samba - Feb 2024 - Error: Failed to open share info database /var/lib/samba/share_info.tdb

Hello people,

on my way to implement a new file server for my enterprise I stumble 
over a problem which I never had before with older samba versions and 
this _might_ be a new unaddressed bug in samba. First some details 
regarding my environment:

-------
OS: Debian bookworm (12)
Samba-Version: stock debian 4.17.12 (also tried 4.19.4 from backports 
with no luck)
Environment: Samba configured as member server in an existing 
environment
smb.conf (see end of my mail for better readability):
-------

As you can see in my smb.conf I have a share named "Users" which will 
hold users personal data later on. As per the recommendations in the 
samba wiki I have to set share permissions on it (see 
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs#Setting_Share_Permissions_and_ACLs)
and THIS does not work.
When I try to set share permissions (not the security tab, I really talk 
about the tab "share permission") my settings are not stored in any
way
but reverted immediately after cliking "ok". Samba log spits out the 
following message:

Feb 01 08:20:19 fs1 rpcd_classic[600]: [2024/02/01 08:20:19.721212,  0] 
source3/lib/sharesec.c:161(share_info_db_init)
Feb 01 08:20:19 fs1 rpcd_classic[600]:   Failed to open share info 
database /var/lib/samba/share_info.tdb (Keine Berechtigung)

"Keine Berechtigung" means "no permission" or "access
denied". These are
the permissions on the file:
root at fs1:/var/lib/samba# ls -la share_info.tdb
-rwx------ 1 root root 421888  1. Feb 08:20 share_info.tdb

Now I tried just for testing to set permissions 777 on this file an et 
voila, share permissions are beeing stored without any error.

I have found a bug on bugzilla which looks similar but with a different 
topic - but maybe the reason for the bug might be the same:
https://bugzilla.samba.org/show_bug.cgi?id=15265

Now we are at the point where I need your help to identify the cause for 
my problem:
a) is it wrong file system permissions on the file, so I should blame 
debian package maintainers to correct it?
b) is there a bug similar to bug no. 15265 as stated above, so I would 
open a new bug on samba bugzilla
c) is it may fault because I have made a configuration error, so I would 
blame myself and ask you kindly for a hint into the right direction ...

Thank you in advance for your advice :)
Thomas



################
### SMB.CONF ###
################

[global]
### Grundkonfiguration ###
      security = ADS
      workgroup = ADVITT
      realm = ADVITT.SITE

      log file = /var/log/samba/%m.log
      log level = 1

      # The default (*) domain:
      idmap config * : backend = tdb
      idmap config * : range = 3000-7999

      # The ADVITT Domain:
      idmap config ADVITT : backend = rid
      idmap config ADVITT : range = 10000-99000

      template shell = /bin/bash
      template homedir = /home/%U

      vfs objects = acl_xattr full_audit recycle
      map acl inherit = yes

### Erweiterte Konfiguration ? Features ###
### G?ltig f?r alle Shares

      full_audit:prefix = %u|%I|%m|%S
      full_audit:failure = none
      full_audit:facility = local7
      full_audit:priority = NOTICE

      recycle:repository = .recycle
      recycle:directory_mode = 0770
      recycle:keeptree = yes
      recycle:versions = yes
      recycle:touch = yes
      recycle:touch_mtime = yes
      recycle:maxsize = 0

############################
### Allgemeine Freigaben ###
############################

[Users]
      path = /data/shares/Users
      comment = Pers?nliche Benutzerordner
      read only = no

### [cut of other share definitions because they are all the same 
config] ###

-- 
Bestattungen Vitt oHG
Inhaber Willi & Thomas Reitelbach
Rochusstra?e 176
53123 Bonn-Duisdorf
Registergericht: Amtsgericht Bonn, HRA 7958

Facebook:     http://www.facebook.de/bestattungenvitt
Gedenkportal: http://begleiten.bestattungen-vitt.de
Internet:     http://www.bestattungen-vitt.de

Telefon: 0228 - 62 68 68
Fax: 0228 - 978 30 36

On Thu, 01 Feb 2024 08:58:29 +0100
Bestattungen Vitt - Thomas Reitelbach via samba <samba at lists.samba.org>
wrote:
> Hello people,
> 
> on my way to implement a new file server for my enterprise I stumble 
> over a problem which I never had before with older samba versions and 
> this _might_ be a new unaddressed bug in samba. First some details 
> regarding my environment:
> 
> -------
> OS: Debian bookworm (12)
> Samba-Version: stock debian 4.17.12 (also tried 4.19.4 from backports 
> with no luck)
> Environment: Samba configured as member server in an existing 
> environment
> smb.conf (see end of my mail for better readability):
> -------
> 
> As you can see in my smb.conf I have a share named "Users" which
will
> hold users personal data later on. As per the recommendations in the 
> samba wiki I have to set share permissions on it (see 
>
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs#Setting_Share_Permissions_and_ACLs)
> and THIS does not work.
> When I try to set share permissions (not the security tab, I really
> talk about the tab "share permission") my settings are not stored
in
> any way but reverted immediately after cliking "ok". Samba log
spits
> out the following message:
> 
> Feb 01 08:20:19 fs1 rpcd_classic[600]: [2024/02/01 08:20:19.721212,
> 0] source3/lib/sharesec.c:161(share_info_db_init)
> Feb 01 08:20:19 fs1 rpcd_classic[600]:   Failed to open share info 
> database /var/lib/samba/share_info.tdb (Keine Berechtigung)
> 
> "Keine Berechtigung" means "no permission" or
"access denied". These
> are the permissions on the file:
> root at fs1:/var/lib/samba# ls -la share_info.tdb
> -rwx------ 1 root root 421888  1. Feb 08:20 share_info.tdb
> 
> Now I tried just for testing to set permissions 777 on this file an
> et voila, share permissions are beeing stored without any error.
> 
> I have found a bug on bugzilla which looks similar but with a
> different topic - but maybe the reason for the bug might be the same:
> https://bugzilla.samba.org/show_bug.cgi?id=15265
> 
> Now we are at the point where I need your help to identify the cause
> for my problem:
> a) is it wrong file system permissions on the file, so I should blame 
> debian package maintainers to correct it?
> b) is there a bug similar to bug no. 15265 as stated above, so I
> would open a new bug on samba bugzilla
> c) is it may fault because I have made a configuration error, so I
> would blame myself and ask you kindly for a hint into the right
> direction ...
> 
> Thank you in advance for your advice :)
> Thomas
You may be correct about the reason, but using 'become_root()' isn't
really a good idea (in my opinion), it possibly might lead to another
attack vector.

What I cannot understand is why you feel you need to alter the 'share'
tab, I never have. It is always (in my experience) set to just
'EVERYONE' with 'Allow' Full Control, Change and Read
permissions.

The tab you need to change is the 'Security' tab and the wiki page
tells you this.

Rowland

Am 01.02.24 um 08:58 schrieb Bestattungen Vitt - Thomas Reitelbach via 
samba:
> c) is it may fault because I have made a configuration error, so I would 
> blame myself and ask you kindly for a hint into the right direction ...
Are you doing this with an account that has "SeDiskOperatorPrivilege"
set?

Regards


Christian