Bug 1315422 - Access denied if the share path is "/"
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: samba
Version: 7.2
Hardware: x86_64 Linux
Priority: unspecified
Severity: medium
Target Milestone: pre-dev-freeze
Assigned To: Michael Adam
QA Contact: Robin Hack
Keywords: Triaged
 
Reported: 2016-03-07 11:58 EST by Stuart James
Modified: 2016-11-04 02:59 EDT
Fixed In Version: samba-4.4.4-1.el7
Doc Type: Bug Fix
Last Closed: 2016-11-04 02:59:30 EDT
Type: Bug
External Trackers: Samba Project 11647 (last updated 2016-03-07 11:58 EST)

Description Stuart James 2016-03-07 11:58:17 EST
Description of problem:


Version-Release number of selected component (if applicable):

CentOS 7 latest
glusterfs-api-3.6.9-1.el7.x86_64
glusterfs-server-3.6.9-1.el7.x86_64
glusterfs-libs-3.6.9-1.el7.x86_64
glusterfs-3.6.9-1.el7.x86_64
glusterfs-cli-3.6.9-1.el7.x86_64
glusterfs-fuse-3.6.9-1.el7.x86_64

samba-vfs-glusterfs-4.2.3-11.el7_2.x86_64
samba-libs-4.2.3-11.el7_2.x86_64
samba-client-libs-4.2.3-11.el7_2.x86_64
samba-vfs-glusterfs-4.2.3-11.el7_2.x86_64
samba-common-tools-4.2.3-11.el7_2.x86_64
samba-common-libs-4.2.3-11.el7_2.x86_64
samba-4.2.3-11.el7_2.x86_64
samba-common-4.2.3-11.el7_2.noarch


How reproducible:
On demand 


Steps to Reproduce:
1. Set up GlusterFS / Samba configuration as per documentation provided for Gluster 3.0 / 3.1 https://access.redhat.com/documentation/en-US/Red_Hat_Storage/3/html/Administration_Guide/sect-SMB.html
2. Attempt to mount samba share from client (mount -t cifs -o guest,sec=none //gluster2/gluster-mythinvol1 /mnt/samba/mythinvol1)


Actual results:
Samba share is not mountable due to error between samba and gluster

[root@glusterclient1 ~]# mount -t cifs -o guest,sec=none //gluster2/gluster-mythinvol1 /mnt/samba/mythinvol1/
mount error(13): Permission denied


Expected results:
Samba share is mounted


Additional info:

Error log
==> /var/log/samba/log.glusterclient1 <==
[2016/03/07 16:37:08.250984,  0] ../source3/modules/vfs_glusterfs.c:257(vfs_gluster_connect)
  mythinvol1: Initialized volume from server localhost
[2016/03/07 16:37:08.260580,  2] ../source3/smbd/service.c:862(make_connection_snum)
  glusterclient1 (ipv4:192.168.0.121:39139) connect to service gluster-mythinvol1 initially as user nobody (uid=99, gid=99) (pid 28656)
[2016/03/07 16:37:10.848514,  2] ../source3/smbd/vfs.c:1240(check_reduced_name)
  check_reduced_name: Bad access attempt: * is a symlink outside the share path
  conn_rootdir =/
  resolved_name=/./*
[2016/03/07 16:39:25.076492,  2] ../source3/smbd/service.c:1138(close_cnum)
  glusterclient1 (ipv4:192.168.0.121:39139) closed connection to service gluster-mythinvol1


To fix this error I added global configuration to /etc/samba/smb.conf and restarted smb

follow symlinks = yes
wide links = yes
unix extensions = no

After which the following command works
[root@glusterclient1 ~]# mount -t cifs -o guest,sec=none //gluster2/gluster-mythinvol1 /mnt/samba/mythinvol1/

└─/mnt/samba/mythinvol1          //gluster2/gluster-mythinvol1
                                            cifs           rw,relatime,vers=1.0,cache=strict,domain=GLUSTER2,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.0.112,file_mode=0755,dir_mode=0755,nounix,serverino,rsi


Additionally I found error information describing this from Samba https://attachments.samba.org/attachment.cgi?id=11744


Seems to me without these parameters either documented or defaults and according to documentation the functionality does not work.
Comment 1 Michael Adam 2016-03-08 07:51:07 EST
Attached patch above is indeed the fix for this issue.
The issue had been introduced as a side effect of a security update 4.2.7:

  https://www.samba.org/samba/history/samba-4.2.7.html

It was fixed in 4.2.8:

 https://www.samba.org/samba/history/samba-4.2.8.html

 https://bugzilla.samba.org/show_bug.cgi?id=11647

The packages used seem to be RHEL samba packages.
I guess the bugfix needs to be ported to these.

It is not a glusterfs bug, afaict.
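
An added illustration (not part of the bug report, and not Samba's source): a simplified model of a share-path containment check, assuming the denial in the log above comes from a component-boundary test applied after the prefix match. The function names are hypothetical; the first test case reuses conn_rootdir and resolved_name from the log.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: prefix match, then require the prefix to end on a
 * path-component boundary so that "/srv/share2" is not accepted for the
 * share root "/srv/share". */
static bool inside_share_naive(const char *root, const char *resolved)
{
    size_t n = strlen(root);

    if (strncmp(root, resolved, n) != 0)
        return false;
    /* With root "/", n == 1 and resolved[1] is the first character of the
     * first component, so every path below the root is rejected. */
    return resolved[n] == '/' || resolved[n] == '\0';
}

/* Hypothetical helper: same check, with the "/" corner case handled. A root
 * that already ends in '/' supplies the component boundary itself. */
static bool inside_share_fixed(const char *root, const char *resolved)
{
    size_t n = strlen(root);

    if (n == 0 || strncmp(root, resolved, n) != 0)
        return false;
    if (root[n - 1] == '/')
        return true;
    return resolved[n] == '/' || resolved[n] == '\0';
}

int main(void)
{
    /* Constructed cases; the first pair is taken from the log above. */
    const char *cases[][2] = {
        { "/", "/./*" },
        { "/srv/share", "/srv/share/file" },
        { "/srv/share", "/srv/share2/file" },
    };

    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
        printf("root=%-11s path=%-17s naive=%d fixed=%d\n",
               cases[i][0], cases[i][1],
               inside_share_naive(cases[i][0], cases[i][1]),
               inside_share_fixed(cases[i][0], cases[i][1]));
    return 0;
}
```

With a package that carries the fix (Fixed In Version above: samba-4.4.4-1.el7), the wide links workaround from the description is not needed, which keeps symlink containment in force for the share.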
Comment 3 Michael Adam 2016-03-08 14:02:09 EST
This is actually the RHEL-7 clone of this RHEL-7 bug:

https://bugzilla.redhat.com/show_bug.cgi?id=1305870
Comment 4 Michael Adam 2016-03-08 14:02:54 EST
(In reply to Michael Adam from comment #3)
> This is actually the RHEL-7 clone of this RHEL-7 bug:

... of this RHEL-6 bug ... :-)

> https://bugzilla.redhat.com/show_bug.cgi?id=1305870
Comment 5 Robin Hack 2016-06-08 07:41:20 EDT
QA_ACK+
Comment 9 errata-xmlrpc 2016-11-04 02:59:30 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2468.html
