Samba: root preexec gave 83 - failing connection

[phillxnet]

During the development of "(t) Samba shares not accessible - 5.0.6-0 & 5.0.7-0 #2794" #2797 a similarly located failure has been observed. A reproducer system has yet to be reported based on a rockstor install. Post the above fix we hope to investigate if this same issue exists in freshly created installers as we are now in release candidate testing phase.

Client

CLI openSUSE 15.5: hostname: philip-mg

smbclient --version
Version 4.17.12-git.455.b299ac1e60150500.3.20.1SUSE-oS15.0-x86_64

smbclient //192.168.2.160/test_share01 -U radmin --password=pass
tree connect failed: NT_STATUS_ACCESS_DENIED

This same client successfully connects to rockstor installer derived instances (15.3 & 15.4)

Server

JeOS/MinimalVM derived rockstor development instances openSUSE 15.5 & Tumbleweed

15.5

smbd --version
Version 4.17.12-git.455.b299ac1e60150500.3.20.1SUSE-oS15.0-x86_64

tail -f /var/log/samba/log.philip-mg

[2024/02/08 15:39:12.160224,  3] ../../lib/util/access.c:374(allow_access)
  Allowed connection from 192.168.2.172 (192.168.2.172)
[2024/02/08 15:39:12.160366,  3] ../../source3/smbd/smb2_service.c:611(make_connection_snum)
  make_connection_snum: Connect path is '/tmp' for service [IPC$]
[2024/02/08 15:39:12.160459,  3] ../../source3/smbd/vfs.c:115(vfs_init_default)
  Initialising default vfs hooks
[2024/02/08 15:39:12.160493,  3] ../../source3/smbd/vfs.c:141(vfs_init_custom)
  Initialising custom vfs hooks from [/[Default VFS]/]
[2024/02/08 15:39:12.160735,  3] ../../source3/smbd/smb2_service.c:840(make_connection_snum)
  philip-mg (ipv4:192.168.2.172:50344) signed connect to service IPC$ initially as user radmin (uid=1001, gid=100) (pid 30576)
[2024/02/08 15:39:12.161231,  3] ../../source3/smbd/msdfs.c:1144(get_referred_path)
  get_referred_path: |test_share01| in dfs path \192.168.2.199\test_share01 is not a dfs root.
[2024/02/08 15:39:12.161284,  3] ../../source3/smbd/smb2_server.c:3963(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_NOT_FOUND] || at ../../source3/smbd/smb2_ioctl.c:353
[2024/02/08 15:39:12.161867,  3] ../../source3/smbd/smb2_service.c:937(close_cnum)
  philip-mg (ipv4:192.168.2.172:50344) closed connection to service IPC$
[2024/02/08 15:39:12.162461,  3] ../../lib/util/access.c:374(allow_access)
  Allowed connection from 192.168.2.172 (192.168.2.172)
[2024/02/08 15:39:12.162551,  3] ../../source3/smbd/smb2_service.c:611(make_connection_snum)
  make_connection_snum: Connect path is '/mnt2/test_share01' for service [test_share01]
[2024/02/08 15:39:12.162621,  3] ../../source3/smbd/vfs.c:115(vfs_init_default)
  Initialising default vfs hooks
[2024/02/08 15:39:12.162663,  3] ../../source3/smbd/vfs.c:141(vfs_init_custom)
  Initialising custom vfs hooks from [/[Default VFS]/]
[2024/02/08 15:39:12.179161,  1] ../../source3/smbd/smb2_service.c:706(make_connection_snum)
  root preexec gave 83 - failing connection
[2024/02/08 15:39:12.179389,  3] ../../source3/smbd/smb2_server.c:3963(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../../source3/smbd/smb2_tcon.c:151
[2024/02/08 15:39:12.180075,  3] ../../source3/smbd/smb2_server.c:3963(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_NETWORK_NAME_DELETED] || at ../../source3/smbd/smb2_server.c:3253
[2024/02/08 15:39:12.181053,  3] ../../source3/smbd/server_exit.c:230(exit_server_common)
  Server exit (NT_STATUS_END_OF_FILE)

[2024/02/08 15:39:12.179161, 1] ../../source3/smbd/smb2_service.c:706(make_connection_snum)
root preexec gave 83 - failing connection

