dperson / samba

Samba docker container
GNU Affero General Public License v3.0
1.54k stars 518 forks source link

NT_STATUS_INVALID_LOGON_HOURS and no date set in container #374

Open sbruhse opened 3 years ago

sbruhse commented 3 years ago

Hello! When I am sending a file via my printer (pretty old smb client) I am getting following error message:

usermod: no changes
usermod: no changes
addgroup: gid '1000' in use
No builtin backend found, trying to load plugin
smbd version 4.13.7 started.
Copyright Andrew Tridgell and the Samba Team 1992-2020
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
Processing section "[mount]"
added interface eth0 ip=172.24.0.2 bcast=172.24.255.255 netmask=255.255.0.0
INFO: Profiling support unavailable in this build.
Registered MSG_REQ_POOL_USAGE
No builtin backend found, trying to load plugin
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_POOL_USAGE
daemon_ready: daemon 'smbd' finished starting up and ready to serve connections
waiting for connections
Registered MSG_REQ_POOL_USAGE
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
logon_hours_ok: failed to get gmtime. Failing logon for user scanner
check_ntlm_password:  Authentication for user [scanner] -> [scanner] FAILED with error NT_STATUS_INVALID_LOGON_HOURS, authoritative=1
===============================================================
INTERNAL ERROR: Signal 11: Segmentation fault in pid 112 (4.13.7)
If you are running a recent Samba version, and if you think this problem is not yet fixed in the latest versions, please consider reporting this bug, see https://wiki.samba.org/index.php/Bug_Reporting
===============================================================
PANIC (pid 112): Signal 11: Segmentation fault in 4.13.7
unable to produce a stack trace on this platform
dumping core in /var/log/samba/cores/smbd
Could not find child 87 -- ignoring
Registered MSG_REQ_POOL_USAGE
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
logon_hours_ok: failed to get gmtime. Failing logon for user scanner
check_ntlm_password:  Authentication for user [scanner] -> [scanner] FAILED with error NT_STATUS_INVALID_LOGON_HOURS, authoritative=1
===============================================================
INTERNAL ERROR: Signal 11: Segmentation fault in pid 113 (4.13.7)
If you are running a recent Samba version, and if you think this problem is not yet fixed in the latest versions, please consider reporting this bug, see https://wiki.samba.org/index.php/Bug_Reporting
===============================================================
PANIC (pid 113): Signal 11: Segmentation fault in 4.13.7
unable to produce a stack trace on this platform
dumping core in /var/log/samba/cores/smbd

When I execute a "date" on the container I get back the following: Sun Jan 0 00:100:4174038 1900

The docker-compose.yml is the following:

  samba:
    image: dperson/samba
    restart: always
    ports:
     - "139:139"
     - "445:445"
    volumes:
     - ./incoming:/mount
    command: samba.sh -u "scanner;password;1000;user;1000" -s "mount;/mount;no;no;no;scanner" -w "mayan" -g "log level = 2" -S -p
    environment:
      USERID: 1000
      GLOBAL: 'client min protocol = NT1'
      GLOBAL2: 'ntlm auth = ntlmv1-permitted'

The installation was working once. Since I made a docker-compose pull I discovered that issue. I am running the container on an rpi, so the arm image is been taken.

I hope you can help me.

Greetings Simon

Gareon commented 3 years ago

Hi Simon,

I encountered the same problem today. I noticed that all my containers could not retrieve the time. After a little research, I came across https://wiki.alpinelinux.org/wiki/Release_Notes_for_Alpine_3.13.0#time64_requirements. There the problem is described, and also how to solve (or work around) it. The issue is actually not related to samba, but to running docker on arm (64 bit) itself.

Cite:

In order to run under old Docker or libseccomp versions, the moby default seccomp profile should be downloaded and on line 2, defaultAction changed to SCMP_ACT_TRACE, then --seccomp-profile=default.json can be passed to dockerd, or --security-opt=seccomp=default.json passed to docker create or docker run. This will cause the system calls to return ENOSYS instead of EPERM, allowing the container to fall back to 32-bit time system calls. In this case, the container will not be compatible with dates past 2038.

Alternatively, --security-opt=seccomp=unconfined can be passed with no default.json required, but note that this will reduce the security of the host against malicious code in the container.

Greetings, Gareon