Thomas Cameron
2022-Nov-15 14:23 UTC
[Samba] Strange issue with Samba+CTDB+SELinux+GlusterFS
As root, what does audit2allow -al tell you? Here's a video I did when I was at Red Hat, talking through SELinux. I hope it's helpful. https://www.youtube.com/watch?v=_WOKRaM-HI4 Thomas On 11/15/22 04:04, Leszek Szczepanowski via samba wrote:> I think with security=user the rest is simply ignored, and the local auth > is working fine. > I will comment out that option for now. The AD integration will be done > later. > The main problem is probably not related directly to CTDB, but to what > Samba is trying to access with SELinux in Enforcing mode. > As there are no errors in /var/log/messages or in /var/log/audit, I'm lost. > I forgot to say versions, so: > > [root at fs01 samba]# cat /etc/redhat-release > CentOS Stream release 9 > [root at fs01 samba]# rpm -qa | grep samba > samba-common-4.16.4-101.el9.noarch > samba-client-libs-4.16.4-101.el9.x86_64 > samba-common-libs-4.16.4-101.el9.x86_64 > samba-libs-4.16.4-101.el9.x86_64 > python3-samba-4.16.4-101.el9.x86_64 > samba-common-tools-4.16.4-101.el9.x86_64 > samba-4.16.4-101.el9.x86_64 > samba-client-4.16.4-101.el9.x86_64 > samba-winbind-modules-4.16.4-101.el9.x86_64 > samba-winbind-4.16.4-101.el9.x86_64 > samba-winbind-krb5-locator-4.16.4-101.el9.x86_64 > samba-winbind-clients-4.16.4-101.el9.x86_64 > [root at fs01 samba]# rpm -qa | grep ctdb > ctdb-4.16.4-101.el9.x86_64 > [root at fs01 samba]# uname -a > Linux fs01.xxx 5.14.0-183.el9.x86_64 #1 SMP PREEMPT_DYNAMIC Mon Oct 31 > 09:18:51 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux > > Also, the provided errors were wrong, I was playing with permissive mode. > In enforcing it is: > > [2022/11/15 11:02:08, 0] > ../../source3/lib/dbwrap/dbwrap_ctdb.c:1926(db_open_ctdb) > Could not open tdb /var/lib/ctdb/persistent/registry.tdb.0: Permission > denied > [2022/11/15 11:02:08, 0] > ../../source3/lib/dbwrap/dbwrap_open.c:169(db_open) > db_open: failed to attach to ctdb registry.tdb > [2022/11/15 11:02:08, 0] > ../../source3/lib/dbwrap/dbwrap_ctdb.c:1926(db_open_ctdb) > Could not open tdb /var/lib/ctdb/persistent/registry.tdb.0: Permission > denied > [2022/11/15 11:02:08, 0] > ../../source3/lib/dbwrap/dbwrap_open.c:169(db_open) > db_open: failed to attach to ctdb registry.tdb > [2022/11/15 11:02:08, 1] > ../../source3/registry/reg_backend_db.c:759(regdb_init) > regdb_init: Failed to open registry /var/lib/samba/registry.tdb > (Permission denied) > [2022/11/15 11:02:08, 0] > ../../source3/registry/reg_init_basic.c:35(registry_init_common) > Failed to initialize the registry: WERR_ACCESS_DENIED > [2022/11/15 11:02:08, 1] > ../../source3/param/loadparm.c:2157(lp_smbconf_ctx) > error initializing registry configuration: SBC_ERR_BADFILE > Can't load /etc/samba/smb.conf - run testparm to debug it > samba-dcerpcd - Failed to load config file! > > But in the same time, I can do testparm without any issues: > > [root at fs01 samba]# testparm > Load smb config files from /etc/samba/smb.conf > Loaded services file OK. > Weak crypto is allowed > > Server role: ROLE_STANDALONE > > Press enter to see a dump of your service definitions > > # Global parameters > [global] > clustering = Yes > logging = syslog > netbios name = FS > realm = FS.xxx > registry shares = Yes > security = USER > workgroup = xxx > idmap config * : range = 1000000-1999999 > ctdb:registry.tdb = yes > idmap config * : backend = autorid > > > [symptoms] > path = /mnt/glusterfs/symptoms/ > read only = No > > > wt., 15 lis 2022 o 10:47 Rowland Penny via samba <samba at lists.samba.org> > napisa?