Tumblweed

smbd --version
Version 4.19.4-git.339.acf1ccaa020SUSE-oS16.9-x86_64

tail -f /var/log/samba/log.philip-mg

[2024/02/08 15:27:24.735344,  3] ../../lib/util/access.c:372(allow_access)
  Allowed connection from 192.168.2.172 (192.168.2.172)
[2024/02/08 15:27:24.735475,  3] ../../source3/smbd/smb2_service.c:584(make_connection_snum)
  make_connection_snum: Connect path is '/tmp' for service [IPC$]
[2024/02/08 15:27:24.735539,  3] ../../source3/smbd/vfs.c:115(vfs_init_default)
  Initialising default vfs hooks
[2024/02/08 15:27:24.735574,  3] ../../source3/smbd/vfs.c:141(vfs_init_custom)
  Initialising custom vfs hooks from [/[Default VFS]/]
[2024/02/08 15:27:24.736394,  3] ../../source3/smbd/msdfs.c:984(get_referred_path)
  get_referred_path: |test_share01| in dfs path \192.168.2.160\test_share01 is not a dfs root.
[2024/02/08 15:27:24.736444,  3] ../../source3/smbd/smb2_server.c:4031(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_NOT_FOUND] || at ../../source3/smbd/smb2_ioctl.c:353
[2024/02/08 15:27:24.737667,  3] ../../lib/util/access.c:372(allow_access)
  Allowed connection from 192.168.2.172 (192.168.2.172)
[2024/02/08 15:27:24.737756,  3] ../../source3/smbd/smb2_service.c:584(make_connection_snum)
  make_connection_snum: Connect path is '/mnt2/test_share01' for service [test_share01]
[2024/02/08 15:27:24.737800,  3] ../../source3/smbd/vfs.c:115(vfs_init_default)
  Initialising default vfs hooks
[2024/02/08 15:27:24.737819,  3] ../../source3/smbd/vfs.c:141(vfs_init_custom)
  Initialising custom vfs hooks from [/[Default VFS]/]
[2024/02/08 15:27:24.742239,  1] ../../source3/smbd/smb2_service.c:679(make_connection_snum)
  make_connection_snum: root preexec gave 83 - failing connection
[2024/02/08 15:27:24.742376,  3] ../../source3/smbd/smb2_server.c:4031(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../../source3/smbd/smb2_tcon.c:151
[2024/02/08 15:27:24.742994,  3] ../../source3/smbd/smb2_server.c:4031(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_NETWORK_NAME_DELETED] || at ../../source3/smbd/smb2_server.c:3322
[2024/02/08 15:27:24.743925,  3] ../../source3/smbd/server_exit.c:229(exit_server_common)
  Server exit (NT_STATUS_END_OF_FILE)

[2024/02/08 15:27:24.742239, 1] ../../source3/smbd/smb2_service.c:679(make_connection_snum)
make_connection_snum: root preexec gave 83 - failing connection

[phillxnet]

A potentially useful pointer / additional-info on the above indicated failure:

• We/samba appears to have inadequate privileges in these reproducer systems:

Tumbleweed server example "Uses openSUSE Tumbleweed: 20240206"

tail -f /var/log/audit/audit.log

type=AVC msg=audit(1707409214.047:291): apparmor="DENIED" operation="exec" class="file" profile="smbd" name="/usr/bin/bash" pid=12631 comm="smbd[192.168.2." requested_mask="x" denied_mask="x" fsuid=0 ouid=0

[2024/02/08 16:20:14.053529,  1] ../../source3/smbd/smb2_service.c:679(make_connection_snum)
  make_connection_snum: root preexec gave 83 - failing connection
[2024/02/08 16:20:14.053704,  3] ../../source3/smbd/smb2_server.c:4031(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../../source3/smbd/smb2_tcon.c:151
[2024/02/08 16:20:14.054605,  3] ../../source3/smbd/smb2_server.c:4031(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_NETWORK_NAME_DELETED] || at ../../source3/smbd/smb2_server.c:3322
[2024/02/08 16:20:14.055807,  3] ../../source3/smbd/server_exit.c:229(exit_server_common)
  Server exit (NT_STATUS_END_OF_FILE)

So this may be relevant to a future goal as indicated in:
Adopt dedicated 'rockstor' user for systemd services #2700

[Hooverdan96]

I did read some old posts about apparmor interfering with Samba because of how the profiles are set up. But I thought at this point we have apparmor disabled?

[phillxnet]

@Hooverdan96 Re:

But I thought at this point we have apparmor disabled?

