samba-in-kubernetes / sit-environment

SIT (Samba Integration Testing) Framework
GNU General Public License v3.0

Unable to list shares from client using smbclient -L <server> #108

Closed Shwetha-Acharya closed 1 month ago

Shwetha-Acharya commented 2 months ago

smbclient -L <server> always fails with Could not connect to srvsvc pipe: NT_STATUS_CONNECTION_DISCONNECTED even on a properly working sit environment setup.

anoopcs9 commented 2 months ago

Can you also paste the testparm -s output?

Shwetha-Acharya commented 2 months ago

Can you also paste the testparm -s output?

[root@storage2 ~]# testparm -s
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Weak crypto is allowed by GnuTLS (e.g. NTLM as a compatibility fallback)

Server role: ROLE_STANDALONE

Global parameters
[global]
    clustering = Yes
    disable spoolss = Yes
    kernel change notify = No
    load printers = No
    log file = /var/log/samba/log.%m
    max log size = 0
    netbios name = SIT-CEPHFS-TEST
    printcap name = /dev/null
    security = USER
    server string = Samba server version %v
    show add printer wizard = No
    workgroup = MYGROUP
    smbd:fsctl_smbtorture = yes
    idmap config * : backend = tdb
    include = /etc/samba/smb.shares/share.conf
    map archive = No
    posix locking = No
    printing = bsd

[share-cephfs-default]
    comment = Volume 'share' from cephfs(default)
    path = /mnt/share
    read only = No
    vfs objects = acl_xattr
    acl_xattr:ignore system acls = yes
[root@storage2 ~]#

anoopcs9 commented 2 months ago

The following AVC denial entries suggest SELinux involvement when we try to list the services available from a particular server via smbclient:

smbclient -N -L 192.168.123.12
Anonymous login successful

    Sharename       Type      Comment
    ---------       ----      -------
    share-cephfs-vfs Disk      Volume 'share' from cephfs(vfs)
    share-cephfs-default Disk      Volume 'share' from cephfs
    share-xfs-default Disk      Volume 'share' from xfs
    IPC$            IPC       IPC Service (Samba server version 4.21.0pre1-GIT-5b40cdf6e88)
SMB1 disabled -- no workgroup available

type=AVC msg=audit(1719320611.316:194102): avc: denied { write } for pid=2811143 comm="samba-dcerpcd" name="ctdbd.socket" dev="tmpfs" ino=20734 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ctdbd_var_run_t:s0 tclass=sock_file permissive=1

type=AVC msg=audit(1719320611.316:194102): avc: denied { connectto } for pid=2811143 comm="samba-dcerpcd" path="/run/ctdb/ctdbd.socket" scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:system_r:ctdbd_t:s0 tclass=unix_stream_socket permissive=1
type=SYSCALL msg=audit(1719320611.316:194102): arch=c000003e syscall=42 success=yes exit=0 a0=7 a1=7ffdb72d1718 a2=6e a3=556b3d35dad0 items=0 ppid=2811142 pid=2811143 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="samba-dcerpcd" exe="/usr/libexec/samba/samba-dcerpcd" subj=system_u:system_r:winbind_rpcd_t:s0 key=(null)^]ARCH=x86_64 SYSCALL=connect AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"

type=AVC msg=audit(1719320611.330:194103): avc: denied { getattr } for pid=2811144 comm="samba-dcerpcd" path="/run/ctdb/ctdbd.socket" dev="tmpfs" ino=20734 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ctdbd_var_run_t:s0 tclass=sock_file permissive=1
type=SYSCALL msg=audit(1719320611.330:194103): arch=c000003e syscall=262 success=yes exit=0 a0=ffffff9c a1=7fe986cb8000 a2=7ffdb72d1580 a3=0 items=0 ppid=1 pid=2811144 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="samba-dcerpcd" exe="/usr/libexec/samba/samba-dcerpcd" subj=system_u:system_r:winbind_rpcd_t:s0 key=(null)^]ARCH=x86_64 SYSCALL=newfstatat AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"

type=AVC msg=audit(1719320611.332:194104): avc: denied { map } for pid=2811144 comm="samba-dcerpcd" path="/var/lib/ctdb/persistent/secrets.tdb.0" dev="dm-0" ino=202466688 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1719320611.332:194104): arch=c000003e syscall=9 success=yes exit=140640883048448 a0=0 a1=20c000 a2=3 a3=1 items=0 ppid=1 pid=2811144 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="samba-dcerpcd" exe="/usr/libexec/samba/samba-dcerpcd" subj=system_u:system_r:winbind_rpcd_t:s0 key=(null)^]ARCH=x86_64 SYSCALL=mmap AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"

This happened due to the specific SELinux context (winbind_rpcd_exec_t) defined for /usr/libexec/samba/samba-dcerpcd, which doesn't have enough rules to deal with ctdb in a clustered Samba setup.
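As an added illustration of the triage step above (this is editor-supplied example code, not part of the thread, the sit-environment project or the selinux-policy fix), the script below parses the AVC records quoted in the comment, groups them by source domain, target type and object class, and renders the result in the same `allow` shape that `audit2allow` prints. The sample log is constructed from the three denials in the thread with the SYSCALL records stripped down; the function names `parse_avc`, `summarize` and `suggest_rules` are this example's own. The point of the summary is to see at a glance that every denial has `samba-dcerpcd` running as `winbind_rpcd_t` against ctdb-labelled objects, and that `permissive=1` on each record means the denial was only logged, which is what to compare against the upstream policy change rather than a reason to hand-write local rules.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC records quoted in the thread, plus one SYSCALL
# record to show that non-AVC lines are skipped. pid/ino values come from the
# thread; nothing else is invented.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1719320611.316:194102): avc: denied { write } for pid=2811143 comm="samba-dcerpcd" name="ctdbd.socket" dev="tmpfs" ino=20734 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ctdbd_var_run_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1719320611.316:194102): avc: denied { connectto } for pid=2811143 comm="samba-dcerpcd" path="/run/ctdb/ctdbd.socket" scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:system_r:ctdbd_t:s0 tclass=unix_stream_socket permissive=1
type=SYSCALL msg=audit(1719320611.316:194102): arch=c000003e syscall=42 success=yes exit=0 comm="samba-dcerpcd" exe="/usr/libexec/samba/samba-dcerpcd"
type=AVC msg=audit(1719320611.330:194103): avc: denied { getattr } for pid=2811144 comm="samba-dcerpcd" path="/run/ctdb/ctdbd.socket" dev="tmpfs" ino=20734 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ctdbd_var_run_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1719320611.332:194104): avc: denied { map } for pid=2811144 comm="samba-dcerpcd" path="/var/lib/ctdb/persistent/secrets.tdb.0" dev="dm-0" ino=202466688 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=1
"""

# Matches the fixed prefix of an AVC denial; ' +' tolerates the double spaces
# the kernel emits ("avc:  denied  { write } for  pid=...") as well as the
# collapsed single spaces seen in the pasted thread.
AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): '
    r'avc: +denied +\{ (?P<perms>[^}]+)\} +for +(?P<rest>.*)$'
)
# key=value pairs; values are either double-quoted strings or bare tokens.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial record, or None for any other record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return {
        'serial': int(m.group('serial')),
        'perms': m.group('perms').split(),
        'comm': fields.get('comm'),
        # sock_file denials carry name=, others carry path=
        'target': fields.get('path') or fields.get('name'),
        # user:role:type:level -> the type is the third field
        'sdomain': fields['scontext'].split(':')[2],
        'ttype': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
        'permissive': fields.get('permissive') == '1',
    }


def summarize(log_text):
    """Group denials by (source domain, target type, class) -> sorted perms.

    Also counts records with permissive=0, i.e. denials that were actually
    enforced rather than only logged.
    """
    grouped = defaultdict(set)
    enforced = 0
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        grouped[(rec['sdomain'], rec['ttype'], rec['tclass'])].update(rec['perms'])
        if not rec['permissive']:
            enforced += 1
    return {k: sorted(v) for k, v in grouped.items()}, enforced


def suggest_rules(summary):
    """Render the grouped denials as TE allow rules (audit2allow's shape).

    This is a reading aid for comparing against the distribution's policy
    update; it is not a substitute for it.
    """
    return [
        f"allow {sdom} {ttype}:{tclass} {{ {' '.join(perms)} }};"
        for (sdom, ttype, tclass), perms in sorted(summary.items())
    ]


if __name__ == '__main__':
    summary, enforced = summarize(SAMPLE_AUDIT_LOG)
    print(f"{len(summary)} distinct denial patterns, {enforced} enforced")
    for rule in suggest_rules(summary):
        print(rule)
```

Run it against a real `/var/log/audit/audit.log` by replacing `SAMPLE_AUDIT_LOG` with the file contents; on the thread's records it reports three patterns (sock_file getattr/write, unix_stream_socket connectto, file map) all originating from `winbind_rpcd_t`, and zero enforced denials because every record carries `permissive=1`.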

anoopcs9 commented 2 months ago

This happened due to the specific SELinux context (winbind_rpcd_exec_t) defined for /usr/libexec/samba/samba-dcerpcd, which doesn't have enough rules to deal with ctdb in a clustered Samba setup.

https://github.com/fedora-selinux/selinux-policy/issues/2196 created to discuss the situation.

anoopcs9 commented 1 month ago

This happened due to the specific SELinux context (winbind_rpcd_exec_t) defined for /usr/libexec/samba/samba-dcerpcd, which doesn't have enough rules to deal with ctdb in a clustered Samba setup.

fedora-selinux/selinux-policy#2196 created to discuss the situation.

Necessary policy changes got merged upstream via https://github.com/fedora-selinux/selinux-policy/pull/2302.