Rowland Penny
2022-Nov-15 09:47 UTC
[Samba] Strange issue with Samba+CTDB+SELinux+GlusterFS
On 15/11/2022 09:21, Leszek Szczepanowski via samba wrote:> I have very simple config for HA Samba, using CTDB. > I have set all possible SELinux options until "denied" messages stopped > appearch in /var/log/messages. > > All works flawlessly, just the problem is with browsing Samba shares with > enforcing setting. > > When I try to browse shares, I'm getting this: > > samba-dcerpcd version 4.16.4 started. > Copyright Andrew Tridgell and the Samba Team 1992-2022 > [2022/11/15 10:10:57.674555, 1] > ../../source3/rpc_client/cli_pipe.c:3014(rpc_pipe_open_ncalrpc) > rpc_pipe_open_ncalrpc: connect(/run/samba/ncalrpc/EPMAPPER) failed: No > such file or directory > [2022/11/15 10:10:57.820626, 1] > ../../source3/rpc_server/rpc_host.c:1763(rpc_worker_exited) > rpc_worker_exited: No worker with PID 3281 > [2022/11/15 10:10:58.040001, 1] > ../../source3/rpc_server/rpc_host.c:1350(rpc_host_distribute_clients) > rpc_host_distribute_clients: Sending new client > /usr/libexec/samba/rpcd_winreg to 3294 with 0 clients > [2022/11/15 10:10:58.048701, 1] > ../../source3/rpc_server/rpc_host.c:1350(rpc_host_distribute_clients) > rpc_host_distribute_clients: Sending new client > /usr/libexec/samba/rpcd_winreg to 3294 with 0 clients > [2022/11/15 10:10:58.049474, 1] > ../../source3/rpc_server/rpc_host.c:1350(rpc_host_distribute_clients) > rpc_host_distribute_clients: Sending new client > /usr/libexec/samba/rpcd_classic to 3292 with 0 clients > [2022/11/15 10:10:58.560868, 1] > ../../source3/rpc_server/rpc_host.c:1350(rpc_host_distribute_clients) > rpc_host_distribute_clients: Sending new client > /usr/libexec/samba/rpcd_classic to 3292 with 0 clients > > Samba is in clustered mode + registry: > > [root at fs01 samba]# net conf list > [global] > logging = syslog > log level = 1 > netbios name = fs > workgroup = xxx > realm = xxx > idmap config * : backend = autorid > idmap config * : range = 1000000-1999999 > security = userNow I do not know a lot about CTDB, but I do know that you cannot use 'idmap config' lines with 'security = user', they are are only used with a domain, so if this cluster is joined to a domain, I would start by changing 'security = user' to 'security = ADS' Rowland
Leszek Szczepanowski
2022-Nov-15 10:04 UTC
[Samba] Strange issue with Samba+CTDB+SELinux+GlusterFS
I think with security=user the rest is simply ignored, and the local auth is working fine. I will comment out that option for now. The AD integration will be done later. The main problem is probably not related directly to CTDB, but to what Samba is trying to access with SELinux in Enforcing mode. As there are no errors in /var/log/messages or in /var/log/audit, I'm lost. I forgot to say versions, so: [root at fs01 samba]# cat /etc/redhat-release CentOS Stream release 9 [root at fs01 samba]# rpm -qa | grep samba samba-common-4.16.4-101.el9.noarch samba-client-libs-4.16.4-101.el9.x86_64 samba-common-libs-4.16.4-101.el9.x86_64 samba-libs-4.16.4-101.el9.x86_64 python3-samba-4.16.4-101.el9.x86_64 samba-common-tools-4.16.4-101.el9.x86_64 samba-4.16.4-101.el9.x86_64 samba-client-4.16.4-101.el9.x86_64 samba-winbind-modules-4.16.4-101.el9.x86_64 samba-winbind-4.16.4-101.el9.x86_64 samba-winbind-krb5-locator-4.16.4-101.el9.x86_64 samba-winbind-clients-4.16.4-101.el9.x86_64 [root at fs01 samba]# rpm -qa | grep ctdb ctdb-4.16.4-101.el9.x86_64 [root at fs01 samba]# uname -a Linux fs01.xxx 5.14.0-183.el9.x86_64 #1 SMP PREEMPT_DYNAMIC Mon Oct 31 09:18:51 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux Also, the provided errors were wrong, I was playing with permissive mode. In enforcing it is: [2022/11/15 11:02:08, 0] ../../source3/lib/dbwrap/dbwrap_ctdb.c:1926(db_open_ctdb) Could not open tdb /var/lib/ctdb/persistent/registry.tdb.0: Permission denied [2022/11/15 11:02:08, 0] ../../source3/lib/dbwrap/dbwrap_open.c:169(db_open) db_open: failed