Yes, that was my understanding also. But the reproducers here were not from rockstor installs. However we still disable the service in initrock I think. Hence the anomaly of this issue. It's a show stopper of sorts - hence moving to next testing release rpm and trialling a new installer build to get more info on this. Pretty sure it's a 'root' not allowed execution type thing which makes sense. Hence the referenced issue.

[phillxnet]

To confirm that this issue does NOT exist on a freshly built (today) installer, profile "Tumbleweed.x86_64" using the 5.0.8-0 testing rpm. See: https://github.com/rockstor/rockstor-installer

Client

smbclient //192.168.2.105/test_share01 -U radmin --password=pass
Try "help" to get a list of possible commands.
smb: \> mkdir issue2798
smb: \> ls
  .                                   D        0  Thu Feb 15 17:48:53 2024
  ..                                  D        0  Thu Feb 15 17:48:53 2024
  issue2798                           D        0  Thu Feb 15 17:48:53 2024

                7864320 blocks of size 1024. 5233152 blocks available
smb: \> q

server log

[2024/02/15 17:44:22.934908,  3] ../../lib/util/access.c:372(allow_access)
  Allowed connection from 192.168.2.172 (192.168.2.172)
[2024/02/15 17:44:22.934990,  3] ../../source3/smbd/smb2_service.c:584(make_connection_snum)
  make_connection_snum: Connect path is '/tmp' for service [IPC$]
[2024/02/15 17:44:22.935037,  3] ../../source3/smbd/vfs.c:115(vfs_init_default)
  Initialising default vfs hooks
[2024/02/15 17:44:22.935056,  3] ../../source3/smbd/vfs.c:141(vfs_init_custom)
  Initialising custom vfs hooks from [/[Default VFS]/]
[2024/02/15 17:44:22.935803,  3] ../../source3/smbd/msdfs.c:984(get_referred_path)
  get_referred_path: |test_share01| in dfs path \192.168.2.105\test_share01 is not a dfs root.
[2024/02/15 17:44:22.935832,  3] ../../source3/smbd/smb2_server.c:4031(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_NOT_FOUND] || at ../../source3/smbd/smb2_ioctl.c:353
[2024/02/15 17:44:22.937246,  3] ../../lib/util/access.c:372(allow_access)
  Allowed connection from 192.168.2.172 (192.168.2.172)
[2024/02/15 17:44:22.937323,  3] ../../source3/smbd/smb2_service.c:584(make_connection_snum)
  make_connection_snum: Connect path is '/mnt2/test_share01' for service [test_share01]
[2024/02/15 17:44:22.937365,  3] ../../source3/smbd/vfs.c:115(vfs_init_default)
  Initialising default vfs hooks
[2024/02/15 17:44:22.937383,  3] ../../source3/smbd/vfs.c:141(vfs_init_custom)
  Initialising custom vfs hooks from [/[Default VFS]/]
[2024/02/15 17:44:24.625010,  3] ../../source3/smbd/smb2_service.c:814(make_connection_snum)
  philip-mg (ipv4:192.168.2.172:48678) signed connect to service test_share01 initially as user radmin (uid=1000, gid=1000) (pid 12310)
[2024/02/15 17:49:08.026607,  3] ../../source3/smbd/dir.c:798(smbd_dirptr_get_entry)
  smbd_dirptr_get_entry: mask=[*] found . fname=. (.)
[2024/02/15 17:49:08.026730,  3] ../../source3/smbd/dir.c:798(smbd_dirptr_get_entry)
  smbd_dirptr_get_entry: mask=[*] found . fname=.. (..)
[2024/02/15 17:49:08.026874,  3] ../../source3/smbd/dir.c:798(smbd_dirptr_get_entry)
  smbd_dirptr_get_entry: mask=[*] found issue2798 fname=issue2798 (issue2798)
[2024/02/15 17:49:08.027814,  3] ../../source3/smbd/smb2_server.c:4031(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[STATUS_NO_MORE_FILES] || at ../../source3/smbd/smb2_query_directory.c:160
[2024/02/15 17:49:08.030339,  3] ../../source3/smbd/smb2_trans2.c:2035(smbd_do_qfsinfo)
  smbd_do_qfsinfo: level = 1003
[2024/02/15 17:49:11.712909,  3] ../../source3/smbd/smb2_service.c:907(close_cnum)
  philip-mg (ipv4:192.168.2.172:48678) closed connection to service test_share01
[2024/02/15 17:49:11.714624,  3] ../../source3/smbd/server_exit.c:229(exit_server_common)
  Server exit (NT_STATUS_END_OF_FILE)