Bug 923201

Summary: nmb.service failed
Product: [openSUSE] openSUSE Tumbleweed
Reporter: Giuseppe Gorgoglione <gorgoglione>
Component: Samba
Assignee: Christian Boltz <suse-beta>
Status: RESOLVED FIXED
QA Contact: The 'Opening Windows to a Wider World' guys <samba-maintainers>
Severity: Normal
Priority: P5 - None
CC: ddiss, gorgoglione, mpluskal, suse-beta
Version: 201502*
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: Audit file

Description Giuseppe Gorgoglione 2015-03-19 14:41:33 UTC
Starting from Tumbleweed version 20150316:

> systemctl status nmb.service

reports:

nmb.service - Samba NMB Daemon
   Loaded: loaded (/usr/lib/systemd/system/nmb.service; enabled)
   Active: failed (Result: exit-code) since Thu 2015-03-19 15:20:30 CET; 10min ago
  Process: 5811 ExecStart=/usr/sbin/nmbd $NMBDOPTIONS (code=exited, status=1/FAILURE)
 Main PID: 5811 (code=exited, status=1/FAILURE)

and:

> systemctl restart nmb.service

ends with:

Job for nmb.service failed. See "systemctl status nmb.service" and "journalctl -xn" for details.

but system logs don't show any message related to the failed service.

Side effects: it's no longer possible to access Linux Samba-shared folders from a Windows box using the \\hostname\folder URI, while the \\ipaddress\folder URI still works.
Comment 1 Lars Müller 2015-03-19 21:28:36 UTC
Thanks for the report.  Please first check if AppArmor is enabled.

If that's the case set the profile for nmbd into complain mode

  aa-complain /etc/apparmor.d/usr.sbin.nmbd

and check if the nmb service is now able to start up.
Comment 2 Giuseppe Gorgoglione 2015-03-19 22:04:38 UTC
(In reply to Lars Mueller from comment #1)
> Thanks for the report.  Please first check if AppArmor is enabled.
> 
> If that's the case set the profile for nmbd into complain mode
> 
>   aa-complain /etc/apparmor.d/usr.sbin.nmbd
> 
> and check if the nmb service is now able to start up.

Yes, you are right: AppArmor is enabled and putting nmbd in complain mode completely fixes the problem.

Thanks a lot!
Comment 3 David Disseldorp 2015-03-19 22:31:06 UTC
Thanks for confirming. Marking duplicate.

*** This bug has been marked as a duplicate of bug 921098 ***
Comment 4 Christian Boltz 2015-03-31 17:38:22 UTC
Actually this is not an exact duplicate - you have problems with nmbd, while bug 921098 is about winbindd ;-)

Assuming you are still running the nmbd profile in complain mode, can you please attach the relevant log entries? This means
- grep nmb /var/log/audit/audit.log   if you use auditd
- grep nmb /var/log/messages   if you use a syslog daemon
- journalctl -b | grep nmb   if you only have journald logging
Comment 5 Giuseppe Gorgoglione 2015-03-31 18:52:56 UTC
(In reply to Christian Boltz from comment #4)
> Actually this is not an exact duplicate - you have problems with nmbd, while
> bug 921098 is about winbindd ;-)
> 
> Assuming you are still running the nmbd profile in complain mode, can you
> please attach the relevant log entries? This means
> - grep nmb /var/log/audit/audit.log   if you use auditd
> - grep nmb /var/log/messages   if you use a syslog daemon
> - journalctl -b | grep nmb   if you only have journald logging

Sure. Here you are:

nausicaa:/home/giuseppe # journalctl -b | grep nmb
Mar 31 20:49:35 nausicaa nmbd[1692]: [2015/03/31 20:49:35.301660,  0] ../lib/util/become_daemon.c:124(daemon_ready)
Mar 31 20:49:35 nausicaa nmbd[1692]: STATUS=daemon 'nmbd' finished starting up and ready to serve connections
Mar 31 20:49:35 nausicaa unknown[1]: <audit-1130> pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=nmb comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Mar 31 20:49:58 nausicaa nmbd[1692]: [2015/03/31 20:49:58.394604,  0] ../source3/nmbd/nmbd_become_lmb.c:397(become_local_master_stage2)
Mar 31 20:49:58 nausicaa nmbd[1692]: *****
Mar 31 20:49:58 nausicaa nmbd[1692]: 
Mar 31 20:49:58 nausicaa nmbd[1692]: Samba name server NAUSICAA is now a local master browser for workgroup WORKGROUP on subnet 192.168.199.128
Mar 31 20:49:58 nausicaa nmbd[1692]: 
Mar 31 20:49:58 nausicaa nmbd[1692]: *****
Comment 6 Christian Boltz 2015-03-31 19:32:20 UTC
hmm, that log doesn't contain anything AppArmor-related.

Can you please check your older logs (ideally from the time when you reported this bug)? You can filter them with   grep -i apparmor   to find the relevant lines - I'd expect some lines containing DENIED or ALLOWED.
Comment 7 Giuseppe Gorgoglione 2015-03-31 20:12:08 UTC
(In reply to Christian Boltz from comment #6)
> hmm, that log doesn't contain anything AppArmor-related.
> 
> Can you please check your older logs (ideally from the time when you
> reported this bug)? You can filter them with   grep -i apparmor   to find
> the relevant lines - I'd expect some lines containing DENIED or ALLOWED.

Unfortunately, after the upgrade of systemd to version 219 there is another ongoing bug (# 924830) which prevents AppArmor from starting at boot. In fact

> systemctl status apparmor

shows:

● apparmor.service - LSB: AppArmor initialization
   Loaded: loaded (/etc/init.d/boot.apparmor)
   Active: inactive (dead)
     Docs: man:systemd-sysv-generator(8)

Mar 31 21:55:48 nausicaa systemd[1]: Job apparmor.service/start deleted to break ordering cycle starting with sysinit.target/start

Anyway, after running:

> systemctl restart apparmor.service

I get:

● apparmor.service - LSB: AppArmor initialization
   Loaded: loaded (/etc/init.d/boot.apparmor)
   Active: active (exited) since Tue 2015-03-31 22:01:49 CEST; 3s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 2189 ExecStart=/etc/init.d/boot.apparmor start (code=exited, status=0/SUCCESS)

Mar 31 22:01:48 nausicaa systemd[1]: Starting LSB: AppArmor initialization...
Mar 31 22:01:49 nausicaa boot.apparmor[2189]: Starting AppArmor ..done
Mar 31 22:01:49 nausicaa systemd[1]: Started LSB: AppArmor initialization.

Then I run:

> aa-enforce /etc/apparmor.d/usr.sbin.nmbd

After that, typing \\nausicaa on my host Windows box, I get the view of the Linux virtual machine's shared folders, while the expected behaviour was to see my search fail. And typing:

> journalctl -b | grep nmb

I get:

Mar 31 21:56:35 nausicaa systemd[1]: nmb.service: Supervising process 1671 which is not our child. We'll most likely not notice when it exits.
Mar 31 21:56:36 nausicaa nmbd[1671]: [2015/03/31 21:56:36.048194,  0] ../lib/util/become_daemon.c:124(daemon_ready)
Mar 31 21:56:36 nausicaa nmbd[1671]: STATUS=daemon 'nmbd' finished starting up and ready to serve connections
Mar 31 21:56:36 nausicaa unknown[1]: <audit-1130> pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=nmb comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Mar 31 21:56:59 nausicaa nmbd[1671]: [2015/03/31 21:56:59.564554,  0] ../source3/nmbd/nmbd_become_lmb.c:397(become_local_master_stage2)
Mar 31 21:56:59 nausicaa nmbd[1671]: *****
Mar 31 21:56:59 nausicaa nmbd[1671]: 
Mar 31 21:56:59 nausicaa nmbd[1671]: Samba name server NAUSICAA is now a local master browser for workgroup WORKGROUP on subnet 192.168.199.128
Mar 31 21:56:59 nausicaa nmbd[1671]: 
Mar 31 21:56:59 nausicaa nmbd[1671]: *****
Mar 31 22:01:49 nausicaa apparmor_parser[2322]: <audit-1400> apparmor="STATUS" operation="profile_load" name="/usr/sbin/nmbd" pid=2322 comm="apparmor_parser"
Mar 31 22:03:31 nausicaa apparmor_parser[2391]: <audit-1400> apparmor="STATUS" operation="profile_replace" name="/usr/sbin/nmbd" pid=2391 comm="apparmor_parser"

So, I cannot reproduce the original failure I reported, maybe because of bug # 924830.
Comment 8 Giuseppe Gorgoglione 2015-03-31 20:47:39 UTC
> So, I cannot reproduce the original failure I reported, maybe because of bug
> # 924830.

I need to add to my conclusion that:

> grep nmb /var/log/audit/audit.log

shows a lot of DENIED and ALLOWED. Log file sent in attachment.
Comment 9 Giuseppe Gorgoglione 2015-03-31 20:49:02 UTC
Created attachment 629485
Audit file
Comment 10 Christian Boltz 2015-04-17 19:35:17 UTC
Thanks for the log!

The summary is that nmbd needs rwk permissions for /var/lib/samba/lck/ and /var/lib/samba/msg/ (including files inside those directories).

I'll fix this by adding "/var/lib/samba/** rwk," to abstractions/samba and commit the updated package to Factory in some minutes.
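
The step from the audit log to a summary like the one in comment 10 can be scripted; the following is an added example, not part of the bug report or of the AppArmor tools. It reduces the AppArmor events for one profile to the permissions needed per directory. The log lines, the `EXAMPLE` names and the function names are constructed for illustration.

```shell
#!/bin/sh
# Per directory, the union of permissions AppArmor logged for one profile.
# ALLOWED (complain mode) and DENIED (enforce mode) events both count.
summarize_apparmor() {   # usage: summarize_apparmor PROFILE < audit.log
    awk -v profile="$1" '
    # Value of key="value" in the record; the leading space stops "name"
    # from matching inside another key such as hostname=.
    function field(key,    s) {
        if (!match(" " $0, " " key "=\"[^\"]*\"")) return ""
        s = substr(" " $0, RSTART, RLENGTH)
        sub("^[^\"]*\"", "", s); sub("\"$", "", s)
        return s
    }
    {
        mode = field("apparmor")
        if (mode != "DENIED" && mode != "ALLOWED") next   # skip STATUS events
        if (field("profile") != profile) next
        dir = field("name"); mask = field("denied_mask")
        if (dir == "" || mask == "") next
        sub("[^/]*$", "", dir)     # group files under their directory
        gsub("[cd]", "w", mask)    # logged create/delete are "w" in a rule
        for (i = 1; i <= length(mask); i++) seen[dir, substr(mask, i, 1)] = 1
        dirs[dir] = 1
    }
    END {
        n = split("r w a k l m x", order, " ")
        for (d in dirs) {
            perms = ""
            for (i = 1; i <= n; i++)
                if ((d, order[i]) in seen) perms = perms order[i]
            print d, perms
        }
    }' | sort
}

# Constructed sample events (not taken from the attached audit file).
sample_log() {
    cat <<'EOF'
type=SERVICE_START msg=audit(1427834000.001:200): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=nmb comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1427834000.101:201): apparmor="ALLOWED" operation="open" profile="/usr/sbin/nmbd" name="/var/lib/samba/lck/EXAMPLE.tdb" pid=1671 comm="nmbd" requested_mask="wrc" denied_mask="wrc" fsuid=0 ouid=0
type=AVC msg=audit(1427834000.102:202): apparmor="ALLOWED" operation="file_lock" profile="/usr/sbin/nmbd" name="/var/lib/samba/lck/EXAMPLE.tdb" pid=1671 comm="nmbd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
type=AVC msg=audit(1427834000.103:203): apparmor="DENIED" operation="open" profile="/usr/sbin/nmbd" name="/var/lib/samba/msg/EXAMPLE" pid=1671 comm="nmbd" requested_mask="wrc" denied_mask="wrc" fsuid=0 ouid=0
type=AVC msg=audit(1427834000.104:204): apparmor="DENIED" operation="file_lock" profile="/usr/sbin/nmbd" name="/var/lib/samba/msg/EXAMPLE" pid=1671 comm="nmbd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
type=AVC msg=audit(1427834000.105:205): apparmor="DENIED" operation="open" profile="/usr/sbin/winbindd" name="/EXAMPLE/path" pid=1700 comm="winbindd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1427834000.106:206): apparmor="STATUS" operation="profile_replace" name="/usr/sbin/nmbd" pid=2391 comm="apparmor_parser"
EOF
}

sample_log | summarize_apparmor /usr/sbin/nmbd
```

On a real system the input would be `/var/log/audit/audit.log`, and each output line is a candidate for review before any rule is widened in the profile or abstraction.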
Comment 11 Bernhard Wiedemann 2015-04-17 20:00:18 UTC
This is an autogenerated message for OBS integration:
This bug (923201) was mentioned in
https://build.opensuse.org/request/show/297856 Factory / apparmor
Comment 12 Bernhard Wiedemann 2016-04-17 00:01:30 UTC
This is an autogenerated message for OBS integration:
This bug (923201) was mentioned in
https://build.opensuse.org/request/show/390301 13.2 / apparmor
Comment 13 Swamp Workflow Management 2016-04-17 13:09:21 UTC
openSUSE-RU-2016:1063-1: An update that has 18 recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 853019,906858,911001,917577,918787,921098,923201,931792,939568,940749,945592,948584,948753,954104,954958,954959,964971,971790
CVE References: 
Sources used:
openSUSE 13.2 (src):    apparmor-2.9.3-7.1
Comment 14 Bernhard Wiedemann 2016-04-23 18:00:29 UTC
This is an autogenerated message for OBS integration:
This bug (923201) was mentioned in
https://build.opensuse.org/request/show/391406 Factory / apparmor
https://build.opensuse.org/request/show/391409 42.1 / apparmor
Comment 15 Swamp Workflow Management 2016-05-03 12:08:45 UTC
openSUSE-RU-2016:1201-1: An update that has 10 recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 921098,923201,948584,948753,954104,954958,954959,964971,971790,971917
CVE References: 
Sources used:
openSUSE Leap 42.1 (src):    apparmor-2.10.1-5.1