Leszek Szczepanowski
2022-Nov-15 09:21 UTC
[Samba] Strange issue with Samba+CTDB+SELinux+GlusterFS
I have a very simple config for HA Samba, using CTDB.
I have set all possible SELinux options until "denied" messages stopped
appearing in /var/log/messages.
All works flawlessly, just the problem is with browsing Samba shares with
enforcing setting.
When I try to browse shares, I'm getting this:
samba-dcerpcd version 4.16.4 started.
Copyright Andrew Tridgell and the Samba Team 1992-2022
[2022/11/15 10:10:57.674555, 1]
../../source3/rpc_client/cli_pipe.c:3014(rpc_pipe_open_ncalrpc)
rpc_pipe_open_ncalrpc: connect(/run/samba/ncalrpc/EPMAPPER) failed: No
such file or directory
[2022/11/15 10:10:57.820626, 1]
../../source3/rpc_server/rpc_host.c:1763(rpc_worker_exited)
rpc_worker_exited: No worker with PID 3281
[2022/11/15 10:10:58.040001, 1]
../../source3/rpc_server/rpc_host.c:1350(rpc_host_distribute_clients)
rpc_host_distribute_clients: Sending new client
/usr/libexec/samba/rpcd_winreg to 3294 with 0 clients
[2022/11/15 10:10:58.048701, 1]
../../source3/rpc_server/rpc_host.c:1350(rpc_host_distribute_clients)
rpc_host_distribute_clients: Sending new client
/usr/libexec/samba/rpcd_winreg to 3294 with 0 clients
[2022/11/15 10:10:58.049474, 1]
../../source3/rpc_server/rpc_host.c:1350(rpc_host_distribute_clients)
rpc_host_distribute_clients: Sending new client
/usr/libexec/samba/rpcd_classic to 3292 with 0 clients
[2022/11/15 10:10:58.560868, 1]
../../source3/rpc_server/rpc_host.c:1350(rpc_host_distribute_clients)
rpc_host_distribute_clients: Sending new client
/usr/libexec/samba/rpcd_classic to 3292 with 0 clients
Samba is in clustered mode + registry:
[root@fs01 samba]# net conf list
[global]
logging = syslog
log level = 1
netbios name = fs
workgroup = xxx
realm = xxx
idmap config * : backend = autorid
idmap config * : range = 1000000-1999999
security = user
ctdb:registry.tdb = yes
clustering = yes
nt pipe support = yes
[symptoms]
path = /mnt/glusterfs/symptoms/
guest ok = no
read only = no
browseable = yes
[root@fs01 samba]# getsebool -a | grep samba
samba_create_home_dirs --> off
samba_domain_controller --> off
samba_enable_home_dirs --> off
samba_export_all_ro --> on
samba_export_all_rw --> on
samba_load_libgfapi --> off
samba_portmapper --> off
samba_run_unconfined --> off
samba_share_fusefs --> off
samba_share_nfs --> off
sanlock_use_samba --> off
tmpreaper_use_samba --> off
use_samba_home_dirs --> on
virt_use_samba --> off
If I only set to permissive, browsing shares starts working immediately.
--
Leszek A. Szczepanowski
twinsen at mspanc.net
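
Added example (not part of the original thread, and not a diagnosis of it): the post above looks for "denied" lines in /var/log/messages, whereas a host running auditd records AVC denials in /var/log/audit/audit.log. This shell sketch groups such records by source type, target type, object class, permissions and command, which makes comparing enforcing and permissive runs easier. The sample records and the function names are constructed for illustration and are not from the poster's system.

```shell
#!/bin/sh
# Added example: group SELinux AVC denials by source type, target type,
# object class, permissions and command name.

# Constructed audit.log records (NOT taken from the poster's system).
sample_avc() {
cat <<'EOF'
type=AVC msg=audit(1668507057.674:412): avc:  denied  { read open } for  pid=3300 comm="smbd" name="symptoms" dev="fuse" ino=1 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1668507057.674:412): arch=c000003e syscall=257 success=no exit=-13 comm="smbd" exe="/usr/sbin/smbd"
type=AVC msg=audit(1668507058.040:413): avc:  denied  { connectto } for  pid=3292 comm="rpcd_classic" path="/run/ctdb/ctdbd.socket" scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:system_r:ctdbd_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1668507058.560:414): avc:  denied  { read open } for  pid=3301 comm="smbd" name="symptoms" dev="fuse" ino=1 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir permissive=0
EOF
}

# Reads audit records on stdin and prints "count source -> target class {perms} comm=...".
summarize_avc() {
    awk '
    /avc:/ && /denied/ {
        perms = ""; src = ""; tgt = ""; cls = ""; comm = ""; inb = 0
        for (i = 1; i <= NF; i++) {
            # Permissions are the words between "{" and "}".
            if ($i == "{") { inb = 1; continue }
            if ($i == "}") { inb = 0; continue }
            if (inb) { perms = (perms == "" ? $i : perms "," $i); continue }
            # The type is the third colon-separated part of a context.
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
            else if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            else if ($i ~ /^tclass=/) { cls = substr($i, 8) }
            else if ($i ~ /^comm=/) { comm = substr($i, 6); gsub(/"/, "", comm) }
        }
        n[src " -> " tgt " " cls " {" perms "} comm=" comm]++
    }
    END { for (k in n) printf "%d %s\n", n[k], k }
    ' | sort -k1,1nr -k2
}

# Stand-alone run over the constructed sample.
sample_avc | summarize_avc
```

On a live host the function can read the output of `ausearch -m AVC,USER_AVC -ts recent` instead of the sample. `semodule -DB` temporarily disables dontaudit rules so that otherwise silent denials are logged, and `semodule -B` restores them.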
Rowland Penny
2022-Nov-15 09:47 UTC
[Samba] Strange issue with Samba+CTDB+SELinux+GlusterFS
On 15/11/2022 09:21, Leszek Szczepanowski via samba wrote:
> I have a very simple config for HA Samba, using CTDB.
> I have set all possible SELinux options until "denied" messages stopped
> appearing in /var/log/messages.
>
> All works flawlessly, just the problem is with browsing Samba shares with
> enforcing setting.
>
> When I try to browse shares, I'm getting this:
>
> samba-dcerpcd version 4.16.4 started.
> Copyright Andrew Tridgell and the Samba Team 1992-2022
> [2022/11/15 10:10:57.674555, 1]
> ../../source3/rpc_client/cli_pipe.c:3014(rpc_pipe_open_ncalrpc)
> rpc_pipe_open_ncalrpc: connect(/run/samba/ncalrpc/EPMAPPER) failed: No
> such file or directory
> [2022/11/15 10:10:57.820626, 1]
> ../../source3/rpc_server/rpc_host.c:1763(rpc_worker_exited)
> rpc_worker_exited: No worker with PID 3281
> [2022/11/15 10:10:58.040001, 1]
> ../../source3/rpc_server/rpc_host.c:1350(rpc_host_distribute_clients)
> rpc_host_distribute_clients: Sending new client
> /usr/libexec/samba/rpcd_winreg to 3294 with 0 clients
> [2022/11/15 10:10:58.048701, 1]
> ../../source3/rpc_server/rpc_host.c:1350(rpc_host_distribute_clients)
> rpc_host_distribute_clients: Sending new client
> /usr/libexec/samba/rpcd_winreg to 3294 with 0 clients
> [2022/11/15 10:10:58.049474, 1]
> ../../source3/rpc_server/rpc_host.c:1350(rpc_host_distribute_clients)
> rpc_host_distribute_clients: Sending new client
> /usr/libexec/samba/rpcd_classic to 3292 with 0 clients
> [2022/11/15 10:10:58.560868, 1]
> ../../source3/rpc_server/rpc_host.c:1350(rpc_host_distribute_clients)
> rpc_host_distribute_clients: Sending new client
> /usr/libexec/samba/rpcd_classic to 3292 with 0 clients
>
> Samba is in clustered mode + registry:
>
> [root@fs01 samba]# net conf list
> [global]
> logging = syslog
> log level = 1
> netbios name = fs
> workgroup = xxx
> realm = xxx
> idmap config * : backend = autorid
> idmap config * : range = 1000000-1999999
> security = user

Now I do not know a lot about CTDB, but I do know that you cannot use 'idmap config' lines with 'security = user', they are only used with a domain, so if this cluster is joined to a domain, I would start by changing 'security = user' to 'security = ADS'

Rowland