Hi Christian,
Thanks very much for your detailed response.
While waiting for a response I tried to debug further.
I know that after doing a zypper dup that an additional reeboot is also needed for the kernel purge / cleanup to run.
To be safe (in case something else post update needed to run that I was not aware of ) I rebooted the server several
times but the Linux and Windows clients still got the access denied when trying to access the shares.
Windows machines could successfully map the drive ( so smbpasswd working fine ) but then could not access anything on the mapped drive.
I also did a zypper verify which reported that everything was ok.
Google searches of apparmor breaking SMB come up with a fair amount of hits with some on other distros and with some hits
as recent as 08/2022 and 10/31/2022
This one talks about apparmor seems to break samba after every boot but they are running on Debian.
As I test I tried the following:
systemctl stop apparmor
systemctl stop smb
systemctl start apparmor
systemctl start smb
As soon as I did that shares and files started working and were accessible from Linux and Windows 10 clients.
NOTHING was changed and my smb.conf from the 20220908 before zypper dup snapshot matches what is being used
with the 20221101 updated snapshot.
I have rebooted the server several times now after stopping and restarting apparmor and smb and everything
continues to work now.
That makes no sense to me because all of those reboots would have also stopped and started the services but
they didn't work but when I manually did it things start working?
Could this be a timing related issue when systemd starts apparmor and smbd that caused the issue since
when I manually did it I wait for the other service to start before doing the second one?
Looking at /var/log/audit/audit.log I do find lots of DENIED lines so seems clear that the issue was apparmor causing the access denied.
Here are some examples:
type=AVC msg=audit(1667529133.916:625): apparmor="DENIED" operation="file_receive" profile="smbd" name="/var/lib/nscd/netgroup" pid=15194 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1667529133.916:626): apparmor="DENIED" operation="open" profile="smbd" name="/vol/g/joe/bin/profile.ps1" pid=15194 comm="smbd" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1667529133.920:627): apparmor="DENIED" operation="open" profile="smbd" name="/vol/g/joe/bin/profile.ps1" pid=15194 comm="smbd" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1667529133.920:628): apparmor="DENIED" operation="open" profile="smbd" name="/vol/g/joe/bin/profile.ps1" pid=15194 comm="smbd" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1667529133.920:629): apparmor="DENIED" operation="open" profile="smbd" name="/vol/g/joe/bin/profile.ps1" pid=15194 comm="smbd" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1667529213.802:773): apparmor="DENIED" operation="file_receive" profile="smbd" name="/var/lib/nscd/netgroup" pid=15420 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1667529413.904:188): apparmor="DENIED" operation="file_receive" profile="smbd" name="/var/lib/nscd/netgroup" pid=2763 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1667529869.462:188): apparmor="DENIED" operation="file_receive" profile="smbd" name="/var/lib/nscd/netgroup" pid=3276 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1667530832.375:203): apparmor="DENIED" operation="file_receive" profile="smbd" name="/var/lib/nscd/netgroup" pid=4954 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1667530875.162:205): apparmor="DENIED" operation="file_receive" profile="smbd" name="/var/lib/nscd/netgroup" pid=4980 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1667531170.438:208): apparmor="DENIED" operation="file_receive" profile="smbd" name="/var/lib/nscd/netgroup" pid=3625 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1667589085.097:353): apparmor="DENIED" operation="file_receive" profile="smbd" name="/var/lib/nscd/netgroup" pid=2779 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1667589837.611:354): apparmor="DENIED" operation="file_receive" profile="smbd" name="/var/lib/nscd/netgroup" pid=4264 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
I did NOT switch the profiles to complain mode because when I manually stopped and started apparmor and smbd then everything "magically"
started to work.
I have not submitted a bug report but will gladly do so if you want one but you have all the info from this message.
I also looked at the samba logs too and the only messages since the zupper dup are
[2022/11/03 18:34:40.283669, 0] ../../source3/smbd/server.c:1741(main)
smbd version 4.17.2-git.273.a55a83528b9SUSE-oS15.9-x86_64 started.
Copyright Andrew Tridgell and the Samba Team 1992-2022
WARNING: Unhandled message: interface=org.freedesktop.DBus, path=/org/freedesktop/DBus, member=ActivatableServicesChanged
WARNING: Unhandled message: interface=org.freedesktop.DBus, path=/org/freedesktop/DBus, member=ActivatableServicesChanged
WARNING: Unhandled message: interface=org.freedesktop.DBus, path=/org/freedesktop/DBus, member=ActivatableServicesChanged
WARNING: Unhandled message: interface=org.freedesktop.DBus, path=/org/freedesktop/DBus, member=ActivatableServicesChanged
WARNING: Unhandled message: interface=org.freedesktop.DBus, path=/org/freedesktop/DBus, member=ActivatableServicesChanged
WARNING: Unhandled message: interface=org.freedesktop.DBus, path=/org/freedesktop/DBus, member=ActivatableServicesChanged
WARNING: Unhandled message: interface=org.freedesktop.DBus, path=/org/freedesktop/DBus, member=ActivatableServicesChanged
but I also see that those messages have also occured back when the server was running 20220908.
Let me know if you want/need any more info.
Hello,
Am Freitag, 4. November 2022, 01:12:24 CET schrieb Joe Salmeri:
> Today I updated from TW 20220908 to 20221101 and SMB no longer works
[...]
> I believe the problem is related to apparmour changes for samba but I
> am unsure how to resolve the issue.
Check your /var/log/audit/audit.log for lines containing DENIED.
If AppArmor really denies something, you'll have such lines.
If you don't find any DENIED lines, the issue is most likely not related
to AppArmor.
If it turns out to be a problem with AppArmor, you can switch the
affected profiles to complain mode (allow everything, but log what would
be denied):
aa-complain /etc/apparmor.d/usr.sbin.smbd
(same for nmbd and winbindd)
Note: In complain mode, log lines will have ALLOWED instead of DENIED.
If your issue is really related to AppArmor, please open a bugreport and
attach your audit.log.
Oh, and don't even try Seife's idea to zypper rm apparmor - I can
guarantee you that this won't work (Seife, try yourself if you don't
believe me ;-)
BTW: Samba also logs to /var/log/samba/ - maybe you can find some hints
there.
> Here are the messages that are appearing for the smb service.
[...]
> Nov 03 19:59:44 update-apparmor-samba-profile[9984]: + silentexit
'smb.conf is older than the AppArmor profile sniplet'
> Nov 03 19:59:44 update-apparmor-samba-profile[9984]: + exit 0
[...]
> I suspect that the problem it is because it is complaining about
> smb.conf being different than what apparmour has but that config has
> not been changed since I originally set it up.
The messages you quoted just mean that the AppArmor profile sniplet is
newer than your smb.conf, and that means there's no need to update it.
Since the script is lazy, it just exits in this case.
Regards,
Christian Boltz
--
A Perl program is correct if it gets the job done
before your boss fires you. -- Larry Wall