Closed Shwetha-Acharya closed 1 month ago
Can you also paste the testparm -s output?
[root@storage2 ~]# testparm -s
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Weak crypto is allowed by GnuTLS (e.g. NTLM as a compatibility fallback)

Server role: ROLE_STANDALONE

Global parameters
[global]
    clustering = Yes
    disable spoolss = Yes
    kernel change notify = No
    load printers = No
    log file = /var/log/samba/log.%m
    max log size = 0
    netbios name = SIT-CEPHFS-TEST
    printcap name = /dev/null
    security = USER
    server string = Samba server version %v
    show add printer wizard = No
    workgroup = MYGROUP
    smbd:fsctl_smbtorture = yes
    idmap config * : backend = tdb
    include = /etc/samba/smb.shares/share.conf
    map archive = No
    posix locking = No
    printing = bsd

[share-cephfs-default]
    comment = Volume 'share' from cephfs(default)
    path = /mnt/share
    read only = No
    vfs objects = acl_xattr
    acl_xattr:ignore system acls = yes
[root@storage2 ~]#
The following AVC denial entries suggest SELinux involvement when we try to list the services available from a particular server via smbclient:
smbclient -N -L 192.168.123.12
Anonymous login successful
Sharename Type Comment
--------- ---- -------
share-cephfs-vfs Disk Volume 'share' from cephfs(vfs)
share-cephfs-default Disk Volume 'share' from cephfs
share-xfs-default Disk Volume 'share' from xfs
IPC$ IPC IPC Service (Samba server version 4.21.0pre1-GIT-5b40cdf6e88)
SMB1 disabled -- no workgroup available
type=AVC msg=audit(1719320611.316:194102): avc: denied { write } for pid=2811143 comm="samba-dcerpcd" name="ctdbd.socket" dev="tmpfs" ino=20734 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ctdbd_var_run_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1719320611.316:194102): avc: denied { connectto } for pid=2811143 comm="samba-dcerpcd" path="/run/ctdb/ctdbd.socket" scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:system_r:ctdbd_t:s0 tclass=unix_stream_socket permissive=1
type=SYSCALL msg=audit(1719320611.316:194102): arch=c000003e syscall=42 success=yes exit=0 a0=7 a1=7ffdb72d1718 a2=6e a3=556b3d35dad0 items=0 ppid=2811142 pid=2811143 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="samba-dcerpcd" exe="/usr/libexec/samba/samba-dcerpcd" subj=system_u:system_r:winbind_rpcd_t:s0 key=(null)^]ARCH=x86_64 SYSCALL=connect AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=AVC msg=audit(1719320611.330:194103): avc: denied { getattr } for pid=2811144 comm="samba-dcerpcd" path="/run/ctdb/ctdbd.socket" dev="tmpfs" ino=20734 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ctdbd_var_run_t:s0 tclass=sock_file permissive=1
type=SYSCALL msg=audit(1719320611.330:194103): arch=c000003e syscall=262 success=yes exit=0 a0=ffffff9c a1=7fe986cb8000 a2=7ffdb72d1580 a3=0 items=0 ppid=1 pid=2811144 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="samba-dcerpcd" exe="/usr/libexec/samba/samba-dcerpcd" subj=system_u:system_r:winbind_rpcd_t:s0 key=(null)^]ARCH=x86_64 SYSCALL=newfstatat AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=AVC msg=audit(1719320611.332:194104): avc: denied { map } for pid=2811144 comm="samba-dcerpcd" path="/var/lib/ctdb/persistent/secrets.tdb.0" dev="dm-0" ino=202466688 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1719320611.332:194104): arch=c000003e syscall=9 success=yes exit=140640883048448 a0=0 a1=20c000 a2=3 a3=1 items=0 ppid=1 pid=2811144 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="samba-dcerpcd" exe="/usr/libexec/samba/samba-dcerpcd" subj=system_u:system_r:winbind_rpcd_t:s0 key=(null)^]ARCH=x86_64 SYSCALL=mmap AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
This happened due to specific SELinux context (winbind_rpcd_exec_t) defined for /usr/libexec/samba/samba-dcerpcd which doesn't have enough rules to deal with ctdb in a clustered Samba setup.
https://github.com/fedora-selinux/selinux-policy/issues/2196 created to discuss the situation.
Necessary policy changes got merged upstream via https://github.com/fedora-selinux/selinux-policy/pull/2302.
smbclient -L <server> always fails with "Could not connect to srvsvc pipe: NT_STATUS_CONNECTION_DISCONNECTED" even on a properly working sit environment setup.
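
The AVC denials quoted in this thread, condensed into the type-enforcement rules they imply. This is an added example, not code from the issue or from the selinux-policy project; the sample records are the page's AVC lines trimmed to the fields the parser reads, and the printed rules summarize the log only, not the contents of the merged policy change.

```python
import re
from collections import defaultdict

# Constructed sample: the four AVC records from this thread, trimmed to the
# fields the parser reads (pid, dev, ino and the SYSCALL records are dropped).
SAMPLE = """\
type=AVC msg=audit(1719320611.316:194102): avc: denied { write } for comm="samba-dcerpcd" name="ctdbd.socket" scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ctdbd_var_run_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1719320611.316:194102): avc: denied { connectto } for comm="samba-dcerpcd" path="/run/ctdb/ctdbd.socket" scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:system_r:ctdbd_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1719320611.330:194103): avc: denied { getattr } for comm="samba-dcerpcd" path="/run/ctdb/ctdbd.socket" scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ctdbd_var_run_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1719320611.332:194104): avc: denied { map } for comm="samba-dcerpcd" path="/var/lib/ctdb/persistent/secrets.tdb.0" scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:ctdbd_var_lib_t:s0 tclass=file permissive=1
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+"
    r"tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?"
)

def selinux_type(context):
    # A context is user:role:type:level; the type is the third field.
    return context.split(":")[2]

def summarize(log_text):
    """Group denials as (source type, target type, class) -> permissions."""
    rules, enforced = defaultdict(set), False
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (selinux_type(m["scon"]), selinux_type(m["tcon"]), m["tclass"])
        rules[key].update(m["perms"].split())
        # permissive=1 means the access was logged but not blocked.
        if m["permissive"] != "1":
            enforced = True
    return dict(rules), enforced

def as_allow_rules(rules):
    """Render the grouped denials in policy-rule syntax, sorted for diffing."""
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(rules.items())
    ]

if __name__ == "__main__":
    rules, enforced = summarize(SAMPLE)
    print("\n".join(as_allow_rules(rules)))
    print("blocked by policy:", enforced)
```
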