(a): > >> >> On 15/11/2022 09:21, Leszek Szczepanowski via samba wrote: >>> I have very simple config for HA Samba, using CTDB. >>> I have set all possible SELinux options until "denied" messages stopped >>> appearch in /var/log/messages. >>> >>> All works flawlessly, just the problem is with browsing Samba shares with >>> enforcing setting. >>> >>> When I try to browse shares, I'm getting this: >>> >>> samba-dcerpcd version 4.16.4 started. >>> Copyright Andrew Tridgell and the Samba Team 1992-2022 >>> [2022/11/15 10:10:57.674555, 1] >>> ../../source3/rpc_client/cli_pipe.c:3014(rpc_pipe_open_ncalrpc) >>> rpc_pipe_open_ncalrpc: connect(/run/samba/ncalrpc/EPMAPPER) failed: No >>> such file or directory >>> [2022/11/15 10:10:57.820626, 1] >>> ../../source3/rpc_server/rpc_host.c:1763(rpc_worker_exited) >>> rpc_worker_exited: No worker with PID 3281 >>> [2022/11/15 10:10:58.040001, 1] >>> ../../source3/rpc_server/rpc_host.c:1350(rpc_host_distribute_clients) >>> rpc_host_distribute_clients: Sending new client >>> /usr/libexec/samba/rpcd_winreg to 3294 with 0 clients >>> [2022/11/15 10:10:58.048701, 1] >>> ../../source3/rpc_server/rpc_host.c:1350(rpc_host_distribute_clients) >>> rpc_host_distribute_clients: Sending new client >>> /usr/libexec/samba/rpcd_winreg to 3294 with 0 clients >>> [2022/11/15 10:10:58.049474, 1] >>> ../../source3/rpc_server/rpc_host.c:1350(rpc_host_distribute_clients) >>> rpc_host_distribute_clients: Sending new client >>> /usr/libexec/samba/rpcd_classic to 3292 with 0 clients >>> [2022/11/15 10:10:58.560868, 1] >>> ../../source3/rpc_server/rpc_host.c:1350(rpc_host_distribute_clients) >>> rpc_host_distribute_clients: Sending new client >>> /usr/libexec/samba/rpcd_classic to 3292 with 0 clients >>> >>> Samba is in clustered mode + registry: >>> >>> [root at fs01 samba]# net conf list >>> [global] >>> logging = syslog >>> log level = 1 >>> netbios name = fs >>> workgroup = xxx >>> realm = xxx >>> idmap config * : backend = autorid >>> idmap config * : range = 1000000-1999999 >>> security = user >> Now I do not know a lot about CTDB, but I do know that you cannot use >> 'idmap config' lines with 'security = user', they are are only used with >> a domain, so if this cluster is joined to a domain, I would start by >> changing 'security = user' to 'security = ADS' >> >> Rowland >> >> -- >> To unsubscribe from this list go to the following URL and read the >> instructions: https://lists.samba.org/mailman/options/samba >> >
Leszek Szczepanowski
2022-Nov-15 16:36 UTC
[Samba] Strange issue with Samba+CTDB+SELinux+GlusterFS
I'm getting this:
type=AVC msg=audit(1668528098.389:291): avc: denied { getattr } for
pid=84190 comm="samba-dcerpcd"
path="/var/lib/ctdb/persistent/registry.tdb.1" dev="dm-0"
ino=117620565
scontext=system_u:system_r:winbind_rpcd_t:s0
tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1668528098.389:292): avc: denied { map } for