to attach to ctdb registry.tdb [2022/11/15 11:02:08, 0] ../../source3/lib/dbwrap/dbwrap_ctdb.c:1926(db_open_ctdb) Could not open tdb /var/lib/ctdb/persistent/registry.tdb.0: Permission denied [2022/11/15 11:02:08, 0] ../../source3/lib/dbwrap/dbwrap_open.c:169(db_open) db_open: failed to attach to ctdb registry.tdb [2022/11/15 11:02:08, 1] ../../source3/registry/reg_backend_db.c:759(regdb_init) regdb_init: Failed to open registry /var/lib/samba/registry.tdb (Permission denied) [2022/11/15 11:02:08, 0] ../../source3/registry/reg_init_basic.c:35(registry_init_common) Failed to initialize the registry: WERR_ACCESS_DENIED [2022/11/15 11:02:08, 1] ../../source3/param/loadparm.c:2157(lp_smbconf_ctx) error initializing registry configuration: SBC_ERR_BADFILE Can't load /etc/samba/smb.conf - run testparm to debug it samba-dcerpcd - Failed to load config file! But in the same time, I can do testparm without any issues: [root at fs01 samba]# testparm Load smb config files from /etc/samba/smb.conf Loaded services file OK. Weak crypto is allowed Server role: ROLE_STANDALONE Press enter to see a dump of your service definitions # Global parameters [global] clustering = Yes logging = syslog netbios name = FS realm = FS.xxx registry shares = Yes security = USER workgroup = xxx idmap config * : range = 1000000-1999999 ctdb:registry.tdb = yes idmap config * : backend = autorid [symptoms] path = /mnt/glusterfs/symptoms/ read only = No wt., 15 lis 2022 o 10:47 Rowland Penny via samba <samba at lists.samba.org> napisa?(a):> > > On 15/11/2022 09:21, Leszek Szczepanowski via samba wrote: > > I have very simple config for HA Samba, using CTDB. > > I have set all possible SELinux options until "denied" messages stopped > > appearch in /var/log/messages. > > > > All works flawlessly, just the problem is with browsing Samba shares with > > enforcing setting. > > > > When I try to browse shares, I'm getting this: > > > > samba-dcerpcd version 4.16.4 started. > > Copyright Andrew Tridgell and the Samba Team 1992-2022 > > [2022/11/15 10:10:57.674555, 1] > > ../../source3/rpc_client/cli_pipe.c:3014(rpc_pipe_open_ncalrpc) > > rpc_pipe_open_ncalrpc: connect(/run/samba/ncalrpc/EPMAPPER) failed: No > > such file or directory > > [2022/11/15 10:10:57.820626, 1] > > ../../source3/rpc_server/rpc_host.c:1763(rpc_worker_exited) > > rpc_worker_exited: No worker with PID 3281 > > [2022/11/15 10:10:58.040001, 1] > > ../../source3/rpc_server/rpc_host.c:1350(rpc_host_distribute_clients) > > rpc_host_distribute_clients: Sending new client > > /usr/libexec/samba/rpcd_winreg to 3294 with 0 clients > > [2022/11/15 10:10:58.048701, 1] > > ../../source3/rpc_server/rpc_host.c:1350(rpc_host_distribute_clients) > > rpc_host_distribute_clients: Sending new client > > /usr/libexec/samba/rpcd_winreg to 3294 with 0 clients > > [2022/11/15 10:10:58.049474, 1] > > ../../source3/rpc_server/rpc_host.c:1350(rpc_host_distribute_clients) > > rpc_host_distribute_clients: Sending new client > > /usr/libexec/samba/rpcd_classic to 3292 with 0 clients > > [2022/11/15 10:10:58.560868, 1] > > ../../source3/rpc_server/rpc_host.c:1350(rpc_host_distribute_clients) > > rpc_host_distribute_clients: Sending new client > > /usr/libexec/samba/rpcd_classic to 3292 with 0 clients > > > > Samba is in clustered mode + registry: > > > > [root at fs01 samba]# net conf list > > [global] > > logging = syslog > > log level = 1 > > netbios name = fs > > workgroup = xxx > > realm = xxx > > idmap config * : backend = autorid > > idmap config * : range = 1000000-1999999 > > security = user > > Now I do not know a lot about CTDB, but I do know that you cannot use > 'idmap config' lines with 'security = user', they are are only used with > a domain, so if this cluster is joined to a domain, I would start by > changing 'security = user' to 'security = ADS' > > Rowland > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba >-- -- Leszek A. Szczepanowski twinsen at mspanc.net