Bug 1757071 - Deploy new samba DC cause "setup_kerberos_keys: generation of a des-cbc-md5 key failed: Bad encryption type"
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: samba
Version: 31
Hardware: All
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: ---
Assignee: Isaac Boukris
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 1778130
 
Reported: 2019-09-30 14:00 UTC by Dario Lesca
Modified: 2019-11-29 11:10 UTC

Fixed In Version: samba-4.11.2-1.fc31
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1778130 (view as bug list)
Environment:
Last Closed: 2019-11-14 01:12:37 UTC
Type: Bug


Attachments
List of package installed (21.70 KB, text/plain)
2019-09-30 14:00 UTC, Dario Lesca
Screen history of "5 minute and Samba DC is fully installed" (49.73 KB, text/plain)
2019-09-30 20:36 UTC, Dario Lesca

Description Dario Lesca 2019-09-30 14:00:53 UTC
Created attachment 1621152
List of package installed

Description of problem:

Deploying a new Samba DC causes an "ERROR(ldb): uncaught exception - setup_kerberos_keys: generation of a des-cbc-md5 key failed: Bad encryption type"

Version-Release number of selected component (if applicable):

See rpm-qa.txt attached

# dnf -y install samba-client samba-dc samba-winbind attr acl krb5-workstation tdb-tools samba-winbind-clients python ldb-tools bind bind-utils samba-dc-bind-dlz
Last metadata expiration check: 1:32:22 ago on Mon Sep 30 14:10:59 2019.
Package samba-client-2:4.11.0-3.fc31.x86_64 is already installed.
Package samba-dc-2:4.11.0-3.fc31.x86_64 is already installed.
Package samba-winbind-2:4.11.0-3.fc31.x86_64 is already installed.
Package attr-2.4.48-7.fc31.x86_64 is already installed.
Package acl-2.2.53-4.fc31.x86_64 is already installed.
Package krb5-workstation-1.17-45.fc31.x86_64 is already installed.
Package tdb-tools-1.4.2-1.fc31.x86_64 is already installed.
Package samba-winbind-clients-2:4.11.0-3.fc31.x86_64 is already installed.
Package python-unversioned-command-3.7.4-5.fc31.noarch is already installed.
Package ldb-tools-2.0.7-1.fc31.x86_64 is already installed.
Package bind-32:9.11.10-1.fc31.x86_64 is already installed.
Package bind-utils-32:9.11.10-1.fc31.x86_64 is already installed.
Package samba-dc-bind-dlz-2:4.11.0-3.fc31.x86_64 is already installed.
Dependencies resolved.
Nothing to do.
Complete!


# dnf list samba-client samba-dc samba-winbind attr acl krb5-workstation tdb-tools samba-winbind-clients python ldb-tools bind bind-utils samba-dc-bind-dlz
Last metadata expiration check: 0:04:01 ago on Mon Sep 30 15:43:26 2019.
Installed Packages
acl.x86_64                                               2.2.53-4.fc31                                  @fedora         
attr.x86_64                                              2.4.48-7.fc31                                  @fedora         
bind.x86_64                                              32:9.11.10-1.fc31                              @updates-testing
bind-utils.x86_64                                        32:9.11.10-1.fc31                              @fedora         
krb5-workstation.x86_64                                  1.17-45.fc31                                   @updates-testing
ldb-tools.x86_64                                         2.0.7-1.fc31                                   @updates-testing
samba-client.x86_64                                      2:4.11.0-3.fc31                                @updates-testing
samba-dc.x86_64                                          2:4.11.0-3.fc31                                @updates-testing
samba-dc-bind-dlz.x86_64                                 2:4.11.0-3.fc31                                @updates-testing
samba-winbind.x86_64                                     2:4.11.0-3.fc31                                @updates-testing
samba-winbind-clients.x86_64                             2:4.11.0-3.fc31                                @updates-testing
tdb-tools.x86_64                                         1.4.2-1.fc31                                   @fedora        

How reproducible:

Steps to Reproduce:
1. Set up a new Fedora 31 server
2. dnf remove sssd\* (I do not use it)
3. Install the Samba and related packages
4. Deploy a new DC

Actual results:

# test ! -e /etc/krb5.conf.orig && mv /etc/krb5.conf /etc/krb5.conf.orig
# test -e /etc/krb5.conf && mv /etc/krb5.conf /etc/krb5.conf.$(date +%s)

# test ! -e /etc/samba/smb.conf.orig && mv /etc/samba/smb.conf /etc/samba/smb.conf.orig
# test -e /etc/samba/smb.conf && mv /etc/samba/smb.conf /etc/samba/smb.conf.$(date +%s)

# samba-tool domain provision --realm=samba-dc.tld --domain=samba-dc \
    --dns-backend=BIND9_DLZ --use-rfc2307 --server-role=dc --function-level=2008_R2 --adminpass=P@ssw0rd
INFO 2019-09-30 15:36:19,283 pid:987 /usr/lib64/python3.7/site-packages/samba/provision/__init__.py #2128: Looking up IPv4 addresses
INFO 2019-09-30 15:36:19,284 pid:987 /usr/lib64/python3.7/site-packages/samba/provision/__init__.py #2145: Looking up IPv6 addresses
WARNING 2019-09-30 15:36:19,285 pid:987 /usr/lib64/python3.7/site-packages/samba/provision/__init__.py #2152: No IPv6 address will be assigned
INFO 2019-09-30 15:36:19,847 pid:987 /usr/lib64/python3.7/site-packages/samba/provision/__init__.py #2319: Setting up share.ldb
INFO 2019-09-30 15:36:20,106 pid:987 /usr/lib64/python3.7/site-packages/samba/provision/__init__.py #2323: Setting up secrets.ldb
INFO 2019-09-30 15:36:20,293 pid:987 /usr/lib64/python3.7/site-packages/samba/provision/__init__.py #2329: Setting up the registry
INFO 2019-09-30 15:36:21,077 pid:987 /usr/lib64/python3.7/site-packages/samba/provision/__init__.py #2332: Setting up the privileges database
INFO 2019-09-30 15:36:21,477 pid:987 /usr/lib64/python3.7/site-packages/samba/provision/__init__.py #2335: Setting up idmap db
INFO 2019-09-30 15:36:21,741 pid:987 /usr/lib64/python3.7/site-packages/samba/provision/__init__.py #2342: Setting up SAM db
INFO 2019-09-30 15:36:21,813 pid:987 /usr/lib64/python3.7/site-packages/samba/provision/__init__.py #898: Setting up sam.ldb partitions and settings
INFO 2019-09-30 15:36:21,815 pid:987 /usr/lib64/python3.7/site-packages/samba/provision/__init__.py #910: Setting up sam.ldb rootDSE
INFO 2019-09-30 15:36:21,879 pid:987 /usr/lib64/python3.7/site-packages/samba/provision/__init__.py #1339: Pre-loading the Samba 4 and AD schema
Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs

INFO 2019-09-30 15:36:22,011 pid:987 /usr/lib64/python3.7/site-packages/samba/provision/__init__.py #1417: Adding DomainDN: DC=samba-dc,DC=tld
INFO 2019-09-30 15:36:22,089 pid:987 /usr/lib64/python3.7/site-packages/samba/provision/__init__.py #1449: Adding configuration container
INFO 2019-09-30 15:36:22,179 pid:987 /usr/lib64/python3.7/site-packages/samba/provision/__init__.py #1464: Setting up sam.ldb schema
INFO 2019-09-30 15:36:25,765 pid:987 /usr/lib64/python3.7/site-packages/samba/provision/__init__.py #1482: Setting up sam.ldb configuration data
INFO 2019-09-30 15:36:25,968 pid:987 /usr/lib64/python3.7/site-packages/samba/provision/__init__.py #1523: Setting up display specifiers
INFO 2019-09-30 15:36:28,524 pid:987 /usr/lib64/python3.7/site-packages/samba/provision/__init__.py #1531: Modifying display specifiers and extended rights
INFO 2019-09-30 15:36:28,573 pid:987 /usr/lib64/python3.7/site-packages/samba/provision/__init__.py #1538: Adding users container
INFO 2019-09-30 15:36:28,575 pid:987 /usr/lib64/python3.7/site-packages/samba/provision/__init__.py #1544: Modifying users container
INFO 2019-09-30 15:36:28,577 pid:987 /usr/lib64/python3.7/site-packages/samba/provision/__init__.py #1547: Adding computers container
INFO 2019-09-30 15:36:28,579 pid:987 /usr/lib64/python3.7/site-packages/samba/provision/__init__.py #1553: Modifying computers container
INFO 2019-09-30 15:36:28,580 pid:987 /usr/lib64/python3.7/site-packages/samba/provision/__init__.py #1557: Setting up sam.ldb data
INFO 2019-09-30 15:36:28,772 pid:987 /usr/lib64/python3.7/site-packages/samba/provision/__init__.py #1587: Setting up well known security principals
INFO 2019-09-30 15:36:28,830 pid:987 /usr/lib64/python3.7/site-packages/samba/provision/__init__.py #1601: Setting up sam.ldb users and groups
ERROR(ldb): uncaught exception - setup_kerberos_keys: generation of a des-cbc-md5 key failed: Bad encryption type
  File "/usr/lib64/python3.7/site-packages/samba/netcmd/__init__.py", line 186, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python3.7/site-packages/samba/netcmd/domain.py", line 542, in run
    backend_store_size=backend_store_size)
  File "/usr/lib64/python3.7/site-packages/samba/provision/__init__.py", line 2384, in provision
    backend_store_size=backend_store_size)
  File "/usr/lib64/python3.7/site-packages/samba/provision/__init__.py", line 1968, in provision_fill
    backend_store_size=backend_store_size)
  File "/usr/lib64/python3.7/site-packages/samba/provision/__init__.py", line 1607, in fill_samdb
    }, controls=["relax:0", "provision:0"])
  File "/usr/lib64/python3.7/site-packages/samba/provision/common.py", line 55, in setup_add_ldif
    ldb.add_ldif(data, controls)
  File "/usr/lib64/python3.7/site-packages/samba/__init__.py", line 230, in add_ldif
    self.add(msg, controls)

Expected results:
Deployment ends successfully

Additional info:

# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      31

NOTE:
I have removed all sssd packages; could Samba need some of these packages?

Comment 1 Robbie Harwood 2019-09-30 15:35:59 UTC
Single-DES support has been removed from krb5 as per
https://fedoraproject.org/wiki/Changes/krb5_crypto_modernization

I invite you to peruse https://tools.ietf.org/html/rfc6649 ; single-DES
is *NOT SECURE*.  You can find information on migrating at
https://web.mit.edu/kerberos/krb5-latest/doc/admin/advanced/retiring-des.html

Comment 2 Alexander Bokovoy 2019-09-30 15:46:29 UTC
This bug is still needed for Samba to get rid of DES requirements.

Comment 3 Alexander Bokovoy 2019-09-30 15:47:44 UTC
Isaac has a work in progress here: https://gitlab.com/samba-team/devel/samba/commits/iboukris_no_des_mit_118

Comment 4 Dario Lesca 2019-09-30 15:51:14 UTC
OK, thanks.

But now, what must I do to bypass this problem?

Must I file a bug with Samba devel?

Or can I change the procedure to deploy a Samba DC?

Or must I wait for Isaac to release a solution?

If so, at this point samba-dc on Fedora 31 is not usable.

Please let me know.

Many thanks
Dario

Comment 5 Alexander Bokovoy 2019-09-30 15:51:55 UTC
Don't use Fedora 31 right now if you want to deploy Samba DC.

Comment 6 Dario Lesca 2019-09-30 15:55:49 UTC
OK, of course.

This is a test environment to help test samba-dc for Fedora 31.

Thanks

Comment 7 Isaac Boukris 2019-09-30 16:28:55 UTC
Per my testing, it isn't only AD-DC that's non-functional; simpler ops such as domain join also don't work.

@Dario if you can build this branch from source and give it a test it would be nice (I think the remaining failing tests are using DES, so they'll just need to be adjusted, but I need to take a closer look):
https://gitlab.com/samba-team/devel/samba/commits/iboukris_no_des_mit_118

Comment 8 Dario Lesca 2019-09-30 17:31:59 UTC
(In reply to Isaac Boukris from comment #7)
> Per my testing, it isn't only AD-DC that's non-functional; simpler ops such
> as domain join also don't work.
> 
> @Dario if you can build this branch from source and give it a test it would
> be nice (I think the remaining failing tests are using DES, so they'll just
> need to be adjusted, but I need to take a closer look):
> https://gitlab.com/samba-team/devel/samba/commits/iboukris_no_des_mit_118

OK, helping to test is fine for me, but I must know some things.

You mean download samba.src.rpm and rebuild it with a new samba.tar.gz? From what URL do I get it?

I'm sorry, but I need to know how to use your branch; I'm not a developer and I am not familiar with these things.

But if you give me a little push I can try.

Comment 9 Alexander Bokovoy 2019-09-30 17:51:12 UTC
(In reply to Dario Lesca from comment #8)
> OK, helping to test is fine for me, but I must know some things.
> 
> You mean download samba.src.rpm and rebuild it with a new samba.tar.gz? From
> what URL do I get it?
> 
> I'm sorry, but I need to know how to use your branch; I'm not a developer and
> I am not familiar with these things.
> 
> But if you give me a little push I can try.

I'm building a test package in COPR right now. Stay tuned (might fail) ;)

Comment 10 Alexander Bokovoy 2019-09-30 18:13:17 UTC
I generated a build which includes Isaac's patches in https://copr.fedorainfracloud.org/coprs/abbra/samba-nodes-test/:

$ dnf copr enable abbra/samba-nodes-test 
$ dnf install samba-dc
..

Comment 11 Dario Lesca 2019-09-30 20:34:14 UTC
(In reply to Alexander Bokovoy from comment #10)
> I generated a build which includes Isaac's patches in
> https://copr.fedorainfracloud.org/coprs/abbra/samba-nodes-test/:
> 
> $ dnf copr enable abbra/samba-nodes-test 
> $ dnf install samba-dc
> ..

It works! ... thanks Isaac and Alexander!

In 5 minutes I have set up a fully installed Samba DC with 0 problems (see the screen history).

Now I go to test DHCP + Win10 join to domain + a Samba member server + access Win to Samba and Win to Win ... and will let you know.

NOTE: as you can see in the history, I have set KRB5RCACHETYPE="none" in the named daemon startup.

This comes from my old experience (https://lists.samba.org/archive/samba/2017-December/212583.html).

Now I try other things with this flag set, then I try to remove it and let you know.
 
Many thanks!
Dario

Comment 12 Dario Lesca 2019-09-30 20:36:27 UTC
Created attachment 1621265
Screen history of "5 minute and Samba DC is fully installed"

Screen history of a Samba DC + time server + dhcp server installation

Comment 13 Dario Lesca 2019-09-30 22:42:28 UTC
I have set up a CentOS 8 Samba member server and joined it to the DC without problem (OK)

Then I have set up a win10a and a win10b with DHCP, joined them to the DC and accessed \\centos8\public without problem (OK)

Now my network is composed as follows:

* addc1 (Samba Fedora31 DC)
* centos8 (Samba member server with shared data)
* win10a (MS client)
* win10b (MS client)

a) For all PCs, DHCP and DNS update work (OK)

b) Browsing the network from win10* does not show any PC/server (NOT-OK)

c) Access from win10* to centos8 (or addc1) with \\centos8\public works (OK)

d) Browsing win10* from centos8 shows the win10* shares (OK)
[root@centos8 ~]# smbclient -mSMB2 -L win10a -Uospite%Ospite@2019

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Amministrazione remota
        C$              Disk      Condivisione predefinita
        IPC$            IPC       IPC remoto
        public          Disk      


e) Access from centos8 to \\win10a\public (a shared win10a folder) works (OK)
[root@centos8 ~]# smbclient -mSMB2 //win10a/public -Uospite%Ospite@2019 -c ls
  .                                   D        0  Mon Sep 30 18:33:48 2019
  ..                                  D        0  Mon Sep 30 18:33:48 2019
                28694783 blocks of size 4096. 24742374 blocks available

f) Browsing win10a from win10b and vice versa does not work; I get an "Access Denied" error (NOT-OK)

g) From addc1 and centos8, if I try nmblookup win10* I get this result (NOT OK)
[root@centos8 ~]# nmblookup win10a
name_query failed to find name win10a

Now let me know how I can help you to find and resolve the remaining problems (access Win to Win and nmblookup).

Many thanks.

Comment 14 Alexander Bokovoy 2019-10-01 06:35:14 UTC
Dario,

thank you very much for the test. I believe (f) is known and will be fixed when https://github.com/krb5/krb5/pull/983 and https://gitlab.com/samba-team/samba/merge_requests/818 (and some more fixes) are merged in both krb5 and samba.

(g) is somewhat different -- I think there were reports that Windows 10 build 1803 disabled the use of NetBIOS over TCP/IP. You can follow the recipes in https://support.microsoft.com/en-us/help/204279/direct-hosting-of-smb-over-tcp-ip to see what the state of your configuration is.

Comment 15 Alexander Bokovoy 2019-10-02 17:24:26 UTC
Hi,

I have built our current work in progress patches to make Samba AD DC working with MIT Kerberos in https://copr.fedorainfracloud.org/coprs/abbra/samba-nodes-test/. This build is for Fedora 31 and includes fixes for https://bugzilla.redhat.com/show_bug.cgi?id=1748860 and https://bugzilla.redhat.com/show_bug.cgi?id=1757071

Please test it by following these instructions on a Fedora 31 host:

$ dnf copr enable abbra/samba-nodes-test 
$ dnf install samba-dc
..

Once tested and also accepted to Samba upstream, we can do backports to Fedora 30/31.

Comment 16 Dario Lesca 2019-10-03 12:39:50 UTC
On my test Fedora 31 system, where the samba-dc deploy problem was already resolved with the previous patch, I had already enabled abbra's COPR repo, so I did a simple dnf update on addc1 and rebooted all machines.

PC win10a shares a c:\public folder to all.

On PC win10b I did "net use x: \\win10a\public /user:administrator"
and I get "System error 5. Access Denied".

On PC centos8 the same command works:

[root@centos8 ~]# smbclient -mSMB2 //win10a/public -Uadministrator -c ls
Enter MOSCA\administrator's password: 
  .                                   D        0  Mon Sep 30 18:33:48 2019
  ..                                  D        0  Mon Sep 30 18:33:48 2019

                28694783 blocks of size 4096. 24330219 blocks available

Must I do some other tests?

Comment 17 Mikel Pérez 2019-10-11 13:45:16 UTC
I've had my DC set up with abbra's copr for a week and everything is relatively smooth so far

Comment 18 Mikel Pérez 2019-10-11 13:46:37 UTC
how do we get the fixes integrated for f31's release? it shouldn't ship broken packages

Comment 19 Alexander Bokovoy 2019-10-13 09:27:08 UTC
I'd prefer to get the MR818 merged upstream first. There are also a few more fixes we need to actually set up Samba AD DC properly on Fedora 31. I have merged a small part of it upstream already but not everything yet.

Since Fedora 31 is in freeze state already, we can get the fixes into updates-testing right now but not into the stable tree.

Comment 20 Fedora Update System 2019-10-27 13:33:17 UTC
FEDORA-2019-60b6e9e11b has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2019-60b6e9e11b

Comment 21 Fedora Update System 2019-10-30 12:38:00 UTC
FEDORA-2019-534b7929b7 has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2019-534b7929b7

Comment 22 Dario Lesca 2019-10-31 17:10:24 UTC
(In reply to Fedora Update System from comment #21)
> FEDORA-2019-534b7929b7 has been submitted as an update to Fedora 31.
> https://bodhi.fedoraproject.org/updates/FEDORA-2019-534b7929b7

I have installed a fresh Fedora Server 31 and updated it.

To install the new version of Samba I had to enable the updates-testing repo:

yum update  samba --enablerepo updates-testing

Now samba-dc-4.11.1-1.fc31.x86_64 is installed.

Then I deployed my test domain and everything worked well.

Must I also test Win to Win access, or does this version not yet contain the S4U fix?

Many thanks
Dario

Comment 23 Isaac Boukris 2019-10-31 17:22:15 UTC
Hi Dario, thanks for testing.
The fix in Fedora 31 only contains minimal changes to allow functionality; it does not include the S4U fixes, which will take a while.
Regards.

Comment 24 Fedora Update System 2019-11-01 17:21:12 UTC
samba-4.11.2-0.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-534b7929b7

Comment 25 dD.d 2019-11-01 23:01:50 UTC
Hi, I am taking my first stab at Fedora's native samba dc capabilities.

Not sure if this should be brought up here, but selinux inhibits or interferes with many of the samba-tool commands. Is this a known issue?

Most commonly, I see this:

type=AVC msg=audit(1572648105.123:18897): avc: denied { map } for pid=29155 comm="samba-tool" path="/var/lib/samba/private/sam.ldb.d/DC=FORESTDNSZONES,DC=AD,DC=DOM,DC=COM.ldb" dev="dm-2" ino=788569 scontext=staff_u:sysadm_r:sysadm_t:s0:c0.c1023 tcontext=staff_u:object_r:samba_var_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1572648105.123:18897): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=47a000 a2=3 a3=1 items=0 ppid=29153 pid=29155 auid=5000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=6 comm="samba-tool" exe="/usr/bin/python3.7" subj=staff_u:sysadm_r:sysadm_t:s0:c0.c1023 key=(null) 

But also this:

type=AVC msg=audit(1572648174.501:18935): avc: denied { create } for pid=29202 comm="samba-tool" name="29202" scontext=staff_u:sysadm_r:sysadm_t:s0:c0.c1023 tcontext=staff_u:object_r:samba_var_t:s0 tclass=sock_file permissive=0
type=SYSCALL msg=audit(1572648174.501:18935): arch=c000003e syscall=49 success=no exit=-13 a0=6 a1=7fff3b2a8560 a2=6e a3=7fff3b2a8246 items=2 ppid=29200 pid=29202 auid=5000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=6 comm="samba-tool" exe="/usr/bin/python3.7" subj=staff_u:sysadm_r:sysadm_t:s0:c0.c1023 key=(null)
type=CWD msg=audit(1572648174.501:18935): cwd="/home/dc1"
type=PATH msg=audit(1572648174.501:18935): item=0 name="/var/lib/samba/private/msg.sock/" inode=788573 dev=fd:02 mode=040700 ouid=0 ogid=0 rdev=00:00 obj=staff_u:object_r:samba_var_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(1572648174.501:18935): item=1 name="/var/lib/samba/private/msg.sock/29202" nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0

Comment 26 Alexander Bokovoy 2019-11-02 09:15:18 UTC
(In reply to dD.d from comment #25)
> Hi, I am taking my first stab at Fedora's native samba dc capabilities.
> 
> Not sure if this should be brought up here, but selinux inhibits or
> interferes with many of the samba-tool commands. Is this a known issue?
> 
> Most commonly, I see this:
> 
> type=AVC msg=audit(1572648105.123:18897): avc: denied { map } for pid=29155
> comm="samba-tool"
> path="/var/lib/samba/private/sam.ldb.d/DC=FORESTDNSZONES,DC=AD,DC=DOM,DC=COM.
> ldb" dev="dm-2" ino=788569 scontext=staff_u:sysadm_r:sysadm_t:s0:c0.c1023
> tcontext=staff_u:object_r:samba_var_t:s0 tclass=file permissive=0
> type=SYSCALL msg=audit(1572648105.123:18897): arch=c000003e syscall=9
> success=no exit=-13 a0=0 a1=47a000 a2=3 a3=1 items=0 ppid=29153 pid=29155
> auid=5000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0
> ses=6 comm="samba-tool" exe="/usr/bin/python3.7"
> subj=staff_u:sysadm_r:sysadm_t:s0:c0.c1023 key=(null) 
> 
> But also this:
> 
> type=AVC msg=audit(1572648174.501:18935): avc: denied { create } for
> pid=29202 comm="samba-tool" name="29202"
> scontext=staff_u:sysadm_r:sysadm_t:s0:c0.c1023
> tcontext=staff_u:object_r:samba_var_t:s0 tclass=sock_file permissive=0
> type=SYSCALL msg=audit(1572648174.501:18935): arch=c000003e syscall=49
> success=no exit=-13 a0=6 a1=7fff3b2a8560 a2=6e a3=7fff3b2a8246 items=2
> ppid=29200 pid=29202 auid=5000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 tty=pts0 ses=6 comm="samba-tool" exe="/usr/bin/python3.7"
> subj=staff_u:sysadm_r:sysadm_t:s0:c0.c1023 key=(null)
> type=CWD msg=audit(1572648174.501:18935): cwd="/home/dc1"
> type=PATH msg=audit(1572648174.501:18935): item=0
> name="/var/lib/samba/private/msg.sock/" inode=788573 dev=fd:02 mode=040700
> ouid=0 ogid=0 rdev=00:00 obj=staff_u:object_r:samba_var_t:s0 nametype=PARENT
> cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
> type=PATH msg=audit(1572648174.501:18935): item=1
> name="/var/lib/samba/private/msg.sock/29202" nametype=CREATE cap_fp=0
> cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0

Please open a new bug against selinux policy with this. Right now we have the following rules:
# sesearch -A -s sysadm_t -t samba_var_t
allow domain file_type:blk_file map; [ domain_can_mmap_files ]:True
allow domain file_type:chr_file map; [ domain_can_mmap_files ]:True
allow domain file_type:file map; [ domain_can_mmap_files ]:True
allow domain file_type:lnk_file map; [ domain_can_mmap_files ]:True
allow nsswitch_domain samba_var_t:dir { getattr open search };
allow nsswitch_domain samba_var_t:file { getattr ioctl lock open read };
allow sysadm_t file_type:blk_file { getattr relabelfrom relabelto };
allow sysadm_t file_type:chr_file { getattr relabelfrom relabelto };
allow sysadm_t file_type:dir { getattr ioctl lock open read relabelfrom relabelto search };
allow sysadm_t file_type:fifo_file { getattr relabelfrom relabelto };
allow sysadm_t file_type:file { getattr relabelfrom relabelto };
allow sysadm_t file_type:filesystem getattr;
allow sysadm_t file_type:lnk_file { getattr relabelfrom relabelto };
allow sysadm_t file_type:sock_file { getattr relabelfrom relabelto };
allow sysadm_t non_security_file_type:blk_file { getattr relabelfrom relabelto };
allow sysadm_t non_security_file_type:chr_file { getattr relabelfrom relabelto };
allow sysadm_t non_security_file_type:dir { add_name create getattr ioctl link lock open read relabelfrom relabelto remove_name rename reparent rmdir search setattr unlink write };
allow sysadm_t non_security_file_type:fifo_file { getattr relabelfrom relabelto };
allow sysadm_t non_security_file_type:file { append create getattr ioctl link lock open read relabelfrom relabelto rename setattr unlink write };
allow sysadm_t non_security_file_type:lnk_file { append create getattr ioctl link lock read relabelfrom relabelto rename setattr unlink write };
allow sysadm_t non_security_file_type:sock_file { getattr relabelfrom relabelto };
allow sysadm_t samba_var_t:dir { getattr open search };
allow sysadm_usertype file_type:filesystem getattr;
allow sysadm_usertype samba_var_t:dir { getattr open search };

'map' should be covered by the SELinux boolean 'domain_can_mmap_files' which is 'off' by default but the second AVC (create) needs a new rule, it seems.
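A small AVC triage helper, added here as an example (not part of the bug report, of Samba or of the SELinux tooling): it parses the two audit records from comment 25 and a subset of the sesearch rules quoted above and reports, for each denial, whether it is covered by an existing rule, by a boolean-gated rule (so enabling the boolean is the fix) or by nothing (so the policy needs a new rule). It assumes the attribute memberships the comment reasons with (sysadm_t in domain, samba_var_t in file_type), which are not on the page.

```python
import re
from typing import List, Optional, Tuple

# The two AVC records from comment 25 above, copied in as the example's sample input.
AVC_LINES = [
    'type=AVC msg=audit(1572648105.123:18897): avc: denied { map } for pid=29155 '
    'comm="samba-tool" path="/var/lib/samba/private/sam.ldb.d/DC=FORESTDNSZONES,DC=AD,DC=DOM,DC=COM.ldb" '
    'dev="dm-2" ino=788569 scontext=staff_u:sysadm_r:sysadm_t:s0:c0.c1023 '
    'tcontext=staff_u:object_r:samba_var_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1572648174.501:18935): avc: denied { create } for pid=29202 '
    'comm="samba-tool" name="29202" scontext=staff_u:sysadm_r:sysadm_t:s0:c0.c1023 '
    'tcontext=staff_u:object_r:samba_var_t:s0 tclass=sock_file permissive=0',
]

# Subset of the `sesearch -A -s sysadm_t -t samba_var_t` output quoted in comment 26.
SESEARCH_OUTPUT = """\
allow domain file_type:file map; [ domain_can_mmap_files ]:True
allow nsswitch_domain samba_var_t:dir { getattr open search };
allow sysadm_t file_type:sock_file { getattr relabelfrom relabelto };
allow sysadm_t non_security_file_type:file { append create getattr ioctl link lock open read relabelfrom relabelto rename setattr unlink write };
allow sysadm_t non_security_file_type:sock_file { getattr relabelfrom relabelto };
allow sysadm_t samba_var_t:dir { getattr open search };
"""

# ASSUMPTION (not on the page): which types the attributes contain. These follow the comment's
# own reasoning (sysadm_t is a `domain`, samba_var_t a `file_type`); `seinfo -x -a<attr>` lists the real sets.
ATTRIBUTE_MEMBERS = {
    "domain": {"sysadm_t"},
    "file_type": {"samba_var_t"},
    "non_security_file_type": {"samba_var_t"},
}

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}.*?scontext=(?P<scon>\S+)"
    r"\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)
RULE_RE = re.compile(
    r"^allow\s+(?P<src>\S+)\s+(?P<tgt>[^:\s]+):(?P<cls>\S+)\s+"
    r"(?:\{\s*(?P<perms>[^}]+)\}|(?P<perm>[^\s;]+));"
    r"(?:\s*\[\s*(?P<bool>\S+)\s*\]:(?P<val>True|False))?"
)
# A denial is a dict with keys perms (set), stype, ttype, tclass;
# a rule is a dict with keys src, tgt, cls, perms (set), boolean (str or None).

def parse_avc(line: str) -> Optional[dict]:
    """Pull (perms, source type, target type, class) out of one AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # contexts are user:role:type:level; the type is what policy rules refer to
    return {"perms": set(m["perms"].split()), "stype": m["scon"].split(":")[2],
            "ttype": m["tcon"].split(":")[2], "tclass": m["tclass"]}

def parse_rules(text: str) -> List[dict]:
    """Parse `sesearch -A` lines; conditional rules keep the name of their gating boolean."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append({"src": m["src"], "tgt": m["tgt"], "cls": m["cls"],
                          "perms": set((m["perms"] or m["perm"]).split()), "boolean": m["bool"]})
    return rules

def _covers(name: str, type_: str) -> bool:
    """True if `name` is the type itself or an attribute assumed to contain it."""
    return name == type_ or type_ in ATTRIBUTE_MEMBERS.get(name, set())

def triage(denial: dict, rules: List[dict]) -> Tuple[str, List[dict]]:
    """Classify one denial against the rule set, mirroring the reasoning in comment 26."""
    hits = [r for r in rules
            if _covers(r["src"], denial["stype"]) and _covers(r["tgt"], denial["ttype"])
            and r["cls"] == denial["tclass"] and denial["perms"] <= r["perms"]]
    if not hits:
        return "no rule: needs a policy change (new allow rule or local module)", hits
    if all(r["boolean"] for r in hits):
        return "conditional: enable boolean " + ", ".join(sorted({r["boolean"] for r in hits})), hits
    return "unconditional rule exists: check labels (restorecon -v) before touching policy", hits

if __name__ == "__main__":
    policy = parse_rules(SESEARCH_OUTPUT)
    for avc in AVC_LINES:
        d = parse_avc(avc)
        print(f'{d["stype"]} -> {d["ttype"]}:{d["tclass"]} {sorted(d["perms"])}: {triage(d, policy)[0]}')
```

Running it reproduces the comment's conclusion: `map` on the .ldb file is allowed only under domain_can_mmap_files, while `create` on the msg.sock entry matches no rule at all. For a live system, feed it `ausearch -m AVC` output and the full `sesearch -A` output for the source and target types instead of the embedded constants.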

Comment 27 dD.d 2019-11-04 18:52:07 UTC
After enabling domain_can_mmap_files I am unable to reproduce either error, thank you.

Comment 28 dD.d 2019-11-04 21:47:02 UTC
Spoke too soon. That second selinux error is the result of binding to an interface in smb.conf

Opened a ticket here: https://bugzilla.redhat.com/show_bug.cgi?id=1768656

Comment 29 Fedora Update System 2019-11-06 12:16:50 UTC
FEDORA-2019-57d43f3b58 has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2019-57d43f3b58

Comment 30 Fedora Update System 2019-11-07 01:44:33 UTC
samba-4.11.2-1.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-57d43f3b58

Comment 31 Fedora Update System 2019-11-14 01:12:37 UTC
samba-4.11.2-1.fc31 has been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report.