pid=84190 comm="samba-dcerpcd"
path="/var/lib/ctdb/persistent/registry.tdb.1" dev="dm-0"
ino=117620565
scontext=system_u:system_r:winbind_rpcd_t:s0
tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1668528098.391:293): avc: denied { setattr } for
pid=84190 comm="samba-dcerpcd" name="g_lock.tdb.1"
dev="dm-0"
ino=152097603 scontext=system_u:system_r:winbind_rpcd_t:s0
tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1668529035.873:308): avc: denied { read write } for
pid=89129 comm="samba-dcerpcd" name="registry.tdb.1"
dev="dm-0"
ino=117620565 scontext=system_u:system_r:winbind_rpcd_t:s0
tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1668529035.873:308): avc: denied { open } for
pid=89129 comm="samba-dcerpcd"
path="/var/lib/ctdb/persistent/registry.tdb.1" dev="dm-0"
ino=117620565
scontext=system_u:system_r:winbind_rpcd_t:s0
tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1668529035.873:309): avc: denied { lock } for
pid=89129 comm="samba-dcerpcd"
path="/var/lib/ctdb/persistent/registry.tdb.1" dev="dm-0"
ino=117620565
scontext=system_u:system_r:winbind_rpcd_t:s0
tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1668529035.873:310): avc: denied { getattr } for
pid=89129 comm="samba-dcerpcd"
path="/var/lib/ctdb/persistent/registry.tdb.1" dev="dm-0"
ino=117620565
scontext=system_u:system_r:winbind_rpcd_t:s0
tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1668529035.875:311): avc: denied { setattr } for
pid=89129 comm="samba-dcerpcd" name="g_lock.tdb.1"
dev="dm-0"
ino=152097603 scontext=system_u:system_r:winbind_rpcd_t:s0
tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=1
I did
audit2allow -al -M dcerpcd
semodule -i dcerpcd.pp
It was working in Enforcing 1 mode for like 1 minute. After that, again not
working. But this time:
[root at fs02 samba]# audit2allow -al
[root at fs02 samba]#
So the module is active, nothing is denied (no new entries in
/var/log/audit/audit.log), however it's again:
[2022/11/15 17:33:13, 0]
../../source3/lib/dbwrap/dbwrap_ctdb.c:1926(db_open_ctdb)
Could not open tdb /var/lib/ctdb/persistent/registry.tdb.1: Permission
denied
[2022/11/15 17:33:13, 0]
../../source3/lib/dbwrap/dbwrap_open.c:169(db_open)
db_open: failed to attach to ctdb registry.tdb
[2022/11/15 17:33:13, 0]
../../source3/lib/dbwrap/dbwrap_ctdb.c:1926(db_open_ctdb)
Could not open tdb /var/lib/ctdb/persistent/registry.tdb.1: Permission
denied
[2022/11/15 17:33:13, 0]
../../source3/lib/dbwrap/dbwrap_open.c:169(db_open)
db_open: failed to attach to ctdb registry.tdb
[2022/11/15 17:33:13, 1]
../../source3/registry/reg_backend_db.c:759(regdb_init)
regdb_init: Failed to open registry /var/lib/samba/registry.tdb
(Permission denied)
[2022/11/15 17:33:13, 0]
../../source3/registry/reg_init_basic.c:35(registry_init_common)
Failed to initialize the registry: WERR_ACCESS_DENIED
[2022/11/15 17:33:13, 1]
../../source3/param/loadparm.c:2157(lp_smbconf_ctx)
error initializing registry configuration: SBC_ERR_BADFILE
Can't load /etc/samba/smb.conf - run testparm to debug it
samba-dcerpcd - Failed to load config file!
wt., 15 lis 2022 o 16:09 Thomas Cameron via samba <samba at
lists.samba.org>
napisa?(a):
> As root, what does audit2allow -al tell you?
