exit with failure if there is any error in the whole config".
Hence the question: is it permissible to ignore the exit code of testparm in
particular this case? Or is it worth playing it safe and not allowing output
values if testparm returns a non-zero code?

(perhaps I am worried too much)

-- 
Best regards,
Slava Aseev