[Bug 666450] New: smbd crash on start, cannot open secrets.tdb
https://bugzilla.novell.com/show_bug.cgi?id=666450

https://bugzilla.novell.com/show_bug.cgi?id=666450#c0

Summary: smbd crash on start, cannot open secrets.tdb
Classification: openSUSE
Product: openSUSE 11.4
Version: Factory
Platform: x86-64
OS/Version: Other
Status: NEW
Severity: Major
Priority: P5 - None
Component: Samba
AssignedTo: samba-maintainers@SuSE.de
ReportedBy: Joachim.Reichelt@helmholtz-hzi.de
QAContact: samba-maintainers@SuSE.de
Found By: ---
Blocker: ---

Created an attachment (id=409705)
 --> (http://bugzilla.novell.com/attachment.cgi?id=409705)
strace -f `which smbd` > 1 2&>a

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:2.0b9) Gecko/20110110 Firefox/4.0b9

I cannot start smbd. It immediately crashes silently.

Reproducible: Always

Steps to Reproduce:
rcsmbd start
ps -ef | grep smbd
(is empty)

To see what is going on I did an strace:
strace -F /usr/sbin/smbd

after:
rpm -e samba ... (all packages with samba in the name)
rm -rf /etc/samba /var/lib/samba /var/log/samba
zypper in samba-client samba

strace -f `which smbd` > 1 2&>a

File a is attached

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=666450

https://bugzilla.novell.com/show_bug.cgi?id=666450#c1

--- Comment #1 from Joachim Reichelt <Joachim.Reichelt@helmholtz-hzi.de> 2011-01-23 20:57:54 UTC ---
*** Bug 666451 has been marked as a duplicate of this bug. ***
http://bugzilla.novell.com/show_bug.cgi?id=666451
https://bugzilla.novell.com/show_bug.cgi?id=666450

https://bugzilla.novell.com/show_bug.cgi?id=666450#c2

Lars Müller <lmuelle@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO
       InfoProvider|                            |Joachim.Reichelt@helmholtz-hzi.de

--- Comment #2 from Lars Müller <lmuelle@novell.com> 2011-01-24 18:19:13 CET ---
Are you using apparmor? If yes, please disable it and try again to ensure your (or the current default) apparmor configuration doesn't cause this.
https://bugzilla.novell.com/show_bug.cgi?id=666450

https://bugzilla.novell.com/show_bug.cgi?id=666450#c3

Joachim Reichelt <Joachim.Reichelt@helmholtz-hzi.de> changed:

           What    |Removed                           |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                          |NEW
       InfoProvider|Joachim.Reichelt@helmholtz-hzi.de |

--- Comment #3 from Joachim Reichelt <Joachim.Reichelt@helmholtz-hzi.de> 2011-01-25 18:17:10 UTC ---
It seems to be apparmor.

# rcapparmor stop
# rcsmb start
# ps -ef | grep mbd
root 3487 1 0 19:11 ? 00:00:00 /usr/sbin/nmbd -D -s /etc/samba/smb.conf
root 4401 1 0 19:11 ? 00:00:00 /usr/sbin/smbd -D -s /etc/samba/smb.conf
root 4403 4401 0 19:11 ? 00:00:00 /usr/sbin/smbd -D -s /etc/samba/smb.conf
root 5614 5517 0 19:15 pts/0 00:00:00 grep mbd
======
I did not change anything in apparmor after upgrade to 11.4m*
So this is the default (or some leftover)
https://bugzilla.novell.com/show_bug.cgi?id=666450

https://bugzilla.novell.com/show_bug.cgi?id=666450#c4

--- Comment #4 from Joachim Reichelt <Joachim.Reichelt@helmholtz-hzi.de> 2011-01-25 18:48:55 UTC ---
O.K. I checked the apparmor install.
There are TWO trees under /etc:
/etc/apparmor
/etc/apparmor.d

/etc# grep -r secrets. apparmor*
apparmor/profiles/extras/usr.sbin.smbd: /etc/samba/secrets.tdb rw,
apparmor/severity.db:/etc/ppp/*secrets 8 6 0

So I added the /etc-lines from apparmor/profiles... to the apparmor.d/... file and started apparmor.
Now smbd stops with:
[2011/01/25 19:40:35.627021, 1] lib/util_tdb.c:521(tdb_wrap_log)
  tdb(unnamed): tdb_open_ex: failed to get global lock on /etc/samba/secrets.tdb: Keine Berechtigung
[2011/01/25 19:40:35.627267, 0] passdb/secrets.c:73(secrets_init)
  Failed to open /etc/samba/secrets.tdb
[2011/01/25 19:40:35.627618, 0] smbd/server.c:1235(main)

So it is a misconfiguration of apparmor.
https://bugzilla.novell.com/show_bug.cgi?id=666450

https://bugzilla.novell.com/show_bug.cgi?id=666450#c5

Lars Müller <lmuelle@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |samba-maintainers@SuSE.de
         AssignedTo|samba-maintainers@SuSE.de   |jeffm@novell.com

--- Comment #5 from Lars Müller <lmuelle@novell.com> 2011-01-26 11:05:46 CET ---
IIRC this is a known apparmor issue. But Jeff will know this for sure.
https://bugzilla.novell.com/show_bug.cgi?id=666450

https://bugzilla.novell.com/show_bug.cgi?id=666450#c6

Jeff Mahoney <jeffm@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO
       InfoProvider|                            |Joachim.Reichelt@helmholtz-hzi.de

--- Comment #6 from Jeff Mahoney <jeffm@novell.com> 2011-01-26 14:24:29 UTC ---
Please attach your /var/log/audit/audit.log.
https://bugzilla.novell.com/show_bug.cgi?id=666450

https://bugzilla.novell.com/show_bug.cgi?id=666450#c7

Joachim Reichelt <Joachim.Reichelt@helmholtz-hzi.de> changed:

           What    |Removed                           |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                          |NEW
       InfoProvider|Joachim.Reichelt@helmholtz-hzi.de |

--- Comment #7 from Joachim Reichelt <Joachim.Reichelt@helmholtz-hzi.de> 2011-01-26 22:38:20 UTC ---
Created an attachment (id=410615)
 --> (http://bugzilla.novell.com/attachment.cgi?id=410615)
bzip2 audit.log ... Full log.

This problem is related to:
# uname -a
Linux Joachim-PC 2.6.37-20-desktop #1 SMP PREEMPT 2011-01-22 00:41:44 +0100 x86_64 x86_64 x86_64 GNU/Linux

Look at the lines starting about line 1500.
https://bugzilla.novell.com/show_bug.cgi?id=666450

https://bugzilla.novell.com/show_bug.cgi?id=666450#c8

Jeff Mahoney <jeffm@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO
       InfoProvider|                            |Joachim.Reichelt@helmholtz-hzi.de

--- Comment #8 from Jeff Mahoney <jeffm@novell.com> 2011-01-26 23:01:02 UTC ---
Ok. Sure looks like an apparmor bug. Can you make sure you have the latest security:apparmor:factory apparmor package set[1] installed and use logprof to add the missing components to the profile? It may take a few cycles of starting smbd, having it fail, and running logprof again.

Then post your versions of /etc/apparmor.d/usr.sbin.[sn]mbd

[1] http://download.opensuse.org/repositories/security:/apparmor:/factory/openSU...
https://bugzilla.novell.com/show_bug.cgi?id=666450

https://bugzilla.novell.com/show_bug.cgi?id=666450#c9

Joachim Reichelt <Joachim.Reichelt@helmholtz-hzi.de> changed:

           What    |Removed                           |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                          |NEW
       InfoProvider|Joachim.Reichelt@helmholtz-hzi.de |

--- Comment #9 from Joachim Reichelt <Joachim.Reichelt@helmholtz-hzi.de> 2011-01-27 21:02:13 UTC ---
There was a minor problem with nmbd:
The right to access mode w to /var/log/samba/cores/ was missing.

But:
As smbd did not start at all, I added to /etc/apparmor.d/usr.sbin/smbd one line:
/etc/samba/secrets.tdb rwk,

Now smbd is up, but:
/var/log/samba/log.smbd:
# tail -20 /var/log/samba/log.smbd
  tdb(unnamed): tdb_open_ex: failed to get global lock on /etc/samba/secrets.tdb: Keine Berechtigung
[2011/01/27 21:30:10.645532, 0] passdb/secrets.c:73(secrets_init)
  Failed to open /etc/samba/secrets.tdb
[2011/01/27 21:30:10.645638, 0] smbd/server.c:1235(main)
  ERROR: smbd can not open secrets.tdb
[2011/01/27 21:31:51, 0] lib/fault.c:250(dump_core_setup)
  Unable to setup corepath for smbd: Permission denied
[2011/01/27 21:31:51, 0] smbd/server.c:1135(main)
  smbd version 3.5.6-2486-SUSE-SL11.4-x86_64 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2010
[2011/01/27 21:31:51.714608, 0] passdb/pdb_tdb.c:420(tdbsam_open)
  tdbsam_open: Failed to open/create TDB passwd [/etc/samba/passdb.tdb]
[2011/01/27 21:31:51.714710, 0] passdb/pdb_tdb.c:549(tdbsam_getsampwnam)
  tdbsam_getsampwnam: failed to open /etc/samba/passdb.tdb!
[2011/01/27 21:31:51.721156, 0] smbd/server.c:500(smbd_open_one_socket)
  smbd_open_once_socket: open_socket_in: Die Adresse wird bereits verwendet
[2011/01/27 21:31:51.721317, 0] smbd/server.c:500(smbd_open_one_socket)
  smbd_open_once_socket: open_socket_in: Die Adresse wird bereits verwendet
[2011/01/27 21:34:51.908167, 0] smbd/server.c:281(remove_child_pid)
  Could not find child 7084 -- ignoring
==
/etc/apparmor.d/usr/sbin/nmbd read now:

# Last Modified: Thu Jan 27 21:27:07 2011
#include <tunables/global>

/usr/sbin/nmbd {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/samba>

  capability net_bind_service,

  /usr/sbin/nmbd mr,
  /var/cache/samba/browse.dat* rw,
  /var/lib/samba/wins.dat* rw,
  /var/log/samba/cores/ w,
  /var/log/samba/cores/nmbd/ rw,
  /var/log/samba/cores/nmbd/** rw,
  /var/run/samba/** rk,
  /var/run/samba/nmbd.pid rw,
}

This is apparmor as in openSUSE 11.4-factory just now.

Now trying from security:...

zypper se -si apparmor
Daten des Repositorys laden ...
Installierte Pakete lesen ...

S | Name                           | Typ   | Version          | Arch   | Repository
--+--------------------------------+-------+------------------+--------+------------------
i | apparmor-docs                  | Paket | 2.5.1-45.1       | x86_64 | (Systempakete)
i | apparmor-parser                | Paket | 2.5.1.r1445-64.1 | x86_64 | Security-Apparmor
i | apparmor-profiles              | Paket | 2.5.1.r1445-64.1 | x86_64 | Security-Apparmor
i | apparmor-utils                 | Paket | 2.5.1.r1445-64.1 | noarch | Security-Apparmor
i | libapparmor1                   | Paket | 2.5.1.r1445-64.1 | x86_64 | Security-Apparmor
i | libapparmor1-32bit             | Paket | 2.5.1-45.1       | x86_64 | (Systempakete)
i | pam_apparmor-32bit             | Paket | 2.5.1-45.1       | x86_64 | (Systempakete)
i | patterns-openSUSE-apparmor_opt | Paket | 11.3-42.1        | x86_64 | Factory-OSS
i | perl-apparmor                  | Paket | 2.5.1.r1445-64.1 | x86_64 | Security-Apparmor
i | yast2-apparmor                 | Paket | 2.20.0-1.2       | noarch | Factory-OSS

but the problem is the same.
nmbd is fixed the same way as before, smbd cannot read/write /etc/samba/passdb.tdb
https://bugzilla.novell.com/show_bug.cgi?id=666450

https://bugzilla.novell.com/show_bug.cgi?id=666450#c10

--- Comment #10 from Jeff Mahoney <jeffm@novell.com> 2011-01-27 21:10:01 UTC ---
Well, yeah. What you're running into is what I meant by "It may take a few cycles of starting smbd, having it fail, and running logprof again."

Another way to do it is to put the profile in complain mode by adding the flag to the profile like this:

/usr/sbin/smbd (flags=complain) {
..
}

That will essentially run smbd unprotected but will still generate the events so you can update the profile.
https://bugzilla.novell.com/show_bug.cgi?id=666450

https://bugzilla.novell.com/show_bug.cgi?id=666450#c11

Chuck Taylor <chucktr@trcompu.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |chucktr@trcompu.com

--- Comment #11 from Chuck Taylor <chucktr@trcompu.com> 2011-02-06 00:22:03 UTC ---
Well, let me throw in a monkey wrench. I do NOT have apparmor running at all and I still can not get smb or nmb to run. The complaint is ... cannot read the files in /etc/samba. What has changed on the permissions since 11.3 and are we now making it a requirement to run apparmor???

By the way, what is this secrets.tbd file. There is not one on my system.
https://bugzilla.novell.com/show_bug.cgi?id=666450

https://bugzilla.novell.com/show_bug.cgi?id=666450#c12

--- Comment #12 from Chuck Taylor <chucktr@trcompu.com> 2011-02-06 03:01:01 UTC ---
This is an Update. I was wrong. I did have apparmor running. I had tried to check it with a ps -ef | grep apparmor and also with the rcapparmor command. Neither worked so I thought it wasn't running. After checking System Services Runlevels I found that aaeventd and boot.apparmor were running. I stopped them both and was able to finally get smb and nmb running.
https://bugzilla.novell.com/show_bug.cgi?id=666450

https://bugzilla.novell.com/show_bug.cgi?id=666450#c13

--- Comment #13 from Joachim Reichelt <Joachim.Reichelt@helmholtz-hzi.de> 2011-02-20 20:29:50 UTC ---
Created an attachment (id=415186)
 --> (http://bugzilla.novell.com/attachment.cgi?id=415186)
/etc/apparmor.d/usr.sbin.*mbd as tar

Working files for samba:
/etc/apparmor.d/usr.sbin.smbd
/etc/apparmor.d/usr.sbin.nmbd
https://bugzilla.novell.com/show_bug.cgi?id=666450

https://bugzilla.novell.com/show_bug.cgi?id=666450#c14

Li Bin <bili@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |bili@novell.com

--- Comment #14 from Li Bin <bili@novell.com> 2011-03-02 05:49:23 UTC ---
(In reply to comment #13)
> Created an attachment (id=415186)
>  --> (http://bugzilla.novell.com/attachment.cgi?id=415186) [details]
> /etc/apparmor.d/usr.sbin.*mbd as tar
>
> Working files for samba:
> /etc/apparmor.d/usr.sbin.smbd
> /etc/apparmor.d/usr.sbin.nmbd

With this file the rcsmb start successfully, but the rcnmb start failed.

Mar 2 13:47:50 ATong nmbd[17259]: [2011/03/02 13:47:50.869205, 0] nmbd/nmbd.c:861(main)
Mar 2 13:47:50 ATong nmbd[17259]: error opening config file
https://bugzilla.novell.com/show_bug.cgi?id=666450

https://bugzilla.novell.com/show_bug.cgi?id=666450#c15

--- Comment #15 from Joachim Reichelt <Joachim.Reichelt@helmholtz-hzi.de> 2011-03-08 21:37:18 UTC ---
Created an attachment (id=418197)
 --> (http://bugzilla.novell.com/attachment.cgi?id=418197)
/etc/apparmor.d/usr.sbin.nmbd

There is one line to change!
/var/lib/samba/browse.dat. rw,
I had only "w" as the file was empty that time.
https://bugzilla.novell.com/show_bug.cgi?id=666450

https://bugzilla.novell.com/show_bug.cgi?id=666450#c16

--- Comment #16 from Eberhard Harbrink <harbrink@bluewin.ch> 2011-03-12 19:56:44 UTC ---
I don't see it mentioned above, but for me it was also necessary to insert

/etc/samba/passdb.tdb rwk,

into /etc/apparmor.d/usr.sbin.smbd . Otherwise I would see the server when browsing, but I couldn't log in.
https://bugzilla.novell.com/show_bug.cgi?id=666450

https://bugzilla.novell.com/show_bug.cgi?id=666450#c17

Jeff Mahoney <jeffm@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO
       InfoProvider|                            |Joachim.Reichelt@helmholtz-hzi.de

--- Comment #17 from Jeff Mahoney <jeffm@novell.com> 2011-03-14 19:00:48 UTC ---
I've added the files and dirs to the profiles. Test packages should appear at http://download.opensuse.org/repositories/home:/jeff_mahoney:/branches:/open... shortly.

Please test and report back.
https://bugzilla.novell.com/show_bug.cgi?id=666450

https://bugzilla.novell.com/show_bug.cgi?id=666450#c18

Eberhard Harbrink <harbrink@bluewin.ch> changed:

           What    |Removed                           |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                          |NEW
       InfoProvider|Joachim.Reichelt@helmholtz-hzi.de |

--- Comment #18 from Eberhard Harbrink <harbrink@bluewin.ch> 2011-03-14 19:33:35 UTC ---
Seems to work for me now.
https://bugzilla.novell.com/show_bug.cgi?id=666450

https://bugzilla.novell.com/show_bug.cgi?id=666450#c19

James McDonough <jmcdonough@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |squealernet@googlemail.com

--- Comment #19 from James McDonough <jmcdonough@novell.com> 2011-03-15 15:34:26 UTC ---
*** Bug 679501 has been marked as a duplicate of this bug. ***
http://bugzilla.novell.com/show_bug.cgi?id=679501
https://bugzilla.novell.com/show_bug.cgi?id=666450

https://bugzilla.novell.com/show_bug.cgi?id=666450#c20

Davide Vernè <davide.verne@fastwebnet.it> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |davide.verne@fastwebnet.it

--- Comment #20 from Davide Vernè <davide.verne@fastwebnet.it> 2011-03-15 22:30:58 UTC ---
It works for me, too

2.6.37.1-1.2-desktop #1 SMP PREEMPT 2011-02-21 10:34:10 +0100 (i586)
https://bugzilla.novell.com/show_bug.cgi?id=666450

https://bugzilla.novell.com/show_bug.cgi?id=666450#c21

Marcus Meissner <meissner@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |maintenance@opensuse.org,
                   |                            |meissner@novell.com

--- Comment #21 from Marcus Meissner <meissner@novell.com> 2011-03-16 12:25:11 UTC ---
needinfo maintenance@opensuse.org for an update when done
https://bugzilla.novell.com/show_bug.cgi?id=666450

https://bugzilla.novell.com/show_bug.cgi?id=666450#c22

--- Comment #22 from Heidi Lahtinen <chrysantine@hotmail.com> 2011-03-17 19:00:48 UTC ---
I upgraded an old server and tested with Jeff's packages (latest) and ran into at least one file that is not covered by the AppArmor profile there and will cause issues;

[2011/03/17 20:48:32.485909, 1] lib/server_mutex.c:64(grab_named_mutex)
  Could not open mutex.tdb: Permission denied

/var/lib/samba/mutex.tdb
https://bugzilla.novell.com/show_bug.cgi?id=666450

https://bugzilla.novell.com/show_bug.cgi?id=666450#c23

--- Comment #23 from Marcus Meissner <meissner@novell.com> 2011-03-17 20:35:49 UTC ---
you can run "logprof" to check for apparmor denied events and allow them

or the YAST AppArmor -> Update ? Profiles? wizard
https://bugzilla.novell.com/show_bug.cgi?id=666450

https://bugzilla.novell.com/show_bug.cgi?id=666450#c24

John Harmon <joharmon@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |joharmon@novell.com

--- Comment #24 from John Harmon <joharmon@novell.com> 2011-03-18 12:23:07 UTC ---
Interestingly enough, my apparmor already was disabled according to the runlevel services (and chkconfig), but apparmor was really running in the background. Thanks for the logprof command as it confirmed to me that smb was definitely being blocked. It didn't work when I "Allowed" the service, but at least I found that apparmor was running (ps -ef never showed any apparmor processes either). rcapparmor stop did the trick..... Now I just need to find out why it is loading in the first place, when I have it disabled . . . .
https://bugzilla.novell.com/show_bug.cgi?id=666450

https://bugzilla.novell.com/show_bug.cgi?id=666450#c25

Jeff Mahoney <jeffm@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO
       InfoProvider|                            |chrysantine@hotmail.com

--- Comment #25 from Jeff Mahoney <jeffm@novell.com> 2011-03-21 15:24:34 UTC ---
(In reply to comment #22)
> I upgraded an old server and tested with Jeff's packages (latest) and ran into at least one file that is not covered by the AppArmor profile there and will cause issues;
>
> [2011/03/17 20:48:32.485909, 1] lib/server_mutex.c:64(grab_named_mutex)
>   Could not open mutex.tdb: Permission denied
>
> /var/lib/samba/mutex.tdb

Can you attach your /var/log/audit/audit.log?
https://bugzilla.novell.com/show_bug.cgi?id=666450

https://bugzilla.novell.com/show_bug.cgi?id=666450#c26

Heidi Lahtinen <chrysantine@hotmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |chrysantine@hotmail.com

--- Comment #26 from Heidi Lahtinen <chrysantine@hotmail.com> 2011-03-23 10:28:20 UTC ---
(In reply to comment #25)
> Can you attach your /var/log/audit/audit.log?

Sorry Jeff, we ran into other issues on the server (not related to the upgrade or AppArmor) and lazed the entire system, including logs. However I did not run into any other files other than that mutex.tdb that it complained about.
https://bugzilla.novell.com/show_bug.cgi?id=666450

https://bugzilla.novell.com/show_bug.cgi?id=666450#c27

P Linnell <mrdocs@opensuse.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |NEW
                 CC|                            |mrdocs@opensuse.org
       InfoProvider|chrysantine@hotmail.com     |

--- Comment #27 from P Linnell <mrdocs@opensuse.org> 2011-04-01 19:45:41 UTC ---
I installed the rpms from Jeff's repos and then switched apparmor to enforce mode, then restarted all the samba daemons and all is well.

However, when I tried to start the event logger I get this error:

rcaaeventd start
Starting AppArmor Event daemon done
1server:/home # Can't locate File/Tail.pm in @INC (@INC contains: /usr/lib/perl5/site_perl/5.12.3/i586-linux-thread-multi /usr/lib/perl5/site_perl/5.12.3 /usr/lib/perl5/vendor_perl/5.12.3/i586-linux-thread-multi /usr/lib/perl5/vendor_perl/5.12.3 /usr/lib/perl5/5.12.3/i586-linux-thread-multi /usr/lib/perl5/5.12.3 .) at /usr/sbin/aa-eventd line 33.
BEGIN failed--compilation aborted at /usr/sbin/aa-eventd line 33.

zypper in perl-File-Tail added the missing module and now aaeventd starts, samba is working and apparmor seems to be working fine in enforce mode.

So, there is a missing Build:Requires or Requires somewhere. After reporting this, I will look in OBS and if possible send an SR for the fix.

That said, I think this should be a priority maintenance fix. Samba not working out of the box on a default install is not good.

Let me know if you need more info or testing.
https://bugzilla.novell.com/show_bug.cgi?id=666450

https://bugzilla.novell.com/show_bug.cgi?id=666450#c28

Jeff Mahoney <jeffm@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO
       InfoProvider|                            |Joachim.Reichelt@helmholtz-hzi.de

--- Comment #28 from Jeff Mahoney <jeffm@novell.com> 2011-04-11 19:56:28 UTC ---
I've updated the profile to allow /var/lib/samba/** rwk.
I've updated apparmor-utils to depend on perl-File-Tail.

SR 66522

Test packages again at: http://download.opensuse.org/repositories/home:/jeff_mahoney:/branches:/open...
https://bugzilla.novell.com/show_bug.cgi?id=666450

https://bugzilla.novell.com/show_bug.cgi?id=666450#c29

--- Comment #29 from Heidi Lahtinen <chrysantine@hotmail.com> 2011-04-15 09:25:44 UTC ---
(In reply to comment #28)
> Test packages again at:

Works like coffee in the morning - push 'em out?
https://bugzilla.novell.com/show_bug.cgi?id=666450

https://bugzilla.novell.com/show_bug.cgi?id=666450#c30

Dmitri Kolobov <kolobov@iszf.irk.ru> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |kolobov@iszf.irk.ru

--- Comment #30 from Dmitri Kolobov <kolobov@iszf.irk.ru> 2011-04-16 04:34:27 UTC ---
I updated apparmor from http://download.opensuse.org/repositories/home:/jeff_mahoney:/branches:/open...

smbd and nmbd are started, but smbd cannot access the shared dir:

type=AVC msg=audit(1302928001.423:3198): apparmor="DENIED" operation="open" parent=2686 profile="/usr/sbin/smbd" name="/mnt/d04/pub/" pid=10299 comm="smbd" requested_mask="r" denied_mask="r" fsuid=65534 ouid=0
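The start, fail, logprof cycle from comments #8 and #10, applied to the denial in comment #30, as an added example that is not part of the original thread and is not code from AppArmor or logprof. It parses AppArmor audit events, collects the refused permissions per path, and lists the rules still missing after the rules posted in comments #9, #16 and #28. All function names are hypothetical, glob support is limited to `*` and `**`, and a trailing `/**` is assumed not to match the bare directory (the nmbd profile in comment #9 lists both forms separately).

```python
import re
from collections import defaultdict

# Constructed sample audit.log content. Only the last line is the denial quoted
# in comment #30; the others reuse paths named in this thread with made-up
# timestamps and pids. "ALLOWED" is what a profile in complain mode logs.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1296160210.645:101): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/smbd" name="/etc/samba/secrets.tdb" pid=7084 comm="smbd" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0
type=AVC msg=audit(1296160210.646:102): apparmor="DENIED" operation="file_lock" parent=1 profile="/usr/sbin/smbd" name="/etc/samba/secrets.tdb" pid=7084 comm="smbd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
type=AVC msg=audit(1300387712.485:230): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/smbd" name="/var/lib/samba/mutex.tdb" pid=9120 comm="smbd" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0
type=AVC msg=audit(1300387712.490:231): apparmor="ALLOWED" operation="open" parent=1 profile="/usr/sbin/nmbd" name="/var/log/samba/cores/" pid=9121 comm="nmbd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
type=AVC msg=audit(1302928001.423:3198): apparmor="DENIED" operation="open" parent=2686 profile="/usr/sbin/smbd" name="/mnt/d04/pub/" pid=10299 comm="smbd" requested_mask="r" denied_mask="r" fsuid=65534 ouid=0
"""

# Rules posted in comments #9, #16 and #28 (not the complete shipped profile).
THREAD_RULES = [
    "/etc/samba/secrets.tdb rwk",
    "/etc/samba/passdb.tdb rwk",
    "/var/lib/samba/** rwk",
]

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
PERM_ORDER = "rwaklmx"  # output order for permission letters


def parse_events(text):
    """Return one field dict per AppArmor file event (DENIED or ALLOWED)."""
    events = []
    for line in text.splitlines():
        fields = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
                  for m in KV.finditer(line)}
        if (fields.get("apparmor") in ("DENIED", "ALLOWED")
                and {"profile", "name", "denied_mask"} <= fields.keys()):
            events.append(fields)
    return events


def needed_access(events):
    """Map profile -> path -> set of permission letters that were refused."""
    need = defaultdict(lambda: defaultdict(set))
    for e in events:
        need[e["profile"]][e["name"]].update(
            c for c in e["denied_mask"] if c in PERM_ORDER)
    return need


def glob_to_regex(glob):
    """Translate a path glob using only '*' (no '/') and '**' (any character)."""
    parts = re.split(r"(\*\*|\*)", glob)
    out = []
    for i, part in enumerate(parts):
        if part not in ("*", "**"):
            out.append(re.escape(part))
            continue
        any_char = "[^/]" if part == "*" else "."
        # Assumption: a wildcard that is a whole path component must match at
        # least one character, so "/dir/**" does not cover "/dir/" itself.
        whole = parts[i - 1].endswith("/") and parts[i + 1][:1] in ("", "/")
        out.append(("[^/]" if whole else "") + any_char + "*")
    return re.compile("".join(out), re.DOTALL)


def missing_rules(need, rules_by_profile):
    """Return profile -> sorted 'path perms,' lines no single rule covers."""
    result = {}
    for profile, paths in need.items():
        rules = [r.rsplit(None, 1) for r in rules_by_profile.get(profile, [])]
        lines = []
        for path, perms in sorted(paths.items()):
            covered = any(glob_to_regex(g).fullmatch(path) and perms <= set(p)
                          for g, p in rules)
            if not covered:
                letters = "".join(sorted(perms, key=PERM_ORDER.index))
                lines.append(f"{path} {letters},")
        if lines:
            result[profile] = lines
    return result


if __name__ == "__main__":
    need = needed_access(parse_events(SAMPLE_AUDIT))
    todo = missing_rules(need, {"/usr/sbin/smbd": THREAD_RULES})
    for profile, lines in sorted(todo.items()):
        print(profile)
        for line in lines:
            print("  " + line)
```

With the thread's rules loaded, the only smbd line left is the share directory itself, which is why the follow-up discussion turns to where share paths should be declared.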
https://bugzilla.novell.com/show_bug.cgi?id=666450

https://bugzilla.novell.com/show_bug.cgi?id=666450#c31

Christian Boltz <suse-beta@cboltz.de> changed:

           What    |Removed                           |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                          |NEW
                 CC|                                  |suse-beta@cboltz.de
       InfoProvider|Joachim.Reichelt@helmholtz-hzi.de |

--- Comment #31 from Christian Boltz <suse-beta@cboltz.de> 2011-04-17 13:52:27 CEST ---
(Resetting needinfo to Joachim - IMHO there was enough feedback from other people. Joachim, you may still add your comment of course ;-)

(In reply to comment #30)
> ...parent=2686 profile="/usr/sbin/smbd" name="/mnt/d04/pub/" pid=10299 ...

You are opening a can of worms ;-) because samba shares can basically be every directory on your system depending on the samba config.

The profile has
    @{HOMEDIRS}/** lrwk,
which means read and write permissions for home directories (/home/*).

There are two options to solve this in a clean way:

a) edit /etc/apparmor.d/tunables/home or (better) /etc/apparmor.d/tunables/home.d/site.local and add your /mnt/d04/pub directory to @{HOMEDIRS}

b) have a separate tunable for samba shares, maybe /etc/apparmor.d/tunables/samba. It could contain:
    @{SMBSHARE}=@{HOMEDIRS} /mnt/d04/pub
   (default value should be @{HOMEDIRS})

Jeff, what do you think about having a separate @{SMBSHARE} tunable?
https://bugzilla.novell.com/show_bug.cgi?id=666450

https://bugzilla.novell.com/show_bug.cgi?id=666450#c32

--- Comment #32 from P Linnell <mrdocs@opensuse.org> 2011-04-17 15:13:10 UTC ---
The profile issues perhaps handled in a different bug, but I would ask that this get pushed out now as a maintenance fix. Obviously more than a few folks are affected by this.
https://bugzilla.novell.com/show_bug.cgi?id=666450

https://bugzilla.novell.com/show_bug.cgi?id=666450#c33

Jeff Mahoney <jeffm@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

--- Comment #33 from Jeff Mahoney <jeffm@novell.com> 2011-04-17 15:39:59 UTC ---
Ah. I didn't update the status on this one. The package has already been pushed to the update process.

@cboltz: Yeah, that's definitely the right idea, and what AppArmor 2.6 already does. I wouldn't be opposed to adding tunable profiles like that, so long as they match what's upstream already.

Dmitri, can you open a separate report for that? This one should be closed as the original issue has been fixed.
https://bugzilla.novell.com/show_bug.cgi?id=666450

https://bugzilla.novell.com/show_bug.cgi?id=666450#c34

--- Comment #34 from Dmitri Kolobov <kolobov@iszf.irk.ru> 2011-04-18 00:04:49 UTC ---
(In reply to comment #33)

I created new report, bug #688040.
https://bugzilla.novell.com/show_bug.cgi?id=688040
https://bugzilla.novell.com/show_bug.cgi?id=666450

https://bugzilla.novell.com/show_bug.cgi?id=666450#c35

--- Comment #35 from Bernhard Wiedemann <bwiedemann@novell.com> 2011-04-28 13:51:46 CEST ---
This is an autogenerated message for OBS integration:
This bug (666450) was mentioned in
https://build.opensuse.org/request/show/66464
https://build.opensuse.org/request/show/66522
https://bugzilla.novell.com/show_bug.cgi?id=666450

https://bugzilla.novell.com/show_bug.cgi?id=666450#c36

David Disseldorp <ddiss@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |silviu_marin-caea@otpbank.ro

--- Comment #36 from David Disseldorp <ddiss@novell.com> 2011-05-15 16:05:23 UTC ---
*** Bug 693900 has been marked as a duplicate of this bug. ***
http://bugzilla.novell.com/show_bug.cgi?id=693900
https://bugzilla.novell.com/show_bug.cgi?id=666450

https://bugzilla.novell.com/show_bug.cgi?id=666450#c37

--- Comment #37 from Bernhard Wiedemann <bwiedemann@novell.com> 2011-06-23 21:00:22 CEST ---
This is an autogenerated message for OBS integration:
This bug (666450) was mentioned in
https://build.opensuse.org/request/show/74415 11.4 / apparmor
https://bugzilla.novell.com/show_bug.cgi?id=666450

https://bugzilla.novell.com/show_bug.cgi?id=666450#c38

--- Comment #38 from Bernhard Wiedemann <bwiedemann@novell.com> 2011-06-24 17:00:20 CEST ---
This is an autogenerated message for OBS integration:
This bug (666450) was mentioned in
https://build.opensuse.org/request/show/74457 11.4 / apparmor
https://bugzilla.novell.com/show_bug.cgi?id=666450

https://bugzilla.novell.com/show_bug.cgi?id=666450#c39

Swamp Workflow Management <swamp@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Status Whiteboard|                            |maint:running:41833:low

--- Comment #39 from Swamp Workflow Management <swamp@suse.com> 2011-06-25 19:57:59 UTC ---
The SWAMPID for this issue is 41833.
This issue was rated as low.
Please submit fixed packages until 2011-07-25.
Also create a patchinfo file using this link:
https://swamp.suse.de/webswamp/wf/41833
https://bugzilla.novell.com/show_bug.cgi?id=666450

https://bugzilla.novell.com/show_bug.cgi?id=666450#c40

Swamp Workflow Management <swamp@suse.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Status Whiteboard|maint:running:41833:low     |maint:running:41833:low
                   |                            |maint:released:11.4:41905

--- Comment #40 from Swamp Workflow Management <swamp@suse.de> 2011-07-07 13:17:25 UTC ---
Update released for: apache2-mod_apparmor, apparmor-docs, apparmor-parser, apparmor-profiles, apparmor-utils, libapparmor-devel, libapparmor1, pam_apparmor, perl-apparmor, tomcat_apparmor
Products:
openSUSE 11.4 (debug, i586, x86_64)
https://bugzilla.novell.com/show_bug.cgi?id=666450

https://bugzilla.novell.com/show_bug.cgi?id=666450#c

Swamp Workflow Management <swamp@suse.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Status Whiteboard|maint:running:41833:low     |maint:released:11.4:41905
                   |maint:released:11.4:41905   |