>
> Here's a video I did when I was at Red Hat, talking through SELinux. I
> hope it's helpful. https://www.youtube.com/watch?v=_WOKRaM-HI4
>
> Thomas
>
> On 11/15/22 04:04, Leszek Szczepanowski via samba wrote:
> > I think with security=user the rest is simply ignored, and the local
auth
> > is working fine.
> > I will comment out that option for now. The AD integration will be
done
> > later.
> > The main problem is probably not related directly to CTDB, but to what
> > Samba is trying to access with SELinux in Enforcing mode.
> > As there are no errors in /var/log/messages or in /var/log/audit,
I'm
> lost.
> > I forgot to say versions, so:
> >
> > [root at fs01 samba]# cat /etc/redhat-release
> > CentOS Stream release 9
> > [root at fs01 samba]# rpm -qa | grep samba
> > samba-common-4.16.4-101.el9.noarch
> > samba-client-libs-4.16.4-101.el9.x86_64
> > samba-common-libs-4.16.4-101.el9.x86_64
> > samba-libs-4.16.4-101.el9.x86_64
> > python3-samba-4.16.4-101.el9.x86_64
> > samba-common-tools-4.16.4-101.el9.x86_64
> > samba-4.16.4-101.el9.x86_64
> > samba-client-4.16.4-101.el9.x86_64
> > samba-winbind-modules-4.16.4-101.el9.x86_64
> > samba-winbind-4.16.4-101.el9.x86_64
> > samba-winbind-krb5-locator-4.16.4-101.el9.x86_64
> > samba-winbind-clients-4.16.4-101.el9.x86_64
> > [root at fs01 samba]# rpm -qa | grep ctdb
> > ctdb-4.16.4-101.el9.x86_64
> > [root at fs01 samba]# uname -a
> > Linux fs01.xxx 5.14.0-183.el9.x86_64 #1 SMP PREEMPT_DYNAMIC Mon Oct 31
> > 09:18:51 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
> >
> > Also, the provided errors were wrong, I was playing with permissive
mode.
> > In enforcing it is:
> >
> > [2022/11/15 11:02:08, 0]
> > ../../source3/lib/dbwrap/dbwrap_ctdb.c:1926(db_open_ctdb)
> > Could not open tdb /var/lib/ctdb/persistent/registry.tdb.0:
Permission
> > denied
> > [2022/11/15 11:02:08, 0]
> > ../../source3/lib/dbwrap/dbwrap_open.c:169(db_open)
> > db_open: failed to attach to ctdb registry.tdb
> > [2022/11/15 11:02:08, 0]
> > ../../source3/lib/dbwrap/dbwrap_ctdb.c:1926(db_open_ctdb)
> > Could not open tdb /var/lib/ctdb/persistent/registry.tdb.0:
Permission
> > denied
> > [2022/11/15 11:02:08, 0]
> > ../../source3/lib/dbwrap/dbwrap_open.c:169(db_open)
> > db_open: failed to attach to ctdb registry.tdb
> > [2022/11/15 11:02:08, 1]
> > ../../source3/registry/reg_backend_db.c:759(regdb_init)
> > regdb_init: Failed to open registry /var/lib/samba/registry.tdb
> > (Permission denied)
> > [2022/11/15 11:02:08, 0]
> > ../../source3/registry/reg_init_basic.c:35(registry_init_common)
> > Failed to initialize the registry: WERR_ACCESS_DENIED
> > [2022/11/15 11:02:08, 1]
> > ../../source3/param/loadparm.c:2157(lp_smbconf_ctx)
> > error initializing registry configuration: SBC_ERR_BADFILE
> > Can't load /etc/samba/smb.conf - run testparm to debug it
> > samba-dcerpcd - Failed to load config file!
> >
> > But in the same time, I can do testparm without any issues:
> >
> > [root at fs01 samba]# testparm
> > Load smb config files from /etc/samba/smb.conf
> > Loaded services file OK.
