RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 2152899 - Samba shares not accessible from MacOS Ventura after upgrade to Samba 4.16.4-2.el8
Summary: Samba shares not accessible from MacOS Ventura after upgrade to Samba 4.16.4-...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: samba
Version: 8.7
Hardware: x86_64
OS: All
unspecified
medium
Target Milestone: rc
: ---
Assignee: Andreas Schneider
QA Contact: Denis Karpelevich
URL:
Whiteboard:
Depends On:
Blocks: 2156056 2170394
TreeView+ depends on / blocked
 
Reported: 2022-12-13 13:33 UTC by Bijesh Thekkepat
Modified: 2023-05-16 11:14 UTC (History)
7 users (show)

Fixed In Version: samba-4.17.5-2.el8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 2156056 2170394 (view as bug list)
Environment:
Last Closed: 2023-05-16 09:08:22 UTC
Type: Bug
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)
Share access error from macOS (104.59 KB, image/png)
2022-12-13 13:33 UTC, Bijesh Thekkepat 		no flags Details
View All


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHELPLAN-141994 0 None None None 2022-12-13 13:35:38 UTC
Red Hat Issue Tracker SSSD-5351 0 None None None 2022-12-23 15:35:24 UTC
Red Hat Product Errata RHSA-2023:2987 0 None None None 2023-05-16 09:09:23 UTC
Samba Project 15265 0 None None None 2022-12-23 15:30:13 UTC

Description Bijesh Thekkepat 2022-12-13 13:33:33 UTC 
Created attachment 1932365 [details]
Share access error from macOS

Description of problem:

Cannot connect to Samba shares anymore from MacOS Ventura after upgrade to Samba 4.16.4-2.el8 on RHEL 8.7. Shares are accessible locally using smbclient. No issues reported on Windows clients.
Shares are accessible if we do 'yum downgrade samba.x86_64', so that the version of samba is 4.15.5-10.el8_6

Error reported on MacOS is "There was a problem connecting to the server "" There are no shares available or you are not allowed to access them on the server. Please contact your system administrator to resolve the problem"

Attached "smb_connection_error_v2.png"

Version-Release number of selected component (if applicable):

RHEL 8.7
python3-samba-4.16.4-2.el8.x86_64                           Wed Nov 16 09:25:27 2022
samba-4.16.4-2.el8.x86_64                                   Wed Nov 16 09:25:28 2022
samba-client-4.16.4-2.el8.x86_64                            Wed Nov 16 09:25:28 2022
samba-client-libs-4.16.4-2.el8.x86_64                       Wed Nov 16 09:25:27 2022
samba-common-4.16.4-2.el8.noarch                            Wed Nov 16 09:25:26 2022
samba-common-libs-4.16.4-2.el8.x86_64                       Wed Nov 16 09:25:27 2022
samba-common-tools-4.16.4-2.el8.x86_64                      Wed Nov 16 09:25:27 2022
samba-libs-4.16.4-2.el8.x86_64                              Wed Nov 16 09:25:27 2022

How reproducible:

1] configure smb.conf as below


[global]
	workgroup = SAMBA
	security = user
	passdb backend = tdbsam
	printing = cups
	printcap name = cups
	load printers = yes
	cups options = raw
	access based share enum = yes
	log level = 10
	debug pid = true
	max log size = 0

~~~
[testshare]
comment = My Samba share
path = /testshare
read only = no
guest ok = no
valid users = username
write list = username
~~~

Restart smb service

# systemctl restart smb

# mkdir /testshare
# chown username /testshare
# chcon -R -t samba_share_t /testshare

# smbpasswd -a username

- Share can be accessed locally using smbclient
- Share can be accessed if samba downgraded to samba-4.15.5-10.el8_6 but not accessible from samba-4.16.4-2.el8 (RHEL 8.7)


Actual results:

~~~
[2022/11/16 09:31:41, 10, pid=35489, effective(1001, 100), real(1001, 0)] ../../source3/smbd/share_access.c:239(user_ok_token)
  user_ok_token: share IPC$ is ok for unix user username
[2022/11/16 09:31:41,  2, pid=35489, effective(1001, 100), real(1001, 0)] ../../lib/tdb_wrap/tdb_wrap.c:65(tdb_wrap_log)
  tdb(/var/lib/samba/share_info.tdb): tdb_open_ex: could not open file /var/lib/samba/share_info.tdb: Permission denied <---
[2022/11/16 09:31:41,  3, pid=35489, effective(1001, 100), real(1001, 0)] ../../lib/dbwrap/dbwrap_tdb.c:484(db_open_tdb)
  Could not open tdb: Permission denied
[2022/11/16 09:31:41,  0, pid=35489, effective(1001, 100), real(1001, 0)] ../../source3/lib/sharesec.c:162(share_info_db_init)
  Failed to open share info database /var/lib/samba/share_info.tdb (Permission denied)
[2022/11/16 09:31:41, 10, pid=35489, effective(1001, 100), real(1001, 0), class=rpc_srv] ../../source3/rpc_server/srvsvc/srv_srvsvc_nt.c:664(init_srv_share_info_ctr)
  NOT counting service IPC$
[2022/11/16 09:31:41,  3, pid=35489, effective(1001, 100), real(1001, 0)] ../../libcli/security/dom_sid.c:216(dom_sid_parse_endp)
  string_to_sid: SID username is not in a valid format
[2022/11/16 09:31:41, 10, pid=35489, effective(1001, 100), real(1001, 0)] ../../source3/passdb/lookup_sid.c:124(lookup_name)
  lookup_name: STAGING-FS1\username => domain=[STAGING-FS1], name=[username]
~~~

Tried removing the /var/lib/samba/*.tdb but did not help.


Expected results:

The share should be accessible from MacOS Ventura on Samba 4.16.4-2.el8 like it did when on  4.15.5-10.el8_6

Additional info:

# id username
uid=1001(username) gid=100(users) groups=100(users),1001(admin_users)

# pdbedit -L | grep username
username:1001:

# ls -ld /var/lib/samba/
drwxr-xr-x. 7 root root 216 Nov 14 15:40 /var/lib/samba/

# ls -laZ /var/lib/samba/share_info.tdb
-rw-------. 1 root root system_u:object_r:samba_var_t:s0 421888 Sep 26 16:07 /var/lib/samba/share_info.tdb

Attached error screenshot "smb_connection_error_v2.png"
Comment 3 Andreas Schneider 2022-12-19 14:37:39 UTC 
Could you please check if SELINUX prevents that smbd can open /var/lib/samba/share_info.tdb? What are the file permissions for this file?
Comment 5 Andreas Schneider 2022-12-21 16:02:23 UTC 
Then I would guess it is SELinux preventing access to the file.
Comment 7 Andreas Schneider 2022-12-23 15:08:49 UTC 
I think this is https://gitlab.com/samba-team/devel/samba/-/commit/9197bc430697a04fe6653882c96558af30aa611f
Comment 18 errata-xmlrpc 2023-05-16 09:08:22 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Low: samba security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:2987
Note You need to log in before you can comment on or make changes to this bug.