Thomas Cameron
2022-Nov-16 03:04 UTC
[Samba] Strange issue with Samba+CTDB+SELinux+GlusterFS
I'm wondering if something weird is happening like it creates the file initially as /var/lib/ctdb/persistent/registry.tdb and then renames it to /var/lib/ctdb/persistent/registry.tdb.1. The SELinux error could be on the initial file it's creating or something like that.

And you say that, when you set SELinux to permissive, the problem goes away completely, right?

Can you maybe run the server in permissive mode, then run through all of the paces, THEN run audit2allow and see if it throws any errors?

I'm just brainstorming here. This is a weird problem. I am kinda surprised that it worked for a while and then failed. Again, I wonder if it's creating a file and then renaming it. What's the context of the parent directory (ls -Z)?

Maybe you could do something like:

    semanage fcontext -a -t ctdbd_var_lib_t /var/lib/ctdb/persistent/account_policy.tdb

or even:

    semanage fcontext -a -t ctdbd_var_lib_t "/var/lib/ctdb/persistent(/.*)?"

That would make any file created under /var/lib/ctdb/persistent/ labeled as ctdbd_var_lib_t.
Thomas

On 11/15/22 15:47, Leszek Szczepanowski via samba wrote:
> Additionally:
>
> [root@fs01 symptoms]# ctdb getdbmap
> Number of databases:19
> dbid:0x4d2a432b name:g_lock.tdb path:/var/lib/ctdb/volatile/g_lock.tdb.0
> dbid:0x2d608c16 name:netlogon_creds_cli.tdb path:/var/lib/ctdb/volatile/netlogon_creds_cli.tdb.0
> dbid:0x521b7544 name:smbXsrv_version_global.tdb path:/var/lib/ctdb/volatile/smbXsrv_version_global.tdb.0
> dbid:0x477d2e20 name:smbXsrv_client_global.tdb path:/var/lib/ctdb/volatile/smbXsrv_client_global.tdb.0
> dbid:0x6b06a26d name:smbXsrv_session_global.tdb path:/var/lib/ctdb/volatile/smbXsrv_session_global.tdb.0
> dbid:0x68c12c2c name:smbXsrv_tcon_global.tdb path:/var/lib/ctdb/volatile/smbXsrv_tcon_global.tdb.0
> dbid:0x4e66c2b2 name:brlock.tdb path:/var/lib/ctdb/volatile/brlock.tdb.0
> dbid:0x7a19d84d name:locking.tdb path:/var/lib/ctdb/volatile/locking.tdb.0
> dbid:0x06916e77 name:leases.tdb path:/var/lib/ctdb/volatile/leases.tdb.0
> dbid:0x66f71b8c name:smbXsrv_open_global.tdb path:/var/lib/ctdb/volatile/smbXsrv_open_global.tdb.0
> dbid:0x1313cc83 name:autorid.tdb path:/var/lib/ctdb/persistent/autorid.tdb.0 PERSISTENT
> dbid:0x5bcfcbd7 name:printer_list.tdb path:/var/lib/ctdb/persistent/printer_list.tdb.0 PERSISTENT
> dbid:0x3ef19640 name:passdb.tdb path:/var/lib/ctdb/persistent/passdb.tdb.0 PERSISTENT
> dbid:0x2ca251cf name:account_policy.tdb path:/var/lib/ctdb/persistent/account_policy.tdb.0 PERSISTENT
> dbid:0xa1413774 name:group_mapping.tdb path:/var/lib/ctdb/persistent/group_mapping.tdb.0 PERSISTENT
> dbid:0xc3078fba name:share_info.tdb path:/var/lib/ctdb/persistent/share_info.tdb.0 PERSISTENT
> dbid:0x6645c6c4 name:ctdb.tdb path:/var/lib/ctdb/persistent/ctdb.tdb.0 PERSISTENT
> dbid:0x7132c184 name:secrets.tdb path:/var/lib/ctdb/persistent/secrets.tdb.0 PERSISTENT
> dbid:0x6cf2837d name:registry.tdb path:/var/lib/ctdb/persistent/registry.tdb.0 PERSISTENT
>
> It seems it uses the node number as a suffix on each node; here node 3:
>
> [root@fs03 lszczepa]# ctdb getdbmap
> Number of databases:19
> dbid:0x66f71b8c name:smbXsrv_open_global.tdb path:/var/lib/ctdb/volatile/smbXsrv_open_global.tdb.2
> dbid:0x06916e77 name:leases.tdb path:/var/lib/ctdb/volatile/leases.tdb.2
> dbid:0x7a19d84d name:locking.tdb path:/var/lib/ctdb/volatile/locking.tdb.2
> dbid:0x4e66c2b2 name:brlock.tdb path:/var/lib/ctdb/volatile/brlock.tdb.2
> dbid:0x68c12c2c name:smbXsrv_tcon_global.tdb path:/var/lib/ctdb/volatile/smbXsrv_tcon_global.tdb.2
> dbid:0x6b06a26d name:smbXsrv_session_global.tdb path:/var/lib/ctdb/volatile/smbXsrv_session_global.tdb.2
> dbid:0x477d2e20 name:smbXsrv_client_global.tdb path:/var/lib/ctdb/volatile/smbXsrv_client_global.tdb.2
> dbid:0x521b7544 name:smbXsrv_version_global.tdb path:/var/lib/ctdb/volatile/smbXsrv_version_global.tdb.2
> dbid:0x2d608c16 name:netlogon_creds_cli.tdb path:/var/lib/ctdb/volatile/netlogon_creds_cli.tdb.2
> dbid:0x4d2a432b name:g_lock.tdb path:/var/lib/ctdb/volatile/g_lock.tdb.2
> dbid:0x1313cc83 name:autorid.tdb path:/var/lib/ctdb/persistent/autorid.tdb.2 PERSISTENT
> dbid:0x5bcfcbd7 name:printer_list.tdb path:/var/lib/ctdb/persistent/printer_list.tdb.2 PERSISTENT
> dbid:0x3ef19640 name:passdb.tdb path:/var/lib/ctdb/persistent/passdb.tdb.2 PERSISTENT
> dbid:0x2ca251cf name:account_policy.tdb path:/var/lib/ctdb/persistent/account_policy.tdb.2 PERSISTENT
> dbid:0xa1413774 name:group_mapping.tdb path:/var/lib/ctdb/persistent/group_mapping.tdb.2 PERSISTENT
> dbid:0xc3078fba name:share_info.tdb path:/var/lib/ctdb/persistent/share_info.tdb.2 PERSISTENT
> dbid:0x6645c6c4 name:ctdb.tdb path:/var/lib/ctdb/persistent/ctdb.tdb.2 PERSISTENT
> dbid:0x7132c184 name:secrets.tdb path:/var/lib/ctdb/persistent/secrets.tdb.2 PERSISTENT
> dbid:0x6cf2837d name:registry.tdb path:/var/lib/ctdb/persistent/registry.tdb.2 PERSISTENT
>
> Tue, 15 Nov 2022 at 22:44 Leszek Szczepanowski <twinsen at mspanc.net> wrote:
>
>> Hi,
>>
>> [root@fs01 symptoms]# ls -lZ /var/lib/ctdb/persistent/registry.tdb
>> ls: cannot access '/var/lib/ctdb/persistent/registry.tdb': No such file or directory
>> [root@fs01 symptoms]# find / -name registry.tdb
>> [root@fs01 symptoms]#
>>
>> [root@fs01 symptoms]# ls -lZ /var/lib/ctdb/persistent/
>> total 20832
>> -rw-------. 1 root root system_u:object_r:ctdbd_var_lib_t:s0 7892992 Nov 15 18:50 account_policy.tdb.0
>> -rw-r--r--. 1 root root system_u:object_r:ctdbd_var_lib_t:s0 1327104 Nov 15 18:50 autorid.tdb.0
>> -rw-------. 1 root root system_u:object_r:ctdbd_var_lib_t:s0 1310720 Nov 15 18:50 ctdb.tdb.0
>> -rw-------. 1 root root system_u:object_r:ctdbd_var_lib_t:s0 1310720 Nov 15 18:50 group_mapping.tdb.0
>> -rw-------. 1 root root system_u:object_r:ctdbd_var_lib_t:s0 2560000 Nov 15 18:50 passdb.tdb.0
>> -rw-r--r--. 1 root root system_u:object_r:ctdbd_var_lib_t:s0 1310720 Nov 15 18:50 printer_list.tdb.0
>> -rw-------. 1 root root system_u:object_r:ctdbd_var_lib_t:s0 1736704 Nov 15 18:50 registry.tdb.0
>> -rw-------. 1 root root system_u:object_r:ctdbd_var_lib_t:s0 2146304 Nov 15 18:50 secrets.tdb.0
>> -rw-------. 1 root root system_u:object_r:ctdbd_var_lib_t:s0 1736704 Nov 15 18:50 share_info.tdb.0
>>
>> [root@fs01 symptoms]# ls -lZ /var/lib/ctdb/persistent/registry.tdb.0
>> -rw-------. 1 root root system_u:object_r:ctdbd_var_lib_t:s0 1736704 Nov 15 18:50 /var/lib/ctdb/persistent/registry.tdb.0
>>
>> That is strange. Why .0?
>>
>> Tue, 15 Nov 2022 at 21:28 Thomas Cameron <thomas.cameron at camerontech.com> wrote:
>>
>>> What's the label for /var/lib/ctdb/persistent/registry.tdb.1? What does ls -lZ tell you?
>>>
>>> Thomas
>>>
>>> On 11/15/22 10:36, Leszek Szczepanowski wrote:
>>>
>>> I'm getting this:
>>>
>>> type=AVC msg=audit(1668528098.389:291): avc: denied { getattr } for pid=84190 comm="samba-dcerpcd" path="/var/lib/ctdb/persistent/registry.tdb.1" dev="dm-0" ino=117620565 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=1
>>> type=AVC msg=audit(1668528098.389:292): avc: denied { map } for pid=84190 comm="samba-dcerpcd" path="/var/lib/ctdb/persistent/registry.tdb.1" dev="dm-0" ino=117620565 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=1
>>> type=AVC msg=audit(1668528098.391:293): avc: denied { setattr } for pid=84190 comm="samba-dcerpcd" name="g_lock.tdb.1" dev="dm-0" ino=152097603 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=1
>>> type=AVC msg=audit(1668529035.873:308): avc: denied { read write } for pid=89129 comm="samba-dcerpcd" name="registry.tdb.1" dev="dm-0" ino=117620565 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=1
>>> type=AVC msg=audit(1668529035.873:308): avc: denied { open } for pid=89129 comm="samba-dcerpcd" path="/var/lib/ctdb/persistent/registry.tdb.1" dev="dm-0" ino=117620565 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=1
>>> type=AVC msg=audit(1668529035.873:309): avc: denied { lock } for pid=89129 comm="samba-dcerpcd" path="/var/lib/ctdb/persistent/registry.tdb.1" dev="dm-0" ino=117620565 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=1
>>> type=AVC msg=audit(1668529035.873:310): avc: denied { getattr } for pid=89129 comm="samba-dcerpcd" path="/var/lib/ctdb/persistent/registry.tdb.1" dev="dm-0" ino=117620565 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=1
>>> type=AVC msg=audit(1668529035.875:311): avc: denied { setattr } for pid=89129 comm="samba-dcerpcd" name="g_lock.tdb.1" dev="dm-0" ino=152097603 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=1
>>>
>>> I did
>>> audit2allow -al -M dcerpcd
>>> semodule -i dcerpcd.pp
>>>
>>> It was working in Enforcing 1 mode for like 1 minute. After that, again not working. But this time:
>>>
>>> [root@fs02 samba]# audit2allow -al
>>> [root@fs02 samba]#
>>>
>>> So the module is active, nothing is denied (no new entries in /var/log/audit/audit.log), however it's again:
>>>
>>> [2022/11/15 17:33:13, 0] ../../source3/lib/dbwrap/dbwrap_ctdb.c:1926(db_open_ctdb)
>>>   Could not open tdb /var/lib/ctdb/persistent/registry.tdb.1: Permission denied
>>> [2022/11/15 17:33:13, 0] ../../source3/lib/dbwrap/dbwrap_open.c:169(db_open)
>>>   db_open: failed to attach to ctdb registry.tdb
>>> [2022/11/15 17:33:13, 0] ../../source3/lib/dbwrap/dbwrap_ctdb.c:1926(db_open_ctdb)
>>>   Could not open tdb /var/lib/ctdb/persistent/registry.tdb.1: Permission denied
>>> [2022/11/15 17:33:13, 0] ../../source3/lib/dbwrap/dbwrap_open.c:169(db_open)
>>>   db_open: failed to attach to ctdb registry.tdb
>>> [2022/11/15 17:33:13, 1] ../../source3/registry/reg_backend_db.c:759(regdb_init)
>>>   regdb_init: Failed to open registry /var/lib/samba/registry.tdb (Permission denied)
>>> [2022/11/15 17:33:13, 0] ../../source3/registry/reg_init_basic.c:35(registry_init_common)
>>>   Failed to initialize the registry: WERR_ACCESS_DENIED
>>> [2022/11/15 17:33:13, 1] ../../source3/param/loadparm.c:2157(lp_smbconf_ctx)
>>>   error initializing registry configuration: SBC_ERR_BADFILE
>>> Can't load /etc/samba/smb.conf - run testparm to debug it
>>> samba-dcerpcd - Failed to load config file!
>>>
>>> Tue, 15 Nov 2022 at 16:09 Thomas Cameron via samba <samba at lists.samba.org> wrote:
>>>
>>>> As root, what does audit2allow -al tell you?
>>>>
>>>> Here's a video I did when I was at Red Hat, talking through SELinux. I hope it's helpful. https://www.youtube.com/watch?v=_WOKRaM-HI4
>>>>
>>>> Thomas
>>>>
>>>> On 11/15/22 04:04, Leszek Szczepanowski via samba wrote:
>>>>> I think with security=user the rest is simply ignored, and the local auth is working fine.
>>>>> I will comment out that option for now. The AD integration will be done later.
>>>>> The main problem is probably not related directly to CTDB, but to what Samba is trying to access with SELinux in Enforcing mode.
>>>>> As there are no errors in /var/log/messages or in /var/log/audit, I'm lost.
>>>>> I forgot to say versions, so:
>>>>>
>>>>> [root@fs01 samba]# cat /etc/redhat-release
>>>>> CentOS Stream release 9
>>>>> [root@fs01 samba]# rpm -qa | grep samba
>>>>> samba-common-4.16.4-101.el9.noarch
>>>>> samba-client-libs-4.16.4-101.el9.x86_64
>>>>> samba-common-libs-4.16.4-101.el9.x86_64
>>>>> samba-libs-4.16.4-101.el9.x86_64
>>>>> python3-samba-4.16.4-101.el9.x86_64
>>>>> samba-common-tools-4.16.4-101.el9.x86_64
>>>>> samba-4.16.4-101.el9.x86_64
>>>>> samba-client-4.16.4-101.el9.x86_64
>>>>> samba-winbind-modules-4.16.4-101.el9.x86_64
>>>>> samba-winbind-4.16.4-101.el9.x86_64
>>>>> samba-winbind-krb5-locator-4.16.4-101.el9.x86_64
>>>>> samba-winbind-clients-4.16.4-101.el9.x86_64
>>>>> [root@fs01 samba]# rpm -qa | grep ctdb
>>>>> ctdb-4.16.4-101.el9.x86_64
>>>>> [root@fs01 samba]# uname -a
>>>>> Linux fs01.xxx 5.14.0-183.el9.x86_64 #1 SMP PREEMPT_DYNAMIC Mon Oct 31 09:18:51 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
>>>>>
>>>>> Also, the provided errors were wrong, I was playing with permissive mode. In enforcing it is:
>>>>>
>>>>> [2022/11/15 11:02:08, 0] ../../source3/lib/dbwrap/dbwrap_ctdb.c:1926(db_open_ctdb)
>>>>>   Could not open tdb /var/lib/ctdb/persistent/registry.tdb.0: Permission denied
>>>>> [2022/11/15 11:02:08, 0] ../../source3/lib/dbwrap/dbwrap_open.c:169(db_open)
>>>>>   db_open: failed to attach to ctdb registry.tdb
>>>>> [2022/11/15 11:02:08, 0] ../../source3/lib/dbwrap/dbwrap_ctdb.c:1926(db_open_ctdb)
>>>>>   Could not open tdb /var/lib/ctdb/persistent/registry.tdb.0: Permission denied
>>>>> [2022/11/15 11:02:08, 0] ../../source3/lib/dbwrap/dbwrap_open.c:169(db_open)
>>>>>   db_open: failed to attach to ctdb registry.tdb
>>>>> [2022/11/15 11:02:08, 1] ../../source3/registry/reg_backend_db.c:759(regdb_init)
>>>>>   regdb_init: Failed to open registry /var/lib/samba/registry.tdb (Permission denied)
>>>>> [2022/11/15 11:02:08, 0] ../../source3/registry/reg_init_basic.c:35(registry_init_common)
>>>>>   Failed to initialize the registry: WERR_ACCESS_DENIED
>>>>> [2022/11/15 11:02:08, 1] ../../source3/param/loadparm.c:2157(lp_smbconf_ctx)
>>>>>   error initializing registry configuration: SBC_ERR_BADFILE
>>>>> Can't load /etc/samba/smb.conf - run testparm to debug it
>>>>> samba-dcerpcd - Failed to load config file!
>>>>>
>>>>> But at the same time, I can do testparm without any issues:
>>>>>
>>>>> [root@fs01 samba]# testparm
>>>>> Load smb config files from /etc/samba/smb.conf
>>>>> Loaded services file OK.
>>>>> Weak crypto is allowed
>>>>>
>>>>> Server role: ROLE_STANDALONE
>>>>>
>>>>> Press enter to see a dump of your service definitions
>>>>>
>>>>> # Global parameters
>>>>> [global]
>>>>>         clustering = Yes
>>>>>         logging = syslog
>>>>>         netbios name = FS
>>>>>         realm = FS.xxx
>>>>>         registry shares = Yes
>>>>>         security = USER
>>>>>         workgroup = xxx
>>>>>         idmap config * : range = 1000000-1999999
>>>>>         ctdb:registry.tdb = yes
>>>>>         idmap config * : backend = autorid
>>>>>
>>>>>
>>>>> [symptoms]
>>>>>         path = /mnt/glusterfs/symptoms/
>>>>>         read only = No
>>>>>
>>>>>
>>>>> Tue, 15 Nov 2022 at 10:47 Rowland Penny via samba <samba at lists.samba.org> wrote:
>>>>>
>>>>>> On 15/11/2022 09:21, Leszek Szczepanowski via samba wrote:
>>>>>>> I have very simple config for HA Samba, using CTDB.
>>>>>>> I have set all possible SELinux options until "denied" messages stopped appearing in /var/log/messages.
>>>>>>>
>>>>>>> All works flawlessly, just the problem is with browsing Samba shares with enforcing setting.
>>>>>>>
>>>>>>> When I try to browse shares, I'm getting this:
>>>>>>>
>>>>>>> samba-dcerpcd version 4.16.4 started.
>>>>>>> Copyright Andrew Tridgell and the Samba Team 1992-2022
>>>>>>> [2022/11/15 10:10:57.674555, 1] ../../source3/rpc_client/cli_pipe.c:3014(rpc_pipe_open_ncalrpc)
>>>>>>>   rpc_pipe_open_ncalrpc: connect(/run/samba/ncalrpc/EPMAPPER) failed: No such file or directory
>>>>>>> [2022/11/15 10:10:57.820626, 1] ../../source3/rpc_server/rpc_host.c:1763(rpc_worker_exited)
>>>>>>>   rpc_worker_exited: No worker with PID 3281
>>>>>>> [2022/11/15 10:10:58.040001, 1] ../../source3/rpc_server/rpc_host.c:1350(rpc_host_distribute_clients)
>>>>>>>   rpc_host_distribute_clients: Sending new client /usr/libexec/samba/rpcd_winreg to 3294 with 0 clients
>>>>>>> [2022/11/15 10:10:58.048701, 1] ../../source3/rpc_server/rpc_host.c:1350(rpc_host_distribute_clients)
>>>>>>>   rpc_host_distribute_clients: Sending new client /usr/libexec/samba/rpcd_winreg to 3294 with 0 clients
>>>>>>> [2022/11/15 10:10:58.049474, 1] ../../source3/rpc_server/rpc_host.c:1350(rpc_host_distribute_clients)
>>>>>>>   rpc_host_distribute_clients: Sending new client /usr/libexec/samba/rpcd_classic to 3292 with 0 clients
>>>>>>> [2022/11/15 10:10:58.560868, 1] ../../source3/rpc_server/rpc_host.c:1350(rpc_host_distribute_clients)
>>>>>>>   rpc_host_distribute_clients: Sending new client /usr/libexec/samba/rpcd_classic to 3292 with 0 clients
>>>>>>>
>>>>>>> Samba is in clustered mode + registry:
>>>>>>>
>>>>>>> [root@fs01 samba]# net conf list
>>>>>>> [global]
>>>>>>>         logging = syslog
>>>>>>>         log level = 1
>>>>>>>         netbios name = fs
>>>>>>>         workgroup = xxx
>>>>>>>         realm = xxx
>>>>>>>         idmap config * : backend = autorid
>>>>>>>         idmap config * : range = 1000000-1999999
>>>>>>>         security = user
>>>>>> Now I do not know a lot about CTDB, but I do know that you cannot use 'idmap config' lines with 'security = user', they are only used with a domain, so if this cluster is joined to a domain, I would start by changing 'security = user' to 'security = ADS'
>>>>>>
>>>>>> Rowland
>>
>> --
>> Leszek A. Szczepanowski
>> twinsen at mspanc.net
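The AVC records quoted above are exactly what audit2allow consumes. The following Python is an added example (not code from this thread, nor from Samba or CTDB): it parses type=AVC records, groups the denied permissions by source type, target type and object class, and prints the allow rules those denials imply, together with how many denials were actually enforced. The sample log is constructed from the records quoted in this thread (field values unchanged); the final non-AVC record is there only to show that other record types are skipped.

```python
"""Triage SELinux AVC denials the way audit2allow does, on sample records.

Added example for this thread (not code from the thread, Samba or CTDB):
parse `type=AVC` records, union the denied permissions per
(source type, target type, object class) and render the allow rules that
would silence them, plus whether any denial was enforced.
"""
import re
from collections import defaultdict

# Constructed sample log: the AVC records quoted in this thread, plus one
# non-AVC record (the semanage fcontext change) to show it is skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1668528098.389:291): avc: denied { getattr } for pid=84190 comm="samba-dcerpcd" path="/var/lib/ctdb/persistent/registry.tdb.1" dev="dm-0" ino=117620565 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1668528098.389:292): avc: denied { map } for pid=84190 comm="samba-dcerpcd" path="/var/lib/ctdb/persistent/registry.tdb.1" dev="dm-0" ino=117620565 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1668528098.391:293): avc: denied { setattr } for pid=84190 comm="samba-dcerpcd" name="g_lock.tdb.1" dev="dm-0" ino=152097603 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1668529035.873:308): avc: denied { read write } for pid=89129 comm="samba-dcerpcd" name="registry.tdb.1" dev="dm-0" ino=117620565 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1668529035.873:308): avc: denied { open } for pid=89129 comm="samba-dcerpcd" path="/var/lib/ctdb/persistent/registry.tdb.1" dev="dm-0" ino=117620565 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1668529035.873:309): avc: denied { lock } for pid=89129 comm="samba-dcerpcd" path="/var/lib/ctdb/persistent/registry.tdb.1" dev="dm-0" ino=117620565 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=1
type=USER_MAC_CONFIG_CHANGE msg=audit(1668594292.322:525): pid=365125 uid=0 msg='resrc=fcontext op=add tglob="/var/lib/ctdb/persistent(/.*)?" ftype=any' res=success
"""

# Header of an AVC record: timestamp:serial, the decision and the permission set.
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)"
)
# key=value pairs after "for"; a value is either double-quoted or a bare token.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def type_of(context):
    """Return the type field of a user:role:type[:range] security context."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one AVC record into a dict; return None for any other record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "serial": int(m.group("serial")),
        "decision": m.group("decision"),
        "perms": frozenset(m.group("perms").split()),
        "comm": fields.get("comm"),
        # The kernel logs either a full path or only the dentry name.
        "target": fields.get("path") or fields.get("name"),
        "source_type": type_of(fields["scontext"]),
        "target_type": type_of(fields["tcontext"]),
        "tclass": fields["tclass"],
        # permissive=1 means the access was logged but not blocked.
        "permissive": fields.get("permissive") == "1",
    }


def derive_allow_rules(lines):
    """Union the denied permissions per (source, target, class) key."""
    rules = defaultdict(set)
    for rec in map(parse_avc, lines):
        if rec and rec["decision"] == "denied":
            key = (rec["source_type"], rec["target_type"], rec["tclass"])
            rules[key] |= rec["perms"]
    return {key: frozenset(perms) for key, perms in rules.items()}


def format_rules(rules):
    """Render the rules in the TE syntax audit2allow emits."""
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(rules.items())
    ]


def triage(lines):
    """Summarise a batch of audit lines for an incident note."""
    records = [r for r in map(parse_avc, lines) if r]
    denied = [r for r in records if r["decision"] == "denied"]
    return {
        "avc_records": len(records),
        "denials": len(denied),
        "enforced_denials": sum(1 for r in denied if not r["permissive"]),
        "subjects": sorted({r["comm"] for r in denied if r["comm"]}),
        "targets": sorted({r["target"] for r in denied if r["target"]}),
        "rules": format_rules(derive_allow_rules(lines)),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_AUDIT_LOG.splitlines()).items():
        print(f"{key}: {value}")
```

Run stand-alone it reproduces the single rule `allow winbind_rpcd_t ctdbd_var_lib_t:file { ... };` that `audit2allow -al -M dcerpcd` built from these records; every sample record carries `permissive=1`, so the summary also shows that none of them was enforced at the time. One general SELinux caveat this thread runs into: an empty `audit2allow -al` next to a persistent "Permission denied" does not rule SELinux out, because accesses covered by a `dontaudit` rule are never written to audit.log. `semodule -DB` rebuilds the policy with dontaudit rules disabled so such a denial becomes visible, and `semodule -B` restores them afterwards.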
Martin Schwenke
2022-Nov-16 05:54 UTC
[Samba] Strange issue with Samba+CTDB+SELinux+GlusterFS
On Tue, 15 Nov 2022 21:04:18 -0600, Thomas Cameron via samba <samba at lists.samba.org> wrote:

> I'm wondering if something weird is happening like it creates the file
> initially as /var/lib/ctdb/persistent/registry.tdb and then renames it
> to /var/lib/ctdb/persistent/registry.tdb.1. The SELinux error could be
> on the initial file it's creating or something like that.

No, the node number is part of the name of the TDB that is opened:

        /* open the database */
        ctdb_db->db_path = talloc_asprintf(ctdb_db, "%s/%s.%u",
                                           ctdb_db_persistent(ctdb_db) ?
                                                ctdb->db_directory_persistent :
                                                ctdb->db_directory,
                                           db_name, ctdb->pnn);

        tdb_flags = ctdb_db_tdb_flags(db_flags,
                                      ctdb->valgrinding,
                                      ctdb_config.tdb_mutexes);

again:
        ctdb_db->ltdb = tdb_wrap_open(ctdb_db, ctdb_db->db_path,
                                      ctdb->tunable.database_hash_size,
                                      tdb_flags,
                                      O_CREAT|O_RDWR, mode);

There is no manipulation of the filename below this level.

Watching with interest...

peace & happiness,
martin
Leszek Szczepanowski
2022-Nov-16 10:41 UTC
[Samba] Strange issue with Samba+CTDB+SELinux+GlusterFS
Hi,

So this is the flow:

[root@fs01 lszczepa]# semanage fcontext -a -t ctdbd_var_lib_t "/var/lib/ctdb/persistent(/.*)?"
[root@fs01 lszczepa]# getenforce
Permissive
[root@fs01 samba]# setenforce 1
[root@fs01 samba]# tail -f log.samba-dcerpcd

[attempt to browse shares after setenforce 1]

log.samba-dcerpcd:

[2022/11/16 11:27:20.055038, 1] ../../source3/rpc_server/rpc_host.c:1350(rpc_host_distribute_clients)
  rpc_host_distribute_clients: Sending new client /usr/libexec/samba/rpcd_winreg to 365918 with 0 clients
[2022/11/16 11:27:20.063589, 1] ../../source3/rpc_server/rpc_host.c:1350(rpc_host_distribute_clients)
  rpc_host_distribute_clients: Sending new client /usr/libexec/samba/rpcd_winreg to 365918 with 0 clients
[2022/11/16 11:27:20.064348, 1] ../../source3/rpc_server/rpc_host.c:1350(rpc_host_distribute_clients)
  rpc_host_distribute_clients: Sending new client /usr/libexec/samba/rpcd_classic to 365916 with 0 clients
[2022/11/16 11:27:48.997477, 1] ../../source3/rpc_server/rpc_host.c:1350(rpc_host_distribute_clients)
  rpc_host_distribute_clients: Sending new client /usr/libexec/samba/rpcd_classic to 365916 with 0 clients
[2022/11/16 11:28:02.217934, 1] ../../source3/rpc_server/rpc_host.c:1350(rpc_host_distribute_clients)
  rpc_host_distribute_clients: Sending new client /usr/libexec/samba/rpcd_classic to 365916 with 0 clients

Corresponding /var/log/messages:

Nov 16 11:27:19 fs01 samba-dcerpcd[365899]: [2022/11/16 11:27:19.826956, 1] ../../source3/rpc_client/cli_pipe.c:3014(rpc_pipe_open_ncalrpc)
Nov 16 11:27:19 fs01 samba-dcerpcd[365899]:   rpc_pipe_open_ncalrpc: connect(/run/samba/ncalrpc/EPMAPPER) failed: No such file or directory
Nov 16 11:27:19 fs01 samba-dcerpcd[365899]: [2022/11/16 11:27:19.878835, 1] ../../source3/rpc_server/rpc_host.c:1763(rpc_worker_exited)
Nov 16 11:27:19 fs01 samba-dcerpcd[365899]:   rpc_worker_exited: No worker with PID 365905
Nov 16 11:27:20 fs01 samba-dcerpcd[365899]: [2022/11/16 11:27:20.055038, 1] ../../source3/rpc_server/rpc_host.c:1350(rpc_host_distribute_clients)
Nov 16 11:27:20 fs01 samba-dcerpcd[365899]:   rpc_host_distribute_clients: Sending new client /usr/libexec/samba/rpcd_winreg to 365918 with 0 clients
Nov 16 11:27:20 fs01 samba-dcerpcd[365899]: [2022/11/16 11:27:20.063589, 1] ../../source3/rpc_server/rpc_host.c:1350(rpc_host_distribute_clients)
Nov 16 11:27:20 fs01 samba-dcerpcd[365899]:   rpc_host_distribute_clients: Sending new client /usr/libexec/samba/rpcd_winreg to 365918 with 0 clients
Nov 16 11:27:20 fs01 samba-dcerpcd[365899]: [2022/11/16 11:27:20.064348, 1] ../../source3/rpc_server/rpc_host.c:1350(rpc_host_distribute_clients)
Nov 16 11:27:20 fs01 samba-dcerpcd[365899]:   rpc_host_distribute_clients: Sending new client /usr/libexec/samba/rpcd_classic to 365916 with 0 clients
Nov 16 11:27:48 fs01 samba-dcerpcd[365899]: [2022/11/16 11:27:48.997477, 1] ../../source3/rpc_server/rpc_host.c:1350(rpc_host_distribute_clients)
Nov 16 11:27:48 fs01 samba-dcerpcd[365899]:   rpc_host_distribute_clients: Sending new client /usr/libexec/samba/rpcd_classic to 365916 with 0 clients
Nov 16 11:28:02 fs01 samba-dcerpcd[365899]: [2022/11/16 11:28:02.217934, 1] ../../source3/rpc_server/rpc_host.c:1350(rpc_host_distribute_clients)
Nov 16 11:28:02 fs01 samba-dcerpcd[365899]:   rpc_host_distribute_clients: Sending new client /usr/libexec/samba/rpcd_classic to 365916 with 0 clients
Nov 16 11:30:04 fs01 dbus-broker-launch[1295]: avc: op=setenforce lsm=selinux enforcing=1 res=1
Nov 16 11:30:04 fs01 dbus-broker-launch[1295]: avc: op=load_policy lsm=selinux seqno=4 res=1
Nov 16 11:30:04 fs01 systemd[1]: Starting system activity accounting tool...
Nov 16 11:30:04 fs01 systemd[1]: sysstat-collect.service: Deactivated successfully.
Nov 16 11:30:04 fs01 systemd[1]: Finished system activity accounting tool.

[after about 4 minutes]

log.samba-dcerpcd:

[2022/11/16 11:32:05, 0] ../../source3/lib/dbwrap/dbwrap_ctdb.c:1926(db_open_ctdb)
  Could not open tdb /var/lib/ctdb/persistent/registry.tdb.0: Permission denied
[2022/11/16 11:32:05, 0] ../../source3/lib/dbwrap/dbwrap_open.c:169(db_open)
  db_open: failed to attach to ctdb registry.tdb
[2022/11/16 11:32:05, 0] ../../source3/lib/dbwrap/dbwrap_ctdb.c:1926(db_open_ctdb)
  Could not open tdb /var/lib/ctdb/persistent/registry.tdb.0: Permission denied
[2022/11/16 11:32:05, 0] ../../source3/lib/dbwrap/dbwrap_open.c:169(db_open)
  db_open: failed to attach to ctdb registry.tdb
[2022/11/16 11:32:05, 1] ../../source3/registry/reg_backend_db.c:759(regdb_init)
  regdb_init: Failed to open registry /var/lib/samba/registry.tdb (Permission denied)
[2022/11/16 11:32:05, 0] ../../source3/registry/reg_init_basic.c:35(registry_init_common)
  Failed to initialize the registry: WERR_ACCESS_DENIED
[2022/11/16 11:32:05, 1] ../../source3/param/loadparm.c:2157(lp_smbconf_ctx)
  error initializing registry configuration: SBC_ERR_BADFILE
Can't load /etc/samba/smb.conf - run testparm to debug it
samba-dcerpcd - Failed to load config file!

[root@fs01 samba]# audit2allow -al
[root@fs01 samba]#

Nothing interesting in /var/log/audit/audit.log:

type=USER_MAC_CONFIG_CHANGE msg=audit(1668594292.322:525): pid=365125 uid=0 auid=1000 ses=5 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='resrc=fcontext op=add tglob="/var/lib/ctdb/persistent(/.*)?" ftype=any tcontext=system_u:object_r:ctdbd_var_lib_t: comm="semanage" exe="/usr/bin/python3.9" hostname=? addr=? terminal=? res=success'UID="root" AUID="lszczepa"
type=MAC_STATUS msg=audit(1668594460.442:526): enforcing=1 old_enforcing=0 auid=1000 ses=5 enabled=1 old-enabled=1 lsm=selinux res=1AUID="lszczepa"
type=SYSCALL msg=audit(1668594460.442:526): arch=c000003e syscall=1 success=yes exit=1 a0=3 a1=7ffecb7da5b0 a2=1 a3=1 items=0 ppid=364844 pid=366003 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=5 comm="setenforce" exe="/usr/sbin/setenforce" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)ARCH=x86_64 SYSCALL=write AUID="lszczepa" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=PROCTITLE msg=audit(1668594460.442:526): proctitle=736574656E666F7263650031
type=SERVICE_START msg=audit(1668594604.562:527): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=sysstat-collect comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=SERVICE_STOP msg=audit(1668594604.562:528): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=sysstat-collect comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"

Nothing in /var/log/messages related to SELinux, but something is still blocking samba-dcerpcd from accessing /var/lib/ctdb/persistent

[root@fs01 samba]# semanage fcontext -a -t ctdbd_var_lib_t "/var/lib/ctdb(/.*)?"
ValueError: File context for /var/lib/ctdb(/.*)? already defined
[root@fs01 samba]# semanage fcontext -a -t ctdbd_var_lib_t "/var/lib/ctdb/persistent(/.*)?"
ValueError: File context for /var/lib/ctdb/persistent(/.*)? already defined

So to have browsing back, I needed to do setenforce 0 again :(

Wed, 16 Nov 2022 at 04:05 Thomas Cameron via samba <samba at lists.samba.org> wrote:

> I'm wondering if something weird is happening like it creates the file
> initially as /var/lib/ctdb/persistent/registry.tdb and then renames it
> to /var/lib/ctdb/persistent/registry.tdb.1. The SELinux error could be
> on the initial file it's creating or something like that.
>
> And you say that, when you set SELinux to permissive, the problem goes
> away completely, right?
>
> Can you maybe run the server in permissive mode, then run through all of
> the paces, THEN run audit2allow and see if it throws any errors?
>
> I'm just brainstorming here. This is a weird problem. I am kinda
> surprised that it worked for a while and then failed. Again, I wonder if
> it's creating a file and then renaming it. What's the context of the
> parent directory (ls -Z)?
>
> Maybe you could do something like:
> semanage fcontext -a -t ctdbd_var_lib_t /var/lib/ctdb/persistent/account_policy.tdb
>
> or even:
>
> semanage fcontext -a -t ctdbd_var_lib_t /var/lib/ctdb/persistent(/.*)?
>
> That would make any file created under /var/lib/ctdb/persistent/ labeled
> as ctdbd_var_lib_t.
> >>> ../../source3/param/loadparm.c:2157(lp_smbconf_ctx) > >>> error initializing registry configuration: SBC_ERR_BADFILE > >>> Can't load /etc/samba/smb.conf - run testparm to debug it > >>> samba-dcerpcd - Failed to load config file! > >>> > >>> > >>> > >>> > >>> wt., 15 lis 2022 o 16:09 Thomas Cameron via samba < > samba at lists.samba.org> > >>> napisa?(a): > >>> > >>>> As root, what does audit2allow -al tell you? > >>>> > >>>> Here's a video I did when I was at Red Hat, talking through SELinux. I > >>>> hope it's helpful. https://www.youtube.com/watch?v=_WOKRaM-HI4 > >>>> > >>>> Thomas > >>>> > >>>> On 11/15/22 04:04, Leszek Szczepanowski via samba wrote: > >>>>> I think with security=user the rest is simply ignored, and the local > >>>> auth > >>>>> is working fine. > >>>>> I will comment out that option for now. The AD integration will be > done > >>>>> later. > >>>>> The main problem is probably not related directly to CTDB, but to > what > >>>>> Samba is trying to access with SELinux in Enforcing mode. > >>>>> As there are no errors in /var/log/messages or in /var/log/audit, I'm > >>>> lost. 
> >>>>> I forgot to say versions, so: > >>>>> > >>>>> [root at fs01 samba]# cat /etc/redhat-release > >>>>> CentOS Stream release 9 > >>>>> [root at fs01 samba]# rpm -qa | grep samba > >>>>> samba-common-4.16.4-101.el9.noarch > >>>>> samba-client-libs-4.16.4-101.el9.x86_64 > >>>>> samba-common-libs-4.16.4-101.el9.x86_64 > >>>>> samba-libs-4.16.4-101.el9.x86_64 > >>>>> python3-samba-4.16.4-101.el9.x86_64 > >>>>> samba-common-tools-4.16.4-101.el9.x86_64 > >>>>> samba-4.16.4-101.el9.x86_64 > >>>>> samba-client-4.16.4-101.el9.x86_64 > >>>>> samba-winbind-modules-4.16.4-101.el9.x86_64 > >>>>> samba-winbind-4.16.4-101.el9.x86_64 > >>>>> samba-winbind-krb5-locator-4.16.4-101.el9.x86_64 > >>>>> samba-winbind-clients-4.16.4-101.el9.x86_64 > >>>>> [root at fs01 samba]# rpm -qa | grep ctdb > >>>>> ctdb-4.16.4-101.el9.x86_64 > >>>>> [root at fs01 samba]# uname -a > >>>>> Linux fs01.xxx 5.14.0-183.el9.x86_64 #1 SMP PREEMPT_DYNAMIC Mon Oct > 31 > >>>>> 09:18:51 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux > >>>>> > >>>>> Also, the provided errors were wrong, I was playing with permissive > >>>> mode. 
> >>>>> In enforcing it is: > >>>>> > >>>>> [2022/11/15 11:02:08, 0] > >>>>> ../../source3/lib/dbwrap/dbwrap_ctdb.c:1926(db_open_ctdb) > >>>>> Could not open tdb /var/lib/ctdb/persistent/registry.tdb.0: > >>>> Permission > >>>>> denied > >>>>> [2022/11/15 11:02:08, 0] > >>>>> ../../source3/lib/dbwrap/dbwrap_open.c:169(db_open) > >>>>> db_open: failed to attach to ctdb registry.tdb > >>>>> [2022/11/15 11:02:08, 0] > >>>>> ../../source3/lib/dbwrap/dbwrap_ctdb.c:1926(db_open_ctdb) > >>>>> Could not open tdb /var/lib/ctdb/persistent/registry.tdb.0: > >>>> Permission > >>>>> denied > >>>>> [2022/11/15 11:02:08, 0] > >>>>> ../../source3/lib/dbwrap/dbwrap_open.c:169(db_open) > >>>>> db_open: failed to attach to ctdb registry.tdb > >>>>> [2022/11/15 11:02:08, 1] > >>>>> ../../source3/registry/reg_backend_db.c:759(regdb_init) > >>>>> regdb_init: Failed to open registry /var/lib/samba/registry.tdb > >>>>> (Permission denied) > >>>>> [2022/11/15 11:02:08, 0] > >>>>> ../../source3/registry/reg_init_basic.c:35(registry_init_common) > >>>>> Failed to initialize the registry: WERR_ACCESS_DENIED > >>>>> [2022/11/15 11:02:08, 1] > >>>>> ../../source3/param/loadparm.c:2157(lp_smbconf_ctx) > >>>>> error initializing registry configuration: SBC_ERR_BADFILE > >>>>> Can't load /etc/samba/smb.conf - run testparm to debug it > >>>>> samba-dcerpcd - Failed to load config file! > >>>>> > >>>>> But in the same time, I can do testparm without any issues: > >>>>> > >>>>> [root at fs01 samba]# testparm > >>>>> Load smb config files from /etc/samba/smb.conf > >>>>> Loaded services file OK. 
> >>>>> Weak crypto is allowed > >>>>> > >>>>> Server role: ROLE_STANDALONE > >>>>> > >>>>> Press enter to see a dump of your service definitions > >>>>> > >>>>> # Global parameters > >>>>> [global] > >>>>> clustering = Yes > >>>>> logging = syslog > >>>>> netbios name = FS > >>>>> realm = FS.xxx > >>>>> registry shares = Yes > >>>>> security = USER > >>>>> workgroup = xxx > >>>>> idmap config * : range = 1000000-1999999 > >>>>> ctdb:registry.tdb = yes > >>>>> idmap config * : backend = autorid > >>>>> > >>>>> > >>>>> [symptoms] > >>>>> path = /mnt/glusterfs/symptoms/ > >>>>> read only = No > >>>>> > >>>>> > >>>>> wt., 15 lis 2022 o 10:47 Rowland Penny via samba < > >>>> samba at lists.samba.org> > >>>>> napisa?(a): > >>>>> > >>>>>> On 15/11/2022 09:21, Leszek Szczepanowski via samba wrote: > >>>>>>> I have very simple config for HA Samba, using CTDB. > >>>>>>> I have set all possible SELinux options until "denied" messages > >>>> stopped > >>>>>>> appearch in /var/log/messages. > >>>>>>> > >>>>>>> All works flawlessly, just the problem is with browsing Samba > shares > >>>> with > >>>>>>> enforcing setting. > >>>>>>> > >>>>>>> When I try to browse shares, I'm getting this: > >>>>>>> > >>>>>>> samba-dcerpcd version 4.16.4 started. 
> >>>>>>> Copyright Andrew Tridgell and the Samba Team 1992-2022 > >>>>>>> [2022/11/15 10:10:57.674555, 1] > >>>>>>> ../../source3/rpc_client/cli_pipe.c:3014(rpc_pipe_open_ncalrpc) > >>>>>>> rpc_pipe_open_ncalrpc: connect(/run/samba/ncalrpc/EPMAPPER) > >>>> failed: No > >>>>>>> such file or directory > >>>>>>> [2022/11/15 10:10:57.820626, 1] > >>>>>>> ../../source3/rpc_server/rpc_host.c:1763(rpc_worker_exited) > >>>>>>> rpc_worker_exited: No worker with PID 3281 > >>>>>>> [2022/11/15 10:10:58.040001, 1] > >>>>>>> > ../../source3/rpc_server/rpc_host.c:1350(rpc_host_distribute_clients) > >>>>>>> rpc_host_distribute_clients: Sending new client > >>>>>>> /usr/libexec/samba/rpcd_winreg to 3294 with 0 clients > >>>>>>> [2022/11/15 10:10:58.048701, 1] > >>>>>>> > ../../source3/rpc_server/rpc_host.c:1350(rpc_host_distribute_clients) > >>>>>>> rpc_host_distribute_clients: Sending new client > >>>>>>> /usr/libexec/samba/rpcd_winreg to 3294 with 0 clients > >>>>>>> [2022/11/15 10:10:58.049474, 1] > >>>>>>> > ../../source3/rpc_server/rpc_host.c:1350(rpc_host_distribute_clients) > >>>>>>> rpc_host_distribute_clients: Sending new client > >>>>>>> /usr/libexec/samba/rpcd_classic to 3292 with 0 clients > >>>>>>> [2022/11/15 10:10:58.560868, 1] > >>>>>>> > ../../source3/rpc_server/rpc_host.c:1350(rpc_host_distribute_clients) > >>>>>>> rpc_host_distribute_clients: Sending new client > >>>>>>> /usr/libexec/samba/rpcd_classic to 3292 with 0 clients > >>>>>>> > >>>>>>> Samba is in clustered mode + registry: > >>>>>>> > >>>>>>> [root at fs01 samba]# net conf list > >>>>>>> [global] > >>>>>>> logging = syslog > >>>>>>> log level = 1 > >>>>>>> netbios name = fs > >>>>>>> workgroup = xxx > >>>>>>> realm = xxx > >>>>>>> idmap config * : backend = autorid > >>>>>>> idmap config * : range = 1000000-1999999 > >>>>>>> security = user > >>>>>> Now I do not know a lot about CTDB, but I do know that you cannot > use > >>>>>> 'idmap config' lines with 'security = user', they are are only used > 
>>>> with > >>>>>> a domain, so if this cluster is joined to a domain, I would start by > >>>>>> changing 'security = user' to 'security = ADS' > >>>>>> > >>>>>> Rowland > >>>>>> > >>>>>> -- > >>>>>> To unsubscribe from this list go to the following URL and read the > >>>>>> instructions: https://lists.samba.org/mailman/options/samba > >>>>>> > >>>> > >>>> -- > >>>> To unsubscribe from this list go to the following URL and read the > >>>> instructions: https://lists.samba.org/mailman/options/samba > >>>> > >>> > >>> -- > >>> -- > >>> Leszek A. Szczepanowski > >>> twinsen at mspanc.net > >>> > >>> > >>> > >> -- > >> -- > >> Leszek A. Szczepanowski > >> twinsen at mspanc.net > >> > > > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba >-- -- Leszek A. Szczepanowski twinsen at mspanc.net
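The whole thread turns on reading AVC records correctly: every denial above has tcontext ctdbd_var_lib_t, which is exactly the label ls -Z shows on /var/lib/ctdb/persistent/, so the files are not mislabeled and a semanage fcontext rule would change nothing; what is missing is an allow rule for the winbind_rpcd_t domain, which is what audit2allow -M produced. The script below is an added example (not code from the thread, Samba or CTDB) that makes that distinction mechanically: it parses audit.log AVC lines, groups them by source type, target type and class, reports "label" when a file carries a type other than the one expected for its directory and "policy" when the label is as expected, and prints the TE allow rule audit2allow would generate so it can be reviewed before loading. The expected-label table and the ctdbd_t/var_lib_t and SYSCALL records in the sample are assumptions constructed for the example; the other five sample lines are the AVC records quoted in the thread.

```python
"""Triage SELinux AVC denials from audit.log: label problem or policy gap?
Added example, not code from the thread or from the Samba/CTDB projects."""
import re
import sys
from collections import defaultdict

# Assumed expected file labels per directory prefix; the ls -Z output in the
# thread shows /var/lib/ctdb/persistent/* labeled ctdbd_var_lib_t.
EXPECTED_LABELS = {"/var/lib/ctdb/": "ctdbd_var_lib_t"}

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+"
    r"\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial record, or None for any other line."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "ts": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "perms": set(m.group("perms").split()),
        "comm": fields.get("comm"),
        # path= appears when the kernel could resolve a full path; some
        # records (the setattr on g_lock.tdb.1 above) only carry name=.
        "target": fields.get("path") or fields.get("name"),
        "stype": fields["scontext"].split(":")[2],
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields.get("tclass"),
        "permissive": fields.get("permissive") == "1",
    }


def classify(rec, expected=EXPECTED_LABELS):
    """'label': file type differs from the one expected for its directory
    (restorecon / semanage fcontext territory).  'policy': label is as
    expected, so the source domain simply has no allow rule for it."""
    target = rec["target"] or ""
    for prefix, etype in expected.items():
        if target.startswith(prefix):
            return "policy" if rec["ttype"] == etype else "label"
    if rec["ttype"] in expected.values():  # name= only, no directory to check
        return "policy"
    return "unknown"


def te_rule(key, perms):
    """Type Enforcement allow rule in the form audit2allow -M would emit."""
    stype, ttype, tclass = key
    return f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};"


def triage(text):
    """Group AVC records; return one summary per (stype, ttype, tclass)."""
    groups = defaultdict(lambda: {"perms": set(), "targets": set(),
                                  "verdicts": set(), "permissive": []})
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        g = groups[(rec["stype"], rec["ttype"], rec["tclass"])]
        g["perms"] |= rec["perms"]
        g["targets"].add(rec["target"])
        g["verdicts"].add(classify(rec))
        g["permissive"].append(rec["permissive"])
    report = []
    for key in sorted(groups):
        g = groups[key]
        report.append({
            "key": key, "perms": g["perms"], "targets": g["targets"],
            "verdicts": g["verdicts"],
            # All records seen in permissive mode: the union of perms is the
            # full set the process needs.  In enforcing mode the first denial
            # aborts the operation and hides the rest.
            "permissive_only": all(g["permissive"]),
            "rule": te_rule(key, g["perms"]),
        })
    return report


# Constructed sample: lines 1-5 are AVC records quoted in this thread; the
# ctdbd_t/var_lib_t record and the SYSCALL record are invented to exercise
# the 'label' verdict and the non-AVC filter.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1668528098.389:291): avc:  denied  { getattr } for  pid=84190 comm="samba-dcerpcd" path="/var/lib/ctdb/persistent/registry.tdb.1" dev="dm-0" ino=117620565 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1668528098.389:292): avc:  denied  { map } for  pid=84190 comm="samba-dcerpcd" path="/var/lib/ctdb/persistent/registry.tdb.1" dev="dm-0" ino=117620565 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1668528098.391:293): avc:  denied  { setattr } for  pid=84190 comm="samba-dcerpcd" name="g_lock.tdb.1" dev="dm-0" ino=152097603 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1668529035.873:308): avc:  denied  { read write } for  pid=89129 comm="samba-dcerpcd" name="registry.tdb.1" dev="dm-0" ino=117620565 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1668529035.873:309): avc:  denied  { lock } for  pid=89129 comm="samba-dcerpcd" path="/var/lib/ctdb/persistent/registry.tdb.1" dev="dm-0" ino=117620565 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1668600000.000:400): avc:  denied  { read } for  pid=4242 comm="ctdbd" path="/var/lib/ctdb/persistent/example.tdb.0" dev="dm-0" ino=4242 scontext=system_u:system_r:ctdbd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1668529035.873:309): arch=c000003e syscall=72 success=yes exit=0
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_AUDIT_LOG
    for entry in triage(text):
        stype, ttype, tclass = entry["key"]
        print(f"{stype} -> {ttype}:{tclass}  verdict="
              f"{','.join(sorted(entry['verdicts']))}  "
              f"permissive_only={entry['permissive_only']}")
        print("  targets:", ", ".join(sorted(entry["targets"])))
        print("  rule:   ", entry["rule"])
```

Run it with a path to a copied audit.log, or with no argument to see the embedded sample. Two caveats that follow from the thread: a "policy" verdict only covers the permissions that actually reached the audit log, so collect in permissive mode (as Thomas suggests above) before building the module, otherwise the first denial in enforcing mode hides the ones behind it; and a "Permission denied" with no new AVC record, the second symptom reported above, is the usual signature of a dontaudit rule, which `semodule -DB` temporarily disables (and `semodule -B` restores) so the hidden denials become visible to this script and to audit2allow.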