Thomas Cameron
2022-Nov-16 17:48 UTC
[Samba] Strange issue with Samba+CTDB+SELinux+GlusterFS
What does:

grep denied /var/log/audit/audit.log

give you?

Also, what's the output of

ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -ts recent

please?

Thomas

On 11/16/22 04:41, Leszek Szczepanowski wrote:
> Hi,
>
> So this is the flow:
>
> [root@fs01 lszczepa]# semanage fcontext -a -t ctdbd_var_lib_t "/var/lib/ctdb/persistent(/.*)?"
> [root@fs01 lszczepa]# getenforce
> Permissive
> [root@fs01 samba]# setenforce 1
> [root@fs01 samba]# tail -f log.samba-dcerpcd
>
> [attempt to browse shares after setenforce 1] log.samba-dcerpcd:
> [2022/11/16 11:27:20.055038,  1] ../../source3/rpc_server/rpc_host.c:1350(rpc_host_distribute_clients)
>   rpc_host_distribute_clients: Sending new client /usr/libexec/samba/rpcd_winreg to 365918 with 0 clients
> [2022/11/16 11:27:20.063589,  1] ../../source3/rpc_server/rpc_host.c:1350(rpc_host_distribute_clients)
>   rpc_host_distribute_clients: Sending new client /usr/libexec/samba/rpcd_winreg to 365918 with 0 clients
> [2022/11/16 11:27:20.064348,  1] ../../source3/rpc_server/rpc_host.c:1350(rpc_host_distribute_clients)
>   rpc_host_distribute_clients: Sending new client /usr/libexec/samba/rpcd_classic to 365916 with 0 clients
> [2022/11/16 11:27:48.997477,  1] ../../source3/rpc_server/rpc_host.c:1350(rpc_host_distribute_clients)
>   rpc_host_distribute_clients: Sending new client /usr/libexec/samba/rpcd_classic to 365916 with 0 clients
> [2022/11/16 11:28:02.217934,  1] ../../source3/rpc_server/rpc_host.c:1350(rpc_host_distribute_clients)
>   rpc_host_distribute_clients: Sending new client /usr/libexec/samba/rpcd_classic to 365916 with 0 clients
>
> Corresponding /var/log/messages:
>
> Nov 16 11:27:19 fs01 samba-dcerpcd[365899]: [2022/11/16 11:27:19.826956,  1] ../../source3/rpc_client/cli_pipe.c:3014(rpc_pipe_open_ncalrpc)
> Nov 16 11:27:19 fs01 samba-dcerpcd[365899]:  rpc_pipe_open_ncalrpc: connect(/run/samba/ncalrpc/EPMAPPER) failed: No such file or directory
> Nov 16 11:27:19 fs01 samba-dcerpcd[365899]: [2022/11/16 11:27:19.878835,  1] ../../source3/rpc_server/rpc_host.c:1763(rpc_worker_exited)
> Nov 16 11:27:19 fs01 samba-dcerpcd[365899]:  rpc_worker_exited: No worker with PID 365905
> Nov 16 11:27:20 fs01 samba-dcerpcd[365899]: [2022/11/16 11:27:20.055038,  1] ../../source3/rpc_server/rpc_host.c:1350(rpc_host_distribute_clients)
> Nov 16 11:27:20 fs01 samba-dcerpcd[365899]:  rpc_host_distribute_clients: Sending new client /usr/libexec/samba/rpcd_winreg to 365918 with 0 clients
> Nov 16 11:27:20 fs01 samba-dcerpcd[365899]: [2022/11/16 11:27:20.063589,  1] ../../source3/rpc_server/rpc_host.c:1350(rpc_host_distribute_clients)
> Nov 16 11:27:20 fs01 samba-dcerpcd[365899]:  rpc_host_distribute_clients: Sending new client /usr/libexec/samba/rpcd_winreg to 365918 with 0 clients
> Nov 16 11:27:20 fs01 samba-dcerpcd[365899]: [2022/11/16 11:27:20.064348,  1] ../../source3/rpc_server/rpc_host.c:1350(rpc_host_distribute_clients)
> Nov 16 11:27:20 fs01 samba-dcerpcd[365899]:  rpc_host_distribute_clients: Sending new client /usr/libexec/samba/rpcd_classic to 365916 with 0 clients
> Nov 16 11:27:48 fs01 samba-dcerpcd[365899]: [2022/11/16 11:27:48.997477,  1] ../../source3/rpc_server/rpc_host.c:1350(rpc_host_distribute_clients)
> Nov 16 11:27:48 fs01 samba-dcerpcd[365899]:  rpc_host_distribute_clients: Sending new client /usr/libexec/samba/rpcd_classic to 365916 with 0 clients
> Nov 16 11:28:02 fs01 samba-dcerpcd[365899]: [2022/11/16 11:28:02.217934,  1] ../../source3/rpc_server/rpc_host.c:1350(rpc_host_distribute_clients)
> Nov 16 11:28:02 fs01 samba-dcerpcd[365899]:  rpc_host_distribute_clients: Sending new client /usr/libexec/samba/rpcd_classic to 365916 with 0 clients
> Nov 16 11:30:04 fs01 dbus-broker-launch[1295]: avc:  op=setenforce lsm=selinux enforcing=1 res=1
> Nov 16 11:30:04 fs01 dbus-broker-launch[1295]: avc:  op=load_policy lsm=selinux seqno=4 res=1
> Nov 16 11:30:04 fs01 systemd[1]: Starting system activity accounting tool...
> Nov 16 11:30:04 fs01 systemd[1]: sysstat-collect.service: Deactivated successfully.
> Nov 16 11:30:04 fs01 systemd[1]: Finished system activity accounting tool.
>
> [after few 4 minutes] log.samba-dcerpcd:
> [2022/11/16 11:32:05,  0] ../../source3/lib/dbwrap/dbwrap_ctdb.c:1926(db_open_ctdb)
>   Could not open tdb /var/lib/ctdb/persistent/registry.tdb.0: Permission denied
> [2022/11/16 11:32:05,  0] ../../source3/lib/dbwrap/dbwrap_open.c:169(db_open)
>   db_open: failed to attach to ctdb registry.tdb
> [2022/11/16 11:32:05,  0] ../../source3/lib/dbwrap/dbwrap_ctdb.c:1926(db_open_ctdb)
>   Could not open tdb /var/lib/ctdb/persistent/registry.tdb.0: Permission denied
> [2022/11/16 11:32:05,  0] ../../source3/lib/dbwrap/dbwrap_open.c:169(db_open)
>   db_open: failed to attach to ctdb registry.tdb
> [2022/11/16 11:32:05,  1] ../../source3/registry/reg_backend_db.c:759(regdb_init)
>   regdb_init: Failed to open registry /var/lib/samba/registry.tdb (Permission denied)
> [2022/11/16 11:32:05,  0] ../../source3/registry/reg_init_basic.c:35(registry_init_common)
>   Failed to initialize the registry: WERR_ACCESS_DENIED
> [2022/11/16 11:32:05,  1] ../../source3/param/loadparm.c:2157(lp_smbconf_ctx)
>   error initializing registry configuration: SBC_ERR_BADFILE
> Can't load /etc/samba/smb.conf - run testparm to debug it
> samba-dcerpcd - Failed to load config file!
>
> [root@fs01 samba]# audit2allow -al
> [root@fs01 samba]#
>
> Nothing interesting in /var/log/audit/audit.log:
>
> type=USER_MAC_CONFIG_CHANGE msg=audit(1668594292.322:525): pid=365125 uid=0 auid=1000 ses=5 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='resrc=fcontext op=add tglob="/var/lib/ctdb/persistent(/.*)?" ftype=any tcontext=system_u:object_r:ctdbd_var_lib_t: comm="semanage" exe="/usr/bin/python3.9" hostname=? addr=? terminal=? res=success'UID="root" AUID="lszczepa"
> type=MAC_STATUS msg=audit(1668594460.442:526): enforcing=1 old_enforcing=0 auid=1000 ses=5 enabled=1 old-enabled=1 lsm=selinux res=1AUID="lszczepa"
> type=SYSCALL msg=audit(1668594460.442:526): arch=c000003e syscall=1 success=yes exit=1 a0=3 a1=7ffecb7da5b0 a2=1 a3=1 items=0 ppid=364844 pid=366003 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=5 comm="setenforce" exe="/usr/sbin/setenforce" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)ARCH=x86_64 SYSCALL=write AUID="lszczepa" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
> type=PROCTITLE msg=audit(1668594460.442:526): proctitle=736574656E666F7263650031
> type=SERVICE_START msg=audit(1668594604.562:527): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=sysstat-collect comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
> type=SERVICE_STOP msg=audit(1668594604.562:528): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=sysstat-collect comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
>
> Nothing in /var/log/messages related to SELinux, but something is still blocking samba-dcerpcd from accessing /var/lib/ctdb/persistent
>
> [root@fs01 samba]# semanage fcontext -a -t ctdbd_var_lib_t "/var/lib/ctdb(/.*)?"
> ValueError: File context for /var/lib/ctdb(/.*)? already defined
> [root@fs01 samba]# semanage fcontext -a -t ctdbd_var_lib_t "/var/lib/ctdb/persistent(/.*)?"
> ValueError: File context for /var/lib/ctdb/persistent(/.*)? already defined
>
> So to have browsing back, I needed to do setenforce 0 again :(
>
> On Wed, 16 Nov 2022 at 04:05, Thomas Cameron via samba <samba at lists.samba.org> wrote:
>
> I'm wondering if something weird is happening like it creates the file initially as /var/lib/ctdb/persistent/registry.tdb and then renames it to /var/lib/ctdb/persistent/registry.tdb.1. The SELinux error could be on the initial file it's creating or something like that.
>
> And you say that, when you set SELinux to permissive, the problem goes away completely, right?
>
> Can you maybe run the server in permissive mode, then run through all of the paces, THEN run audit2allow and see if it throws any errors?
>
> I'm just brainstorming here. This is a weird problem. I am kinda surprised that it worked for a while and then failed. Again, I wonder if it's creating a file and then renaming it. What's the context of the parent directory (ls -Z)?
>
> Maybe you could do something like:
> semanage fcontext -a -t ctdbd_var_lib_t /var/lib/ctdb/persistent/account_policy.tdb
>
> or even:
>
> semanage fcontext -a -t ctdbd_var_lib_t "/var/lib/ctdb/persistent(/.*)?"
>
> That would make any file created under /var/lib/ctdb/persistent/ labeled as ctdbd_var_lib_t.
>
> Thomas
>
> On 11/15/22 15:47, Leszek Szczepanowski via samba wrote:
> > Additionally:
> >
> > [root@fs01 symptoms]# ctdb getdbmap
> > Number of databases:19
> > dbid:0x4d2a432b name:g_lock.tdb path:/var/lib/ctdb/volatile/g_lock.tdb.0
> > dbid:0x2d608c16 name:netlogon_creds_cli.tdb path:/var/lib/ctdb/volatile/netlogon_creds_cli.tdb.0
> > dbid:0x521b7544 name:smbXsrv_version_global.tdb path:/var/lib/ctdb/volatile/smbXsrv_version_global.tdb.0
> > dbid:0x477d2e20 name:smbXsrv_client_global.tdb path:/var/lib/ctdb/volatile/smbXsrv_client_global.tdb.0
> > dbid:0x6b06a26d name:smbXsrv_session_global.tdb path:/var/lib/ctdb/volatile/smbXsrv_session_global.tdb.0
> > dbid:0x68c12c2c name:smbXsrv_tcon_global.tdb path:/var/lib/ctdb/volatile/smbXsrv_tcon_global.tdb.0
> > dbid:0x4e66c2b2 name:brlock.tdb path:/var/lib/ctdb/volatile/brlock.tdb.0
> > dbid:0x7a19d84d name:locking.tdb path:/var/lib/ctdb/volatile/locking.tdb.0
> > dbid:0x06916e77 name:leases.tdb path:/var/lib/ctdb/volatile/leases.tdb.0
> > dbid:0x66f71b8c name:smbXsrv_open_global.tdb path:/var/lib/ctdb/volatile/smbXsrv_open_global.tdb.0
> > dbid:0x1313cc83 name:autorid.tdb path:/var/lib/ctdb/persistent/autorid.tdb.0 PERSISTENT
> > dbid:0x5bcfcbd7 name:printer_list.tdb path:/var/lib/ctdb/persistent/printer_list.tdb.0 PERSISTENT
> > dbid:0x3ef19640 name:passdb.tdb path:/var/lib/ctdb/persistent/passdb.tdb.0 PERSISTENT
> > dbid:0x2ca251cf name:account_policy.tdb path:/var/lib/ctdb/persistent/account_policy.tdb.0 PERSISTENT
> > dbid:0xa1413774 name:group_mapping.tdb path:/var/lib/ctdb/persistent/group_mapping.tdb.0 PERSISTENT
> > dbid:0xc3078fba name:share_info.tdb path:/var/lib/ctdb/persistent/share_info.tdb.0 PERSISTENT
> > dbid:0x6645c6c4 name:ctdb.tdb path:/var/lib/ctdb/persistent/ctdb.tdb.0 PERSISTENT
> > dbid:0x7132c184 name:secrets.tdb path:/var/lib/ctdb/persistent/secrets.tdb.0 PERSISTENT
> > dbid:0x6cf2837d name:registry.tdb path:/var/lib/ctdb/persistent/registry.tdb.0 PERSISTENT
> >
> > It seems, it uses suffix of node number on each node, here node 3:
> >
> > [root@fs03 lszczepa]# ctdb getdbmap
> > Number of databases:19
> > dbid:0x66f71b8c name:smbXsrv_open_global.tdb path:/var/lib/ctdb/volatile/smbXsrv_open_global.tdb.2
> > dbid:0x06916e77 name:leases.tdb path:/var/lib/ctdb/volatile/leases.tdb.2
> > dbid:0x7a19d84d name:locking.tdb path:/var/lib/ctdb/volatile/locking.tdb.2
> > dbid:0x4e66c2b2 name:brlock.tdb path:/var/lib/ctdb/volatile/brlock.tdb.2
> > dbid:0x68c12c2c name:smbXsrv_tcon_global.tdb path:/var/lib/ctdb/volatile/smbXsrv_tcon_global.tdb.2
> > dbid:0x6b06a26d name:smbXsrv_session_global.tdb path:/var/lib/ctdb/volatile/smbXsrv_session_global.tdb.2
> > dbid:0x477d2e20 name:smbXsrv_client_global.tdb path:/var/lib/ctdb/volatile/smbXsrv_client_global.tdb.2
> > dbid:0x521b7544 name:smbXsrv_version_global.tdb path:/var/lib/ctdb/volatile/smbXsrv_version_global.tdb.2
> > dbid:0x2d608c16 name:netlogon_creds_cli.tdb path:/var/lib/ctdb/volatile/netlogon_creds_cli.tdb.2
> > dbid:0x4d2a432b name:g_lock.tdb path:/var/lib/ctdb/volatile/g_lock.tdb.2
> > dbid:0x1313cc83 name:autorid.tdb path:/var/lib/ctdb/persistent/autorid.tdb.2 PERSISTENT
> > dbid:0x5bcfcbd7 name:printer_list.tdb path:/var/lib/ctdb/persistent/printer_list.tdb.2 PERSISTENT
> > dbid:0x3ef19640 name:passdb.tdb path:/var/lib/ctdb/persistent/passdb.tdb.2 PERSISTENT
> > dbid:0x2ca251cf name:account_policy.tdb path:/var/lib/ctdb/persistent/account_policy.tdb.2 PERSISTENT
> > dbid:0xa1413774 name:group_mapping.tdb path:/var/lib/ctdb/persistent/group_mapping.tdb.2 PERSISTENT
> > dbid:0xc3078fba name:share_info.tdb path:/var/lib/ctdb/persistent/share_info.tdb.2 PERSISTENT
> > dbid:0x6645c6c4 name:ctdb.tdb path:/var/lib/ctdb/persistent/ctdb.tdb.2 PERSISTENT
> > dbid:0x7132c184 name:secrets.tdb path:/var/lib/ctdb/persistent/secrets.tdb.2 PERSISTENT
> > dbid:0x6cf2837d name:registry.tdb path:/var/lib/ctdb/persistent/registry.tdb.2 PERSISTENT
> >
> > On Tue, 15 Nov 2022 at 22:44, Leszek Szczepanowski <twinsen at mspanc.net> wrote:
> >
> >> Hi,
> >>
> >> [root@fs01 symptoms]# ls -lZ /var/lib/ctdb/persistent/registry.tdb
> >> ls: cannot access '/var/lib/ctdb/persistent/registry.tdb': No such file or directory
> >> [root@fs01 symptoms]# find / -name registry.tdb
> >> [root@fs01 symptoms]#
> >>
> >> [root@fs01 symptoms]# ls -lZ /var/lib/ctdb/persistent/
> >> total 20832
> >> -rw-------. 1 root root system_u:object_r:ctdbd_var_lib_t:s0 7892992 Nov 15 18:50 account_policy.tdb.0
> >> -rw-r--r--. 1 root root system_u:object_r:ctdbd_var_lib_t:s0 1327104 Nov 15 18:50 autorid.tdb.0
> >> -rw-------. 1 root root system_u:object_r:ctdbd_var_lib_t:s0 1310720 Nov 15 18:50 ctdb.tdb.0
> >> -rw-------. 1 root root system_u:object_r:ctdbd_var_lib_t:s0 1310720 Nov 15 18:50 group_mapping.tdb.0
> >> -rw-------. 1 root root system_u:object_r:ctdbd_var_lib_t:s0 2560000 Nov 15 18:50 passdb.tdb.0
> >> -rw-r--r--. 1 root root system_u:object_r:ctdbd_var_lib_t:s0 1310720 Nov 15 18:50 printer_list.tdb.0
> >> -rw-------. 1 root root system_u:object_r:ctdbd_var_lib_t:s0 1736704 Nov 15 18:50 registry.tdb.0
> >> -rw-------. 1 root root system_u:object_r:ctdbd_var_lib_t:s0 2146304 Nov 15 18:50 secrets.tdb.0
> >> -rw-------. 1 root root system_u:object_r:ctdbd_var_lib_t:s0 1736704 Nov 15 18:50 share_info.tdb.0
> >>
> >> [root@fs01 symptoms]# ls -lZ /var/lib/ctdb/persistent/registry.tdb.0
> >> -rw-------. 1 root root system_u:object_r:ctdbd_var_lib_t:s0 1736704 Nov 15 18:50 /var/lib/ctdb/persistent/registry.tdb.0
> >>
> >> That is strange. Why .0?
> >>
> >> On Tue, 15 Nov 2022 at 21:28, Thomas Cameron <thomas.cameron at camerontech.com> wrote:
> >>
> >>> What's the label for /var/lib/ctdb/persistent/registry.tdb.1? What does ls -lZ tell you?
> >>>
> >>> Thomas
> >>>
> >>> On 11/15/22 10:36, Leszek Szczepanowski wrote:
> >>>
> >>> I'm getting this:
> >>>
> >>> type=AVC msg=audit(1668528098.389:291): avc: denied { getattr } for pid=84190 comm="samba-dcerpcd" path="/var/lib/ctdb/persistent/registry.tdb.1" dev="dm-0" ino=117620565 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=1
> >>> type=AVC msg=audit(1668528098.389:292): avc: denied { map } for pid=84190 comm="samba-dcerpcd" path="/var/lib/ctdb/persistent/registry.tdb.1" dev="dm-0" ino=117620565 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=1
> >>> type=AVC msg=audit(1668528098.391:293): avc: denied { setattr } for pid=84190 comm="samba-dcerpcd" name="g_lock.tdb.1" dev="dm-0" ino=152097603 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=1
> >>> type=AVC msg=audit(1668529035.873:308): avc: denied { read write } for pid=89129 comm="samba-dcerpcd" name="registry.tdb.1" dev="dm-0" ino=117620565 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=1
> >>> type=AVC msg=audit(1668529035.873:308): avc: denied { open } for pid=89129 comm="samba-dcerpcd" path="/var/lib/ctdb/persistent/registry.tdb.1" dev="dm-0" ino=117620565 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=1
> >>> type=AVC msg=audit(1668529035.873:309): avc: denied { lock } for pid=89129 comm="samba-dcerpcd" path="/var/lib/ctdb/persistent/registry.tdb.1" dev="dm-0" ino=117620565 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=1
> >>> type=AVC msg=audit(1668529035.873:310): avc: denied { getattr } for pid=89129 comm="samba-dcerpcd" path="/var/lib/ctdb/persistent/registry.tdb.1" dev="dm-0" ino=117620565 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=1
> >>> type=AVC msg=audit(1668529035.875:311): avc: denied { setattr } for pid=89129 comm="samba-dcerpcd" name="g_lock.tdb.1" dev="dm-0" ino=152097603 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=1
> >>>
> >>> I did
> >>> audit2allow -al -M dcerpcd
> >>> semodule -i dcerpcd.pp
> >>>
> >>> It was working in Enforcing 1 mode for like 1 minute. After that, again not working. But this time:
> >>>
> >>> [root@fs02 samba]# audit2allow -al
> >>> [root@fs02 samba]#
> >>>
> >>> So the module is active, nothing is denied (no new entries in /var/log/audit/audit.log), however it's again:
> >>>
> >>> [2022/11/15 17:33:13,  0] ../../source3/lib/dbwrap/dbwrap_ctdb.c:1926(db_open_ctdb)
> >>>   Could not open tdb /var/lib/ctdb/persistent/registry.tdb.1: Permission denied
> >>> [2022/11/15 17:33:13,  0] ../../source3/lib/dbwrap/dbwrap_open.c:169(db_open)
> >>>   db_open: failed to attach to ctdb registry.tdb
> >>> [2022/11/15 17:33:13,  0] ../../source3/lib/dbwrap/dbwrap_ctdb.c:1926(db_open_ctdb)
> >>>   Could not open tdb /var/lib/ctdb/persistent/registry.tdb.1: Permission denied
> >>> [2022/11/15 17:33:13,  0] ../../source3/lib/dbwrap/dbwrap_open.c:169(db_open)
> >>>   db_open: failed to attach to ctdb registry.tdb
> >>> [2022/11/15 17:33:13,  1] ../../source3/registry/reg_backend_db.c:759(regdb_init)
> >>>   regdb_init: Failed to open registry /var/lib/samba/registry.tdb (Permission denied)
> >>> [2022/11/15 17:33:13,  0] ../../source3/registry/reg_init_basic.c:35(registry_init_common)
> >>>   Failed to initialize the registry: WERR_ACCESS_DENIED
> >>> [2022/11/15 17:33:13,  1] ../../source3/param/loadparm.c:2157(lp_smbconf_ctx)
> >>>   error initializing registry configuration: SBC_ERR_BADFILE
> >>> Can't load /etc/samba/smb.conf - run testparm to debug it
> >>> samba-dcerpcd - Failed to load config file!
> >>>
> >>> On Tue, 15 Nov 2022 at 16:09, Thomas Cameron via samba <samba at lists.samba.org> wrote:
> >>>
> >>>> As root, what does audit2allow -al tell you?
> >>>>
> >>>> Here's a video I did when I was at Red Hat, talking through SELinux. I hope it's helpful. https://www.youtube.com/watch?v=_WOKRaM-HI4
> >>>>
> >>>> Thomas
> >>>>
> >>>> On 11/15/22 04:04, Leszek Szczepanowski via samba wrote:
> >>>>> I think with security=user the rest is simply ignored, and the local auth is working fine.
> >>>>> I will comment out that option for now. The AD integration will be done later.
> >>>>> The main problem is probably not related directly to CTDB, but to what Samba is trying to access with SELinux in Enforcing mode.
> >>>>> As there are no errors in /var/log/messages or in /var/log/audit, I'm lost.
> >>>>> I forgot to say versions, so:
> >>>>>
> >>>>> [root@fs01 samba]# cat /etc/redhat-release
> >>>>> CentOS Stream release 9
> >>>>> [root@fs01 samba]# rpm -qa | grep samba
> >>>>> samba-common-4.16.4-101.el9.noarch
> >>>>> samba-client-libs-4.16.4-101.el9.x86_64
> >>>>> samba-common-libs-4.16.4-101.el9.x86_64
> >>>>> samba-libs-4.16.4-101.el9.x86_64
> >>>>> python3-samba-4.16.4-101.el9.x86_64
> >>>>> samba-common-tools-4.16.4-101.el9.x86_64
> >>>>> samba-4.16.4-101.el9.x86_64
> >>>>> samba-client-4.16.4-101.el9.x86_64
> >>>>> samba-winbind-modules-4.16.4-101.el9.x86_64
> >>>>> samba-winbind-4.16.4-101.el9.x86_64
> >>>>> samba-winbind-krb5-locator-4.16.4-101.el9.x86_64
> >>>>> samba-winbind-clients-4.16.4-101.el9.x86_64
> >>>>> [root@fs01 samba]# rpm -qa | grep ctdb
> >>>>> ctdb-4.16.4-101.el9.x86_64
> >>>>> [root@fs01 samba]# uname -a
> >>>>> Linux fs01.xxx 5.14.0-183.el9.x86_64 #1 SMP PREEMPT_DYNAMIC Mon Oct 31 09:18:51 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
> >>>>>
> >>>>> Also, the provided errors were wrong, I was playing with permissive mode.
> >>>>> In enforcing it is:
> >>>>>
> >>>>> [2022/11/15 11:02:08,  0] ../../source3/lib/dbwrap/dbwrap_ctdb.c:1926(db_open_ctdb)
> >>>>>   Could not open tdb /var/lib/ctdb/persistent/registry.tdb.0: Permission denied
> >>>>> [2022/11/15 11:02:08,  0] ../../source3/lib/dbwrap/dbwrap_open.c:169(db_open)
> >>>>>   db_open: failed to attach to ctdb registry.tdb
> >>>>> [2022/11/15 11:02:08,  0] ../../source3/lib/dbwrap/dbwrap_ctdb.c:1926(db_open_ctdb)
> >>>>>   Could not open tdb /var/lib/ctdb/persistent/registry.tdb.0: Permission denied
> >>>>> [2022/11/15 11:02:08,  0] ../../source3/lib/dbwrap/dbwrap_open.c:169(db_open)
> >>>>>   db_open: failed to attach to ctdb registry.tdb
> >>>>> [2022/11/15 11:02:08,  1] ../../source3/registry/reg_backend_db.c:759(regdb_init)
> >>>>>   regdb_init: Failed to open registry /var/lib/samba/registry.tdb (Permission denied)
> >>>>> [2022/11/15 11:02:08,  0] ../../source3/registry/reg_init_basic.c:35(registry_init_common)
> >>>>>   Failed to initialize the registry: WERR_ACCESS_DENIED
> >>>>> [2022/11/15 11:02:08,  1] ../../source3/param/loadparm.c:2157(lp_smbconf_ctx)
> >>>>>   error initializing registry configuration: SBC_ERR_BADFILE
> >>>>> Can't load /etc/samba/smb.conf - run testparm to debug it
> >>>>> samba-dcerpcd - Failed to load config file!
> >>>>>
> >>>>> But in the same time, I can do testparm without any issues:
> >>>>>
> >>>>> [root@fs01 samba]# testparm
> >>>>> Load smb config files from /etc/samba/smb.conf
> >>>>> Loaded services file OK.
> >>>>> Weak crypto is allowed
> >>>>>
> >>>>> Server role: ROLE_STANDALONE
> >>>>>
> >>>>> Press enter to see a dump of your service definitions
> >>>>>
> >>>>> # Global parameters
> >>>>> [global]
> >>>>>         clustering = Yes
> >>>>>         logging = syslog
> >>>>>         netbios name = FS
> >>>>>         realm = FS.xxx
> >>>>>         registry shares = Yes
> >>>>>         security = USER
> >>>>>         workgroup = xxx
> >>>>>         idmap config * : range = 1000000-1999999
> >>>>>         ctdb:registry.tdb = yes
> >>>>>         idmap config * : backend = autorid
> >>>>>
> >>>>>
> >>>>> [symptoms]
> >>>>>         path = /mnt/glusterfs/symptoms/
> >>>>>         read only = No
> >>>>>
> >>>>>
> >>>>> On Tue, 15 Nov 2022 at 10:47, Rowland Penny via samba <samba at lists.samba.org> wrote:
> >>>>>
> >>>>>> On 15/11/2022 09:21, Leszek Szczepanowski via samba wrote:
> >>>>>>> I have very simple config for HA Samba, using CTDB.
> >>>>>>> I have set all possible SELinux options until "denied" messages stopped appearing in /var/log/messages.
> >>>>>>>
> >>>>>>> All works flawlessly, just the problem is with browsing Samba shares with enforcing setting.
> >>>>>>>
> >>>>>>> When I try to browse shares, I'm getting this:
> >>>>>>>
> >>>>>>>   samba-dcerpcd version 4.16.4 started.
> >>>>>>>   Copyright Andrew Tridgell and the Samba Team 1992-2022
> >>>>>>> [2022/11/15 10:10:57.674555,  1] ../../source3/rpc_client/cli_pipe.c:3014(rpc_pipe_open_ncalrpc)
> >>>>>>>   rpc_pipe_open_ncalrpc: connect(/run/samba/ncalrpc/EPMAPPER) failed: No such file or directory
> >>>>>>> [2022/11/15 10:10:57.820626,  1] ../../source3/rpc_server/rpc_host.c:1763(rpc_worker_exited)
> >>>>>>>   rpc_worker_exited: No worker with PID 3281
> >>>>>>> [2022/11/15 10:10:58.040001,  1] ../../source3/rpc_server/rpc_host.c:1350(rpc_host_distribute_clients)
> >>>>>>>   rpc_host_distribute_clients: Sending new client /usr/libexec/samba/rpcd_winreg to 3294 with 0 clients
> >>>>>>> [2022/11/15 10:10:58.048701,  1] ../../source3/rpc_server/rpc_host.c:1350(rpc_host_distribute_clients)
> >>>>>>>   rpc_host_distribute_clients: Sending new client /usr/libexec/samba/rpcd_winreg to 3294 with 0 clients
> >>>>>>> [2022/11/15 10:10:58.049474,  1] ../../source3/rpc_server/rpc_host.c:1350(rpc_host_distribute_clients)
> >>>>>>>   rpc_host_distribute_clients: Sending new client /usr/libexec/samba/rpcd_classic to 3292 with 0 clients
> >>>>>>> [2022/11/15 10:10:58.560868,  1] ../../source3/rpc_server/rpc_host.c:1350(rpc_host_distribute_clients)
> >>>>>>>   rpc_host_distribute_clients: Sending new client /usr/libexec/samba/rpcd_classic to 3292 with 0 clients
> >>>>>>>
> >>>>>>> Samba is in clustered mode + registry:
> >>>>>>>
> >>>>>>> [root@fs01 samba]# net conf list
> >>>>>>> [global]
> >>>>>>>         logging = syslog
> >>>>>>>         log level = 1
> >>>>>>>         netbios name = fs
> >>>>>>>         workgroup = xxx
> >>>>>>>         realm = xxx
> >>>>>>>         idmap config * : backend = autorid
> >>>>>>>         idmap config * : range = 1000000-1999999
> >>>>>>>         security = user
> >>>>>> Now I do not know a lot about CTDB, but I do know that you cannot use 'idmap config' lines with 'security = user', they are only used with a domain, so if this cluster is joined to a domain, I would start by changing 'security = user' to 'security = ADS'
> >>>>>>
> >>>>>> Rowland
> >>>>>>
> >>>>>> --
> >>>>>> To unsubscribe from this list go to the following URL and read the
> >>>>>> instructions: https://lists.samba.org/mailman/options/samba
> >>>
> >>> --
> >>> Leszek A. Szczepanowski
> >>> twinsen at mspanc.net
> >>
> >> --
> >> Leszek A. Szczepanowski
> >> twinsen at mspanc.net
>
> --
> Leszek A. Szczepanowski
> twinsen at mspanc.net
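
Added example, not part of either message and not code from Samba, CTDB or the audit tools: the number inside msg=audit(...) is a Unix epoch timestamp, so the AVC records pasted in this thread can be dated, grouped by source type, target type and class, and checked for whether any of them were recorded after the switch to enforcing mode. The sample records are copied from the thread and re-joined onto single lines; the function names are hypothetical, and the allow-rule rendering only imitates the syntax audit2allow prints.

```python
"""Date and group SELinux AVC denials from audit.log text (added example)."""
import re
from datetime import datetime, timezone

# Records copied from the thread, re-joined onto single lines. They come from
# different cluster nodes and are combined here only as parser input.
SAMPLE_LOG = """\
type=AVC msg=audit(1668453078.472:7812): avc: denied { read } for pid=1145319 comm="samba-dcerpcd" path="/mnt/glusterfs/symptoms" dev="fuse" ino=12078604982724428835 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1668528098.389:291): avc: denied { getattr } for pid=84190 comm="samba-dcerpcd" path="/var/lib/ctdb/persistent/registry.tdb.1" dev="dm-0" ino=117620565 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1668529035.873:308): avc: denied { read write } for pid=89129 comm="samba-dcerpcd" name="registry.tdb.1" dev="dm-0" ino=117620565 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1668529035.873:309): avc: denied { lock } for pid=89129 comm="samba-dcerpcd" path="/var/lib/ctdb/persistent/registry.tdb.1" dev="dm-0" ino=117620565 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=1
type=MAC_STATUS msg=audit(1668594460.442:526): enforcing=1 old_enforcing=0 auid=1000 ses=5 enabled=1 old-enabled=1 lsm=selinux res=1
"""

HEADER_RE = re.compile(
    r"type=(?P<type>\w+) msg=audit\((?P<sec>\d+)\.\d+:(?P<serial>\d+)\):\s*(?P<body>.*)"
)
AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'([\w-]+)=("[^"]*"|\S+)')


def parse_record(line):
    """Parse one audit record; return None for lines that are not records."""
    head = HEADER_RE.search(line)
    if head is None:
        return None
    rec = {
        "type": head["type"],
        # The number before the dot is seconds since the Unix epoch.
        "when": datetime.fromtimestamp(int(head["sec"]), tz=timezone.utc),
        "serial": int(head["serial"]),
    }
    body = head["body"]
    avc = AVC_RE.match(body)
    if avc:
        rec["perms"] = set(avc["perms"].split())
        body = avc["fields"]
    rec["fields"] = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
    return rec


def is_denial(rec):
    """True for an AVC denial that carries the contexts policy rules need."""
    needed = {"scontext", "tcontext", "tclass"}
    return rec["type"] == "AVC" and "perms" in rec and needed <= rec["fields"].keys()


def type_of(context):
    """Third field of user:role:type:level is the type that rules refer to."""
    return context.split(":")[2]


def summarize(text):
    """Group denials by (source type, target type, class)."""
    groups = {}
    for rec in filter(None, map(parse_record, text.splitlines())):
        if not is_denial(rec):
            continue
        f = rec["fields"]
        key = (type_of(f["scontext"]), type_of(f["tcontext"]), f["tclass"])
        g = groups.setdefault(key, {"perms": set(), "first": rec["when"],
                                    "last": rec["when"], "blocked": 0, "logged_only": 0})
        g["perms"] |= rec["perms"]
        g["first"] = min(g["first"], rec["when"])
        g["last"] = max(g["last"], rec["when"])
        # permissive=1: the access was logged but still allowed to proceed.
        g["logged_only" if f.get("permissive") == "1" else "blocked"] += 1
    return groups


def allow_rule(key, group):
    """Render one group in the policy syntax that audit2allow prints."""
    source, target, tclass = key
    return f"allow {source} {target}:{tclass} {{ {' '.join(sorted(group['perms']))} }};"


def denials_since_enforcing(text):
    """Denials recorded at or after the last switch to enforcing mode.

    Returns None when the text contains no MAC_STATUS enforcing=1 record.
    """
    recs = [r for r in map(parse_record, text.splitlines()) if r]
    switches = [r["when"] for r in recs
                if r["type"] == "MAC_STATUS" and r["fields"].get("enforcing") == "1"]
    if not switches:
        return None
    return [r for r in recs if is_denial(r) and r["when"] >= max(switches)]


if __name__ == "__main__":
    for key, group in summarize(SAMPLE_LOG).items():
        print(allow_rule(key, group))
        print(f"  first {group['first']:%Y-%m-%d %H:%M:%S} UTC,"
              f" last {group['last']:%Y-%m-%d %H:%M:%S} UTC,"
              f" blocked={group['blocked']} logged_only={group['logged_only']}")
    late = denials_since_enforcing(SAMPLE_LOG)
    print("denials since last setenforce 1:", "n/a" if late is None else len(late))
```

On a live system the same timestamp conversion is available from ausearch with its -i (interpret) option.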
Leszek Szczepanowski
2022-Nov-16 18:14 UTC
[Samba] Strange issue with Samba+CTDB+SELinux+GlusterFS
Hi,

So audit.log does not have timestamps, but few last lines are:

type=AVC msg=audit(1668453078.472:7812): avc: denied { read } for pid=1145319 comm="samba-dcerpcd" path="/mnt/glusterfs/symptoms" dev="fuse" ino=12078604982724428835 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1668458126.204:7889): avc: denied { write } for pid=1171820 comm="ctdb_vacuum" name="ctdbd.socket" dev="tmpfs" ino=7063 scontext=system_u:system_r:ctdbd_t:s0 tcontext=system_u:object_r:samba_share_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1668458140.407:7894): avc: denied { getattr } for pid=1171898 comm="testparm" path="/run/ctdb/ctdbd.socket" dev="tmpfs" ino=7063 scontext=system_u:system_r:ctdbd_t:s0 tcontext=system_u:object_r:samba_share_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1668458468.434:7903): avc: denied { write } for pid=1173609 comm="ctdb_vacuum" name="ctdbd.socket" dev="tmpfs" ino=7063 scontext=system_u:system_r:ctdbd_t:s0 tcontext=system_u:object_r:samba_share_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1668458474.389:7906): avc: denied { getattr } for pid=1173670 comm="testparm" path="/run/ctdb/ctdbd.socket" dev="tmpfs" ino=7063 scontext=system_u:system_r:ctdbd_t:s0 tcontext=system_u:object_r:samba_share_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1668458476.270:7909): avc: denied { write } for pid=1173702 comm="ctdb_vacuum" name="ctdbd.socket" dev="tmpfs" ino=7063 scontext=system_u:system_r:ctdbd_t:s0 tcontext=system_u:object_r:samba_share_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1668502976.185:8211): avc: denied { bpf } for pid=1400751 comm="plymouthd" capability=39 scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:system_r:plymouthd_t:s0 tclass=capability2 permissive=1
type=AVC msg=audit(1668524588.339:113): avc: denied { ioctl } for pid=12431 comm="samba-dcerpcd" path="/mnt/glusterfs/symptoms" dev="fuse" ino=12078604982724428835 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir permissive=1

But please be aware that the system is now running in Permissive mode. I cannot say when those entries were created, but I guess before I made a module enabling all related to samba-dcerpcd

As for the ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -ts recent:

[root@fs01 samba]# ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -ts recent
<no matches>
[root@fs01 samba]# setenforce 1
[root@fs01 samba]# ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -ts recent
<no matches>

[root@fs02 samba]# ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -ts recent
<no matches>

I'm lost :(

On Wed, 16 Nov 2022 at 18:49, Thomas Cameron via samba <samba at lists.samba.org> wrote:

> What does:
>
> grep denied /var/log/audit/audit.log
>
> give you?
>
> Also, what's the output of
>
> ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -ts recent
>
> please?
>
> Thomas
>
> On 11/16/22 04:41, Leszek Szczepanowski wrote:
> > Hi,
> >
> > So this is the flow:
> >
> > [root@fs01 lszczepa]# semanage fcontext -a -t ctdbd_var_lib_t "/var/lib/ctdb/persistent(/.*)?"
> > [root at fs01 lszczepa]# getenforce > > Permissive > > [root at fs01 samba]# setenforce 1 > > [root at fs01 samba]# tail -f log.samba-dcerpcd > > > > [attempt to browse shares after setenforce 1] log.samba-dcerpcd: > > [2022/11/16 11:27:20.055038, 1] > > ../../source3/rpc_server/rpc_host.c:1350(rpc_host_distribute_clients) > > rpc_host_distribute_clients: Sending new client > > /usr/libexec/samba/rpcd_winreg to 365918 with 0 clients > > [2022/11/16 11:27:20.063589, 1] > > ../../source3/rpc_server/rpc_host.c:1350(rpc_host_distribute_clients) > > rpc_host_distribute_clients: Sending new client > > /usr/libexec/samba/rpcd_winreg to 365918 with 0 clients > > [2022/11/16 11:27:20.064348, 1] > > ../../source3/rpc_server/rpc_host.c:1350(rpc_host_distribute_clients) > > rpc_host_distribute_clients: Sending new client > > /usr/libexec/samba/rpcd_classic to 365916 with 0 clients > > [2022/11/16 11:27:48.997477, 1] > > ../../source3/rpc_server/rpc_host.c:1350(rpc_host_distribute_clients) > > rpc_host_distribute_clients: Sending new client > > /usr/libexec/samba/rpcd_classic to 365916 with 0 clients > > [2022/11/16 11:28:02.217934, 1] > > ../../source3/rpc_server/rpc_host.c:1350(rpc_host_distribute_clients) > > rpc_host_distribute_clients: Sending new client > > /usr/libexec/samba/rpcd_classic to 365916 with 0 clients > > > > Corresponding /var/log/messages: > > > > Nov 16 11:27:19 fs01 samba-dcerpcd[365899]: [2022/11/16 > > 11:27:19.826956, 1] > > ../../source3/rpc_client/cli_pipe.c:3014(rpc_pipe_open_ncalrpc) > > Nov 16 11:27:19 fs01 samba-dcerpcd[365899]: rpc_pipe_open_ncalrpc: > > connect(/run/samba/ncalrpc/EPMAPPER) failed: No such file or directory > > Nov 16 11:27:19 fs01 samba-dcerpcd[365899]: [2022/11/16 > > 11:27:19.878835, 1] > > ../../source3/rpc_server/rpc_host.c:1763(rpc_worker_exited) > > Nov 16 11:27:19 fs01 samba-dcerpcd[365899]: rpc_worker_exited: No > > worker with PID 365905 > > Nov 16 11:27:20 fs01 samba-dcerpcd[365899]: [2022/11/16 > > 
> > 11:27:20.055038, 1]
> > ../../source3/rpc_server/rpc_host.c:1350(rpc_host_distribute_clients)
> > Nov 16 11:27:20 fs01 samba-dcerpcd[365899]:
> > rpc_host_distribute_clients: Sending new client
> > /usr/libexec/samba/rpcd_winreg to 365918 with 0 clients
> > Nov 16 11:27:20 fs01 samba-dcerpcd[365899]: [2022/11/16
> > 11:27:20.063589, 1]
> > ../../source3/rpc_server/rpc_host.c:1350(rpc_host_distribute_clients)
> > Nov 16 11:27:20 fs01 samba-dcerpcd[365899]:
> > rpc_host_distribute_clients: Sending new client
> > /usr/libexec/samba/rpcd_winreg to 365918 with 0 clients
> > Nov 16 11:27:20 fs01 samba-dcerpcd[365899]: [2022/11/16
> > 11:27:20.064348, 1]
> > ../../source3/rpc_server/rpc_host.c:1350(rpc_host_distribute_clients)
> > Nov 16 11:27:20 fs01 samba-dcerpcd[365899]:
> > rpc_host_distribute_clients: Sending new client
> > /usr/libexec/samba/rpcd_classic to 365916 with 0 clients
> > Nov 16 11:27:48 fs01 samba-dcerpcd[365899]: [2022/11/16
> > 11:27:48.997477, 1]
> > ../../source3/rpc_server/rpc_host.c:1350(rpc_host_distribute_clients)
> > Nov 16 11:27:48 fs01 samba-dcerpcd[365899]:
> > rpc_host_distribute_clients: Sending new client
> > /usr/libexec/samba/rpcd_classic to 365916 with 0 clients
> > Nov 16 11:28:02 fs01 samba-dcerpcd[365899]: [2022/11/16
> > 11:28:02.217934, 1]
> > ../../source3/rpc_server/rpc_host.c:1350(rpc_host_distribute_clients)
> > Nov 16 11:28:02 fs01 samba-dcerpcd[365899]:
> > rpc_host_distribute_clients: Sending new client
> > /usr/libexec/samba/rpcd_classic to 365916 with 0 clients
> > Nov 16 11:30:04 fs01 dbus-broker-launch[1295]: avc: op=setenforce
> > lsm=selinux enforcing=1 res=1
> > Nov 16 11:30:04 fs01 dbus-broker-launch[1295]: avc: op=load_policy
> > lsm=selinux seqno=4 res=1
> > Nov 16 11:30:04 fs01 systemd[1]: Starting system activity accounting
> > tool...
> > Nov 16 11:30:04 fs01 systemd[1]: sysstat-collect.service: Deactivated
> > successfully.
> > Nov 16 11:30:04 fs01 systemd[1]: Finished system activity accounting
> tool.
> >
> > [after few 4 minutes] log.samba-dcerpcd:
> > [2022/11/16 11:32:05, 0]
> > ../../source3/lib/dbwrap/dbwrap_ctdb.c:1926(db_open_ctdb)
> > Could not open tdb /var/lib/ctdb/persistent/registry.tdb.0:
> > Permission denied
> > [2022/11/16 11:32:05, 0]
> > ../../source3/lib/dbwrap/dbwrap_open.c:169(db_open)
> > db_open: failed to attach to ctdb registry.tdb
> > [2022/11/16 11:32:05, 0]
> > ../../source3/lib/dbwrap/dbwrap_ctdb.c:1926(db_open_ctdb)
> > Could not open tdb /var/lib/ctdb/persistent/registry.tdb.0:
> > Permission denied
> > [2022/11/16 11:32:05, 0]
> > ../../source3/lib/dbwrap/dbwrap_open.c:169(db_open)
> > db_open: failed to attach to ctdb registry.tdb
> > [2022/11/16 11:32:05, 1]
> > ../../source3/registry/reg_backend_db.c:759(regdb_init)
> > regdb_init: Failed to open registry /var/lib/samba/registry.tdb
> > (Permission denied)
> > [2022/11/16 11:32:05, 0]
> > ../../source3/registry/reg_init_basic.c:35(registry_init_common)
> > Failed to initialize the registry: WERR_ACCESS_DENIED
> > [2022/11/16 11:32:05, 1]
> > ../../source3/param/loadparm.c:2157(lp_smbconf_ctx)
> > error initializing registry configuration: SBC_ERR_BADFILE
> > Can't load /etc/samba/smb.conf - run testparm to debug it
> > samba-dcerpcd - Failed to load config file!
> >
> > [root at fs01 samba]# audit2allow -al
> > [root at fs01 samba]#
> >
> > Nothing interesting in /var/log/audit/audit.log:
> >
> > type=USER_MAC_CONFIG_CHANGE msg=audit(1668594292.322:525): pid=365125
> > uid=0 auid=1000 ses=5
> > subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> > msg='resrc=fcontext op=add tglob="/var/lib/ctdb/persistent(/.*)?"
> > ftype=any tcontext=system_u:object_r:ctdbd_var_lib_t: comm="semanage"
> > exe="/usr/bin/python3.9" hostname=? addr=? terminal=?
> > res=success'UID="root" AUID="lszczepa"
> > type=MAC_STATUS msg=audit(1668594460.442:526): enforcing=1
> > old_enforcing=0 auid=1000 ses=5 enabled=1 old-enabled=1 lsm=selinux
> > res=1AUID="lszczepa"
> > type=SYSCALL msg=audit(1668594460.442:526): arch=c000003e syscall=1
> > success=yes exit=1 a0=3 a1=7ffecb7da5b0 a2=1 a3=1 items=0 ppid=364844
> > pid=366003 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> > fsgid=0 tty=pts0 ses=5 comm="setenforce" exe="/usr/sbin/setenforce"
> > subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> > key=(null)ARCH=x86_64 SYSCALL=write AUID="lszczepa" UID="root"
> > GID="root" EUID="root" SUID="root" FSUID="root" EGID="root"
> > SGID="root" FSGID="root"
> > type=PROCTITLE msg=audit(1668594460.442:526):
> > proctitle=736574656E666F7263650031
> > type=SERVICE_START msg=audit(1668594604.562:527): pid=1 uid=0
> > auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0
> > msg='unit=sysstat-collect comm="systemd"
> > exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=?
> > res=success'UID="root" AUID="unset"
> > type=SERVICE_STOP msg=audit(1668594604.562:528): pid=1 uid=0
> > auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0
> > msg='unit=sysstat-collect comm="systemd"
> > exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=?
> > res=success'UID="root" AUID="unset"
> >
> > Nothing in /var/log/messages related to SELinux, but something is
> > still blocking samba-dcerpcd from accessing /var/lib/ctdb/persistent
> >
> > [root at fs01 samba]# semanage fcontext -a -t ctdbd_var_lib_t
> > "/var/lib/ctdb(/.*)?"
> > ValueError: File context for /var/lib/ctdb(/.*)? already defined
> > [root at fs01 samba]# semanage fcontext -a -t ctdbd_var_lib_t
> > "/var/lib/ctdb/persistent(/.*)?"
> > ValueError: File context for /var/lib/ctdb/persistent(/.*)? already
> > defined
> >
> > So to have browsing back, I needed to do setenforce 0 again :(
> >
> > On Wed, 16 Nov 2022 at 04:05, Thomas Cameron via samba
> > <samba at lists.samba.org> wrote:
> >
> > I'm wondering if something weird is happening like it creates the
> > file
> > initially as /var/lib/ctdb/persistent/registry.tdb and then
> > renames it
> > to /var/lib/ctdb/persistent/registry.tdb.1. The SELinux error
> > could be
> > on the initial file it's creating or something like that.
> >
> > And you say that, when you set SELinux to permissive, the problem
> > goes
> > away completely, right?
> >
> > Can you maybe run the server in permissive mode, then run through
> > all of
> > the paces, THEN run audit2allow and see if it throws any errors?
> >
> > I'm just brainstorming here. This is a weird problem. I am kinda
> > surprised that it worked for a while and then failed. Again, I
> > wonder if
> > it's creating a file and then renaming it. What's the context of the
> > parent directory (ls -Z)?
> >
> > Maybe you could do something like:
> > semanage fcontext -a -t ctdbd_var_lib_t
> > /var/lib/ctdb/persistent/account_policy.tdb
> >
> > or even:
> >
> > semanage fcontext -a -t ctdbd_var_lib_t
> /var/lib/ctdb/persistent(/.*)?
> >
> > That would make any file created under /var/lib/ctdb/persistent/
> > labeled
> > as ctdbd_var_lib_t.
> >
> > Thomas
> >
> > On 11/15/22 15:47, Leszek Szczepanowski via samba wrote:
> > > Additionally:
> > >
> > > [root at fs01 symptoms]# ctdb getdbmap
> > > Number of databases:19
> > > dbid:0x4d2a432b name:g_lock.tdb
> > path:/var/lib/ctdb/volatile/g_lock.tdb.0
> > > dbid:0x2d608c16 name:netlogon_creds_cli.tdb
> > > path:/var/lib/ctdb/volatile/netlogon_creds_cli.tdb.0
> > > dbid:0x521b7544 name:smbXsrv_version_global.tdb
> > > path:/var/lib/ctdb/volatile/smbXsrv_version_global.tdb.0
> > > dbid:0x477d2e20 name:smbXsrv_client_global.tdb
> > > path:/var/lib/ctdb/volatile/smbXsrv_client_global.tdb.0
> > > dbid:0x6b06a26d name:smbXsrv_session_global.tdb
> > > path:/var/lib/ctdb/volatile/smbXsrv_session_global.tdb.0
> > > dbid:0x68c12c2c name:smbXsrv_tcon_global.tdb
> > > path:/var/lib/ctdb/volatile/smbXsrv_tcon_global.tdb.0
> > > dbid:0x4e66c2b2 name:brlock.tdb
> > path:/var/lib/ctdb/volatile/brlock.tdb.0
> > > dbid:0x7a19d84d name:locking.tdb
> > path:/var/lib/ctdb/volatile/locking.tdb.0
> > > dbid:0x06916e77 name:leases.tdb
> > path:/var/lib/ctdb/volatile/leases.tdb.0
> > > dbid:0x66f71b8c name:smbXsrv_open_global.tdb
> > > path:/var/lib/ctdb/volatile/smbXsrv_open_global.tdb.0
> > > dbid:0x1313cc83 name:autorid.tdb
> > > path:/var/lib/ctdb/persistent/autorid.tdb.0 PERSISTENT
> > > dbid:0x5bcfcbd7 name:printer_list.tdb
> > > path:/var/lib/ctdb/persistent/printer_list.tdb.0 PERSISTENT
> > > dbid:0x3ef19640 name:passdb.tdb
> > path:/var/lib/ctdb/persistent/passdb.tdb.0
> > > PERSISTENT
> > > dbid:0x2ca251cf name:account_policy.tdb
> > > path:/var/lib/ctdb/persistent/account_policy.tdb.0 PERSISTENT
> > > dbid:0xa1413774 name:group_mapping.tdb
> > > path:/var/lib/ctdb/persistent/group_mapping.tdb.0 PERSISTENT
> > > dbid:0xc3078fba name:share_info.tdb
> > > path:/var/lib/ctdb/persistent/share_info.tdb.0 PERSISTENT
> > > dbid:0x6645c6c4 name:ctdb.tdb
> > path:/var/lib/ctdb/persistent/ctdb.tdb.0
> > > PERSISTENT
> > > dbid:0x7132c184 name:secrets.tdb
> > > path:/var/lib/ctdb/persistent/secrets.tdb.0 PERSISTENT
> > > dbid:0x6cf2837d name:registry.tdb
> > > path:/var/lib/ctdb/persistent/registry.tdb.0 PERSISTENT
> > >
> > > It seems, it uses suffix of node number on each node, here node 3:
> > >
> > > [root at fs03 lszczepa]# ctdb getdbmap
> > > Number of databases:19
> > > dbid:0x66f71b8c name:smbXsrv_open_global.tdb
> > > path:/var/lib/ctdb/volatile/smbXsrv_open_global.tdb.2
> > > dbid:0x06916e77 name:leases.tdb
> > path:/var/lib/ctdb/volatile/leases.tdb.2
> > > dbid:0x7a19d84d name:locking.tdb
> > path:/var/lib/ctdb/volatile/locking.tdb.2
> > > dbid:0x4e66c2b2 name:brlock.tdb
> > path:/var/lib/ctdb/volatile/brlock.tdb.2
> > > dbid:0x68c12c2c name:smbXsrv_tcon_global.tdb
> > > path:/var/lib/ctdb/volatile/smbXsrv_tcon_global.tdb.2
> > > dbid:0x6b06a26d name:smbXsrv_session_global.tdb
> > > path:/var/lib/ctdb/volatile/smbXsrv_session_global.tdb.2
> > > dbid:0x477d2e20 name:smbXsrv_client_global.tdb
> > > path:/var/lib/ctdb/volatile/smbXsrv_client_global.tdb.2
> > > dbid:0x521b7544 name:smbXsrv_version_global.tdb
> > > path:/var/lib/ctdb/volatile/smbXsrv_version_global.tdb.2
> > > dbid:0x2d608c16 name:netlogon_creds_cli.tdb
> > > path:/var/lib/ctdb/volatile/netlogon_creds_cli.tdb.2
> > > dbid:0x4d2a432b name:g_lock.tdb
> > path:/var/lib/ctdb/volatile/g_lock.tdb.2
> > > dbid:0x1313cc83 name:autorid.tdb
> > > path:/var/lib/ctdb/persistent/autorid.tdb.2 PERSISTENT
> > > dbid:0x5bcfcbd7 name:printer_list.tdb
> > > path:/var/lib/ctdb/persistent/printer_list.tdb.2 PERSISTENT
> > > dbid:0x3ef19640 name:passdb.tdb
> > path:/var/lib/ctdb/persistent/passdb.tdb.2
> > > PERSISTENT
> > > dbid:0x2ca251cf name:account_policy.tdb
> > > path:/var/lib/ctdb/persistent/account_policy.tdb.2 PERSISTENT
> > > dbid:0xa1413774 name:group_mapping.tdb
> > > path:/var/lib/ctdb/persistent/group_mapping.tdb.2 PERSISTENT
> > > dbid:0xc3078fba name:share_info.tdb
> > > path:/var/lib/ctdb/persistent/share_info.tdb.2 PERSISTENT
> > > dbid:0x6645c6c4 name:ctdb.tdb
> > path:/var/lib/ctdb/persistent/ctdb.tdb.2
> > > PERSISTENT
> > > dbid:0x7132c184 name:secrets.tdb
> > > path:/var/lib/ctdb/persistent/secrets.tdb.2 PERSISTENT
> > > dbid:0x6cf2837d name:registry.tdb
> > > path:/var/lib/ctdb/persistent/registry.tdb.2 PERSISTENT
> > >
> > >
> > >
> > > On Tue, 15 Nov 2022 at 22:44, Leszek Szczepanowski <twinsen at mspanc.net>
> > > wrote:
> > >
> > >> Hi,
> > >>
> > >> [root at fs01 symptoms]# ls -lZ
> /var/lib/ctdb/persistent/registry.tdb
> > >> ls: cannot access '/var/lib/ctdb/persistent/registry.tdb': No
> > such file or
> > >> directory
> > >> [root at fs01 symptoms]# find / -name registry.tdb
> > >> [root at fs01 symptoms]#
> > >>
> > >> [root at fs01 symptoms]# ls -lZ /var/lib/ctdb/persistent/
> > >> total 20832
> > >> -rw-------. 1 root root system_u:object_r:ctdbd_var_lib_t:s0
> > 7892992 Nov
> > >> 15 18:50 account_policy.tdb.0
> > >> -rw-r--r--. 1 root root system_u:object_r:ctdbd_var_lib_t:s0
> > 1327104 Nov
> > >> 15 18:50 autorid.tdb.0
> > >> -rw-------. 1 root root system_u:object_r:ctdbd_var_lib_t:s0
> > 1310720 Nov
> > >> 15 18:50 ctdb.tdb.0
> > >> -rw-------. 1 root root system_u:object_r:ctdbd_var_lib_t:s0
> > 1310720 Nov
> > >> 15 18:50 group_mapping.tdb.0
> > >> -rw-------. 1 root root system_u:object_r:ctdbd_var_lib_t:s0
> > 2560000 Nov
> > >> 15 18:50 passdb.tdb.0
> > >> -rw-r--r--. 1 root root system_u:object_r:ctdbd_var_lib_t:s0
> > 1310720 Nov
> > >> 15 18:50 printer_list.tdb.0
> > >> -rw-------. 1 root root system_u:object_r:ctdbd_var_lib_t:s0
> > 1736704 Nov
> > >> 15 18:50 registry.tdb.0
> > >> -rw-------. 1 root root system_u:object_r:ctdbd_var_lib_t:s0
> > 2146304 Nov
> > >> 15 18:50 secrets.tdb.0
> > >> -rw-------. 1 root root system_u:object_r:ctdbd_var_lib_t:s0
> > 1736704 Nov
> > >> 15 18:50 share_info.tdb.0
> > >>
> > >> [root at fs01 symptoms]# ls -lZ
> > /var/lib/ctdb/persistent/registry.tdb.0
> > >> -rw-------. 1 root root system_u:object_r:ctdbd_var_lib_t:s0
> > 1736704 Nov
> > >> 15 18:50 /var/lib/ctdb/persistent/registry.tdb.0
> > >>
> > >> That is strange. Why .0?
> > >>
> > >> On Tue, 15 Nov 2022 at 21:28, Thomas Cameron
> > <thomas.cameron at camerontech.com>
> > >> wrote:
> > >>
> > >>> What's the label for /var/lib/ctdb/persistent/registry.tdb.1?
> > What does
> > >>> ls -lZ tell you?
> > >>>
> > >>> Thomas
> > >>>
> > >>> On 11/15/22 10:36, Leszek Szczepanowski wrote:
> > >>>
> > >>> I'm getting this:
> > >>>
> > >>> type=AVC msg=audit(1668528098.389:291): avc: denied { getattr
> > } for
> > >>> pid=84190 comm="samba-dcerpcd"
> > >>> path="/var/lib/ctdb/persistent/registry.tdb.1" dev="dm-0"
> > ino=117620565
> > >>> scontext=system_u:system_r:winbind_rpcd_t:s0
> > >>> tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file
> > permissive=1
> > >>> type=AVC msg=audit(1668528098.389:292): avc: denied { map } for
> > >>> pid=84190 comm="samba-dcerpcd"
> > >>> path="/var/lib/ctdb/persistent/registry.tdb.1" dev="dm-0"
> > ino=117620565
> > >>> scontext=system_u:system_r:winbind_rpcd_t:s0
> > >>> tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file
> > permissive=1
> > >>> type=AVC msg=audit(1668528098.391:293): avc: denied { setattr
> > } for
> > >>> pid=84190 comm="samba-dcerpcd" name="g_lock.tdb.1" dev="dm-0"
> > >>> ino=152097603 scontext=system_u:system_r:winbind_rpcd_t:s0
> > >>> tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file
> > permissive=1
> > >>> type=AVC msg=audit(1668529035.873:308): avc: denied { read
> > write } for
> > >>> pid=89129 comm="samba-dcerpcd" name="registry.tdb.1" dev="dm-0"
> > >>> ino=117620565 scontext=system_u:system_r:winbind_rpcd_t:s0
> > >>> tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file
> > permissive=1
> > >>> type=AVC msg=audit(1668529035.873:308): avc: denied { open } for
> > >>> pid=89129 comm="samba-dcerpcd"
> > >>> path="/var/lib/ctdb/persistent/registry.tdb.1" dev="dm-0"
> > ino=117620565
> > >>> scontext=system_u:system_r:winbind_rpcd_t:s0
> > >>> tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file
> > permissive=1
> > >>> type=AVC msg=audit(1668529035.873:309): avc: denied { lock } for
> > >>> pid=89129 comm="samba-dcerpcd"
> > >>> path="/var/lib/ctdb/persistent/registry.tdb.1" dev="dm-0"
> > ino=117620565
> > >>> scontext=system_u:system_r:winbind_rpcd_t:s0
> > >>> tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file
> > permissive=1
> > >>> type=AVC msg=audit(1668529035.873:310): avc: denied { getattr
> > } for
> > >>> pid=89129 comm="samba-dcerpcd"
> > >>> path="/var/lib/ctdb/persistent/registry.tdb.1" dev="dm-0"
> > ino=117620565
> > >>> scontext=system_u:system_r:winbind_rpcd_t:s0
> > >>> tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file
> > permissive=1
> > >>> type=AVC msg=audit(1668529035.875:311): avc: denied { setattr
> > } for
> > >>> pid=89129 comm="samba-dcerpcd" name="g_lock.tdb.1" dev="dm-0"
> > >>> ino=152097603 scontext=system_u:system_r:winbind_rpcd_t:s0
> > >>> tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file
> > permissive=1
> > >>>
> > >>> I did
> > >>> audit2allow -al -M dcerpcd
> > >>> semodule -i dcerpcd.pp
> > >>>
> > >>> It was working in Enforcing 1 mode for like 1 minute. After
> > that, again
> > >>> not working. But this time:
> > >>>
> > >>> [root at fs02 samba]# audit2allow -al
> > >>> [root at fs02 samba]#
> > >>>
> > >>> So the module is active, nothing is denied (no new entries in
> > >>> /var/log/audit/audit.log), however it's again:
> > >>>
> > >>> [2022/11/15 17:33:13, 0]
> > >>> ../../source3/lib/dbwrap/dbwrap_ctdb.c:1926(db_open_ctdb)
> > >>> Could not open tdb /var/lib/ctdb/persistent/registry.tdb.1:
> > Permission
> > >>> denied
> > >>> [2022/11/15 17:33:13, 0]
> > >>> ../../source3/lib/dbwrap/dbwrap_open.c:169(db_open)
> > >>> db_open: failed to attach to ctdb registry.tdb
> > >>> [2022/11/15 17:33:13, 0]
> > >>> ../../source3/lib/dbwrap/dbwrap_ctdb.c:1926(db_open_ctdb)
> > >>> Could not open tdb /var/lib/ctdb/persistent/registry.tdb.1:
> > Permission
> > >>> denied
> > >>> [2022/11/15 17:33:13, 0]
> > >>> ../../source3/lib/dbwrap/dbwrap_open.c:169(db_open)
> > >>> db_open: failed to attach to ctdb registry.tdb
> > >>> [2022/11/15 17:33:13, 1]
> > >>> ../../source3/registry/reg_backend_db.c:759(regdb_init)
> > >>> regdb_init: Failed to open registry
> /var/lib/samba/registry.tdb
> > >>> (Permission denied)
> > >>> [2022/11/15 17:33:13, 0]
> > >>> ../../source3/registry/reg_init_basic.c:35(registry_init_common)
> > >>> Failed to initialize the registry: WERR_ACCESS_DENIED
> > >>> [2022/11/15 17:33:13, 1]
> > >>> ../../source3/param/loadparm.c:2157(lp_smbconf_ctx)
> > >>> error initializing registry configuration: SBC_ERR_BADFILE
> > >>> Can't load /etc/samba/smb.conf - run testparm to debug it
> > >>> samba-dcerpcd - Failed to load config file!
> > >>>
> > >>>
> > >>>
> > >>>
> > >>> On Tue, 15 Nov 2022 at 16:09, Thomas Cameron via samba
> > <samba at lists.samba.org>
> > >>> wrote:
> > >>>
> > >>>> As root, what does audit2allow -al tell you?
> > >>>>
> > >>>> Here's a video I did when I was at Red Hat, talking through
> > SELinux. I
> > >>>> hope it's helpful. https://www.youtube.com/watch?v=_WOKRaM-HI4
> > >>>>
> > >>>> Thomas
> > >>>>
> > >>>> On 11/15/22 04:04, Leszek Szczepanowski via samba wrote:
> > >>>>> I think with security=user the rest is simply ignored, and
> > the local
> > >>>> auth
> > >>>>> is working fine.
> > >>>>> I will comment out that option for now. The AD integration
> > will be done
> > >>>>> later.
> > >>>>> The main problem is probably not related directly to CTDB,
> > but to what
> > >>>>> Samba is trying to access with SELinux in Enforcing mode.
> > >>>>> As there are no errors in /var/log/messages or in
> > /var/log/audit, I'm
> > >>>> lost.
> > >>>>> I forgot to say versions, so:
> > >>>>>
> > >>>>> [root at fs01 samba]# cat /etc/redhat-release
> > >>>>> CentOS Stream release 9
> > >>>>> [root at fs01 samba]# rpm -qa | grep samba
> > >>>>> samba-common-4.16.4-101.el9.noarch
> > >>>>> samba-client-libs-4.16.4-101.el9.x86_64
> > >>>>> samba-common-libs-4.16.4-101.el9.x86_64
> > >>>>> samba-libs-4.16.4-101.el9.x86_64
> > >>>>> python3-samba-4.16.4-101.el9.x86_64
> > >>>>> samba-common-tools-4.16.4-101.el9.x86_64
> > >>>>> samba-4.16.4-101.el9.x86_64
> > >>>>> samba-client-4.16.4-101.el9.x86_64
> > >>>>> samba-winbind-modules-4.16.4-101.el9.x86_64
> > >>>>> samba-winbind-4.16.4-101.el9.x86_64
> > >>>>> samba-winbind-krb5-locator-4.16.4-101.el9.x86_64
> > >>>>> samba-winbind-clients-4.16.4-101.el9.x86_64
> > >>>>> [root at fs01 samba]# rpm -qa | grep ctdb
> > >>>>> ctdb-4.16.4-101.el9.x86_64
> > >>>>> [root at fs01 samba]# uname -a
> > >>>>> Linux fs01.xxx 5.14.0-183.el9.x86_64 #1 SMP PREEMPT_DYNAMIC
> > Mon Oct 31
> > >>>>> 09:18:51 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
> > >>>>>
> > >>>>> Also, the provided errors were wrong, I was playing with
> > permissive
> > >>>> mode.
> > >>>>> In enforcing it is:
> > >>>>>
> > >>>>> [2022/11/15 11:02:08, 0]
> > >>>>> ../../source3/lib/dbwrap/dbwrap_ctdb.c:1926(db_open_ctdb)
> > >>>>> Could not open tdb /var/lib/ctdb/persistent/registry.tdb.0:
> > >>>> Permission
> > >>>>> denied
> > >>>>> [2022/11/15 11:02:08, 0]
> > >>>>> ../../source3/lib/dbwrap/dbwrap_open.c:169(db_open)
> > >>>>> db_open: failed to attach to ctdb registry.tdb
> > >>>>> [2022/11/15 11:02:08, 0]
> > >>>>> ../../source3/lib/dbwrap/dbwrap_ctdb.c:1926(db_open_ctdb)
> > >>>>> Could not open tdb /var/lib/ctdb/persistent/registry.tdb.0:
> > >>>> Permission
> > >>>>> denied
> > >>>>> [2022/11/15 11:02:08, 0]
> > >>>>> ../../source3/lib/dbwrap/dbwrap_open.c:169(db_open)
> > >>>>> db_open: failed to attach to ctdb registry.tdb
> > >>>>> [2022/11/15 11:02:08, 1]
> > >>>>> ../../source3/registry/reg_backend_db.c:759(regdb_init)
> > >>>>> regdb_init: Failed to open registry
> > /var/lib/samba/registry.tdb
> > >>>>> (Permission denied)
> > >>>>> [2022/11/15 11:02:08, 0]
> > >>>>>
> ../../source3/registry/reg_init_basic.c:35(registry_init_common)
> > >>>>> Failed to initialize the registry: WERR_ACCESS_DENIED
> > >>>>> [2022/11/15 11:02:08, 1]
> > >>>>> ../../source3/param/loadparm.c:2157(lp_smbconf_ctx)
> > >>>>> error initializing registry configuration: SBC_ERR_BADFILE
> > >>>>> Can't load /etc/samba/smb.conf - run testparm to debug it
> > >>>>> samba-dcerpcd - Failed to load config file!
> > >>>>>
> > >>>>> But in the same time, I can do testparm without any issues:
> > >>>>>
> > >>>>> [root at fs01 samba]# testparm
> > >>>>> Load smb config files from /etc/samba/smb.conf
> > >>>>> Loaded services file OK.
> > >>>>> Weak crypto is allowed
> > >>>>>
> > >>>>> Server role: ROLE_STANDALONE
> > >>>>>
> > >>>>> Press enter to see a dump of your service definitions
> > >>>>>
> > >>>>> # Global parameters
> > >>>>> [global]
> > >>>>> clustering = Yes
> > >>>>> logging = syslog
> > >>>>> netbios name = FS
> > >>>>> realm = FS.xxx
> > >>>>> registry shares = Yes
> > >>>>> security = USER
> > >>>>> workgroup = xxx
> > >>>>> idmap config * : range = 1000000-1999999
> > >>>>> ctdb:registry.tdb = yes
> > >>>>> idmap config * : backend = autorid
> > >>>>>
> > >>>>>
> > >>>>> [symptoms]
> > >>>>> path = /mnt/glusterfs/symptoms/
> > >>>>> read only = No
> > >>>>>
> > >>>>>
> > >>>>> On Tue, 15 Nov 2022 at 10:47, Rowland Penny via samba <
> > >>>> samba at lists.samba.org>
> > >>>>> wrote:
> > >>>>>
> > >>>>>> On 15/11/2022 09:21, Leszek Szczepanowski via samba wrote:
> > >>>>>>> I have very simple config for HA Samba, using CTDB.
> > >>>>>>> I have set all possible SELinux options until "denied"
> > messages
> > >>>> stopped
> > >>>>>>> appearing in /var/log/messages.
> > >>>>>>>
> > >>>>>>> All works flawlessly, just the problem is with browsing
> > Samba shares
> > >>>> with
> > >>>>>>> enforcing setting.
> > >>>>>>>
> > >>>>>>> When I try to browse shares, I'm getting this:
> > >>>>>>>
> > >>>>>>> samba-dcerpcd version 4.16.4 started.
> > >>>>>>> Copyright Andrew Tridgell and the Samba Team 1992-2022
> > >>>>>>> [2022/11/15 10:10:57.674555, 1]
> > >>>>>>>
> > ../../source3/rpc_client/cli_pipe.c:3014(rpc_pipe_open_ncalrpc)
> > >>>>>>> rpc_pipe_open_ncalrpc:
> > connect(/run/samba/ncalrpc/EPMAPPER)
> > >>>> failed: No
> > >>>>>>> such file or directory
> > >>>>>>> [2022/11/15 10:10:57.820626, 1]
> > >>>>>>> ../../source3/rpc_server/rpc_host.c:1763(rpc_worker_exited)
> > >>>>>>> rpc_worker_exited: No worker with PID 3281
> > >>>>>>> [2022/11/15 10:10:58.040001, 1]
> > >>>>>>>
> > ../../source3/rpc_server/rpc_host.c:1350(rpc_host_distribute_clients)
> > >>>>>>> rpc_host_distribute_clients: Sending new client
> > >>>>>>> /usr/libexec/samba/rpcd_winreg to 3294 with 0 clients
> > >>>>>>> [2022/11/15 10:10:58.048701, 1]
> > >>>>>>>
> > ../../source3/rpc_server/rpc_host.c:1350(rpc_host_distribute_clients)
> > >>>>>>> rpc_host_distribute_clients: Sending new client
> > >>>>>>> /usr/libexec/samba/rpcd_winreg to 3294 with 0 clients
> > >>>>>>> [2022/11/15 10:10:58.049474, 1]
> > >>>>>>>
> > ../../source3/rpc_server/rpc_host.c:1350(rpc_host_distribute_clients)
> > >>>>>>> rpc_host_distribute_clients: Sending new client
> > >>>>>>> /usr/libexec/samba/rpcd_classic to 3292 with 0 clients
> > >>>>>>> [2022/11/15 10:10:58.560868, 1]
> > >>>>>>>
> > ../../source3/rpc_server/rpc_host.c:1350(rpc_host_distribute_clients)
> > >>>>>>> rpc_host_distribute_clients: Sending new client
> > >>>>>>> /usr/libexec/samba/rpcd_classic to 3292 with 0 clients
> > >>>>>>>
> > >>>>>>> Samba is in clustered mode + registry:
> > >>>>>>>
> > >>>>>>> [root at fs01 samba]# net conf list
> > >>>>>>> [global]
> > >>>>>>> logging = syslog
> > >>>>>>> log level = 1
> > >>>>>>> netbios name = fs
> > >>>>>>> workgroup = xxx
> > >>>>>>> realm = xxx
> > >>>>>>> idmap config * : backend = autorid
> > >>>>>>> idmap config * : range = 1000000-1999999
> > >>>>>>> security = user
> > >>>>>> Now I do not know a lot about CTDB, but I do know that you
> > cannot use
> > >>>>>> 'idmap config' lines with 'security = user', they are
> > only used
> > >>>> with
> > >>>>>> a domain, so if this cluster is joined to a domain, I would
> > start by
> > >>>>>> changing 'security = user' to 'security = ADS'
> > >>>>>>
> > >>>>>> Rowland
> > >>>>>>
> > >>>>>> --
> > >>>>>> To unsubscribe from this list go to the following URL and
> > read the
> > >>>>>> instructions: https://lists.samba.org/mailman/options/samba
> > >>>>>>
> > >>>>
> > >>>> --
> > >>>> To unsubscribe from this list go to the following URL and
> > read the
> > >>>> instructions: https://lists.samba.org/mailman/options/samba
> > >>>>
> > >>>
> > >>> --
> > >>> --
> > >>> Leszek A. Szczepanowski
> > >>> twinsen at mspanc.net
> > >>>
> > >>>
> > >>>
> > >> --
> > >> --
> > >> Leszek A. Szczepanowski
> > >> twinsen at mspanc.net
> > >>
> > >
> >
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions: https://lists.samba.org/mailman/options/samba
> >
> >
> >
> > --
> > --
> > Leszek A. Szczepanowski
> > twinsen at mspanc.net
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>

--
--
Leszek A. Szczepanowski
twinsen at mspanc.net
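
The AVC records quoted in this thread all carry permissive=1, which means the access was logged but not blocked. The following is an added example, not part of any message in the thread: it groups AVC records by source type, target type and class, and reports which groups were actually blocked. The function names are hypothetical, and the final permissive=0 record is constructed for illustration.

```python
import re
from collections import defaultdict

# AVC records quoted in the thread, with the mail client's line wrapping undone.
_CTX = ('scontext=system_u:system_r:winbind_rpcd_t:s0 '
        'tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=1')
_REG = 'path="/var/lib/ctdb/persistent/registry.tdb.1" dev="dm-0" ino=117620565 '
THREAD_AVC = [
    'type=AVC msg=audit(1668528098.389:291): avc: denied { getattr } for '
    'pid=84190 comm="samba-dcerpcd" ' + _REG + _CTX,
    'type=AVC msg=audit(1668528098.389:292): avc: denied { map } for '
    'pid=84190 comm="samba-dcerpcd" ' + _REG + _CTX,
    'type=AVC msg=audit(1668528098.391:293): avc: denied { setattr } for '
    'pid=84190 comm="samba-dcerpcd" name="g_lock.tdb.1" dev="dm-0" ino=152097603 ' + _CTX,
    'type=AVC msg=audit(1668529035.873:308): avc: denied { read write } for '
    'pid=89129 comm="samba-dcerpcd" name="registry.tdb.1" dev="dm-0" ino=117620565 ' + _CTX,
    'type=AVC msg=audit(1668529035.873:308): avc: denied { open } for '
    'pid=89129 comm="samba-dcerpcd" ' + _REG + _CTX,
    'type=AVC msg=audit(1668529035.873:309): avc: denied { lock } for '
    'pid=89129 comm="samba-dcerpcd" ' + _REG + _CTX,
]

# Constructed record (NOT from the thread): the same access with enforcing on.
CONSTRUCTED_BLOCKED = (
    'type=AVC msg=audit(1700000000.000:1): avc: denied { open } for '
    'pid=1 comm="samba-dcerpcd" path="/var/lib/ctdb/persistent/registry.tdb.0" '
    'dev="dm-0" ino=1 ' + _CTX.replace('permissive=1', 'permissive=0'))

AVC_RE = re.compile(r'type=AVC msg=audit\([\d.]+:(?P<serial>\d+)\): '
                    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MODES = {'0': 'blocked', '1': 'logged only'}


def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other record type."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m['rest'])}
    return {
        'serial': int(m['serial']),
        'perms': m['perms'].split(),
        # SELinux contexts are user:role:type:level; the type is what policy matches on.
        'source': fields['scontext'].split(':')[2],
        'target': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
        'object': fields.get('path') or fields.get('name'),
        # Records without a permissive= field are reported as 'unknown'.
        'mode': MODES.get(fields.get('permissive'), 'unknown'),
    }


def summarize(lines):
    """Group denials by (source type, target type, class)."""
    groups = defaultdict(lambda: {'perms': set(), 'modes': set(), 'objects': set()})
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        g = groups[(rec['source'], rec['target'], rec['tclass'])]
        g['perms'].update(rec['perms'])
        g['modes'].add(rec['mode'])
        if rec['object']:
            g['objects'].add(rec['object'])
    return dict(groups)


def blocked(summary):
    """Keys of groups where at least one access was really denied (permissive=0)."""
    return [key for key, g in summary.items() if 'blocked' in g['modes']]


def as_rule(key, group):
    """Render one group in type-enforcement rule notation, for reading only."""
    source, target, tclass = key
    return f"allow {source} {target}:{tclass} {{ {' '.join(sorted(group['perms']))} }};"


if __name__ == '__main__':
    for key, group in summarize(THREAD_AVC + [CONSTRUCTED_BLOCKED]).items():
        print(as_rule(key, group), '#', ', '.join(sorted(group['modes'])))
```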