Re: Samba update today failed to restart if printer lines in smb.conf
On 2022-02-02 04:45, Larry Len Rainey wrote:
> Samba broke in today's 15.3 update - is it apparmor or bug?

You do not write apparmor info to see if it can be an apparmor issue. Try "aa-logprof".

> LLR1:~ # systemctl status smb
> ● smb.service - Samba SMB Daemon
>      Loaded: loaded (/usr/lib/systemd/system/smb.service; enabled; vendor prese>
>      Active: failed (Result: exit-code) since Tue 2022-02-01 21:27:13 CST; 8s a>
>        Docs: man:smbd(8)
>              man:samba(7)
>              man:smb.conf(5)
>     Process: 9455 ExecStartPre=/usr/share/samba/update-apparmor-samba-profile (>
>     Process: 9460 ExecStart=/usr/sbin/smbd --foreground --no-process-group $SMB>
>    Main PID: 9460 (code=exited, status=1/FAILURE)
>      Status: "daemon failed to start: Samba failed to init printing subsystem"
>       Error: 13 (Permission denied)
>
> Feb 01 21:27:13 LLR1 systemd[1]: Starting Samba SMB Daemon...
> Feb 01 21:27:13 LLR1 smbd[9460]: [2022/02/01 21:27:13.529676, 0] ../../source3>
> Feb 01 21:27:13 LLR1 smbd[9460]: smbd version 4.15.4-git.324.8332acf1a6315030>
> Feb 01 21:27:13 LLR1 smbd[9460]: Copyright Andrew Tridgell and the Samba Team>
> Feb 01 21:27:13 LLR1 systemd[1]: Started Samba SMB Daemon.
> Feb 01 21:27:13 LLR1 smbd[9460]: [2022/02/01 21:27:13.548557, 0] ../../lib/uti>
> Feb 01 21:27:13 LLR1 smbd[9460]: exit_daemon: daemon failed to start: Samba f>
> Feb 01 21:27:13 LLR1 systemd[1]: smb.service: Main process exited, code=exited,>
> Feb 01 21:27:13 LLR1 systemd[1]: smb.service: Failed with result 'exit-code'.
>
> I had to delete these lines to make it work.
>
> [printers]
>     comment = All Printers
>     path = /var/tmp
>     printable = Yes
>     create mask = 0600
>     browseable = No
>     printable = yes
>
> [print$]
>     comment = Printer Drivers
>     path = /var/lib/samba/drivers
>     write list = @ntadmin root
>     force group = ntadmin
>     create mask = 0664
>     directory mask = 0775
>
> LLR1:/etc/samba # systemctl status smb
> ● smb.service - Samba SMB Daemon
>      Loaded: loaded (/usr/lib/systemd/system/smb.service; enabled; vendor prese>
>      Active: active (running) since Tue 2022-02-01 21:33:13 CST; 10min ago
>        Docs: man:smbd(8)
>              man:samba(7)
>              man:smb.conf(5)
>     Process: 10353 ExecStartPre=/usr/share/samba/update-apparmor-samba-profile >
>    Main PID: 10365 (smbd)
>      Status: "smbd: ready to serve connections..."
>       Tasks: 13 (limit: 4915)
>      CGroup: /system.slice/smb.service
>              ├─10365 /usr/sbin/smbd --foreground --no-process-group
>              ├─10367 /usr/sbin/smbd --foreground --no-process-group
>              ├─10368 /usr/sbin/smbd --foreground --no-process-group
>              ├─10369 /usr/lib64/samba/samba-bgqd --ready-signal-fd=47 --parent->
>              ├─10384 /usr/sbin/smbd --foreground --no-process-group
>              ├─11235 /usr/sbin/smbd --foreground --no-process-group
>              ├─12174 /usr/sbin/smbd --foreground --no-process-group
>              ├─12175 /usr/sbin/smbd --foreground --no-process-group
>              ├─12176 /usr/sbin/smbd --foreground --no-process-group
>              ├─12177 /usr/sbin/smbd --foreground --no-process-group
>              ├─12178 /usr/sbin/smbd --foreground --no-process-group
>              ├─12179 /usr/sbin/smbd --foreground --no-process-group
>              └─12181 /usr/sbin/smbd --foreground --no-process-group
>
> Feb 01 21:33:12 LLR1 systemd[1]: Starting Samba SMB Daemon...
> Feb 01 21:33:12 LLR1 update-apparmor-samba-profile[10353]: Reloading updated Ap>
> Feb 01 21:33:13 LLR1 smbd[10365]: [2022/02/01 21:33:13.129861, 0] ../../source>
> Feb 01 21:33:13 LLR1 smbd[10365]: smbd version 4.15.4-git.324.8332acf1a631503>
> Feb 01 21:33:13 LLR1 smbd[10365]: Copyright Andrew Tridgell and the Samba Tea>
> Feb 01 21:33:13 LLR1 systemd[1]: Started Samba SMB Daemon.
> Feb 01 21:33:13 LLR1 systemd[1]: smb.service: Got notification message from PID>
> Feb 01 21:43:16 LLR1 smbd[12180]: [2022/02/01 21:43:16.567854, 0] ../../source>
> Feb 01 21:43:16 LLR1 smbd[12180]: Invalid SMB packet: first request: 0x0001

--
Cheers / Saludos,
Carlos E. R. (from 15.3 x86_64 at Telcontar)
On Wed, Feb 2, 2022 at 9:28 AM Carlos E. R. <robin.listas@telefonica.net> wrote:
> On 2022-02-02 04:45, Larry Len Rainey wrote:
>> Samba broke in today's 15.3 update - is it apparmor or bug?
>> Status: "daemon failed to start: Samba failed to init printing subsystem"

same here with the smb.service giving this error after the latest samba patches from some hours ago. as I have not changed anything on the machine and suddenly samba dying it took me a while to figure out a workaround. some several years old hits on the interwebs search wrote about simply disabling printing stuff in smb.conf

they advised about adding the line in the global section:

disable spoolss = yes

to smb.conf. and i also disabled some other print stuff such as

# printing = cups
# printcap name = cups
# printcap cache time = 750
# cups options = raw

i don't use any kind of printer on or with the machine.

these settings helped so far. dunno why samba patches need to bring down the whole samba :( ty.
Thanks!

The 'disable spoolss = yes' did the trick for me. I already had everything else related to printing disabled, but smb still wouldn't start.

It might be related to the apparmor profile for samba, because I got a 'permission denied' error in my 'systemctl status smb' output...

On Wed, Feb 2, 2022 at 11:04 AM cagsm <cumandgets0mem00f@gmail.com> wrote:
> On Wed, Feb 2, 2022 at 9:28 AM Carlos E. R. <robin.listas@telefonica.net> wrote:
>> On 2022-02-02 04:45, Larry Len Rainey wrote:
>>> Samba broke in today's 15.3 update - is it apparmor or bug?
>>> Status: "daemon failed to start: Samba failed to init printing subsystem"
>
> same here with the smb.service giving this error after the latest samba patches from some hours ago. as I have not changed anything on the machine and suddenly samba dying it took me a while to figure out a workaround. some several years old hits on the interwebs search wrote about simply disabling printing stuff in smb.conf
>
> they advised about adding the line in the global section:
>
> disable spoolss = yes
>
> to smb.conf. and i also disabled some other print stuff such as
>
> # printing = cups
> # printcap name = cups
> # printcap cache time = 750
> # cups options = raw
>
> i don't use any kind of printer on or with the machine.
>
> these settings helped so far. dunno why samba patches need to bring down the whole samba :( ty.

--
Met vriendelijke groet / Best regards,
Wilfred van Velzen
On 2022-02-02 11:17, Wilfred van Velzen wrote:
> Thanks!
>
> The 'disable spoolss = yes' did the trick for me. I already had everything else related to printing disabled, but smb still wouldn't start.
>
> It might be related to the apparmor profile for samba, because I got a 'permission denied' error in my 'systemctl status smb' output...

To correct that, you must run "aa-logprof" as root in a terminal.

--
Cheers / Saludos,
Carlos E. R. (from 15.3 x86_64 at Telcontar)
I don't really need it because I don't need printing through samba, but I'm curious, so I tried it:

# aa-logprof
Reading log entries from /var/log/audit/audit.log.
Updating AppArmor profiles in /etc/apparmor.d.
Target profile exists: /etc/apparmor.d/samba-bgqd

Profile:  smbd
Execute:  /usr/lib64/samba/samba-bgqd
Severity: unknown

(I)nherit / (C)hild / (P)rofile / (N)amed / (U)nconfined / (X) ix On / (D)eny / Abo(r)t / (F)inish

I have no clue what to choose here. And there seems to be a big discrepancy with 'man aa-logprof' because it only mentions and explains these options:

(A)llow, (D)eny, (I)gnore, (N)ew, (G)lob last piece, (Q)uit

???

On Wed, Feb 2, 2022 at 11:22 AM Carlos E. R. <robin.listas@telefonica.net> wrote:
> On 2022-02-02 11:17, Wilfred van Velzen wrote:
>> Thanks!
>>
>> The 'disable spoolss = yes' did the trick for me. I already had everything else related to printing disabled, but smb still wouldn't start.
>>
>> It might be related to the apparmor profile for samba, because I got a 'permission denied' error in my 'systemctl status smb' output...
>
> To correct that, you must run "aa-logprof" as root in a terminal.
>
> --
> Cheers / Saludos,
> Carlos E. R. (from 15.3 x86_64 at Telcontar)

--
Met vriendelijke groet / Best regards,
Wilfred van Velzen
On 2022-02-02 13:02, Wilfred van Velzen wrote:
> I don't really need it because I don't need printing through samba, but I'm curious, so I tried it:
>
> # aa-logprof
> Reading log entries from /var/log/audit/audit.log.
> Updating AppArmor profiles in /etc/apparmor.d.
> Target profile exists: /etc/apparmor.d/samba-bgqd
>
> Profile:  smbd
> Execute:  /usr/lib64/samba/samba-bgqd
> Severity: unknown
>
> (I)nherit / (C)hild / (P)rofile / (N)amed / (U)nconfined / (X) ix On / (D)eny / Abo(r)t / (F)inish
>
> I have no clue what to choose here.

I think "inherit". It may ask you further questions. And you should create a bugzilla about the issue, with the changes you had to do, so that an update with those changes as appropriate is made.

> And there seems to be a big discrepancy with 'man aa-logprof' because it only mentions and explains these options:
>
> (A)llow, (D)eny, (I)gnore, (N)ew, (G)lob last piece, (Q)uit
>
> ???

Yeah, well...

--
Cheers / Saludos,
Carlos E. R. (from 15.3 x86_64 at Telcontar)
Hello,

On Wednesday, 2 February 2022, 13:02:09 CET, Wilfred van Velzen wrote:
> I don't really need it because I don't need printing through samba, but I'm curious, so I tried it:
>
> # aa-logprof
> Reading log entries from /var/log/audit/audit.log.
> Updating AppArmor profiles in /etc/apparmor.d.
> Target profile exists: /etc/apparmor.d/samba-bgqd
>
> Profile:  smbd
> Execute:  /usr/lib64/samba/samba-bgqd
> Severity: unknown

That looks like you don't have the latest AppArmor packages installed. Please make sure to have AppArmor 2.13.6 - the update was released only 21 hours ago.

See https://bugzilla.opensuse.org/show_bug.cgi?id=1195412 for some more details.

> (I)nherit / (C)hild / (P)rofile / (N)amed / (U)nconfined / (X) ix On / (D)eny / Abo(r)t / (F)inish

That's the prompt you get when AppArmor hits an "exec" event (a program executed another program, without having a rule for it yet).

The options listed let you choose if the program gets executed under the same AppArmor profile (inherit), or with a separate profile.

<shameless plug>
If you want to learn what these options mean, have a look at my "AppArmor Crash Course". You can find the slides on blog.cboltz.de, and a recording on media.ccc.de: https://media.ccc.de/v/786-apparmor-crash-course
(Note: The recording is from 2016, but it only misses a few feature additions. There's also a newer German recording on media.ccc.de)
</shameless plug>

The security guide on doc.opensuse.org should also get you started.

> I have no clue what to choose here. And there seems to be a big discrepancy with 'man aa-logprof' because it only mentions and explains these options:
>
> (A)llow, (D)eny, (I)gnore, (N)ew, (G)lob last piece, (Q)uit

That's the prompt you get when a program tries to access (read, write, lock etc.) a file.

Regards,

Christian Boltz
--
* pfak cries in a corner
<pfak> You think I'm joking. But my desk at work is in a corner.
<sarnold> that's just smart planning
<sarnold> put the guy who knows how everything works in the corner, so when he wants to cry in a corner, *bam*, synergies and efficiencies!
[from #apparmor]
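Added example, not part of any poster's message or of the AppArmor or Samba projects: a small parser that answers the thread's opening question ("is it apparmor or bug?") by grouping AppArmor audit events per profile and tagging each as an exec event or a file-access event, the two cases that lead to the two aa-logprof prompts described above. The sample lines are constructed in the usual AppArmor audit key=value layout, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed audit.log lines for illustration (not taken from the thread).
SAMPLE_AUDIT_LOG = '''\
type=AVC msg=audit(1643772433.529:310): apparmor="DENIED" operation="exec" profile="smbd" name="/usr/lib64/samba/samba-bgqd" pid=9460 comm="smbd" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
type=AVC msg=audit(1643772433.531:311): apparmor="DENIED" operation="open" profile="smbd" name="/var/tmp/example.spool" pid=9460 comm="smbd" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
type=AVC msg=audit(1643772434.002:312): apparmor="ALLOWED" operation="open" profile="example-complain" name="/etc/hosts" pid=700 comm="example" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=SYSCALL msg=audit(1643772434.100:313): arch=c000003e syscall=59 success=yes exit=0 comm="ls"
'''

# key=value pairs; values are either "quoted" or bare tokens.
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Return the key/value fields of an AppArmor audit line, or None."""
    if 'apparmor=' not in line:
        return None
    return {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}


def prompt_kind(event):
    """'exec' for execute events, 'file' for read/write/lock style access."""
    if event.get('operation') == 'exec' or 'x' in event.get('denied_mask', ''):
        return 'exec'
    return 'file'


def events_by_profile(log_text, status='DENIED'):
    """Group (kind, path, mask) tuples by the confining profile."""
    grouped = defaultdict(list)
    for line in log_text.splitlines():
        event = parse_event(line)
        if event and event.get('apparmor') == status:
            grouped[event.get('profile', '?')].append(
                (prompt_kind(event), event.get('name', '?'),
                 event.get('denied_mask', '')))
    return dict(grouped)


if __name__ == '__main__':
    for profile, events in events_by_profile(SAMPLE_AUDIT_LOG).items():
        for kind, path, mask in events:
            print(f'{profile}: {kind:<4} {path} (denied_mask={mask})')
```

On a real system the input would be the contents of /var/log/audit/audit.log, the file aa-logprof reads in the output quoted above.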
Hi,

I did a full update this morning, so the apparmor update was installed at the same time as the smb update.

# zypper if apparmor-profiles
...
Information for package apparmor-profiles:
------------------------------------------
Repository     : SLE-Module-Basesystem15-SP3-Updates
Name           : apparmor-profiles
Version        : 2.13.6-150300.3.11.2
Arch           : noarch
Vendor         : SUSE LLC <https://www.suse.com/>
Support Level  : Level 3
Installed Size : 1.5 MiB
Installed      : Yes (automatically)
Status         : up-to-date

On Wed, Feb 2, 2022 at 2:09 PM Christian Boltz <opensuse@cboltz.de> wrote:
> Hello,
>
> On Wednesday, 2 February 2022, 13:02:09 CET, Wilfred van Velzen wrote:
>> I don't really need it because I don't need printing through samba, but I'm curious, so I tried it:
>>
>> # aa-logprof
>> Reading log entries from /var/log/audit/audit.log.
>> Updating AppArmor profiles in /etc/apparmor.d.
>> Target profile exists: /etc/apparmor.d/samba-bgqd
>>
>> Profile:  smbd
>> Execute:  /usr/lib64/samba/samba-bgqd
>> Severity: unknown
>
> That looks like you don't have the latest AppArmor packages installed. Please make sure to have AppArmor 2.13.6 - the update was released only 21 hours ago.
>
> See https://bugzilla.opensuse.org/show_bug.cgi?id=1195412 for some more details.
>
>> (I)nherit / (C)hild / (P)rofile / (N)amed / (U)nconfined / (X) ix On / (D)eny / Abo(r)t / (F)inish
>
> That's the prompt you get when AppArmor hits an "exec" event (a program executed another program, without having a rule for it yet).
>
> The options listed let you choose if the program gets executed under the same AppArmor profile (inherit), or with a separate profile.
>
> <shameless plug>
> If you want to learn what these options mean, have a look at my "AppArmor Crash Course". You can find the slides on blog.cboltz.de, and a recording on media.ccc.de: https://media.ccc.de/v/786-apparmor-crash-course
> (Note: The recording is from 2016, but it only misses a few feature additions. There's also a newer German recording on media.ccc.de)
> </shameless plug>
>
> The security guide on doc.opensuse.org should also get you started.
>
>> I have no clue what to choose here. And there seems to be a big discrepancy with 'man aa-logprof' because it only mentions and explains these options:
>>
>> (A)llow, (D)eny, (I)gnore, (N)ew, (G)lob last piece, (Q)uit
>
> That's the prompt you get when a program tries to access (read, write, lock etc.) a file.
>
> Regards,
>
> Christian Boltz
> --
> * pfak cries in a corner
> <pfak> You think I'm joking. But my desk at work is in a corner.
> <sarnold> that's just smart planning
> <sarnold> put the guy who knows how everything works in the corner, so when he wants to cry in a corner, *bam*, synergies and efficiencies!
> [from #apparmor]

--
Met vriendelijke groet / Best regards,
Wilfred van Velzen