Matthias Kühne | Ellerhold Aktiengesellschaft
2023-Jan-23 08:27 UTC
[Samba] Permissions on rpcd_classic and missing logrotate config
Hello fellow samba users,

we're using Samba 4.16 from corpit.ru/mjt/samba in debian 11 and having some problems (I guess?).

We've got two problems in that configuration that may be less samba related but more packaging related. Nevertheless input is valuable from samba itself.

Our first problem is the permissions for the log.rpcd_classic file.

[2023/01/20 17:30:19.408261,  0] ../../lib/util/debug.c:1224(reopen_one_log)
Jan 20 17:30:19 fileserver rpcd_classic[497878]:   reopen_one_log: Unable to open new log file '/var/log/samba/log.rpcd_classic': Permission denied

/var/log/samba has permission of 0750 and the log.rpcd_classic has 0644.

The process rpcd_classic is run as root but as soon as you connect it seems to switch to the UID of the connecting user. And because the world writable bit on the log file is missing and the execute bit on the directory is missing.

What we've done is given the parent directory 0755 and 0666 to the log file. Correct? Can this be done in either packaging or samba itself?

During debug we've discovered a second problem: the logrotate configuration is incomplete. The following files are not rotated properly:

* /var/log/samba/log.rpcd_*
* /var/log/samba/log.samba-*
* /var/log/samba/log.wb-*
* /var/log/samba/log.winbindd-*

We've added a new logrotate config for that, but we're unsure which services need to be reloaded in order for the daemons to open the new files. That's why we've used "smbcontrol winbindd reload-config" and "smbcontrol smbd reload-config" together.

@Samba: Can you tell us which services need to be reloaded for which files?

@MJT: Can you add this logrotate config to the packages pls?

Thanks!

--
Senior Web Developer, Data Protection Officer
Ellerhold Aktiengesellschaft
Michael Tokarev
2023-Jan-23 12:20 UTC
[Samba] Permissions on rpcd_classic and missing logrotate config
23.01.2023 11:27, Matthias Kühne | Ellerhold Aktiengesellschaft via samba wrote:
> Hello fellow samba users,
>
> we're using Samba 4.16 from corpit.ru/mjt/samba in debian 11 and having
> some problems (I guess?).
>
> We've got two problems in that configuration that may be less samba
> related but more packaging related. Nevertheless input is valuable from
> samba itself.
>
> Our first problem is the permissions for the log.rpcd_classic file.
>
> [2023/01/20 17:30:19.408261,  0] ../../lib/util/debug.c:1224(reopen_one_log)
> Jan 20 17:30:19 fileserver rpcd_classic[497878]:   reopen_one_log:
> Unable to open new log file '/var/log/samba/log.rpcd_classic':
> Permission denied

This one I cannot comment on for now, looks like it is a samba problem indeed. I don't even know what this service is for, and how to use it. IIRC, it is something new in 4.16.

..
> During debug we've discovered a second problem: the logrotate
> configuration is incomplete. The following files are not rotated properly:
>
> * /var/log/samba/log.rpcd_*
> * /var/log/samba/log.samba-*
> * /var/log/samba/log.wb-*
> * /var/log/samba/log.winbindd-*

I haven't looked at the logrotate config in the package since I inherited it. You're right, this list needs to be extended with 4.16+ (and it looks like it needed to be extended even before 4.16). I'm tempted to use /var/log/samba/log.* pattern in there because of the changing nature of these files and because of the possibility to use log.%m (or log.%I) patterns in there too.

> @Samba: Can you tell us which services need to be reloaded for which
> files?

This is a good question. I'm not sure it needs to be reloaded at all though - I'll take a look.

> @MJT: Can you add this logrotate config to the packages pls?

I don't plan to change 4.16 packages at this time, besides adding upstream releases as they come. But I sure will include the logrotate changes into 4.17/4.18 packages for debian (and hence ubuntu).

Thank you for noticing this omission!

/mjt
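
An added example, not part of the original thread or of the Samba packages: a shell function that reports the mode bits discussed in the first message for the four file patterns listed there, and flags log files that are world-writable (any local user could then modify or truncate them). The function name and the finding labels are made up for this example, and GNU `stat -c` is assumed, as on Debian.

```shell
#!/bin/sh
# Hypothetical helper (added example): audit a Samba log directory.
# Usage: audit_samba_logs /var/log/samba
# Prints one finding per line: LABEL PATH MODE

audit_samba_logs() {
    dir=$1

    # Octal mode of the directory, e.g. 750 or 755 (GNU stat assumed).
    dmode=$(stat -c '%a' "$dir") || return 2

    # The last octal digit holds the bits for "other". Without the
    # execute (search) bit there, a process running under an unrelated
    # UID cannot open any file inside the directory, whatever the
    # file's own mode is.
    case $dmode in
        *[1357]) echo "DIR_SEARCHABLE_BY_OTHER $dir $dmode" ;;
        *)       echo "DIR_CLOSED_TO_OTHER $dir $dmode" ;;
    esac

    # Only the patterns named in the thread as missing from logrotate.
    for f in "$dir"/log.rpcd_* "$dir"/log.samba-* \
             "$dir"/log.wb-* "$dir"/log.winbindd-*; do
        # An unmatched glob stays literal; skip it.
        [ -f "$f" ] || continue
        fmode=$(stat -c '%a' "$f")

        # Write bit for "other" is set when the last digit is 2, 3, 6 or 7.
        case $fmode in
            *[2367]) echo "WORLD_WRITABLE $f $fmode" ;;
            *)       echo "NOT_WORLD_WRITABLE $f $fmode" ;;
        esac
    done
}
```
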