Bug 1315422

Summary: Access denied if the share path is "/"
Product: Red Hat Enterprise Linux 7 Reporter: Stuart James <stuartjames>
Component: sambaAssignee: Michael Adam <madam>
Status: CLOSED ERRATA QA Contact: Robin Hack <rhack>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 7.2CC: asn, bugs, gdeschner, jarrpa, pgurusid, rhack, rjoseph, rkavunga, rtalur
Target Milestone: pre-dev-freezeKeywords: Triaged
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: samba-4.4.4-1.el7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-11-04 06:59:30 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Stuart James 2016-03-07 16:58:17 UTC 
Description of problem:


Version-Release number of selected component (if applicable):

Centos 7 latest
glusterfs-api-3.6.9-1.el7.x86_64
glusterfs-server-3.6.9-1.el7.x86_64
glusterfs-libs-3.6.9-1.el7.x86_64
glusterfs-3.6.9-1.el7.x86_64
glusterfs-cli-3.6.9-1.el7.x86_64
glusterfs-fuse-3.6.9-1.el7.x86_64

samba-vfs-glusterfs-4.2.3-11.el7_2.x86_64
samba-libs-4.2.3-11.el7_2.x86_64
samba-client-libs-4.2.3-11.el7_2.x86_64
samba-vfs-glusterfs-4.2.3-11.el7_2.x86_64
samba-common-tools-4.2.3-11.el7_2.x86_64
samba-common-libs-4.2.3-11.el7_2.x86_64
samba-4.2.3-11.el7_2.x86_64
samba-common-4.2.3-11.el7_2.noarch


How reproducible:
On demand 


Steps to Reproduce:
1.Setup GlusterFS / Samba configuration as per documentation provided for Gluster 3.0 / 3.1 https://access.redhat.com/documentation/en-US/Red_Hat_Storage/3/html/Administration_Guide/sect-SMB.html
2. Attempt to mount samba share from client (mount -t cifs -o guest,sec=none //gluster2/gluster-mythinvol1 /mnt/samba/mythinvol1)


Actual results:
Samba share is not mountable due to error between samba and gluster

[root@glusterclient1 ~]# mount -t cifs -o guest,sec=none //gluster2/gluster-mythinvol1 /mnt/samba/mythinvol1/
mount error(13): Permission denied


Expected results:
Samba share is mounted


Additional info:

Error log
==> /var/log/samba/log.glusterclient1 <==
[2016/03/07 16:37:08.250984,  0] ../source3/modules/vfs_glusterfs.c:257(vfs_gluster_connect)
  mythinvol1: Initialized volume from server localhost
[2016/03/07 16:37:08.260580,  2] ../source3/smbd/service.c:862(make_connection_snum)
  glusterclient1 (ipv4:192.168.0.121:39139) connect to service gluster-mythinvol1 initially as user nobody (uid=99, gid=99) (pid 28656)
[2016/03/07 16:37:10.848514,  2] ../source3/smbd/vfs.c:1240(check_reduced_name)
  check_reduced_name: Bad access attempt: * is a symlink outside the share path
  conn_rootdir =/
  resolved_name=/./*
[2016/03/07 16:39:25.076492,  2] ../source3/smbd/service.c:1138(close_cnum)
  glusterclient1 (ipv4:192.168.0.121:39139) closed connection to service gluster-mythinvol1


To fix this error i added global configuration to /etc/samba/smb.conf and restarted smb

follow symlinks = yes
wide links = yes
unix extensions = no

After which following command works
[root@glusterclient1 ~]# mount -t cifs -o guest,sec=none //gluster2/gluster-mythinvol1 /mnt/samba/mythinvol1/

└─/mnt/samba/mythinvol1          //gluster2/gluster-mythinvol1
                                            cifs           rw,relatime,vers=1.0,cache=strict,domain=GLUSTER2,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.0.112,file_mode=0755,dir_mode=0755,nounix,serverino,rsi


Additionally i found an error information describing this from Samba https://attachments.samba.org/attachment.cgi?id=11744


Seems to me without these parameters either documented or defaults and according to documentation the functionality does not work.
Comment 1 Michael Adam 2016-03-08 12:51:07 UTC 
Attached patch above is indeed the fix for this issue.
The issue had been introduced as a side effect of a security update 4.2.7:

  https://www.samba.org/samba/history/samba-4.2.7.html

It was fixed in 4.2.8:

 https://www.samba.org/samba/history/samba-4.2.8.html

 https://bugzilla.samba.org/show_bug.cgi?id=11647

The packages used seem to be rhel samba packages.
I guess the bufix need to be ported to these.

It is not a glusterfs bug, afaict.
Comment 3 Michael Adam 2016-03-08 19:02:09 UTC 
This is actually the RHEL-7 clone of this RHEL-7 bug:

https://bugzilla.redhat.com/show_bug.cgi?id=1305870
Comment 4 Michael Adam 2016-03-08 19:02:54 UTC 
(In reply to Michael Adam from comment #3)
> This is actually the RHEL-7 clone of this RHEL-7 bug:

... of this RHEL-6 bug ... :-)

> https://bugzilla.redhat.com/show_bug.cgi?id=1305870
Comment 5 Robin Hack 2016-06-08 11:41:20 UTC 
QA_ACK+
Comment 9 errata-xmlrpc 2016-11-04 06:59:30 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2468.html