> > Weak crypto is allowed
> >
> > Server role: ROLE_STANDALONE
> >
> > Press enter to see a dump of your service definitions
> >
> > # Global parameters
> > [global]
> > clustering = Yes
> > logging = syslog
> > netbios name = FS
> > realm = FS.xxx
> > registry shares = Yes
> > security = USER
> > workgroup = xxx
> > idmap config * : range = 1000000-1999999
> > ctdb:registry.tdb = yes
> > idmap config * : backend = autorid
> >
> >
> > [symptoms]
> > path = /mnt/glusterfs/symptoms/
> > read only = No
> >
> >
> > wt., 15 lis 2022 o 10:47 Rowland Penny via samba <samba at
lists.samba.org>
> > napisa?(a):
> >
> >>
> >> On 15/11/2022 09:21, Leszek Szczepanowski via samba wrote:
> >>> I have very simple config for HA Samba, using CTDB.
> >>> I have set all possible SELinux options until
"denied" messages stopped
> >>> appearch in /var/log/messages.
> >>>
> >>> All works flawlessly, just the problem is with browsing Samba
shares
> with
> >>> enforcing setting.
> >>>
> >>> When I try to browse shares, I'm getting this:
> >>>
> >>> samba-dcerpcd version 4.16.4 started.
> >>> Copyright Andrew Tridgell and the Samba Team 1992-2022
> >>> [2022/11/15 10:10:57.674555, 1]
> >>>
../../source3/rpc_client/cli_pipe.c:3014(rpc_pipe_open_ncalrpc)
> >>> rpc_pipe_open_ncalrpc:
connect(/run/samba/ncalrpc/EPMAPPER)
> failed: No
> >>> such file or directory
> >>> [2022/11/15 10:10:57.820626, 1]
> >>> ../../source3/rpc_server/rpc_host.c:1763(rpc_worker_exited)
> >>> rpc_worker_exited: No worker with PID 3281
> >>> [2022/11/15 10:10:58.040001, 1]
> >>>
../../source3/rpc_server/rpc_host.c:1350(rpc_host_distribute_clients)
> >>> rpc_host_distribute_clients: Sending new client
> >>> /usr/libexec/samba/rpcd_winreg to 3294 with 0 clients
> >>> [2022/11/15 10:10:58.048701, 1]
> >>>
../../source3/rpc_server/rpc_host.c:1350(rpc_host_distribute_clients)
> >>> rpc_host_distribute_clients: Sending new client
> >>> /usr/libexec/samba/rpcd_winreg to 3294 with 0 clients
> >>> [2022/11/15 10:10:58.049474, 1]
> >>>
../../source3/rpc_server/rpc_host.c:1350(rpc_host_distribute_clients)
> >>> rpc_host_distribute_clients: Sending new client
> >>> /usr/libexec/samba/rpcd_classic to 3292 with 0 clients
> >>> [2022/11/15 10:10:58.560868, 1]
> >>>
../../source3/rpc_server/rpc_host.c:1350(rpc_host_distribute_clients)
> >>> rpc_host_distribute_clients: Sending new client
> >>> /usr/libexec/samba/rpcd_classic to 3292 with 0 clients
> >>>
> >>> Samba is in clustered mode + registry:
> >>>
> >>> [root at fs01 samba]# net conf list
> >>> [global]
> >>> logging = syslog
> >>> log level = 1
> >>> netbios name = fs
> >>> workgroup = xxx
> >>> realm = xxx
> >>> idmap config * : backend = autorid
> >>> idmap config * : range = 1000000-1999999
> >>> security = user
> >> Now I do not know a lot about CTDB, but I do know that you cannot
use
> >> 'idmap config' lines with 'security = user', they
are are only used with
> >> a domain, so if this cluster is joined to a domain, I would start
by
> >> changing 'security = user' to 'security = ADS'
> >>
> >> Rowland
> >>
> >> --
> >> To unsubscribe from this list go to the following URL and read the
> >> instructions: https://lists.samba.org/mailman/options/samba
> >>
> >
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
--
--
Leszek A. Szczepanowski
twinsen at mspanc.net