Created attachment 1621152 [details]
List of packages installed

Description of problem:
Deploying a new samba DC causes "ERROR(ldb): uncaught exception - setup_kerberos_keys: generation of a des-cbc-md5 key failed: Bad encryption type"

Version-Release number of selected component (if applicable):
See rpm-qa.txt attached

# dnf -y install samba-client samba-dc samba-winbind attr acl krb5-workstation tdb-tools samba-winbind-clients python ldb-tools bind bind-utils samba-dc-bind-dlz
Last metadata expiration check: 1:32:22 ago on Mon Sep 30 14:10:59 2019.
Package samba-client-2:4.11.0-3.fc31.x86_64 is already installed.
Package samba-dc-2:4.11.0-3.fc31.x86_64 is already installed.
Package samba-winbind-2:4.11.0-3.fc31.x86_64 is already installed.
Package attr-2.4.48-7.fc31.x86_64 is already installed.
Package acl-2.2.53-4.fc31.x86_64 is already installed.
Package krb5-workstation-1.17-45.fc31.x86_64 is already installed.
Package tdb-tools-1.4.2-1.fc31.x86_64 is already installed.
Package samba-winbind-clients-2:4.11.0-3.fc31.x86_64 is already installed.
Package python-unversioned-command-3.7.4-5.fc31.noarch is already installed.
Package ldb-tools-2.0.7-1.fc31.x86_64 is already installed.
Package bind-32:9.11.10-1.fc31.x86_64 is already installed.
Package bind-utils-32:9.11.10-1.fc31.x86_64 is already installed.
Package samba-dc-bind-dlz-2:4.11.0-3.fc31.x86_64 is already installed.
Dependencies resolved.
Nothing to do.
Complete!

# dnf list samba-client samba-dc samba-winbind attr acl krb5-workstation tdb-tools samba-winbind-clients python ldb-tools bind bind-utils samba-dc-bind-dlz
Last metadata expiration check: 0:04:01 ago on Mon Sep 30 15:43:26 2019.
Installed Packages
acl.x86_64                      2.2.53-4.fc31       @fedora
attr.x86_64                     2.4.48-7.fc31       @fedora
bind.x86_64                     32:9.11.10-1.fc31   @updates-testing
bind-utils.x86_64               32:9.11.10-1.fc31   @fedora
krb5-workstation.x86_64         1.17-45.fc31        @updates-testing
ldb-tools.x86_64                2.0.7-1.fc31        @updates-testing
samba-client.x86_64             2:4.11.0-3.fc31     @updates-testing
samba-dc.x86_64                 2:4.11.0-3.fc31     @updates-testing
samba-dc-bind-dlz.x86_64        2:4.11.0-3.fc31     @updates-testing
samba-winbind.x86_64            2:4.11.0-3.fc31     @updates-testing
samba-winbind-clients.x86_64    2:4.11.0-3.fc31     @updates-testing
tdb-tools.x86_64                1.4.2-1.fc31        @fedora

How reproducible:

Steps to Reproduce:
1. set up a new Fedora 31 server
2. dnf remove sssd\* (not used)
3. install the samba etc. packages
4. deploy a new DC

Actual results:
# test ! -e /etc/krb5.conf.orig && mv /etc/krb5.conf /etc/krb5.conf.orig
# test -e /etc/krb5.conf && mv /etc/krb5.conf /etc/krb5.conf.$(date +%s)
# test ! -e /etc/samba/smb.conf.orig && mv /etc/samba/smb.conf /etc/samba/smb.conf.orig
# test -e /etc/samba/smb.conf && mv /etc/samba/smb.conf /etc/samba/smb.conf.$(date +%s)
# samba-tool domain provision --realm=samba-dc.tld --domain=samba-dc \
    --dns-backend=BIND9_DLZ --use-rfc2307 --server-role=dc --function-level=2008_R2 --adminpass=P@ssw0rd
INFO 2019-09-30 15:36:19,283 pid:987 /usr/lib64/python3.7/site-packages/samba/provision/__init__.py #2128: Looking up IPv4 addresses
INFO 2019-09-30 15:36:19,284 pid:987 /usr/lib64/python3.7/site-packages/samba/provision/__init__.py #2145: Looking up IPv6 addresses
WARNING 2019-09-30 15:36:19,285 pid:987 /usr/lib64/python3.7/site-packages/samba/provision/__init__.py #2152: No IPv6 address will be assigned
INFO 2019-09-30 15:36:19,847 pid:987 /usr/lib64/python3.7/site-packages/samba/provision/__init__.py #2319: Setting up share.ldb
INFO 2019-09-30 15:36:20,106 pid:987 /usr/lib64/python3.7/site-packages/samba/provision/__init__.py #2323: Setting up secrets.ldb
INFO 2019-09-30 15:36:20,293 pid:987 /usr/lib64/python3.7/site-packages/samba/provision/__init__.py #2329: Setting up the registry
INFO 2019-09-30 15:36:21,077 pid:987 /usr/lib64/python3.7/site-packages/samba/provision/__init__.py #2332: Setting up the privileges database
INFO 2019-09-30 15:36:21,477 pid:987 /usr/lib64/python3.7/site-packages/samba/provision/__init__.py #2335: Setting up idmap db
INFO 2019-09-30 15:36:21,741 pid:987 /usr/lib64/python3.7/site-packages/samba/provision/__init__.py #2342: Setting up SAM db
INFO 2019-09-30 15:36:21,813 pid:987 /usr/lib64/python3.7/site-packages/samba/provision/__init__.py #898: Setting up sam.ldb partitions and settings
INFO 2019-09-30 15:36:21,815 pid:987 /usr/lib64/python3.7/site-packages/samba/provision/__init__.py #910: Setting up sam.ldb rootDSE
INFO 2019-09-30 15:36:21,879 pid:987 /usr/lib64/python3.7/site-packages/samba/provision/__init__.py #1339: Pre-loading the Samba 4 and AD schema
Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs
INFO 2019-09-30 15:36:22,011 pid:987 /usr/lib64/python3.7/site-packages/samba/provision/__init__.py #1417: Adding DomainDN: DC=samba-dc,DC=tld
INFO 2019-09-30 15:36:22,089 pid:987 /usr/lib64/python3.7/site-packages/samba/provision/__init__.py #1449: Adding configuration container
INFO 2019-09-30 15:36:22,179 pid:987 /usr/lib64/python3.7/site-packages/samba/provision/__init__.py #1464: Setting up sam.ldb schema
INFO 2019-09-30 15:36:25,765 pid:987 /usr/lib64/python3.7/site-packages/samba/provision/__init__.py #1482: Setting up sam.ldb configuration data
INFO 2019-09-30 15:36:25,968 pid:987 /usr/lib64/python3.7/site-packages/samba/provision/__init__.py #1523: Setting up display specifiers
INFO 2019-09-30 15:36:28,524 pid:987 /usr/lib64/python3.7/site-packages/samba/provision/__init__.py #1531: Modifying display specifiers and extended rights
INFO 2019-09-30 15:36:28,573 pid:987 /usr/lib64/python3.7/site-packages/samba/provision/__init__.py #1538: Adding users container
INFO 2019-09-30 15:36:28,575 pid:987 /usr/lib64/python3.7/site-packages/samba/provision/__init__.py #1544: Modifying users container
INFO 2019-09-30 15:36:28,577 pid:987 /usr/lib64/python3.7/site-packages/samba/provision/__init__.py #1547: Adding computers container
INFO 2019-09-30 15:36:28,579 pid:987 /usr/lib64/python3.7/site-packages/samba/provision/__init__.py #1553: Modifying computers container
INFO 2019-09-30 15:36:28,580 pid:987 /usr/lib64/python3.7/site-packages/samba/provision/__init__.py #1557: Setting up sam.ldb data
INFO 2019-09-30 15:36:28,772 pid:987 /usr/lib64/python3.7/site-packages/samba/provision/__init__.py #1587: Setting up well known security principals
INFO 2019-09-30 15:36:28,830 pid:987 /usr/lib64/python3.7/site-packages/samba/provision/__init__.py #1601: Setting up sam.ldb users and groups
ERROR(ldb): uncaught exception - setup_kerberos_keys: generation of a des-cbc-md5 key failed: Bad encryption type
  File "/usr/lib64/python3.7/site-packages/samba/netcmd/__init__.py", line 186, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python3.7/site-packages/samba/netcmd/domain.py", line 542, in run
    backend_store_size=backend_store_size)
  File "/usr/lib64/python3.7/site-packages/samba/provision/__init__.py", line 2384, in provision
    backend_store_size=backend_store_size)
  File "/usr/lib64/python3.7/site-packages/samba/provision/__init__.py", line 1968, in provision_fill
    backend_store_size=backend_store_size)
  File "/usr/lib64/python3.7/site-packages/samba/provision/__init__.py", line 1607, in fill_samdb
    }, controls=["relax:0", "provision:0"])
  File "/usr/lib64/python3.7/site-packages/samba/provision/common.py", line 55, in setup_add_ldif
    ldb.add_ldif(data, controls)
  File "/usr/lib64/python3.7/site-packages/samba/__init__.py", line 230, in add_ldif
    self.add(msg, controls)

Expected results:
Deploy ends successfully

Additional info:
# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      31

NOTE: I have removed all sssd packages; could samba need some of these packages?
Single-DES support has been removed from krb5 as per https://fedoraproject.org/wiki/Changes/krb5_crypto_modernization I invite you to peruse https://tools.ietf.org/html/rfc6649 ; single-DES is *NOT SECURE*. You can find information on migrating at https://web.mit.edu/kerberos/krb5-latest/doc/admin/advanced/retiring-des.html
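As an added example (not from this bug report, nor from the krb5 or Samba projects), a check an administrator can run over `klist -ket` output before moving a DC or its members to a DES-less krb5: it flags principals whose keys are single-DES and, going one step beyond the comment above, the 3DES/RC4 enctypes that RFC 8429 deprecates. Principals, KVNOs and timestamps in the embedded listing are constructed.

```python
"""Audit a `klist -ket` listing for single-DES keys (RFC 6649). Added example,
not code from this bug or from krb5/Samba: it classifies each principal by
whether it still depends on a single-DES enctype (removed from krb5 on Fedora
31) and also flags the 3DES/RC4 enctypes that RFC 8429 deprecates."""
import re

# Single-DES enctypes as MIT krb5 names them in `klist -e` output.
SINGLE_DES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des-cbc-raw",
              "des-hmac-sha1"}
# Still supported, but deprecated by RFC 8429; should not be the only key.
DEPRECATED = {"des3-cbc-sha1", "arcfour-hmac", "arcfour-hmac-exp"}
# Entry line: KVNO, timestamp (locale dependent), principal, (enctype).
ENTRY = re.compile(r"^\s*(\d+)\s+(.+?)\s+(\S+@\S+)\s+\(([^)]+)\)\s*$")


def parse_klist(listing):
    """Return (kvno, principal, enctype) tuples from `klist -ket` text."""
    entries = []
    for line in listing.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(3), m.group(4).strip()))
    return entries


def classify(enctypes):
    """Verdict for one principal's set of enctypes:
    rekey      - only single-DES keys: unusable on a DES-less krb5, re-key first
    remove-des - strong keys exist alongside single-DES: drop the DES entries
    deprecated - no single-DES, but nothing better than 3DES/RC4 either
    ok         - at least one modern key and no single-DES key
    """
    des = {e for e in enctypes if e in SINGLE_DES}
    weak = {e for e in enctypes if e in DEPRECATED}
    strong = set(enctypes) - des - weak
    if des and not strong and not weak:
        return "rekey"
    if des:
        return "remove-des"
    return "ok" if strong else "deprecated"


def audit_keytab(listing):
    """Map each principal to its verdict and its single-DES enctypes."""
    per_principal = {}
    for _kvno, princ, enctype in parse_klist(listing):
        per_principal.setdefault(princ, set()).add(enctype)
    return {princ: {"verdict": classify(encs),
                    "single_des": sorted(encs & SINGLE_DES)}
            for princ, encs in per_principal.items()}


# Constructed listing in the shape `klist -ket` prints; principals, KVNOs and
# timestamps are made up for this example.
SAMPLE_LISTING = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 09/30/2019 15:36:22 host/addc1.samba-dc.tld@SAMBA-DC.TLD (aes256-cts-hmac-sha1-96)
   2 09/30/2019 15:36:22 host/addc1.samba-dc.tld@SAMBA-DC.TLD (des-cbc-md5)
   1 09/30/2019 15:36:22 legacy/app.samba-dc.tld@SAMBA-DC.TLD (des-cbc-crc)
   3 09/30/2019 15:36:22 HTTP/web.samba-dc.tld@SAMBA-DC.TLD (aes128-cts-hmac-sha1-96)
   1 09/30/2019 15:36:22 cifs/old.samba-dc.tld@SAMBA-DC.TLD (arcfour-hmac)
"""

if __name__ == "__main__":
    for princ, info in audit_keytab(SAMPLE_LISTING).items():
        print(f"{info['verdict']:11}{princ}  single-DES: {info['single_des']}")
```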
This bug is still needed for Samba to get rid of DES requirements.
Isaac has a work in progress here: https://gitlab.com/samba-team/devel/samba/commits/iboukris_no_des_mit_118
Ok, thanks, but now what must I do to bypass this problem? Must I file a bug with samba devel? Or can I change the procedure to deploy a samba DC? Or must I wait for Isaac to release a solution? If so, at this point samba-dc on Fedora 31 is not usable.

Please let me know.

Many thanks
Dario
Don't use Fedora 31 right now if you want to deploy Samba DC.
Ok, of course. This is a test environment to help test samba-dc for Fedora 31.

Thanks
Per my testing, it isn't only AD-DC that's non-functional, simpler ops such as domain join also don't work.

@Dario if you can build this branch from source and give it a test it would be nice (I think the remaining failing tests are using DES, so they'll just need to be adjusted, but I need to take a closer look):
https://gitlab.com/samba-team/devel/samba/commits/iboukris_no_des_mit_118
(In reply to Isaac Boukris from comment #7)
> Per my testing, it isn't only AD-DC that's non-functional, simpler ops such
> domain join also don't work.
> 
> @Dario if you can build this branch from source and give it a test it would
> be nice (I think the remaining failing tests are using DES, so they'll just
> need to be adjusted, but I need to take a closer look):
> https://gitlab.com/samba-team/devel/samba/commits/iboukris_no_des_mit_118

Ok, helping to test is fine for me, but I must know some things.

You mean download samba.src.rpm and rebuild it with a new samba.tar.gz? From what URL do I get it?

I'm sorry, but I need to know how to use your branch; I'm not a developer and I am not familiar with these things.

But if you give me a little push I can try.
(In reply to Dario Lesca from comment #8)
> Ok, help to test is fine for me, but I must know some things
> 
> You means download samba.src.rpm, and rebuild with a new samba.tar.gz? from
> what url I get it?
> 
> I'm sorry but I need to know how to use your branch, I'm not a developer and
> I am not familiar with this things.
> 
> But if you give me a little push I can try

I'm building a test package in COPR right now. Stay tuned (might fail) ;)
I generated a build which includes Isaac's patches in https://copr.fedorainfracloud.org/coprs/abbra/samba-nodes-test/:

$ dnf copr enable abbra/samba-nodes-test
$ dnf install samba-dc
..
(In reply to Alexander Bokovoy from comment #10)
> I generated a build which includes Isaac's patches in
> https://copr.fedorainfracloud.org/coprs/abbra/samba-nodes-test/:
> 
> $ dnf copr enable abbra/samba-nodes-test
> $ dnf install samba-dc
> ..

It works! ... thanks Isaac and Alexander!

In 5 minutes I have set up, with 0 problems, a full Samba DC (see the screen history).

Now I go to test dhcp + win10 join to domain + a samba member server + access win to samba and win to win ... and will let you know.

NOTE: as you can see in the history, I have set KRB5RCACHETYPE="none" in the named startup daemon. This comes from my old experience (https://lists.samba.org/archive/samba/2017-December/212583.html). Now I try other things with this flag set, then I try to remove it and let you know.

Many thanks!
Dario
Created attachment 1621265 [details]
Screen history of "5 minute and Samba DC is fully installed"

Screen history of a Samba DC + time server + dhcp server installation
I have set up a CentOS 8 samba member server and joined it to the DC without problem (OK)

Then I have set up a win10a and a win10b in dhcp, joined them to the DC and accessed \\centos8\public without problem (OK)

Now my network is composed as follows:

* addc1 (Samba Fedora31 DC)
* centos8 (Samba member server with shared data)
* win10a (MS client)
* win10b (MS client)

a) For all PCs, DHCP and DNS update work (OK)

b) Browsing the network from win10* does not show any PC/server (NOT-OK)

c) Access from win10* to centos8 (or addc1) with \\centos8\public works (OK)

d) Browsing win10* from centos8 shows the win10* shares (OK)

[root@centos8 ~]# smbclient -mSMB2 -L win10a -Uospite%Ospite@2019

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Amministrazione remota
        C$              Disk      Condivisione predefinita
        IPC$            IPC       IPC remoto
        public          Disk

e) Access from centos8 to \\win10a\public (a shared win10a folder) works (OK)

[root@centos8 ~]# smbclient -mSMB2 //win10a/public -Uospite%Ospite@2019 -c ls
  .                                   D        0  Mon Sep 30 18:33:48 2019
  ..                                  D        0  Mon Sep 30 18:33:48 2019

                28694783 blocks of size 4096. 24742374 blocks available

f) Browsing win10a from win10b and vice versa does not work, I get an "Access Denied" error (NOT-OK)

g) From addc1 and centos8, if I try nmblookup win10* I get this result (NOT OK)

[root@centos8 ~]# nmblookup win10a
name_query failed to find name win10a

Now let me know how I can help you in order to find and resolve the remaining problems (access win to win and nmblookup).

Many Thanks.
Dario, thank you very much for the test. I believe (f) is known and will be fixed when https://github.com/krb5/krb5/pull/983 and https://gitlab.com/samba-team/samba/merge_requests/818 (and some more fixes) would be merged in both krb5 and samba. (g) is somewhat different -- I think there were reports that Windows 10 build 1803 disabled use of NetBIOS over TCP/IP. You can follow recipes in https://support.microsoft.com/en-us/help/204279/direct-hosting-of-smb-over-tcp-ip to see what's the state of your configuration.
Hi,

I have built our current work in progress patches to make Samba AD DC work with MIT Kerberos in https://copr.fedorainfracloud.org/coprs/abbra/samba-nodes-test/. This build is for Fedora 31 and includes fixes for https://bugzilla.redhat.com/show_bug.cgi?id=1748860 and https://bugzilla.redhat.com/show_bug.cgi?id=1757071

Please test it by following these instructions on a Fedora 31 host:

$ dnf copr enable abbra/samba-nodes-test
$ dnf install samba-dc
..

Once tested and also accepted to Samba upstream, we can do backports to Fedora 30/31.
On my test Fedora 31 system, to resolve the samba-dc deploy problem (already resolved with the previous patch), I had already enabled abbra's copr repo, then I did a simple dnf update on addc1 and rebooted all machines.

PC win10a shares a c:\public folder to all.

On PC win10b I did "net use x: \\win10a\public /user:administrator" and I get "System errore 5. Access Denied"

On PC centos8 the same command works:

[root@centos8 ~]# smbclient -mSMB2 //win10a/public -Uadministrator -c ls
Enter MOSCA\administrator's password:
  .                                   D        0  Mon Sep 30 18:33:48 2019
  ..                                  D        0  Mon Sep 30 18:33:48 2019

                28694783 blocks of size 4096. 24330219 blocks available

Must I do some other test?
I've had my DC set up with abbra's copr for a week and everything is relatively smooth so far.
How do we get the fixes integrated for f31's release? It shouldn't ship broken packages.
I'd prefer to get MR818 merged upstream first. There are also a few more fixes we need to actually set up Samba AD DC properly on Fedora 31. I have merged a small part of it upstream already but not everything yet. Since Fedora 31 is in freeze state already, we can get the fixes into updates-testing right now but not into the stable tree.
FEDORA-2019-60b6e9e11b has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2019-60b6e9e11b
FEDORA-2019-534b7929b7 has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2019-534b7929b7
(In reply to Fedora Update System from comment #21)
> FEDORA-2019-534b7929b7 has been submitted as an update to Fedora 31.
> https://bodhi.fedoraproject.org/updates/FEDORA-2019-534b7929b7

I have installed a fresh Fedora Server 31 and updated it.

To install the new version of samba I had to enable the updates-testing repo:
yum update samba --enablerepo updates-testing

Now samba-dc-4.11.1-1.fc31.x86_64 is installed.

Then I deployed my test domain and everything worked well.

Must I also test Win to Win access, or does this version not yet contain the S4U fix?

Many thanks
Dario
Hi Dario, thanks for testing. The fix in fedora 31 only contains minimal changes to allow functionality, it does not include S4U fixes, this will take a while. Regards.
samba-4.11.2-0.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-534b7929b7
Hi, I am taking my first stab at Fedora's native samba dc capabilities.

Not sure if this should be brought up here, but selinux inhibits or interferes with many of the samba-tool commands. Is this a known issue?

Most commonly, I see this:

type=AVC msg=audit(1572648105.123:18897): avc: denied { map } for pid=29155 comm="samba-tool" path="/var/lib/samba/private/sam.ldb.d/DC=FORESTDNSZONES,DC=AD,DC=DOM,DC=COM.ldb" dev="dm-2" ino=788569 scontext=staff_u:sysadm_r:sysadm_t:s0:c0.c1023 tcontext=staff_u:object_r:samba_var_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1572648105.123:18897): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=47a000 a2=3 a3=1 items=0 ppid=29153 pid=29155 auid=5000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=6 comm="samba-tool" exe="/usr/bin/python3.7" subj=staff_u:sysadm_r:sysadm_t:s0:c0.c1023 key=(null)

But also this:

type=AVC msg=audit(1572648174.501:18935): avc: denied { create } for pid=29202 comm="samba-tool" name="29202" scontext=staff_u:sysadm_r:sysadm_t:s0:c0.c1023 tcontext=staff_u:object_r:samba_var_t:s0 tclass=sock_file permissive=0
type=SYSCALL msg=audit(1572648174.501:18935): arch=c000003e syscall=49 success=no exit=-13 a0=6 a1=7fff3b2a8560 a2=6e a3=7fff3b2a8246 items=2 ppid=29200 pid=29202 auid=5000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=6 comm="samba-tool" exe="/usr/bin/python3.7" subj=staff_u:sysadm_r:sysadm_t:s0:c0.c1023 key=(null)
type=CWD msg=audit(1572648174.501:18935): cwd="/home/dc1"
type=PATH msg=audit(1572648174.501:18935): item=0 name="/var/lib/samba/private/msg.sock/" inode=788573 dev=fd:02 mode=040700 ouid=0 ogid=0 rdev=00:00 obj=staff_u:object_r:samba_var_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(1572648174.501:18935): item=1 name="/var/lib/samba/private/msg.sock/29202" nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
(In reply to dD.d from comment #25)
> Hi, I am taking my first stab at Fedora's native samba dc capabilities.
> 
> Not sure if this should be brought up here, but selinux inhibits or
> interferes with many of the samba-tool commands. Is this a known issue?
> 
> Most commonly, I see this:
> 
> type=AVC msg=audit(1572648105.123:18897): avc: denied { map } for pid=29155
> comm="samba-tool"
> path="/var/lib/samba/private/sam.ldb.d/DC=FORESTDNSZONES,DC=AD,DC=DOM,DC=COM.
> ldb" dev="dm-2" ino=788569 scontext=staff_u:sysadm_r:sysadm_t:s0:c0.c1023
> tcontext=staff_u:object_r:samba_var_t:s0 tclass=file permissive=0
> type=SYSCALL msg=audit(1572648105.123:18897): arch=c000003e syscall=9
> success=no exit=-13 a0=0 a1=47a000 a2=3 a3=1 items=0 ppid=29153 pid=29155
> auid=5000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0
> ses=6 comm="samba-tool" exe="/usr/bin/python3.7"
> subj=staff_u:sysadm_r:sysadm_t:s0:c0.c1023 key=(null)
> 
> But also this:
> 
> type=AVC msg=audit(1572648174.501:18935): avc: denied { create } for
> pid=29202 comm="samba-tool" name="29202"
> scontext=staff_u:sysadm_r:sysadm_t:s0:c0.c1023
> tcontext=staff_u:object_r:samba_var_t:s0 tclass=sock_file permissive=0
> type=SYSCALL msg=audit(1572648174.501:18935): arch=c000003e syscall=49
> success=no exit=-13 a0=6 a1=7fff3b2a8560 a2=6e a3=7fff3b2a8246 items=2
> ppid=29200 pid=29202 auid=5000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 tty=pts0 ses=6 comm="samba-tool" exe="/usr/bin/python3.7"
> subj=staff_u:sysadm_r:sysadm_t:s0:c0.c1023 key=(null)
> type=CWD msg=audit(1572648174.501:18935): cwd="/home/dc1"
> type=PATH msg=audit(1572648174.501:18935): item=0
> name="/var/lib/samba/private/msg.sock/" inode=788573 dev=fd:02 mode=040700
> ouid=0 ogid=0 rdev=00:00 obj=staff_u:object_r:samba_var_t:s0 nametype=PARENT
> cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
> type=PATH msg=audit(1572648174.501:18935): item=1
> name="/var/lib/samba/private/msg.sock/29202" nametype=CREATE cap_fp=0
> cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0

Please open a new bug against selinux policy with this. Right now we have the following rules:

# sesearch -A -s sysadm_t -t samba_var_t
allow domain file_type:blk_file map; [ domain_can_mmap_files ]:True
allow domain file_type:chr_file map; [ domain_can_mmap_files ]:True
allow domain file_type:file map; [ domain_can_mmap_files ]:True
allow domain file_type:lnk_file map; [ domain_can_mmap_files ]:True
allow nsswitch_domain samba_var_t:dir { getattr open search };
allow nsswitch_domain samba_var_t:file { getattr ioctl lock open read };
allow sysadm_t file_type:blk_file { getattr relabelfrom relabelto };
allow sysadm_t file_type:chr_file { getattr relabelfrom relabelto };
allow sysadm_t file_type:dir { getattr ioctl lock open read relabelfrom relabelto search };
allow sysadm_t file_type:fifo_file { getattr relabelfrom relabelto };
allow sysadm_t file_type:file { getattr relabelfrom relabelto };
allow sysadm_t file_type:filesystem getattr;
allow sysadm_t file_type:lnk_file { getattr relabelfrom relabelto };
allow sysadm_t file_type:sock_file { getattr relabelfrom relabelto };
allow sysadm_t non_security_file_type:blk_file { getattr relabelfrom relabelto };
allow sysadm_t non_security_file_type:chr_file { getattr relabelfrom relabelto };
allow sysadm_t non_security_file_type:dir { add_name create getattr ioctl link lock open read relabelfrom relabelto remove_name rename reparent rmdir search setattr unlink write };
allow sysadm_t non_security_file_type:fifo_file { getattr relabelfrom relabelto };
allow sysadm_t non_security_file_type:file { append create getattr ioctl link lock open read relabelfrom relabelto rename setattr unlink write };
allow sysadm_t non_security_file_type:lnk_file { append create getattr ioctl link lock read relabelfrom relabelto rename setattr unlink write };
allow sysadm_t non_security_file_type:sock_file { getattr relabelfrom relabelto };
allow sysadm_t samba_var_t:dir { getattr open search };
allow sysadm_usertype file_type:filesystem getattr;
allow sysadm_usertype samba_var_t:dir { getattr open search };

'map' should be covered by the SELinux boolean 'domain_can_mmap_files' which is 'off' by default but the second AVC (create) needs a new rule, it seems.
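Added example (not the reporter's code, nor the selinux-policy project's) that applies the reasoning in the comment above to the audit records: it parses AVC lines, separates denials the domain_can_mmap_files boolean covers from those that need a new rule, and emits an audit2allow-style line for the latter. The two AVC records in the sample are the ones quoted above; the SYSCALL/PATH lines beside them are shortened, constructed stand-ins.

```python
"""Triage SELinux AVC denials the way the comment above does.

Added example, not code from this bug or the selinux-policy project. It parses
type=AVC audit records and decides whether the denial is covered by the
domain_can_mmap_files boolean (the sesearch output above grants 'map' on
file/lnk_file/chr_file/blk_file to any domain when it is on) or needs a new
allow rule, which it prints in audit2allow style as a starting point only.
"""
import re

AVC_RE = re.compile(
    r"^type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Boolean-gated grants to any 'domain', copied from the sesearch output above.
BOOLEAN_GRANTS = {
    "domain_can_mmap_files": {"classes": {"file", "lnk_file", "chr_file",
                                          "blk_file"}, "perms": {"map"}},
}


def parse_avc(record):
    """Return the interesting fields of one AVC record, or None otherwise."""
    m = AVC_RE.match(record.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "perms": set(m.group("perms").split()),
        "source_type": fields["scontext"].split(":")[2],  # e.g. sysadm_t
        "target_type": fields["tcontext"].split(":")[2],  # e.g. samba_var_t
        "tclass": fields["tclass"],
        "comm": fields.get("comm", ""),
        "permissive": fields.get("permissive") == "1",
    }


def triage(avc):
    """Name the boolean that covers the denial, or the rule it would need."""
    for name, grant in BOOLEAN_GRANTS.items():
        if avc["tclass"] in grant["classes"] and avc["perms"] <= grant["perms"]:
            return {"kind": "boolean", "fix": f"setsebool -P {name} on"}
    perms = " ".join(sorted(avc["perms"]))
    if len(avc["perms"]) > 1:
        perms = "{ " + perms + " }"
    rule = f"allow {avc['source_type']} {avc['target_type']}:{avc['tclass']} {perms};"
    return {"kind": "rule", "fix": rule}


def triage_log(text):
    """Parse and triage every AVC record in an audit log excerpt."""
    return [(a, triage(a)) for a in map(parse_avc, text.splitlines()) if a]


# The two AVC records quoted above, plus shortened SYSCALL/PATH records of the
# kind audit prints alongside them (constructed; they are skipped).
SAMPLE_LOG = """\
type=AVC msg=audit(1572648105.123:18897): avc: denied { map } for pid=29155 comm="samba-tool" path="/var/lib/samba/private/sam.ldb.d/DC=FORESTDNSZONES,DC=AD,DC=DOM,DC=COM.ldb" dev="dm-2" ino=788569 scontext=staff_u:sysadm_r:sysadm_t:s0:c0.c1023 tcontext=staff_u:object_r:samba_var_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1572648105.123:18897): arch=c000003e syscall=9 success=no exit=-13 comm="samba-tool"
type=AVC msg=audit(1572648174.501:18935): avc: denied { create } for pid=29202 comm="samba-tool" name="29202" scontext=staff_u:sysadm_r:sysadm_t:s0:c0.c1023 tcontext=staff_u:object_r:samba_var_t:s0 tclass=sock_file permissive=0
type=PATH msg=audit(1572648174.501:18935): item=1 name="/var/lib/samba/private/msg.sock/29202" nametype=CREATE
"""

if __name__ == "__main__":
    for avc, verdict in triage_log(SAMPLE_LOG):
        print(f"{avc['comm']} {avc['tclass']} {sorted(avc['perms'])}: "
              f"{verdict['kind']} -> {verdict['fix']}")
```

The boolean table holds only the grants visible in the sesearch output above; on a real host, `audit2allow` and `sesearch` remain the authoritative tools.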
After enabling domain_can_mmap_files I am unable to reproduce either error, thank you.
Spoke too soon. That second selinux error is the result of binding to an interface in smb.conf.

Opened a ticket here: https://bugzilla.redhat.com/show_bug.cgi?id=1768656
FEDORA-2019-57d43f3b58 has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2019-57d43f3b58
samba-4.11.2-1.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-57d43f3b58
samba-4.11.2-1.fc31 has been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report.