Bug 1198309 - After last updates samba did not work
Status: REOPENED
Classification: openSUSE
Product: openSUSE Tumbleweed
Component: Samba
Assigned To: The 'Opening Windows to a Wider World' guys
Depends on: 1198718
Reported: 2022-04-11 09:14 UTC by Igor Kuznetsov
Modified: 2022-05-12 14:40 UTC (History)
Description Igor Kuznetsov 2022-04-11 09:14:33 UTC
After last updates samba did not work

While starting got the error [2022/04/11 13:00:35.927769,  0] ../../source3/smbd/server.c:1741(main) but status is active


systemctl status smb
● smb.service - Samba SMB Daemon
     Loaded: loaded (/usr/lib/systemd/system/smb.service; enabled; vendor preset: disabled)
     Active: active (running) since Mon 2022-04-11 13:00:36 +04; 9min ago
       Docs: man:smbd(8)
             man:samba(7)
             man:smb.conf(5)
    Process: 6290 ExecStartPre=/usr/share/samba/update-apparmor-samba-profile (code=exited, status=0/SUCCESS)
   Main PID: 6294 (smbd)
     Status: "smbd: ready to serve connections..."
      Tasks: 4 (limit: 4915)
        CPU: 158ms
     CGroup: /system.slice/smb.service
             ├─6294 /usr/sbin/smbd --foreground --no-process-group
             ├─6296 /usr/sbin/smbd --foreground --no-process-group
             ├─6297 /usr/sbin/smbd --foreground --no-process-group
             └─6738 /usr/sbin/smbd --foreground --no-process-group

апр 11 13:00:35 lnxvrx53 systemd[1]: Starting Samba SMB Daemon...
апр 11 13:00:35 lnxvrx53 smbd[6294]: [2022/04/11 13:00:35.927769,  0] ../../source3/smbd/server.c:1741(main)
апр 11 13:00:35 lnxvrx53 smbd[6294]:   smbd version 4.16.0-git.224.70319beb8f8SUSE-oS15.9-x86_64 started.
апр 11 13:00:35 lnxvrx53 smbd[6294]:   Copyright Andrew Tridgell and the Samba Team 1992-2022
апр 11 13:00:36 lnxvrx53 systemd[1]: Started Samba SMB Daemon.
Comment 1 Noel Power 2022-04-11 09:32:45 UTC
(In reply to Igor Kuznetsov from comment #0)
> After last updates samba did not work
> 
> While starting got the error [2022/04/11 13:00:35.927769,  0]
> ../../source3/smbd/server.c:1741(main) but status is active

> 
> systemctl status smb
> ● smb.service - Samba SMB Daemon
>      Loaded: loaded (/usr/lib/systemd/system/smb.service; enabled; vendor
> preset: disabled)
>      Active: active (running) since Mon 2022-04-11 13:00:36 +04; 9min ago
>        Docs: man:smbd(8)
>              man:samba(7)
>              man:smb.conf(5)
>     Process: 6290
> ExecStartPre=/usr/share/samba/update-apparmor-samba-profile (code=exited,
> status=0/SUCCESS)
>    Main PID: 6294 (smbd)
>      Status: "smbd: ready to serve connections..."
>       Tasks: 4 (limit: 4915)
>         CPU: 158ms
>      CGroup: /system.slice/smb.service
>              ├─6294 /usr/sbin/smbd --foreground --no-process-group
>              ├─6296 /usr/sbin/smbd --foreground --no-process-group
>              ├─6297 /usr/sbin/smbd --foreground --no-process-group
>              └─6738 /usr/sbin/smbd --foreground --no-process-group
> 
> апр 11 13:00:35 lnxvrx53 systemd[1]: Starting Samba SMB Daemon...
> апр 11 13:00:35 lnxvrx53 smbd[6294]: [2022/04/11 13:00:35.927769,  0]
> ../../source3/smbd/server.c:1741(main)
> апр 11 13:00:35 lnxvrx53 smbd[6294]:   smbd version
> 4.16.0-git.224.70319beb8f8SUSE-oS15.9-x86_64 started.
> апр 11 13:00:35 lnxvrx53 smbd[6294]:   Copyright Andrew Tridgell and the
> Samba Team 1992-2022
> апр 11 13:00:36 lnxvrx53 systemd[1]: Started Samba SMB Daemon.

these messages and the status are showing that samba is running normally
Comment 2 Noel Power 2022-04-11 09:33:43 UTC
marking as invalid please reopen if necessary
Comment 3 Igor Kuznetsov 2022-04-11 10:15:09 UTC
Sorry, it is running but clients can not connect to samba
Comment 4 Noel Power 2022-04-11 11:34:12 UTC
(In reply to Igor Kuznetsov from comment #3)
> Sorry, it is running but clients can not connect to samba

you will need to provide some more detailed information: what kind of clients are attempting to connect? how are they connecting? are all users affected? what errors are reported to the client? What kind of setup do you have? is samba running on a machine that is a client in a windows domain or a standalone server etc.

For a start you should maybe upload your smb.conf in addition to explaining exactly what problems you are experiencing
Comment 5 Michael Pujos 2022-04-11 22:34:35 UTC
I also have issues on a setup that worked perfectly using 4.15.5 just yesterday.
Something is definitely broken.

smbd is a simple server with just 2 shares.

First, it is impossible to list shares with 'smbclient -L localhost':


	Sharename       Type      Comment
	---------       ----      -------
SMB1 disabled -- no workgroup available


I can connect to a share with 'smbclient //localhost/SHARE_NAME' but that's all.

Any attempt to connect to a share from a Windows 11 PC does nothing: it asks for the l/p and does nothing.
Attempting to connect from dolphin (smb://localhost/SHARE_NAME) also does not work.

I've enabled logging in smbd but the output is a bit verbose and it's hard to tell what it's doing... If you know a better configuration for "log level", let me know.


Configuration below (with just 1 share, the other being similar):


[global]
        workgroup = WORKGROUP
        passdb backend = tdbsam
        administrative share = no 
        netbios name = foobar
        name resolve order = bcast wins lmhosts
        printcap name = cups
        printcap cache time = 750
        cups options = raw
        map to guest = Bad User
        logon path = \\%L\profiles\.msprofile
        logon home = \\%L\%U\.9xprofile
        logon drive = P:
        usershare allow guests = No
        wins support = yes
        load printers = no
        printing = bsd
        printcap name = /dev/null
        disable spoolss = yes
        show add printer wizard = no
        log level = 3
        logging = file

[D]
        inherit acls = Yes
        path = /mnt/d
        read only = No
Comment 6 Michael Pujos 2022-04-11 23:47:26 UTC
OK, I think I found the culprit:

- Update to 4.16.0
  * New samba-dcerpcd binary to provide DCERPC in the member server
    setup

Everything works fine again if I start samba-dcerpcd manually in a shell (with 'rpc start on demand helpers = false' in smb.conf):


sudo /usr/lib64/samba/samba-dcerpcd -i --libexec-rpcds


My guess is that there is a problem with smbd starting automatically samba-dcerpcd, which according to doc it should do by default.
Comment 7 Felix Niederwanger 2022-04-12 06:53:53 UTC
I can also confirm that this is an issue since updating from TW 20220406 to 20220409. In caja/nemo I can list samba shares of my home NAS but connecting to them always results in an "Invalid argument" error on the client side. Nothing shows up in the journal.

I could reproduce the issue now in a clean TW VM running Mate by creating a simple samba share in /etc/samba/smb.conf and trying to connect to it:

> [test]
>         path = "/srv/samba"
>         guest ok = true
>         readonly = true

caja refuses to connect with "Invalid argument".

@Michael Pujos - I tried your suggestion but without any luck. I added

> [global]
>        rpc start on demand helpers = false

After restarting the samba server, I run the following command as root but still cannot connect

> /usr/lib64/samba/samba-dcerpcd -i --libexec-rpcds

Am I missing something?
Comment 8 Noel Power 2022-04-12 07:58:41 UTC
yes, it appears that new dcerpc system is the culprit (indirectly) and apparmor is what is preventing samba from working. I was working on tweaking apparmor yesterday, please keep an eye on

https://build.opensuse.org/package/show/home:npower:branches:security:apparmor/apparmor

for a green build and try it (I'll try to update here when I see it green) it would be really really useful to get some testing of the apparmor profile changes

I'm afraid there isn't an easy patch to one or two apparmor profiles as quite a few new dcerpc related processes (and therefore profiles) need to be created
Comment 9 Michael Pujos 2022-04-12 09:18:02 UTC
@Felix Niederwanger

Maybe the firewall is blocking some ports? samba-dcerpcd uses ports 49153-49155 and port 135:

sudo netstat -anp | grep samba-dcerpcd
tcp        0      0 0.0.0.0:49154           0.0.0.0:*               LISTEN      3720/samba-dcerpcd  
tcp        0      0 0.0.0.0:49155           0.0.0.0:*               LISTEN      3720/samba-dcerpcd  
tcp        0      0 0.0.0.0:49153           0.0.0.0:*               LISTEN      3720/samba-dcerpcd  
tcp        0      0 0.0.0.0:135             0.0.0.0:*               LISTEN      3720/samba-dcerpcd  


In any case, if dcerpc is working, you should be able to list shares on your local server  with 'smbclient -U user -L localhost'
Comment 10 Felix Niederwanger 2022-04-12 12:06:30 UTC
@Michael Pujos Ultimately in my VM I could connect to the VM by disabling apparmor. I think this issue is coming from the VM configuration, so consider my previous comment as unrelated.

Thanks for the info!
Comment 11 Noel Power 2022-04-13 11:29:00 UTC
please try the apparmor packages from https://download.opensuse.org/repositories/home:/npower:/branches:/security:/apparmor/openSUSE_Tumbleweed/

and report back
Comment 12 Noel Power 2022-04-13 11:30:35 UTC
(In reply to Noel Power from comment #11)

> and report back

especially any new smbd / winbindd / samba-dcerpcd / rpcd_* related deny messages in /var/log/audit/audit.log
Comment 13 Michael Pujos 2022-04-13 12:04:40 UTC
Working fine here browsing shares with Dolphin and Windows 11 Explorer.

There are a few seemingly benign denied entries in audit.log, but they do not cause any problem browsing shares.
/var/log/samba/yop.log is the temp log filename I have configured in smb.conf:

type=AVC msg=audit(1649850982.998:294): apparmor="DENIED" operation="rename_src" profile="smbd" name="/var/log/samba/yop.log" pid=6769 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

type=AVC msg=audit(1649851013.562:302): apparmor="DENIED" operation="rename_src" profile="samba-dcerpcd" name="/var/log/samba/yop.log" pid=6807 comm="samba-dcerpcd" requested_mask="r" denied_mask="r" \
fsuid=0 ouid=0

type=AVC msg=audit(1649851172.930:312): apparmor="DENIED" operation="open" profile="smbd" name="/mnt/d/Perso/Photos/" pid=7568 comm="smbd" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Comment 14 Noel Power 2022-04-13 12:08:54 UTC
(In reply to Michael Pujos from comment #13)
> Working fine here browsing shares with Dolphin and Windows 11 Explorer.
> 
sounds good, thanks for testing
> 
> type=AVC msg=audit(1649851172.930:312): apparmor="DENIED" operation="open"
> profile="smbd" name="/mnt/d/Perso/Photos/" pid=7568 comm="smbd"
> requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

hmm, that looks like a share entry maybe missing from the generated /etc/apparmor.d/local/usr.sbin.smbd-shares (but that is a different issue if that is the case)
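One way to triage the deny messages requested in comment 12 and discussed in comments 13 and 14, as an added example that is not part of the original thread or of the Samba or AppArmor tooling: it groups AppArmor DENIED records for the smbd, winbindd, samba-dcerpcd and rpcd_* profiles and flags names that fall under a share path. The function names, the colon-separated share list and the hint column are assumptions; the sample lines are constructed, modelled on comment 13.

```shell
#!/bin/sh
# Added example: summarise AppArmor denials for the Samba-related profiles.
# Reads audit.log-style text on stdin. Function names are hypothetical.

# Constructed sample records, modelled on the ones quoted in comment 13.
sample_audit_lines() {
    cat <<'EOF'
type=AVC msg=audit(1649850982.998:294): apparmor="DENIED" operation="rename_src" profile="smbd" name="/var/log/samba/yop.log" pid=6769 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1649851013.562:302): apparmor="DENIED" operation="rename_src" profile="samba-dcerpcd" name="/var/log/samba/yop.log" pid=6807 comm="samba-dcerpcd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1649851172.930:312): apparmor="DENIED" operation="open" profile="smbd" name="/mnt/d/Perso/Photos/" pid=7568 comm="smbd" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1649851180.100:313): apparmor="DENIED" operation="open" profile="smbd" name="/mnt/d/Perso/Photos/" pid=7568 comm="smbd" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1649851190.000:314): apparmor="DENIED" operation="open" profile="cupsd" name="/etc/example" pid=900 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
EOF
}

# Usage: samba_denials [share_path[:share_path...]] < audit.log
# Output: count<TAB>profile<TAB>operation<TAB>denied_mask<TAB>name<TAB>hint
# hint is "under-share:<path>" when the denied name lies below a share path,
# which points at a missing entry in the smbd-shares snippet (comment 14).
samba_denials() {
    awk -v shares="${1:-}" '
    # Return the value of key="value" from the current record, or "-".
    function field(key,   s) {
        if (!match($0, " " key "=\"[^\"]*\"")) return "-"
        s = substr($0, RSTART, RLENGTH)
        sub(/^[^"]*"/, "", s); sub(/"$/, "", s)
        return s
    }
    BEGIN { n = split(shares, share, ":") }
    /apparmor="DENIED"/ {
        p = field("profile")
        # Only the profiles named in comment 12.
        if (p !~ /^(smbd|winbindd|samba-dcerpcd|rpcd_.*)$/) next
        name = field("name"); hint = "-"
        for (i = 1; i <= n; i++)
            if (share[i] != "" && index(name, share[i] "/") == 1)
                hint = "under-share:" share[i]
        seen[p "\t" field("operation") "\t" field("denied_mask") "\t" name "\t" hint]++
    }
    END { for (k in seen) printf "%d\t%s\n", seen[k], k }
    ' | sort -t "$(printf '\t')" -k2,2 -k5,5
}

# Stand-alone demonstration on the constructed sample.
if [ "${1:-}" = demo ]; then
    sample_audit_lines | samba_denials /mnt/d
fi
```

On a real system the input would be /var/log/audit/audit.log and the share list would come from the path values in smb.conf.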
Comment 15 Michael Pujos 2022-04-13 12:19:06 UTC
Forgot to mention that I have 2 shares:

[redacted]
	inherit acls = No
	path = /home/redacted
	read only = No

[D]
	inherit acls = Yes
	path = /mnt/d
	read only = No


The first one points to my home directory (that I changed to "redacted" above) and can be browsed without issue.

However, the second share (D) points to a mounted NTFS partition. Since this new version of Samba, it cannot be read anymore:

redacted@p72:~> smbclient //localhost/D
Password for [WORKGROUP\redacted]:
Try "help" to get a list of possible commands.
smb: \> ls
NT_STATUS_ACCESS_DENIED listing \*
smb: \>


This worked in v5.15.5 and I have not investigated why it fails, but I doubt it is related to samba-dcerpcd, and is a different issue (probably solved with different smb.conf issues and/or permissions).

So that audit.log error about /mnt/d/Perso/Photos/ might be a consequence of failure above.
Comment 16 Noel Power 2022-04-13 13:29:14 UTC
(In reply to Michael Pujos from comment #15)
> Forgot to mention that I have 2 shares:
[...]
> 
> 
> This worked in v5.15.5 and I have not investigated why it fails, but I doubt
> it is related to samba-dcerpcd, and is a different issue (probably solved
> with different smb.conf issues and/or permissions).
> 
> So that audit.log error about /mnt/d/Perso/Photos/ might be a consequence of
> failure above.

please check the contents of /etc/apparmor.d/local/usr.sbin.smbd-shares

you should have entries like


"/srv/SHARE/"   rk,
"/srv/SHARE/**" rwkl,

for a share that has path = /srv/SHARE
Comment 17 Michael Pujos 2022-04-13 13:56:52 UTC
File is empty.

The reason seems to be a sed error in /usr/share/samba/update-apparmor-samba-profile (see below).
That sed error is not related to the output of the piped 'testparm -s', as it can be reproduced on the command-line:

p72:/home/bobbie # echo hello |sed -n '/^[ \t]*path[ \t]*=[ \t]*[^% \t]\{2,\}/ s§^[ \t]*path[ \t]*=[ \t]*\([^%]*\)$§"\1/"   rk,\n"\1/**" rwkl,§p'
sed: -e expression #1, char 42: delimiter character is not a single-byte character



///////////

p72:/home/bobbie # touch /etc/samba/smb.conf
p72:/home/bobbie # bash -x /usr/share/samba/update-apparmor-samba-profile
+ versionstring='update-apparmor-samba-profile 1.2'
+ aastatus=/usr/sbin/aa-status
+ aaparser=/sbin/apparmor_parser
+ loadedprofiles=/sys/kernel/security/apparmor/profiles
+ smbconf=/etc/samba/smb.conf
+ smbd_profile=/etc/apparmor.d/usr.sbin.smbd
+ profilesniplet=/etc/apparmor.d/local/usr.sbin.smbd-shares
+ tmp_profilesniplet=/etc/apparmor.d/local/usr.sbin.smbd-shares.new
+ test -e /sys/kernel/security/apparmor/profiles
+ test -e /etc/apparmor.d/local/usr.sbin.smbd-shares
+ test -r /sys/kernel/security/apparmor/profiles
++ testparm -s --parameter-name 'wide links'
+ widelinks=No
+ test No == Yes
+ grep -q 'update-apparmor-samba-profile 1.2' /etc/apparmor.d/local/usr.sbin.smbd-shares
+ test /etc/samba/smb.conf -nt /etc/apparmor.d/local/usr.sbin.smbd-shares
+ echo '# autogenerated by update-apparmor-samba-profile 1.2 at samba start - do not edit!'
+ echo ''
+ testparm -s
+ sed -n '/^[ \t]*path[ \t]*=[ \t]*[^% \t]\{2,\}/ s§^[ \t]*path[ \t]*=[ \t]*\([^%]*\)$§"\1/"   rk,\n"\1/**" rwkl,§p'
sed: -e expression #1, char 42: delimiter character is not a single-byte character
+ diff /etc/apparmor.d/local/usr.sbin.smbd-shares /etc/apparmor.d/local/usr.sbin.smbd-shares.new
+ rm -f /etc/apparmor.d/local/usr.sbin.smbd-shares.new
+ touch /etc/apparmor.d/local/usr.sbin.smbd-shares
+ silentexit 'profile sniplet unchanged'
+ exit 0
Comment 18 Noel Power 2022-04-13 13:59:14 UTC
(In reply to Michael Pujos from comment #17)
> File is empty.
> 
> The reason seems to be a sed error in
> /usr/share/samba/update-apparmor-samba-profile (see below).
> That sed error is not related to the output of the piped 'testparm -s', as
> it can be reproduced on the command-line:
> 
> p72:/home/bobbie # echo hello |sed -n '/^[ \t]*path[ \t]*=[ \t]*[^%
> \t]\{2,\}/ s§^[ \t]*path[ \t]*=[ \t]*\([^%]*\)$§"\1/"   rk,\n"\1/**" rwkl,§p'
> sed: -e expression #1, char 42: delimiter character is not a single-byte
> character
> 
> 
> 
> ///////////
> 
> p72:/home/bobbie # touch /etc/samba/smb.conf
> p72:/home/bobbie # bash -x /usr/share/samba/update-apparmor-samba-profile
> + versionstring='update-apparmor-samba-profile 1.2'
> + aastatus=/usr/sbin/aa-status
> + aaparser=/sbin/apparmor_parser
> + loadedprofiles=/sys/kernel/security/apparmor/profiles
> + smbconf=/etc/samba/smb.conf
> + smbd_profile=/etc/apparmor.d/usr.sbin.smbd
> + profilesniplet=/etc/apparmor.d/local/usr.sbin.smbd-shares
> + tmp_profilesniplet=/etc/apparmor.d/local/usr.sbin.smbd-shares.new
> + test -e /sys/kernel/security/apparmor/profiles
> + test -e /etc/apparmor.d/local/usr.sbin.smbd-shares
> + test -r /sys/kernel/security/apparmor/profiles
> ++ testparm -s --parameter-name 'wide links'
> + widelinks=No
> + test No == Yes
> + grep -q 'update-apparmor-samba-profile 1.2'
> /etc/apparmor.d/local/usr.sbin.smbd-shares
> + test /etc/samba/smb.conf -nt /etc/apparmor.d/local/usr.sbin.smbd-shares
> + echo '# autogenerated by update-apparmor-samba-profile 1.2 at samba start
> - do not edit!'
> + echo ''
> + testparm -s
> + sed -n '/^[ \t]*path[ \t]*=[ \t]*[^% \t]\{2,\}/ s§^[ \t]*path[ \t]*=[
> \t]*\([^%]*\)$§"\1/"   rk,\n"\1/**" rwkl,§p'
> sed: -e expression #1, char 42: delimiter character is not a single-byte
> character
> + diff /etc/apparmor.d/local/usr.sbin.smbd-shares
> /etc/apparmor.d/local/usr.sbin.smbd-shares.new
> + rm -f /etc/apparmor.d/local/usr.sbin.smbd-shares.new
> + touch /etc/apparmor.d/local/usr.sbin.smbd-shares
> + silentexit 'profile sniplet unchanged'
> + exit 0
yep have seen the same thing here, try

testparm -s 2>/dev/null |sed -n '/^[ \t]*path[ \t]*=[ \t]*[^% \t]\{2,\}/ s&^[ \t]*path[ \t]*=[ \t]*\([^%]*\)$&"\1/"   rk,\n"\1/**" rwkl,&p'

to generate your entries (this just substitutes '&' as the delimiter instead of the multibyte char). This is a separate issue so let's not get bogged down with it in this bug
Comment 19 Michael Pujos 2022-04-13 14:06:19 UTC
Confirming that adding the missing rules in /etc/apparmor.d/local/usr.sbin.smbd-shares fixes the permission issue I had accessing the D share (/mnt/d).
Comment 20 Noel Power 2022-04-13 15:32:54 UTC
bug #1198463 has been created to track the update-apparmor-profile script error
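The trace in comment 17 shows the sed failure leaving an empty snippet while the script still exits 0. The following added example, which is not the project's update-apparmor-samba-profile script, generates the same two rules per share with a single-byte delimiter as in comment 18 and installs the result only when the generator succeeded and every literal path got its rules. The function names, the GENERATOR hook and the sample dump (constructed) are hypothetical.

```shell
#!/bin/sh
# Added example (not the project's update-apparmor-samba-profile script).
# Function names, the GENERATOR hook and the sample dump are hypothetical.

# Constructed sample of `testparm -s` style output.
sample_testparm_dump() {
    cat <<'EOF'
[global]
        workgroup = WORKGROUP
        logon path = \\%L\profiles\.msprofile
[profiles]
        path = %H
[D]
        path = /mnt/d
[docs]
        path = /srv/My Share
EOF
}

# Emit the two AppArmor rules for each literal "path = ..." line on stdin.
# '&' is the single-byte delimiter suggested in comment 18; [[:space:]] and
# the backslash-newline keep the expression within POSIX sed.
gen_share_rules() {
    sed -n '/^[[:space:]]*path[[:space:]]*=[[:space:]]*[^%[:space:]]\{2,\}/ s&^[[:space:]]*path[[:space:]]*=[[:space:]]*\([^%]*\)$&"\1/"   rk,\
"\1/**" rwkl,&p'
}

# Count the path lines the generator is expected to turn into rules
# (same selection as the sed expression, done with a different tool).
count_literal_paths() {
    grep -c '^[[:space:]]*path[[:space:]]*=[[:space:]]*[^%[:space:]]\{2,\}[^%]*$' "$1" || true
}

# update_snippet DUMP OUT: write the rules for DUMP to OUT via a temp file.
# Returns 1 if the generator failed and 2 if rules are missing; in both
# cases OUT is left untouched instead of being replaced by an empty file.
update_snippet() {
    dump=$1; out=$2; tmp="$2.new"
    want=$(count_literal_paths "$dump")
    if ! ${GENERATOR:-gen_share_rules} <"$dump" >"$tmp"; then
        rm -f "$tmp"; return 1
    fi
    got=$(grep -c ' rwkl,$' "$tmp" || true)
    if [ "$got" -ne "$want" ]; then
        rm -f "$tmp"; return 2
    fi
    mv "$tmp" "$out"
}

# Stand-alone demonstration on the constructed sample.
if [ "${1:-}" = demo ]; then
    sample_testparm_dump | gen_share_rules
fi
```

A caller that treats a non-zero return from update_snippet as a start-up error surfaces the broken generator immediately, rather than as AppArmor denials on the shares later.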
Comment 21 Rebecca Brown 2022-04-14 15:23:02 UTC
Not sure if this is related to the sambaclient bug --> https://gitlab.gnome.org/GNOME/gvfs/-/issues/611 

Seems like it's a regression bug on Samba / client 4.16 .
Comment 22 OBSbugzilla Bot 2022-04-14 20:40:06 UTC
This is an autogenerated message for OBS integration:
This bug (1198309) was mentioned in
https://build.opensuse.org/request/show/970238 Factory / apparmor
Comment 23 Igor Kuznetsov 2022-04-19 04:19:34 UTC
After updates at 18.04.2022 samba clients can see the shares, but can not open them.
Comment 24 Igor Kuznetsov 2022-04-19 07:49:43 UTC
With these settings it starts to work fine!

	client ipc max protocol = SMB2_02
	client ipc min protocol = SMB2_02
	client max protocol = SMB2_02
	client min protocol = SMB2_02
	server max protocol = SMB2_02
	server min protocol = SMB2_02
Comment 25 Felix Niederwanger 2022-04-20 09:27:57 UTC
I think we talk here about two separate issues. Currently on Tumbleweed I cannot mount any samba shares from caja or nautilus. This issue is unrelated to AppArmor because I can reproduce it on a TW VM where I completely disabled apparmor.

To reproduce this issue one can simply install a local samba server, start it and try to mount any of the local shares from within nautilus/nemo/caja using the "smb://127.0.0.1" location. For completeness here is the /etc/samba/smb.conf file I used on my test VM: https://paste.opensuse.org/13544456. Samba runs fine and apparmor is disabled here:

> tw-mate:/home/phoenix # systemctl status smb
> ● smb.service - Samba SMB Daemon
>      Loaded: loaded (/usr/lib/systemd/system/smb.service; enabled; vendor preset: disabled)
>      Active: active (running) since Wed 2022-04-20 11:16:02 CEST; 5min ago
>        Docs: man:smbd(8)
>              man:samba(7)
>              man:smb.conf(5)
> ...
> 
> Apr 20 11:16:01 tw-mate.local systemd[1]: Starting Samba SMB Daemon...
> Apr 20 11:16:02 tw-mate.local smbd[1221]: [2022/04/20 11:16:02.261643,  0] ../../source3/smbd/server.c:1741(main)
> Apr 20 11:16:02 tw-mate.local smbd[1221]:   smbd version 4.16.0-git.227.931848a12abSUSE-oS15.9-x86_64 started.
> Apr 20 11:16:02 tw-mate.local smbd[1221]:   Copyright Andrew Tridgell and the Samba Team 1992-2022
> Apr 20 11:16:02 tw-mate.local systemd[1]: Started Samba SMB Daemon.
> tw-mate:/home/phoenix # systemctl status apparmor
> ○ apparmor.service - Load AppArmor profiles
>      Loaded: loaded (/usr/lib/systemd/system/apparmor.service; disabled; vendor preset: enabled)
>      Active: inactive (dead)

Also: smbclient works fine. From the terminal I can list shares, login and browse a specific share:

> phoenix@tw-mate:~> smbclient -L 127.0.0.1
> Password for [WORKGROUP\phoenix]:
> 
> 	Sharename       Type      Comment
> 	---------       ----      -------
> 	profiles        Disk      Network Profiles Service
> 	users           Disk      All users
> 	groups          Disk      All groups
> 	print$          Disk      Printer Drivers
> 	repo            Disk      repository
> 	IPC$            IPC       IPC Service (Samba 4.16.0-git.227.931848a12abSUSE-oS15.9-x86_64)
> SMB1 disabled -- no workgroup available
> 
> phoenix@tw-mate:~> smbclient  '\\127.0.0.1\repo'
> Password for [WORKGROUP\phoenix]:
> Try "help" to get a list of possible commands.
> smb: \> ls
>   .                                   D        0  Wed Apr 20 11:11:47 2022
>   ..                                  D        0  Wed Apr 20 11:11:38 2022
>   README                              N       10  Wed Apr 20 11:11:47 2022
> 
> 		29349888 blocks of size 1024. 14283348 blocks available
> smb: \> ^C

However, if I try to mount the same share ("smb://127.0.0.1/repo") in nautilus or in caja, I get the error message: "Failed to mount Windows share: Invalid argument".

All of this was working fine before snapshot 20220409. This means that any graphical file manager is currently unable to mount any Windows shares, and also deja-dup is unable to create backups.

Once again: I did all of this on a Tumbleweed test VM with apparmor disabled. I tested it in the Mate Desktop using caja and in the default Gnome desktop (x11) with nautilus. Both times the same error: "Invalid argument".
Comment 27 Johannes Weberhofer 2022-04-20 10:31:18 UTC
I see the same mount-issue trying to mount smb shares on a Synology disc station via Gnome desktop.
The server definitely can be used with other clients but not with the updated tumbleweed client. Turning Apparmor on/off makes no difference.
Comment 29 Samuel Cabrero 2022-04-21 10:08:05 UTC
(In reply to Felix Niederwanger from comment #25)
> I think we talk here about two separate issues. Currently on Tumbleweed I
> cannot mount any samba shares from caja or nautilus. This issue is unrelated
> to AppArmor because I can reproduce it on a TW VM where I completely
> disabled apparmor.
> 

Hi Felix, you are right, there are two different problems. I created bsc#1198718 for the gvfs bug.
Comment 31 Felix Niederwanger 2022-04-21 11:01:53 UTC
(In reply to Samuel Cabrero from comment #29)
> 
> Hi Felix, you are right, there are two different problems. I created
> bsc#1198718 for the gvfs bug.

Thank you!
Comment 32 Noel Power 2022-04-25 15:13:39 UTC
this was released to tw, the other mentioned issue was gvfs related so closing. Thanks everyone who gave f/b and testing
Comment 33 openQA Review 2022-05-10 01:58:57 UTC
This is an autogenerated message for openQA integration by the openqa_review script:

This bug is still referenced in a failing openQA test: extra_tests_filesystem
https://openqa.opensuse.org/tests/2335470#step/cifs/1

To prevent further reminder comments one of the following options should be followed:
1. The test scenario is fixed by applying the bug fix to the tested product or the test is adjusted
2. The openQA job group is moved to "Released" or "EOL" (End-of-Life)
3. The bugref in the openQA scenario is removed or replaced, e.g. `label:wontfix:boo1234`

Expect the next reminder at the earliest in 28 days if nothing changes in this ticket.
Comment 34 Felix Niederwanger 2022-05-11 07:38:22 UTC
The apparmor part of this issue is still present on Tumbleweed aarch64, as the openQA test runs show: https://openqa.opensuse.org/tests/2338306#step/cifs/51

The issue there is, that with active apparmor the listing of shares using `smbclient` returns only an empty list:

> tw-aarch64:~ # systemctl is-active apparmor
> active
> tw-aarch64:~ # smbclient -m SMB2 -L currywurst -I 127.0.0.1 -U guest -N
> 
> 	Sharename       Type      Comment
> 	---------       ----      -------
> SMB1 disabled -- no workgroup available

Here we expect at least two shares to pop up, as they are configured in `/etc/samba/smb.conf`:

> [currywurst]
> path = /srv/samba/currywurst
> read only = yes
> browseable = yes
> guest ok = yes
> 
> [filedrop]
> path = /srv/samba/filedrop
> browseable = no
> write list = geekotest
> create mask = 0644
> directory mask = 0755

The issue is only present on Tumbleweed aarch64 and only with enabled apparmor. I could not reproduce the issue on Tumbleweed x86_64 using the exact same procedure. On aarch64 disabling apparmor and rebooting resolves the issue and `smbclient` then lists all existing shares nicely:

> tw-x86_64:~ # systemctl is-active apparmor
> active
> tw-x86_64:~ # smbclient -m SMB2 -L currywurst -I 127.0.0.1 -U guest -N
> 
> 	Sharename       Type      Comment
> 	---------       ----      -------
> 	profiles        Disk      Network Profiles Service
> 	users           Disk      All users
> 	groups          Disk      All groups
> 	print$          Disk      Printer Drivers
> 	currywurst      Disk      
> 	IPC$            IPC       IPC Service (Samba 4.16.1-git.235.f435da606f71.1-SUSE-oS15.9-aarch64)
> SMB1 disabled -- no workgroup available

> tw-aarch64:~ # systemctl is-active apparmor
> inactive
> tw-aarch64:~ # smbclient -m SMB2 -L currywurst -I 127.0.0.1 -U guest -N
> 
> 	Sharename       Type      Comment
> 	---------       ----      -------
> 	profiles        Disk      Network Profiles Service
> 	users           Disk      All users
> 	groups          Disk      All groups
> 	print$          Disk      Printer Drivers
> 	currywurst      Disk      
> 	IPC$            IPC       IPC Service (Samba 4.16.1-git.235.f435da606f71.1-SUSE-oS15.9-aarch64)
> SMB1 disabled -- no workgroup available

## Reproducer

This issue is only present on aarch64 but not on x86_64. I could reproduce it in a fresh Tumbleweed VM there using the following:

> zypper in samba
> useradd geekotest
> mkdir -p /srv/samba/{currywurst,filedrop}
> echo -e '[currywurst]\npath = /srv/samba/currywurst\nread only = yes\nbrowseable = yes\nguest ok = yes\n\n' >> /etc/samba/smb.conf
> echo -e '[filedrop]\npath = /srv/samba/filedrop\nbrowseable = no\nwrite list = geekotest\ncreate mask = 0644\ndirectory mask = 0755\n' >> /etc/samba/smb.conf
> chown -R geekotest /srv/samba/{currywurst,filedrop}
> chmod -R 0755 /srv/samba/currywurst
> chmod -R 0750 /srv/samba/filedrop
> systemctl start smb
> echo -ne 'nots3cr3t\nnots3cr3t' | smbpasswd -a -s geekotest
> smbclient -m SMB2 -L currywurst -I 127.0.0.1 -U guest -N

The expected output is to show at least the "currywurst" share here.
Comment 35 Noel Power 2022-05-11 09:27:14 UTC
(In reply to Felix Niederwanger from comment #34)
> The apparmor part of this issue is still present on Tumbleweed aarch64, as
> the openQA test runs show:
> https://openqa.opensuse.org/tests/2338306#step/cifs/51

there must be aarch64 specific rules needed :-( so at least from looking at the log it appears

   /usr/lib*/samba/samba-dcerpcd m,

needs to be added to /etc/apparmor.d/samba-dcerpcd

but most likely similar rules will need to be applied elsewhere for the other rpcd_xyz services :-(

I need to get a hold of an aarch64 machine or vm to check
Comment 36 Felix Niederwanger 2022-05-11 09:31:52 UTC
At least for testing of this bug a qemu-emulated aarch64 VM was working fine on my x86_64 laptop. The install is a bit slow but otherwise it's okayish.
Comment 37 Noel Power 2022-05-11 16:06:04 UTC
https://gitlab.com/apparmor/apparmor/-/merge_requests/880

also check https://build.opensuse.org/package/show/home:npower:branches:security:apparmor/apparmor (currently building)

@Christian could you have a look
Comment 38 Christian Boltz 2022-05-11 19:57:42 UTC
Your branch looks good, with a small exception:
Please prefix the added comment (about MR 880) in the spec file with 
    merged upstream 2022-05-11 3.0+master
;-)
Comment 39 Noel Power 2022-05-12 08:13:07 UTC
(In reply to Felix Niederwanger from comment #36)
> At least for testing of this bug a qemu-emulated aarch64 VM was working fine
> on my x86_64 laptop. The install is a bit slow but otherwise it's okayish.

a bit slow ?? you weren't joking, I have a pretty hefty desktop machine and it still took ~ 2.5h from install (not counting time taken booting the install media and going through the installer choices) :-)
Comment 40 Noel Power 2022-05-12 08:13:38 UTC
(In reply to Christian Boltz from comment #38)
> Your branch looks good, with a small exception:
> Please prefix the added comment (about MR 880) in the spec file with 
>     merged upstream 2022-05-11 3.0+master
> ;-)

thanks Christian, I'll submit this
Comment 41 Felix Niederwanger 2022-05-12 11:13:40 UTC
(In reply to Noel Power from comment #39)
> a bit slow ?? you weren't joking, I have a pretty hefty desktop machine and
> it still took ~ 2.5h from install (not counting time taken booting the
> install media and going through the installer choices) :-)

Lucky you, my poor laptop was playing hoovercraft for almost an afternoon but somehow magically survived. And I'm amazed that it works actually reasonably well (performance aside). Cross-platform emulation still feels like something very magical, almost forbidden. ;-)

Thnx for the fix!
Comment 42 OBSbugzilla Bot 2022-05-12 14:40:04 UTC
This is an autogenerated message for OBS integration:
This bug (1198309) was mentioned in
https://build.opensuse.org/request/show/976602 Factory / apparmor