You are not logged in.

Pages: 1

#1 2022-09-03 04:32:55

SumanM
Member
Registered: 2022-09-03
Posts: 2

SAMBA: Failed to retrieve share list from server

I'm using Linux more than two years. I have started Arch about 8 months ago. Likewise, I fall in love with it. I have learned so much from Arch Wiki and Forums. But, I am still unable to solve one problem.

I'm using samba share for sharing between pc and android mobile, and I love it. It has problem with Apparmor. My samba version is 4.16.4. I need to teardown Apparmor for the usage of SAMBA. How will I solve it.
My testparm result:------------------------------------------------------------------------------------------

Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Weak crypto is allowed

Server role: ROLE_STANDALONE

Press enter to see a dump of your service definitions

# Global parameters
[global]
    dns proxy = No
    log file = /var/log/samba/log.%m
    max log size = 50
    server role = standalone server
    server string = Samba Server
    workgroup = MYGROUP
    idmap config * : backend = tdb


[homes]
    comment = Home Directories
    read only = No


[printers]
    browseable = No
    comment = All Printers
    path = /usr/spool/samba
    printable = Yes

Apparmor status:------------------------------------------------------------------------------------------------------------

apparmor module is loaded.
60 profiles are loaded.
60 profiles are in enforce mode.
   /usr/lib/apache2/mpm-prefork/apache2
   /usr/lib/apache2/mpm-prefork/apache2//DEFAULT_URI
   /usr/lib/apache2/mpm-prefork/apache2//HANDLING_UNTRUSTED_INPUT
   /usr/lib/apache2/mpm-prefork/apache2//phpsysinfo
   apache2
   apache2//DEFAULT_URI
   apache2//HANDLING_UNTRUSTED_INPUT
   apache2//phpsysinfo
   avahi-daemon
   dnsmasq
   dnsmasq//libvirt_leaseshelper
   dovecot
   dovecot-anvil
   dovecot-auth
   dovecot-config
   dovecot-deliver
   dovecot-dict
   dovecot-director
   dovecot-doveadm-server
   dovecot-dovecot-auth
   dovecot-dovecot-lda
   dovecot-dovecot-lda//sendmail
   dovecot-imap
   dovecot-imap-login
   dovecot-lmtp
   dovecot-log
   dovecot-managesieve
   dovecot-managesieve-login
   dovecot-pop3
   dovecot-pop3-login
   dovecot-replicator
   dovecot-script-login
   dovecot-ssl-params
   dovecot-stats
   identd
   klogd
   lsb_release
   mdnsd
   nmbd
   nscd
   ntpd
   nvidia_modprobe
   nvidia_modprobe//kmod
   php-fpm
   ping
   samba-bgqd
   samba-dcerpcd
   samba-rpcd
   samba-rpcd-classic
   samba-rpcd-spoolss
   smbd
   smbldap-useradd
   smbldap-useradd///etc/init.d/nscd
   syslog-ng
   syslogd
   traceroute
   winbindd
   zgrep
   zgrep//helper
   zgrep//sed
0 profiles are in complain mode.
0 profiles are in kill mode.
0 profiles are in unconfined mode.
5 processes have profiles defined.
5 processes are in enforce mode.
   /usr/bin/avahi-daemon (537) avahi-daemon
   /usr/bin/avahi-daemon (545) avahi-daemon
   /usr/bin/smbd (1293) smbd
   /usr/bin/smbd (1296) smbd
   /usr/bin/smbd (1297) smbd
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
0 processes are in mixed mode.
0 processes are in kill mode.

Audit log:---------------------------------------------------------------------------------------------------------

type=AVC msg=audit(1662175595.240:251): apparmor="DENIED" operation="open" profile="samba-dcerpcd" name="/var/cache/samba/names.tdb" pid=13491 comm="samba-dcerpcd" requested_mask="wrc" denied_mask="wrc" fsuid=0 ouid=0FSUID="root" OUID="root"

SAMBA client result when Apparmor is in enforce mode:------------------------------------------------------------------------------------------

smbclient -L localhost
Password for [MYGROUP\suman]:

    Sharename       Type      Comment
    ---------       ----      -------
SMB1 disabled -- no workgroup available

SAMBA client result after Apparmor teardown:------------------------------------------------------------------------------------------

smbclient -L localhost
Password for [MYGROUP\suman]:

    Sharename       Type      Comment
    ---------       ----      -------
    homes           Disk      Home Directories
    IPC$            IPC       IPC Service (Samba Server)
    suman           Disk      Home Directories
SMB1 disabled -- no workgroup available

Last edited by SumanM (2022-09-03 14:30:35)

Offline

#2 2022-09-04 21:12:31

tolga9009
Member
From: Germany
Registered: 2010-01-08
Posts: 62

Re: SAMBA: Failed to retrieve share list from server

Ever since Samba 4.16 got released, it doesn't play nicely with AppArmor under Arch. Haven't found a proper fix, but setting samba to complain mode instead of enforce works as a temporary workaround. This way, you don't have to completely disable AppArmor system-wide, but only for these specific components. Please note, I didn't dive deep into this, so use it at your own risk.

sudo aa-complain samba-dcerpcd
sudo aa-complain samba-rpcd
sudo aa-complain samba-rpcd-classic

Last edited by tolga9009 (2022-09-04 21:13:13)

Offline

#3 2022-09-05 09:01:46

SumanM
Member
Registered: 2022-09-03
Posts: 2

Re: SAMBA: Failed to retrieve share list from server

Thanks for your reply.

Offline

#4 2023-01-03 06:53:19

UrbenLegend
Member
Registered: 2021-03-26
Posts: 18

Re: SAMBA: Failed to retrieve share list from server

I just ran into this same issue today. The apparmor profiles for Samba are indeed a bit off and no longer work with 4.16. If you don't want to completely disable protections for Samba, you can add exceptions for the things apparmor is complaining about. I've filed a bug here with some workarounds to get it working: https://bugs.archlinux.org/task/76992

Offline

Pages: 1

Board footer

Powered by FluxBB