spnti
2024-Jun-12 14:24 UTC
[Samba] Apparent conflict between shadow_copy and virusfilter modules
Hello
I'm having a problem using the virusfilter and shadow_copy2 modules which,
unless I'm mistaken, seems like a conflict between these modules. If I use
the virusfilter, acl_xattr, recycle, shadow_copy2 and full_audit modules
together, everything works perfectly, if I use the NOTHING, RENAME or
DELETE actions of the virusfilter module. If I choose to use the QUARANTINE
action for the virusfilter module, I lose access to my shares and the
following messages appear in the logs:
[2024/06/12 07:49:27.549438, 0]
source3/modules/vfs_shadow_copy2.c:1180(shadow_copy2_stat)
shadow_copy2_stat() failed to get vfs_handle->data!
[2024/06/12 07:49:27.549795, 0]
source3/modules/vfs_shadow_copy2.c:1180(shadow_copy2_stat)
shadow_copy2_stat() failed to get vfs_handle->data!
[2024/06/12 07:49:27.550885, 0]
source3/modules/vfs_shadow_copy2.c:1180(shadow_copy2_stat)
shadow_copy2_stat() failed to get vfs_handle->data!
[2024/06/12 07:49:27.551026, 0]
source3/modules/vfs_shadow_copy2.c:1180(shadow_copy2_stat)
shadow_copy2_stat() failed to get vfs_handle->data!
[2024/06/12 07:49:27.552212, 0]
source3/modules/vfs_shadow_copy2.c:1180(shadow_copy2_stat)
shadow_copy2_stat() failed to get vfs_handle->data!
[2024/06/12 07:49:27.552344, 0]
source3/modules/vfs_shadow_copy2.c:1180(shadow_copy2_stat)
shadow_copy2_stat() failed to get vfs_handle->data!
[2024/06/12 07:49:27.553955, 0]
source3/modules/vfs_shadow_copy2.c:1180(shadow_copy2_stat)
shadow_copy2_stat() failed to get vfs_handle->data!
[2024/06/12 07:49:27.554074, 0]
source3/modules/vfs_shadow_copy2.c:1180(shadow_copy2_stat)
shadow_copy2_stat() failed to get vfs_handle->data!
If I keep the virusfilter module using the QUARANTINE action, keep the
acl_xattr, recycle and full_audit modules and remove the shadow_copy2
module, everything works perfectly again.
If I keep the shadow_copy2, acl_xattr, recycle and full_audit modules and
remove the virusfilter module (QUARANTINE action), everything works
perfectly again.
If I keep all the virusfilter, acl_xattr, recycle, shadow_copy2 and
full_audit modules and change the virusfilter module action to NOTHING,
RENAME or DELETE everything works perfectly again.
As I was unable to solve the problem, nor did I find references on the
internet or in books, I read the source code of the virusfilter and
shadow_copy modules, but, as the log messages were very inconclusive for
me, even using logs at level 10, I just managed to understand that the
log message comes from line 1180 of shadow_copy2.
I'm using Debian 12.5 with Samba 4.20.1 (backports), but I've already
tested the same settings in other versions of Samba and the problem repeats
itself.
Below are the settings I'm using for Samba.
#
# Global parameters
#
[global]
security = ADS
server role = member server
netbios name = fileserver
netbios aliases = fileserver
workgroup = EXAMPLE
realm = EXAMPLE.ADLAN
#
# Recommended Kerberos Setup
#
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
#
# Logs
#
log file = /var/log/samba/%h.log
max log size = 2048
log level = 2
#
# To BUILTIN groups and users
#
idmap config *:backend = tdb
idmap config *:range = 3000-7999
#
# To other domain groups and users
#
idmap config EXAMPLE:backend = rid
idmap config EXAMPLE:range = 1000000-1999999
idmap config EXAMPLE:base_rid = 0
idmap config EXAMPLE:unix_primary_group = yes
idmap config EXAMPLE:unix_nss_info = no
#
# Automatic kerberos ticket renovation
#
winbind refresh tickets = yes
#
# Remove domain prefix
#
winbind use default domain = yes
#
# Define shell
#
template shell = /bin/bash
template homedir = /home/%D/%U
#
# Disabling printer share
#
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
#
# Load Samba modules
#
vfs objects = virusfilter acl_xattr recycle shadow_copy2 full_audit
#
# acl_xattr module settings
#
map acl inherit = yes
#
# Take care
#
sync always = yes
strict sync = yes
#
# File Enumeration
#
access based share enum = yes
hide unreadable = yes
hide dot files = yes
hide special files = yes
hide files = /*.ntx/*.tmp/*.log/
#
# Take care
#
veto files = /*.exe/*.run/*.bin/*.msi/*.php/*.asp/*.aspx/*.js/*.java/*.c/*.cpp/*.sh/*.bat/*.dll/*.{*}/
delete veto files = no
#
# recycle module settings
#
recycle:keeptree = yes
recycle:versions = yes
recycle:repository = /srv/data/shares/lixeira/%U
recycle:directory_mode = 0770
recycle:exclude = *.dll, *.tmp, *.log, *.bak, *.obj, *.old, ~*.*, *.~*
recycle:exclude_dir = cache, temp, tmp, TEMP, TMP
#
# virusfilter module settings - Action NOTHING - WORKS PERFECTLY
#
#virusfilter:scanner = clamav
#virusfilter:socket path = /run/clamav/clamd.ctl
##virusfilter:socket path = /run/clamd.scan/clamd.sock
#virusfilter:scan on open = yes
#virusfilter:scan on close = yes
#virusfilter:max file size = 100000000
#virusfilter:min file size = 1
#virusfilter:infected file action = nothing
#virusfilter:infected file command = /usr/sbin/createWarningFile.sh %U NOTHING
#virusfilter:scan error command = /usr/bin/python3 /usr/sbin/alert.pyc ERROR %h
#
# virusfilter module settings - Action QUARANTINE - CONFLICT WITH SHADOW_COPY2 MODULE
#
virusfilter:scanner = clamav
virusfilter:socket path = /run/clamav/clamd.ctl
#virusfilter:socket path = /run/clamd.scan/clamd.sock
virusfilter:scan on open = yes
virusfilter:scan on close = yes
virusfilter:max file size = 100000000
virusfilter:min file size = 1
virusfilter:infected file action = quarantine
virusfilter:quarantine directory = /srv/data/shares/quarantine/
virusfilter:quarantine prefix =
virusfilter:quarantine suffix =
virusfilter:quarantine keep tree = no
virusfilter:quarantine keep name = yes
virusfilter:infected file errno on open = EACCES
virusfilter:infected file errno on close = EACCES
virusfilter:infected file command = /usr/sbin/createWarningFile.sh %U QUARANTINE
virusfilter:scan error command = /usr/bin/python3 /usr/sbin/alert.pyc ERROR %h
#
# virusfilter module settings - Action RENAME - WORKS PERFECTLY
#
#virusfilter:scanner = clamav
#virusfilter:socket path = /run/clamav/clamd.ctl
#virusfilter:scan on open = yes
#virusfilter:scan on close = yes
#virusfilter:max file size = 100000000
#virusfilter:min file size = 1
#virusfilter:infected file action = rename
#virusfilter:infected file command = /usr/sbin/createWarningFile.sh %U RENAME
#virusfilter:scan error command = /usr/bin/python3 /usr/sbin/alert.pyc ERROR %h
#
# virusfilter module settings - Action DELETE - WORKS PERFECTLY
#
#virusfilter:scanner = clamav
#virusfilter:socket path = /run/clamav/clamd.ctl
#virusfilter:scan on open = yes
#virusfilter:scan on close = yes
#virusfilter:max file size = 100000000
#virusfilter:min file size = 1
#virusfilter:infected file action = delete
#virusfilter:infected file errno on open = EACCES
#virusfilter:infected file errno on close = EACCES
#virusfilter:infected file command = /usr/sbin/createWarningFile.sh %U DELETE
#virusfilter:scan error command = /usr/bin/python3 /usr/sbin/alert.pyc ERROR %h
#
# shadow_copy2 module settings
#
shadow:basedir = /srv/data/shares
shadow:snapdir = .zfs/snapshot
shadow:sort = desc
shadow:format = UTC-3-%Y.%m.%d-%H.%M.%S
shadow:localtime = yes
#
# full_audit module settings
#
full_audit:prefix = %U|%I|%S
full_audit:success = fchmod fchown lchown mkdirat open read renameat write
full_audit:failure = all !open
full_audit:facility = LOCAL7
full_audit:priority = ALERT

[public_share]
path = /srv/data/shares/public_share
read only = no
acl_xattr:ignore system acl = yes

[trash]
path = /srv/data/shares/trash/%U
read only = no
browseable = no
root preexec = /usr/sbin/create_user_dir.sh /srv/data/shares/trash %U
vfs objects = virusfilter acl_xattr full_audit

[quarantine]
path = /srv/data/shares/quarantine
read only = no
vfs objects = acl_xattr full_audit
I appreciate the help. Thanks.
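
Added example (not part of the original post and not Samba code): a small Python check that resolves each share's effective "vfs objects" stack and lists the shares where shadow_copy2 and virusfilter with the quarantine action are both active, the combination the post above reports as failing. The sample smb.conf is constructed from the posted settings and the function names are hypothetical; it assumes an unset action behaves like "nothing" and does not follow include directives or line continuations.

```python
import re

# Constructed sample, reduced from the settings quoted in the post above.
SAMPLE_CONF = """\
[global]
vfs objects = virusfilter acl_xattr recycle shadow_copy2 full_audit
virusfilter:infected file action = quarantine
virusfilter:quarantine directory = /srv/data/shares/quarantine/
[public_share]
path = /srv/data/shares/public_share
[trash]
path = /srv/data/shares/trash/%U
vfs objects = virusfilter acl_xattr full_audit
[quarantine]
path = /srv/data/shares/quarantine
vfs objects = acl_xattr full_audit
"""

def effective_shares(text):
    """Return {share: settings}; a share-level value replaces the [global] one."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            # Parameter names are case-insensitive; normalise spacing as well.
            current[re.sub(r"\s+", " ", key.strip().lower())] = value.strip()
    base = sections.pop("global", {})
    return {name: {**base, **opts} for name, opts in sections.items()}

def reported_combination(text):
    """Shares loading shadow_copy2 together with virusfilter in quarantine mode."""
    hits = []
    for share, opts in effective_shares(text).items():
        stack = set(opts.get("vfs objects", "").split())
        # Assumption: an unset action behaves like "nothing".
        action = opts.get("virusfilter:infected file action", "nothing").lower()
        if {"virusfilter", "shadow_copy2"} <= stack and action == "quarantine":
            hits.append(share)
    return sorted(hits)

if __name__ == "__main__":
    for share in reported_combination(SAMPLE_CONF):
        print(f"[{share}]: shadow_copy2 + virusfilter (quarantine) both active")
```

With the sample above only public_share is listed, because trash and quarantine set their own "vfs objects" without shadow_copy2.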
Rowland Penny
2024-Jun-12 14:43 UTC
[Samba] Apparent conflict between shadow_copy and virusfilter modules
On Wed, 12 Jun 2024 11:24:51 -0300 spnti via samba <samba at lists.samba.org> wrote:

> Hello
>
> I'm having a problem using the virusfilter and shadow_copy2 modules
> which, unless I'm mistaken, seems like a conflict between these
> modules. If I use the virusfilter, acl_xattr, recycle, shadow_copy2
> and full_audit modules together, everything works perfectly, if I use
> the NOTHING, RENAME or DELETE actions of the virusfilter module. If I
> choose to use the QUARANTINE action for the virusfilter module, I
> lose access to my shares and the following messages appear in the
> logs:
>
> [2024/06/12 07:49:27.549438, 0]
> source3/modules/vfs_shadow_copy2.c:1180(shadow_copy2_stat)
> shadow_copy2_stat() failed to get vfs_handle->data!
> [2024/06/12 07:49:27.549795, 0]
> source3/modules/vfs_shadow_copy2.c:1180(shadow_copy2_stat)
> shadow_copy2_stat() failed to get vfs_handle->data!
> [2024/06/12 07:49:27.550885, 0]
> source3/modules/vfs_shadow_copy2.c:1180(shadow_copy2_stat)
> shadow_copy2_stat() failed to get vfs_handle->data!
> [2024/06/12 07:49:27.551026, 0]
> source3/modules/vfs_shadow_copy2.c:1180(shadow_copy2_stat)
> shadow_copy2_stat() failed to get vfs_handle->data!
> [2024/06/12 07:49:27.552212, 0]
> source3/modules/vfs_shadow_copy2.c:1180(shadow_copy2_stat)
> shadow_copy2_stat() failed to get vfs_handle->data!
> [2024/06/12 07:49:27.552344, 0]
> source3/modules/vfs_shadow_copy2.c:1180(shadow_copy2_stat)
> shadow_copy2_stat() failed to get vfs_handle->data!
> [2024/06/12 07:49:27.553955, 0]
> source3/modules/vfs_shadow_copy2.c:1180(shadow_copy2_stat)
> shadow_copy2_stat() failed to get vfs_handle->data!
> [2024/06/12 07:49:27.554074, 0]
> source3/modules/vfs_shadow_copy2.c:1180(shadow_copy2_stat)
> shadow_copy2_stat() failed to get vfs_handle->data!
>
> If I keep the virusfilter module using the QUARANTINE action, keep the
> acl_xattr, recycle and full_audit modules and remove the shadow_copy2
> module, everything works perfectly again.
>
> If I keep the shadow_copy2, acl_xattr, recycle and full_audit modules
> and remove the virusfilter module (QUARANTINE action), everything
> works perfectly again.
>
> If I keep all the virusfilter, acl_xattr, recycle, shadow_copy2 and
> full_audit modules and change the virusfilter module action to
> NOTHING, RENAME or DELETE everything works perfectly again.
>
> As I was unable to solve the problem, nor did I find references on the
> internet or in books, I read the source code of the virusfilter and
> shadow_copy modules, but, as the log messages were very inconclusive
> for me, even using logs at level 10, I just managed to understand
> that the log message comes from line 1180 of shadow_copy2.
>
> I'm using Debian 12.5 with Samba 4.20.1 (backports), but I've already
> tested the same settings in other versions of Samba and the problem
> repeats itself.
>
> Below are the settings I'm using for Samba.
>
> *## Global parameters#[global]security = ADSserver role = member
> servernetbios name = fileservernetbios aliases = fileserverworkgroup
> EXAMPLErealm = EXAMPLE.ADLAN## Recommended Kerberos Setup#dedicated
> keytab file = /etc/krb5.keytabkerberos method = secrets and keytab##
> Logs#log file = /var/log/samba/%h.logmax log size = 2048log level
> 2## To BUILTIN groups and users#idmap config *:backend = tdbidmap
> config *:range = 3000-7999 ## To other domain groups and users#idmap
> config EXAMPLE:backend = rididmap config EXAMPLE:range
> 1000000-1999999idmap config EXAMPLE:base_rid = 0idmap config
> EXAMPLE:unix_primary_group = yesidmap config EXAMPLE:unix_nss_info
> no## Automatic kerberos ticket renovation#winbind refresh tickets
> yes## Remove domain prefix#winbind use default domain = yes## Define
> shell#template shell = /bin/bashtemplate homedir = /home/%D/%U##
> Disabling printer share#load printers = noprinting = bsdprintcap name
> = /dev/nulldisable spoolss = yes## Load Samba modules#vfs objects
> virusfilter acl_xattr recycle shadow_copy2 full_audit## acl_xattr
> module settings#map acl inherit = yes## Take care#sync always
> yesstrict sync = yes## File Enumeration#access based share enum
> yeshide unreadable = yeshide dot files = yeshide special files
> yeshide files = /*.ntx/*.tmp/*.log/## Take care#veto files
> /*.exe/*.run/*.bin/*.msi/*.php/*.asp/*.aspx/*.js/*.java/*.c/*.cpp/*.sh/*.bat/*.dll/*.{*}/delete
> veto files = no## recycle module settings#recycle:keeptree
> yesrecycle:versions = yesrecycle:repository
> /srv/data/shares/lixeira/%Urecycle:directory_mode
> 0770recycle:exclude = *.dll, *.tmp, *.log, *.bak, *.obj, *.old, ~*.*,
> *.~*recycle:exclude_dir = cache, temp, tmp, TEMP, TMP## virusfilter
> module settings - Action NOTHING
> - WORKS PERFECTLY##virusfilter:scanner = clamav#virusfilter:socket
> path = /run/clamav/clamd.ctl##virusfilter:socket path
> /run/clamd.scan/clamd.sock#virusfilter:scan on open
> yes#virusfilter:scan on close = yes#virusfilter:max file size
> 100000000#virusfilter:min file size = 1#virusfilter:infected file
> action = nothing#virusfilter:infected file command
> /usr/sbin/createWarningFile.sh %U NOTHING #virusfilter:scan error
> command = /usr/bin/python3 /usr/sbin/alert.pyc ERROR %h## virusfilter
> module settings - Action QUARANTINE - CONFLICT WITH SHADOW_COPY2
> MODULE#virusfilter:scanner = clamavvirusfilter:socket path
> /run/clamav/clamd.ctl#virusfilter:socket path
> /run/clamd.scan/clamd.sockvirusfilter:scan on open
> yesvirusfilter:scan on close = yesvirusfilter:max file size
> 100000000virusfilter:min file size = 1virusfilter:infected file
> action = quarantinevirusfilter:quarantine directory
> /srv/data/shares/quarantine/virusfilter:quarantine prefix
> virusfilter:quarantine suffix = virusfilter:quarantine keep tree
> novirusfilter:quarantine keep name = yesvirusfilter:infected file
> errno on open = EACCESvirusfilter:infected file errno on close
> EACCESvirusfilter:infected file command
> /usr/sbin/createWarningFile.sh %U QUARANTINEvirusfilter:scan error
> command = /usr/bin/python3 /usr/sbin/alert.pyc ERROR %h## virusfilter
> module settings - Action RENAME
> - WORKS PERFECTLY##virusfilter:scanner = clamav#virusfilter:socket
> path = /run/clamav/clamd.ctl#virusfilter:scan on open
> yes#virusfilter:scan on close = yes#virusfilter:max file size
> 100000000#virusfilter:min file size = 1#virusfilter:infected file
> action = rename#virusfilter:infected file command
> /usr/sbin/createWarningFile.sh %U RENAME #virusfilter:scan error
> command = /usr/bin/python3 /usr/sbin/alert.pyc ERROR %h## virusfilter
> module settings - Action DELETE - WORKS
> PERFECTLY##virusfilter:scanner = clamav#virusfilter:socket path
> /run/clamav/clamd.ctl#virusfilter:scan on open = yes#virusfilter:scan
> on close = yes#virusfilter:max file size = 100000000#virusfilter:min
> file size = 1#virusfilter:infected file action
> delete#virusfilter:infected file errno on open
> EACCES#virusfilter:infected file errno on close
> EACCES#virusfilter:infected file command
> /usr/sbin/createWarningFile.sh %U DELETE#virusfilter:scan error
> command = /usr/bin/python3 /usr/sbin/alert.pyc ERROR %h##
> shadow_copy2 module settings#shadow:basedir
> /srv/data/sharesshadow:snapdir = .zfs/snapshotshadow:sort
> descshadow:format = UTC-3-%Y.%m.%d-%H.%M.%Sshadow:localtime = yes##
> full_audit module settings#full_audit:prefix
> %U|%I|%Sfull_audit:success = fchmod fchown lchown mkdirat open read
> renameat writefull_audit:failure = all !openfull_audit:facility
> LOCAL7full_audit:priority = ALERT[public_share] path
> /srv/data/shares/public_share read only = no acl_xattr:ignore
> system acl = yes[trash] path = /srv/data/shares/trash/%U read
> only = no browseable = no root preexec
> /usr/sbin/create_user_dir.sh /srv/data/shares/trash %U vfs objects
> = virusfilter acl_xattr full_audit[quarantine] path
> /srv/data/shares/quarantine read only = no vfs objects
> acl_xattr full_audit*
>
> I appreciate the help. Thanks.

The above is how I received it, can you please try again, but this time
with an email client that doesn't squash your smb.conf onto what appears
to be one line.

Rowland