Bug 856651

Summary: Update to 4.1.3-3.12.1 broken. Samba cannot write its PID file anymore
Product: [openSUSE] openSUSE 13.1
Component: Samba
Reporter: Markus Koßmann <markus.kossmann>
Assignee: Christian Boltz <suse-beta>
QA Contact: The 'Opening Windows to a Wider World' guys <samba-maintainers>
CC: fisiu, gorgoglione, jamesrome, paka, samba-maintainers, suse-beta, tomas.kloucek, wbauer
Status: RESOLVED FIXED
Severity: Major
Priority: P5 - None
Version: Final
Target Milestone: ---
Hardware: x86-64
OS: openSUSE 13.1

Description Markus Koßmann 2013-12-21 19:48:09 UTC
User-Agent:       Mozilla/5.0 (X11; Linux x86_64; rv:26.0) Gecko/20100101 Firefox/26.0

After the update to 4.1.3-3.12.1 samba doesn't start anymore. systemctl status smb.service shows:
smb.service - Samba SMB Daemon
   Loaded: loaded (/usr/lib/systemd/system/smb.service; enabled)
   Active: failed (Result: resources) since Sat 2013-12-21 19:52:43 CET; 35min ago
  Process: 11085 ExecStart=/usr/sbin/smbd $SMBDOPTIONS (code=exited, status=0/SUCCESS)

Dec 21 19:52:43 linux-86i0.site systemd[1]: Starting Samba SMB Daemon...
Dec 21 19:52:43 linux-86i0.site smbd[11085]: [2013/12/21 19:52:43.548662,  0] ../source3/smbd/server.c:1278(main)
Dec 21 19:52:43 linux-86i0.site smbd[11086]: [2013/12/21 19:52:43.549848,  0] ../lib/util/pidfile.c:117(pidfile_create)
Dec 21 19:52:43 linux-86i0.site smbd[11086]: ERROR: can't open /var/run/samba/smbd.pid: Error was No such file or directory
Dec 21 19:52:43 linux-86i0.site systemd[1]: PID file /run/samba/smbd.pid not readable (yet?) after start.
Dec 21 19:52:43 linux-86i0.site systemd[1]: smb.service never wrote its PID file. Failing.
Dec 21 19:52:43 linux-86i0.site systemd[1]: Failed to start Samba SMB Daemon.
Dec 21 19:52:43 linux-86i0.site systemd[1]: Unit smb.service entered failed state.

/var/log/samba/log.nmbd shows: 

 started asyncdns process 6855
[2013/12/21 19:51:13,  0] ../lib/util/util.c:216(directory_create_or_exist)
  mkdir failed on directory /var/run/samba: Permission denied
[2013/12/21 19:51:13,  0] ../source3/nmbd/nmbd.c:977(main)
  Failed to create directory /var/run/samba for pid files - Permission denied

and  /var/log/samba/log.smbd :
  smbd version 4.1.3-3.12.1-3127-SUSE-oS13.1-x86_64 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2013
[2013/12/21 19:52:43.548662,  0] ../source3/smbd/server.c:1278(main)
  standard input is not a socket, assuming -D option
[2013/12/21 19:52:43.549848,  0] ../lib/util/pidfile.c:117(pidfile_create)
  ERROR: can't open /var/run/samba/smbd.pid: Error was No such file or directory

Indeed there is no /var/run/samba directory, and if you create this manually and restart the samba service things begin to work again (until next reboot. Then /var/run is emptied again, because it is a tmpfs)

Reproducible: Always

Steps to Reproduce:
1. Activate samba with yast
Actual Results:  
samba doesn't start

Expected Results:  
samba should start
Comment 1 Wolfgang Bauer 2013-12-21 21:22:40 UTC
I had the same issue after that update.

But adapting the Apparmor profile with "sudo logprof" (allowing smbd and nmbd to create /var/run/samba) solved it for me.
Comment 2 Christian Boltz 2013-12-22 01:24:22 UTC
I love it when an update changes the behaviour in such (breaking) ways :-/

Just to be sure I can do the right fixes, can you please attach the changed profiles and/or (better) the relevant lines from /var/log/audit/audit.log or /var/log/messages (grep for "DENIED")?
Comment 3 Wolfgang Bauer 2013-12-22 02:07:31 UTC
The output of "grep DENIED /var/log/messages":
2013-12-22T03:44:50.922082+01:00 linux-lf90 kernel: [  364.147923] type=1400 audit(1387680290.916:30): apparmor="DENIED" operation="mkdir" parent=1966 profile="/usr/sbin/nmbd" name="/var/run/samba/" pid=1967 comm="nmbd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
2013-12-22T03:44:51.506215+01:00 linux-lf90 kernel: [  364.734279] type=1400 audit(1387680291.503:31): apparmor="DENIED" operation="mkdir" parent=1 profile="/usr/sbin/smbd" name="/var/run/samba/" pid=1977 comm="smbd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
-------------------------------------------------------------------------------

And the output of logprof if it helps:
Reading log entries from /var/log/messages.
Updating AppArmor profiles in /etc/apparmor.d.
Enforce-mode changes:

Profile:  /usr/sbin/nmbd
Path:     /var/run/samba/
Mode:     w
Severity: unknown


 [1 - /var/run/samba/]

(A)llow / [(D)eny] / (G)lob / Glob w/(E)xt / (N)ew / Abo(r)t / (F)inish / (O)pts
Adding /var/run/samba/ w to profile.

Profile:  /usr/sbin/smbd
Path:     /var/run/samba/
Mode:     w
Severity: unknown


 [1 - /var/run/samba/]

(A)llow / [(D)eny] / (G)lob / Glob w/(E)xt / (N)ew / Abo(r)t / (F)inish / (O)pts
Adding /var/run/samba/ w to profile.

= Changed Local Profiles =

The following local profiles were changed.  Would you like to save them?

 [1 - /usr/sbin/nmbd]
  2 - /usr/sbin/smbd 

(S)ave Changes / [(V)iew Changes] / Abo(r)t
Writing updated profile for /usr/sbin/nmbd.
Writing updated profile for /usr/sbin/smbd.
-----------------------------------------------------------

This is from a freshly installed system, where I could reproduce this as well.
But AFAICR the output was the same on my other system (I won't be able to get the files from there until next year...)
Comment 4 Christian Boltz 2013-12-22 15:56:39 UTC
Thanks for the details!

Instead of changing the profiles, the better fix is to change /etc/apparmor.d/abstractions/samba:

=== modified file 'profiles/apparmor.d/abstractions/samba'
--- profiles/apparmor.d/abstractions/samba      2013-11-20 00:11:01 +0000
+++ profiles/apparmor.d/abstractions/samba      2013-12-22 15:50:18 +0000
@@ -16,5 +16,6 @@
   /var/log/samba/cores/ rw,
   /var/log/samba/cores/** rw,
   /var/log/samba/log.* w,
+  /{,var/}run/samba/ w,
   /{,var/}run/samba/*.tdb rw,
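
Review bot: The added "/{,var/}run/samba/ w," line has no comment explaining why the confined daemons must be able to create this directory themselves. A one-line comment above it (the report shows /var/run is a tmpfs emptied at reboot, and smbd and nmbd were denied mkdir on the directory at startup) would keep a later cleanup from dropping the rule. The rule is scoped to the directory itself (trailing slash, no glob), so file access under it stays limited to the existing "*.tdb rw" line; keep it that narrow rather than widening it to a "**" glob.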

I'll work on a fixed package and an update for 13.1. (If this bug also hits older releases, please add a comment!)
Comment 5 Wolfgang Bauer 2013-12-23 10:58:36 UTC
I just noticed that, even after running logprof, samba still didn't work correctly on that fresh installation (although it started fine). Running "smbclient -L 127.0.0.1" just gave:
Connection to 127.0.0.1 failed (Error NT_STATUS_CONNECTION_REFUSED)

I found the following additional entries in /var/log/messages (a lot of them):
2013-12-22T04:17:09.055717+01:00 linux-lf90 kernel: [ 2302.283982] type=1400 audit(1387682229.052:133): apparmor="DENIED" operation="mkdir" parent=1 profile="/usr/sbin/nmbd" name="/var/cache/samba/" pid=2436 comm="nmbd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
2013-12-22T04:17:09.274580+01:00 linux-lf90 kernel: [ 2302.503862] type=1400 audit(1387682229.272:134): apparmor="DENIED" operation="mkdir" parent=1 profile="/usr/sbin/smbd" name="/var/cache/samba/" pid=2950 comm="smbd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
-----------------------------------------------------------------------------

Running logprof again:
Reading log entries from /var/log/messages.
Updating AppArmor profiles in /etc/apparmor.d.
Enforce-mode changes:

Profile:  /usr/sbin/nmbd
Path:     /var/cache/samba/
Mode:     w
Severity: unknown


 [1 - /var/cache/samba/]

(A)llow / [(D)eny] / (G)lob / Glob w/(E)xt / (N)ew / Abo(r)t / (F)inish / (O)pts
Adding /var/cache/samba/ w to profile.

Profile:  /usr/sbin/smbd
Path:     /var/cache/samba/
Mode:     w
Severity: unknown


 [1 - /var/cache/samba/]

(A)llow / [(D)eny] / (G)lob / Glob w/(E)xt / (N)ew / Abo(r)t / (F)inish / (O)pts
Adding /var/cache/samba/ w to profile.

= Changed Local Profiles =

The following local profiles were changed.  Would you like to save them?

 [1 - /usr/sbin/nmbd]
  2 - /usr/sbin/smbd 

(S)ave Changes / [(V)iew Changes] / Abo(r)t
Writing updated profile for /usr/sbin/nmbd.
Writing updated profile for /usr/sbin/smbd.
-----------------------------------------------------------

After that, "smbclient -L 127.0.0.1" works now. And creating a share and connecting to it works as well.

Regarding 12.3: AppArmor is not installed by default there. But even after installing and starting it, samba works fine AFAICT (haven't tried to create any shares though).
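
Added example (not part of the bug report and not AppArmor's own tooling): a small Python parser for the DENIED audit lines quoted in comments 3, 5 and 12. It groups denials into candidate rules and shows which ones hit more than one profile and so belong in a shared abstraction, as comment 4 proposes. The sample log is constructed from the lines above, and mapping the denied mask "c" to rule permission "w" follows the logprof output shown in this report.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the audit entries quoted in this report
# (prefixes shortened); the last DENIED line is truncated before name=.
SAMPLE_LOG = '''\
kernel: type=1400 audit(1387680290.916:30): apparmor="DENIED" operation="mkdir" profile="/usr/sbin/nmbd" name="/var/run/samba/" pid=1967 comm="nmbd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
kernel: type=1400 audit(1387680291.503:31): apparmor="DENIED" operation="mkdir" profile="/usr/sbin/smbd" name="/var/run/samba/" pid=1977 comm="smbd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
kernel: type=1400 audit(1387682229.052:133): apparmor="DENIED" operation="mkdir" profile="/usr/sbin/nmbd" name="/var/cache/samba/" pid=2436 comm="nmbd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
systemd[1]: smb.service never wrote its PID file. Failing.
kernel: type=1400 audit(1389898213.428:46): apparmor="DENIED" operation="mkdir" parent=1 profile="/usr/sbin/smbd"
'''

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted" or key=bare

def parse_denials(text):
    """Return (complete, truncated) lists of field dicts for DENIED lines."""
    complete, truncated = [], []
    for line in text.splitlines():
        fields = {k: q if q else u for k, q, u in FIELD.findall(line)}
        if fields.get("apparmor") != "DENIED":
            continue
        needed = ("profile", "name", "denied_mask")
        (complete if all(f in fields for f in needed) else truncated).append(fields)
    return complete, truncated

def rule_for(path, mask):
    """Build a profile rule; 'c' (create) becomes 'w', as logprof did above."""
    path = re.sub(r"^/(var/)?run/", "/{,var/}run/", path)  # alternation from comment 4
    perms = "".join(sorted({"w" if m == "c" else m for m in mask}))
    return f"{path} {perms},"

def suggest(text):
    """Map each suggested rule to the sorted list of profiles that were denied it."""
    complete, _ = parse_denials(text)
    rules = defaultdict(set)
    for d in complete:
        rules[rule_for(d["name"], d["denied_mask"])].add(d["profile"])
    return {rule: sorted(p) for rule, p in rules.items()}

if __name__ == "__main__":
    for rule, profiles in suggest(SAMPLE_LOG).items():
        where = "shared abstraction" if len(profiles) > 1 else profiles[0]
        print(f"{rule:32} denied to {', '.join(profiles)}; candidate for {where}")
    print("truncated DENIED lines:", len(parse_denials(SAMPLE_LOG)[1]))
```

Truncated entries such as the one in comment 12 are counted separately instead of being turned into a rule, since the denied path is not in the line.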
Comment 6 Christian Boltz 2013-12-23 12:28:04 UTC
Thanks for the update, I'll also add
      /var/cache/samba/ w,
to abstractions/samba

(In reply to comment #5)
> Regarding 12.3: AppArmor is not installed by default there. But even after
> installing and starting it, samba works fine AFAICT (haven't tried to create
> any shares though).

Sounds good - or 12.3 just didn't receive the last samba update yet ;-)
Comment 7 Bernhard Wiedemann 2014-01-02 14:00:37 UTC
This is an autogenerated message for OBS integration:
This bug (856651) was mentioned in
https://build.opensuse.org/request/show/212636 Factory / apparmor
Comment 8 Bernhard Wiedemann 2014-01-04 13:00:39 UTC
This is an autogenerated message for OBS integration:
This bug (856651) was mentioned in
https://build.opensuse.org/request/show/212803 Factory / apparmor
Comment 9 Lars Müller 2014-01-06 13:41:52 UTC
(In reply to comment #6)
> (In reply to comment #5)
> > Regarding 12.3: AppArmor is not installed by default there. But even after
> > installing and starting it, samba works fine AFAICT (haven't tried to create
> > any shares though).
> 
> Sounds good - or 12.3 just didn't receive the last samba update yet ;-)

Samba of openSUSE 12.3 is still at version 3.6.12 and therefore we're not hit by the same issue.
Comment 10 Lars Müller 2014-01-06 15:26:10 UTC
*** Bug 856788 has been marked as a duplicate of this bug. ***
Comment 11 Mariusz Fik 2014-01-15 12:39:29 UTC
What about pushing a fix for openSUSE 13.1?
Comment 12 patrick shanahan 2014-01-16 19:04:37 UTC
added   /{,var/}run/samba/ w,
to /etc/apparmor.d/abstractions/samba

issued   systemctl start smb
but failed:

wahoo: ~ # systemctl status smb
smb.service - Samba SMB Daemon
   Loaded: loaded (/usr/lib/systemd/system/smb.service; enabled)
   Active: failed (Result: resources) since Thu 2014-01-16 13:44:45 EST; 43s ago
  Process: 25687 ExecStart=/usr/sbin/smbd $SMBDOPTIONS (code=exited, status=0/SUCCESS)

Jan 16 13:44:45 wahoo systemd[1]: PID file /run/samba/smbd.pid not readable (yet?) after start.
Jan 16 13:44:45 wahoo systemd[1]: smb.service never wrote its PID file. Failing.
Jan 16 13:44:45 wahoo systemd[1]: Failed to start Samba SMB Daemon.
Jan 16 13:44:45 wahoo systemd[1]: Unit smb.service entered failed state.


wahoo: ~ # journalctl -xn
-- Logs begin at Thu 2014-01-09 21:30:20 EST, end at Thu 2014-01-16 13:50:13 EST. --
Jan 16 13:50:13 wahoo systemd[1]: Starting Samba SMB Daemon...
-- Subject: Unit smb.service has begun with start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit smb.service has begun starting up.
Jan 16 13:50:13 wahoo smbd[25795]: [2014/01/16 13:50:13.425986,  0] ../source3/smbd/server.c:1278(main)
Jan 16 13:50:13 wahoo smbd[25795]: standard input is not a socket, assuming -D option
Jan 16 13:50:13 wahoo smbd[25796]: [2014/01/16 13:50:13.429260,  0] ../lib/util/pidfile.c:117(pidfile_create)
Jan 16 13:50:13 wahoo smbd[25796]: ERROR: can't open /var/run/samba/smbd.pid: Error was No such file or directory
Jan 16 13:50:13 wahoo systemd[1]: PID file /run/samba/smbd.pid not readable (yet?) after start.
Jan 16 13:50:13 wahoo kernel: type=1400 audit(1389898213.428:46): apparmor="DENIED" operation="mkdir" parent=1 profile="/usr/sbin/smbd" 
Jan 16 13:50:13 wahoo systemd[1]: smb.service never wrote its PID file. Failing.
Jan 16 13:50:13 wahoo systemd[1]: Failed to start Samba SMB Daemon.
-- Subject: Unit smb.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- Documentation: http://www.freedesktop.org/wiki/Software/systemd/catalog/be02cf6855d2428ba40df7e9d022f03d
-- 
-- Unit smb.service has failed.
-- 
-- The result is failed.
Comment 13 patrick shanahan 2014-01-16 19:06:54 UTC
and after reading another comment on opensuse mail list, issued:

logprof
systemctl restart apparmor
systemctl restart smb

and it works for me

tks,
Comment 14 James Rome 2014-01-16 20:57:05 UTC
This should still be fixed in some sort of update. Many users have this problem and do not read the lists.
Comment 15 Lars Müller 2014-01-16 21:32:59 UTC
Samba of openSUSE 13.1 will get an update in the next weeks.

At the moment you're able to use the packages we offer at network:samba:STABLE openSUSE Build Service repository available from http://download.opensuse.org/repositories/network:/samba:/STABLE/openSUSE_13.1/

After installing these packages you'll find in the package change log:

- Create /var/run/samba with systemd-tmpfiles on post-12.2 systems;
  (bnc#856759).

Feedback of any kind is appreciated!
Comment 16 Christian Boltz 2014-01-16 21:46:08 UTC
There will be an update - but please give me some days to integrate some other profile updates that are nearly finished ;-)

In the meantime, feel free to install the packages from security:apparmor - they have the samba issues fixed.
Comment 17 Christian Boltz 2014-01-19 15:18:59 UTC
SR 214402 sent to openSUSE:13.1:Update
Comment 18 Bernhard Wiedemann 2014-01-19 16:04:01 UTC
This is an autogenerated message for OBS integration:
This bug (856651) was mentioned in
https://build.opensuse.org/request/show/214402 13.1 / apparmor
Comment 19 Swamp Workflow Management 2014-02-03 15:17:52 UTC
openSUSE-RU-2014:0182-1: An update that has 6 recommended fixes can now be installed.

Category: recommended (important)
Bug References: 850374,851131,851984,852018,853019,856651
CVE References: 
Sources used:
openSUSE 13.1 (src):    apparmor-2.8.2-4.13.1
Comment 20 Swamp Workflow Management 2014-11-24 13:08:35 UTC
openSUSE-RU-2014:1481-1: An update that has 19 recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 846586,848215,850374,851131,852018,853019,856651,857122,863226,869787,870607,885317,886225,889650,889651,889652,892374,899746,904620
CVE References: 
Sources used:
openSUSE 12.3 (src):    apparmor-2.8.4-3.8.1