[Bug 846586] New: smbd nt_printing_init error on starting smb
https://bugzilla.novell.com/show_bug.cgi?id=846586
https://bugzilla.novell.com/show_bug.cgi?id=846586#c0

Summary: smbd nt_printing_init error on starting smb
Classification: openSUSE
Product: openSUSE 13.1
Version: RC 1
Platform: i386
OS/Version: SUSE Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Network
AssignedTo: bnc-team-screening@forge.provo.novell.com
ReportedBy: lynn@steve-ss.com
QAContact: qa-bugs@suse.de
Found By: ---
Blocker: ---
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1632.0 Safari/537.36 SUSE/31.0.1632.0

zypper duped now so it includes the apparmor patches (bnc#845867, bnc#846054)

Oct 18 12:21:00 altea smbd[548]: [2013/10/18 12:21:00.247955, 0] ./source3/printing/nt_printing.c:164(nt_printing_init)
Oct 18 12:21:00 altea smbd[548]: nt_printing_init: error checking published printers: WERR_ACCESS_DENIED

No problem as our domain is working fine but I don't think those errors should be there.

Reproducible: Always

Steps to Reproduce:
1. systemctl start smb
2. systemctl status smb
3.

Actual Results:
nt_printing_init error

Expected Results:
Clean startup

smb.conf:

[global]
workgroup = HH3
realm = HH3.SITE
security = ADS
kerberos method = system keytab
username map = /home/steve/smbmap
log level = 3

[users]
path = /home/users
read only = No

[profiles]
path = /home/profiles
read only = No
store dos attributes = Yes
create mask = 0600
directory mask = 0700
browseable = No
guest ok = No
printable = No
profile acls = Yes
csc policy = disable

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
--- Comment from Ye Yuan
--- Comment #1 from David Disseldorp
--- Comment from David Disseldorp
--- Comment #2 from lynn wilson
--- Comment #3 from lynn wilson
--- Comment #4 from lynn wilson
--- Comment #5 from Lars Müller
--- Comment #6 from lynn wilson
--- Comment #7 from Lars Müller
--- Comment from Lars Müller
--- Comment #8 from Lars Müller
--- Comment #9 from Lars Müller
--- Comment #10 from lynn wilson
--- Comment #11 from lynn wilson
(In reply to comment #7)
> > > Does the initial comment show the full smb.conf?
> > Yes. This file server is for the Linux home directories and the windows profiles only.
> I did a fresh install from the 13.1 repositories. After joining a Microsoft domain driven by Windows 2008 server I had not been able to log in.
> With disabled AppArmor login against the Microsoft Domain Controller succeeded.
> As the next step I turned AppArmor on again but switched the winbindd profile by calling
>   aa-complain /usr/sbin/winbindd
> into complain mode and all worked.
> After calling aa-enforce /usr/sbin/winbindd and restarting, winbindd had no longer been able to authenticate against the Microsoft Windows 2008 server.
> @Christian: Do you need anything further than the log files I'm going to attach in the next step?
> Might this already be addressed with a later update to the apparmor-profiles package? I have apparmor-profiles-2.8.2-4.5.1.noarch installed.

This is with:
  rpm -q apparmor-profiles
  apparmor-profiles-2.8.2-4.5.1.noarch
The update you refer to enabled smbd to start when apparmor was enabled. Thanks.
--- Comment #12 from Christian Boltz
From the logs, the winbindd profile needs the following additions:

deny capability block_suspend,
/tmp/krb5cc_* rwk,
/var/lib/samba/smb_krb5/krb5.conf.LURCH w,   # or "krb5.conf*"?
/var/lib/samba/smb_tmp_krb5.* rw,
/var/lib/samba/**.tdb rwk,   # to avoid/replace the ever-growing filelist - any objections?
/var/log/samba/log.winbindd-dc-connect a,   # maybe w instead?

As you can see from my comments, there are some detail questions.
BTW: Is the directory /var/lib/samba/smb_krb5/ shipped with the samba package or does winbindd create it at runtime if needed (this would mean we also need to allow this ;-)
See bug 807104 for details why I _deny_ block_suspend - if you have good arguments, I can of course allow it instead.
Can you please test with the lines above added to the profile, and answer my questions? I'll update the profile afterwards.
--- Comment #13 from lynn wilson
> From the logs, the winbindd profile needs the following additions:
> deny capability block_suspend,
> /tmp/krb5cc_* rwk,
> /var/lib/samba/smb_krb5/krb5.conf.LURCH w,   # or "krb5.conf*"?
> /var/lib/samba/smb_tmp_krb5.* rw,
> /var/lib/samba/**.tdb rwk,   # to avoid/replace the ever-growing filelist - any objections?
> /var/log/samba/log.winbindd-dc-connect a,   # maybe w instead?
> As you can see from my comments, there are some detail questions.
> BTW: Is the directory /var/lib/samba/smb_krb5/ shipped with the samba package or does winbindd create it at runtime if needed (this would mean we also need to allow this ;-)
> See bug 807104 for details why I _deny_ block_suspend - if you have good arguments, I can of course allow it instead.
> Can you please test with the lines above added to the profile, and answer my questions? I'll update the profile afterwards.

Hi. I think this is aimed at another issue. Maybe from comment #7. We cannot test this as we do not use winbind. We are joined to the domain via 'net ads join' with sssd taking responsibility for both krb5 and pam. 12.3 copes fine with sssd in this scenario. Thanks.
--- Comment #14 from Christian Boltz
--- Comment #15 from lynn wilson
--- Comment #16 from Christian Boltz
> The $KRB5.REALM is not a real environment variable but can easily be obtained from sssd.conf or krb5.conf.
I just used /var/lib/sss/pubconf/kdcinfo.* (assuming there are no other similar files that samba should not be able to read).
> There's another problem here since sssd does not need /etc/krb5.conf to be present so apparmor looks for it and will never find it.
That's not a problem. AppArmor will allow access to the file (but doesn't actively look for the file to be present) - if it isn't there, there's just a superfluous permission around. So what? ;-)
> Do we have any dev who works with Samba in a domain?
I'd guess Lars does, but I'm not sure.
> Thanks so much for your help.
You are welcome ;-)
--- Comment #17 from Bernhard Wiedemann
--- Comment #18 from Swamp Workflow Management
--- Comment #19 from Lars Müller
> From the logs, the winbindd profile needs the following additions:
> deny capability block_suspend,
> /tmp/krb5cc_* rwk,
And with the current package in openSUSE Factory we use:
  Environment=KRB5CCNAME=/run/samba/krb5cc_samba
in the systemd service files for nmbd, smbd, and winbindd.
> /var/lib/samba/smb_krb5/krb5.conf.LURCH w,   # or "krb5.conf*"?
Correct, as the joined domain name gets added at the end of the file name.
> /var/lib/samba/smb_tmp_krb5.* rw,
> /var/lib/samba/**.tdb rwk,   # to avoid/replace the ever-growing filelist - any objections?
No, as these files are created by the Samba daemons.
> /var/log/samba/log.winbindd-dc-connect a,   # maybe w instead?
Yes. Why should we allow only append?
> As you can see from my comments, there are some detail questions.
> BTW: Is the directory /var/lib/samba/smb_krb5/ shipped with the samba package or does winbindd create it at runtime if needed (this would mean we also need to allow this ;-)
Winbindd creates it.
> See bug 807104 for details why I _deny_ block_suspend - if you have good arguments, I can of course allow it instead.
> Can you please test with the lines above added to the profile, and answer my questions? I'll update the profile afterwards.
All answers are untested. But the update is out anyhow meanwhile. Therefore I'm closing this report. We have bnc#852326 for further fun. ;)
--- Comment #20 from Christian Boltz
> And with the current package in openSUSE Factory we use:
>   Environment=KRB5CCNAME=/run/samba/krb5cc_samba
> in the systemd service files for nmbd, smbd, and winbindd.
-> needs profile updates
> > /var/log/samba/log.winbindd-dc-connect a,   # maybe w instead?
> Yes. Why should we allow only append?
Counter-question: why should we allow more than append? ;-) It's a log file, so append should be enough, and ensures winbindd can't modify the log after writing it. (I'd guess there are more log files where "a" would be enough - they probably got their "w" permissions due to a bug I found in aa-logprof some months ago (it mapped "create file" to "w", but "a" is enough ;-)
> > BTW: Is the directory /var/lib/samba/smb_krb5/ shipped with the samba package or does winbindd create it at runtime if needed (this would mean we also need to allow this ;-)
> Winbindd creates it.
Then the profile also needs to allow it ;-)
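The append-only argument made in the comment above, as an added example that is not part of the bug report or of the openSUSE AppArmor profile: AppArmor's "a" permission lets a confined program open a file with O_APPEND (creating it if needed) but not truncate it or write at an arbitrary offset, while "w" permits both. The two writers below open a log file the way each permission allows and show that with O_APPEND even an lseek() to offset 0 before the write cannot rewrite earlier lines. The file name is taken from the thread; the log lines are constructed, and nothing here requires AppArmor to be installed.

```python
"""Added example (not code from the bug report or the openSUSE AppArmor
profile): why an 'a' (append) permission is enough for a daemon's log file.

AppArmor's 'a' lets a confined program open a file with O_APPEND (creating it
if it does not exist) but not truncate it or write at an arbitrary offset;
'w' permits both. The two writers below open a log file the way each
permission allows. With O_APPEND the kernel appends every write even after
an lseek() to offset 0, so earlier log lines cannot be rewritten; with
O_TRUNC the history is gone.
"""
import os
import tempfile


def write_append_only(path, line, rewind=False):
    """Open as a profile granting 'a' allows: O_WRONLY|O_APPEND|O_CREAT."""
    fd = os.open(path, os.O_WRONLY | os.O_APPEND | os.O_CREAT, 0o640)
    try:
        if rewind:
            os.lseek(fd, 0, os.SEEK_SET)  # try to overwrite the first line
        os.write(fd, line)                # O_APPEND: lands at end of file anyway
    finally:
        os.close(fd)
    with open(path, "rb") as f:
        return f.read()


def write_truncating(path, line):
    """Open as a profile granting 'w' allows: O_TRUNC drops earlier lines."""
    fd = os.open(path, os.O_WRONLY | os.O_TRUNC | os.O_CREAT, 0o640)
    try:
        os.write(fd, line)
    finally:
        os.close(fd)
    with open(path, "rb") as f:
        return f.read()


# constructed sample log lines
FIRST = b"[2013/11/27 00:00:00, 0] winbindd: first line\n"
SECOND = b"[2013/11/27 00:00:01, 0] winbindd: second line\n"


def demo():
    """Run both writers against a fresh log; return the contents after each."""
    with tempfile.TemporaryDirectory() as d:
        log = os.path.join(d, "log.winbindd-dc-connect")  # name from the thread
        write_append_only(log, FIRST)
        after_append = write_append_only(log, SECOND, rewind=True)
        after_truncate = write_truncating(log, SECOND)
    return {"append": after_append, "truncate": after_truncate}


if __name__ == "__main__":
    result = demo()
    print(result["append"].decode(), end="")    # both lines survive
    print("---")
    print(result["truncate"].decode(), end="")  # only the second line survives
```

The rewind in write_append_only is the point: a process holding a descriptor opened with O_APPEND cannot position a write before the end, so a log granted only "a" keeps its history even if the daemon is compromised; "w" is what makes the O_TRUNC open in write_truncating possible.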
--- Comment from Christian Boltz
--- Comment #21 from Christian Boltz
--- Comment #22 from Lars Müller
> Reopening - some of the things you mentioned need profile additions.
> (In reply to comment #19)
> > And with the current package in openSUSE Factory we use:
> >   Environment=KRB5CCNAME=/run/samba/krb5cc_samba
> > in the systemd service files for nmbd, smbd, and winbindd.
> -> needs profile updates
> > > /var/log/samba/log.winbindd-dc-connect a,   # maybe w instead?
> > Yes. Why should we allow only append?
> Counter-question: why should we allow more than append? ;-) It's a log file, so append should be enough, and ensures winbindd can't modify the log after writing it. (I'd guess there are more log files where "a" would be enough - they probably got their "w" permissions due to a bug I found in aa-logprof some months ago (it mapped "create file" to "w", but "a" is enough ;-)
It's a log file and append should be enough. We'll see.

(In reply to comment #21)
> The log from bnc851984 comment 13 contains:
> type=1400 audit(1385505724.059:38): apparmor="DENIED" operation="mkdir" parent=1 profile="/usr/sbin/smbd" name="/var/cache/samba/" pid=2129 comm="smbd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
> Lars, does smbd need to create the /var/cache/samba/ directory on first startup? (at least rpm -qf says "not owned by any package" on my system)
That's a packaging bug. I've added
  %dir /var/cache/samba
to the client package as we have /var/lib/samba in it too. It might be time to add a subpackage named common. This change will first go into the network:samba:STABLE/samba package and soon after into openSUSE Factory.
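As an added example (not code from the bug report, the openSUSE packages or the AppArmor project, whose aa-logprof does this job for real), the script below turns AppArmor "DENIED" audit lines such as the mkdir line quoted in this comment into candidate profile rules, applying the choices argued in comments #12, #19, #20 and #22 instead of a naive requested_mask-to-permission mapping: a denied mkdir needs "w" on the directory path itself, log files under /var/log/ get "a" rather than "w", per-file /var/lib/samba/*.tdb entries collapse to the /var/lib/samba/**.tdb glob, and block_suspend is denied rather than allowed. The mkdir line is the one quoted above; the winbindd audit lines and the profile name /usr/sbin/winbindd are constructed for the example, and the /var/log/ and tdb rewrite rules are this example's encoding of the thread's decisions, not AppArmor defaults.

```python
"""Added example, not code from the bug report, the openSUSE packages or the
AppArmor project: turn AppArmor "DENIED" audit lines into candidate profile
rules, applying the choices argued in the thread:

  - a denied mkdir needs 'w' on the directory path itself (trailing slash),
    e.g.  /var/cache/samba/ w,
  - log files under /var/log/ get 'a', never 'w', so the daemon cannot
    rewrite what it already logged (aa-logprof used to map "create" to 'w')
  - /var/lib/samba/<name>.tdb collapses to  /var/lib/samba/**.tdb rwk,
    instead of an ever-growing file list
  - capability block_suspend is denied rather than allowed (bug 807104)

The mkdir line in SAMPLE is the one quoted in the thread; the winbindd
lines and the profile name /usr/sbin/winbindd are constructed.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

# key=value and key="value" pairs as the kernel audit subsystem writes them
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

DENY_CAPS = {"block_suspend"}          # denied on purpose, see bug 807104
GLOB_REWRITES = [
    (re.compile(r"^/var/lib/samba/[^/]+\.tdb$"), "/var/lib/samba/**.tdb"),
]
PERM_ORDER = "rwak"                    # canonical order for emitted permissions


def parse_audit_line(line: str) -> Dict[str, str]:
    """Return the key/value fields of one audit line, quotes stripped."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV.finditer(line)}


def permissions_for(f: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Map one denied file event to (path, perms); None for non-file events."""
    if f.get("apparmor") != "DENIED" or "name" not in f:
        return None
    path = f["name"]
    mask = set(f.get("denied_mask") or f.get("requested_mask") or "")
    if f.get("operation") == "mkdir":
        return path.rstrip("/") + "/", "w"   # creating a directory: 'w' on the dir path
    perms = set()
    if "r" in mask:
        perms.add("r")
    if mask & {"w", "c"}:
        perms.add("a" if path.startswith("/var/log/") else "w")
    if "a" in mask:
        perms.add("a")
    if "k" in mask:
        perms.add("k")
    if "a" in perms:
        perms.discard("w")                   # 'a' is a subset of 'w'; never emit both
    for pattern, glob in GLOB_REWRITES:
        if pattern.match(path):
            path = glob
    return path, "".join(p for p in PERM_ORDER if p in perms)


def rules_from_audit(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Candidate rules per confined profile, permissions merged per path."""
    files = defaultdict(lambda: defaultdict(set))
    caps = defaultdict(set)
    for line in lines:
        f = parse_audit_line(line)
        if f.get("apparmor") != "DENIED":
            continue
        profile = f.get("profile", "?")
        if f.get("operation") == "capable":
            caps[profile].add(f.get("capname", ""))
        else:
            pp = permissions_for(f)
            if pp:
                files[profile][pp[0]].update(pp[1])
    out: Dict[str, List[str]] = {}
    for profile in sorted(set(files) | set(caps)):
        rules = [("deny " if c in DENY_CAPS else "") + "capability %s," % c
                 for c in sorted(caps[profile])]
        for path, perms in sorted(files[profile].items()):
            if "a" in perms:
                perms.discard("w")           # merging may have reintroduced 'w'
            rules.append("%s %s," % (path, "".join(p for p in PERM_ORDER if p in perms)))
        out[profile] = rules
    return out


SAMPLE = [
    # quoted in the thread (bnc#851984 comment 13)
    'type=1400 audit(1385505724.059:38): apparmor="DENIED" operation="mkdir" parent=1 '
    'profile="/usr/sbin/smbd" name="/var/cache/samba/" pid=2129 comm="smbd" '
    'requested_mask="c" denied_mask="c" fsuid=0 ouid=0',
    # constructed for this example
    'type=1400 audit(1385505724.060:39): apparmor="DENIED" operation="open" parent=1 '
    'profile="/usr/sbin/winbindd" name="/var/log/samba/log.winbindd-dc-connect" '
    'pid=2130 comm="winbindd" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0',
    'type=1400 audit(1385505724.061:40): apparmor="DENIED" operation="file_lock" parent=1 '
    'profile="/usr/sbin/winbindd" name="/var/lib/samba/gencache.tdb" '
    'pid=2130 comm="winbindd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0',
    'type=1400 audit(1385505724.062:41): apparmor="DENIED" operation="open" parent=1 '
    'profile="/usr/sbin/winbindd" name="/var/lib/samba/netsamlogon_cache.tdb" '
    'pid=2130 comm="winbindd" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0',
    'type=1400 audit(1385505724.063:42): apparmor="DENIED" operation="capable" parent=1 '
    'profile="/usr/sbin/winbindd" pid=2130 comm="winbindd" capability=36 capname="block_suspend"',
]

if __name__ == "__main__":
    for profile, rules in rules_from_audit(SAMPLE).items():
        print("# " + profile)
        for rule in rules:
            print("  " + rule)
```

Run stand-alone it prints one rule group per profile; the two tdb events merge into a single /var/lib/samba/**.tdb rwk, line and the log open with requested_mask="wc" becomes an "a" rule, which is the tightening the thread asks for. Treat the output as candidates to review, not as a profile to ship: a glob such as **.tdb also covers files the daemon has never touched.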
--- Comment #23 from lynn wilson
--- Comment #24 from Bernhard Wiedemann
--- Comment #25 from lynn wilson
--- Comment #26 from Christian Boltz
> Can we reopen a bug that was never closed?
You don't need to do that ;-) All issues mentioned in this bug are solved in the packages in security:apparmor, and I just submitted SR 214402 to openSUSE:13.1:Update.
--- Comment #27 from Bernhard Wiedemann
--- Comment from Swamp Workflow Management
--- Comment #28 from Bernhard Wiedemann
--- Comment #29 from Swamp Workflow Management
--- Comment #30 from Lars Müller
--- Comment #31 from Lars Müller
--- Comment #32 from Christian Boltz
> We need to configure --with-cachedir and use the same location as for the lockdir.
Please make sure this cachedir and its content is covered by the AppArmor profile. (Open a bugreport if you need some additions.)
--- Comment #33 from Lars Müller
--- Comment #34 from Bernhard Wiedemann
--- Comment #36 from Bernhard Wiedemann
--- Comment #37 from Bernhard Wiedemann
--- Comment from Swamp Workflow Management
--- Comment #38 from Swamp Workflow Management
--- Comment from Swamp Workflow Management
--- Comment from Swamp Workflow Management
--- Comment #39 from Swamp Workflow Management
--- Comment from Swamp Workflow Management
--- Comment from Swamp Workflow Management
--- Comment from Swamp Workflow Management