Samba AppArmor permissions

A couple of months ago after some Manjaro update, my Samba share stopped working. Finally I made it to diagnosing the problem, and it seems something might be broken with the AppArmor profile for samba.

I have a share located at var/lib/samba/usershare/videos which is configured to be authentication-only (if I make it available without authentication, it works fine). Now that I tried connecting to it, I saw in systemctl status smb the following:

May 18 12:52:09 agolovanov-laptop2 smbd[8799]: pam_unix(samba:account): helper binary execve failed: Permission denied
May 18 12:52:09 agolovanov-laptop2 smbd[8798]: [2024/05/18 12:52:09.217034,  0] ../../source3/auth/pampass.c:592(smb_pam_account)
May 18 12:52:09 agolovanov-laptop2 smbd[8798]:   smb_pam_account: PAM: UNKNOWN PAM ERROR (9) during Account Management for User: agolovanov
May 18 12:52:09 agolovanov-laptop2 smbd[8798]: [2024/05/18 12:52:09.217230,  0] ../../source3/auth/pampass.c:800(smb_pam_accountcheck)
May 18 12:52:09 agolovanov-laptop2 smbd[8798]:   smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User agolovanov!

I checked the system log journalctl -xe | grep DENIED for AppArmor problems and saw

May 18 12:52:09 agolovanov-laptop2 kernel: audit: type=1400 audit(1716025929.213:248): apparmor="DENIED" operation="exec" class="file" profile="smbd" name="/usr/bin/unix_chkpwd" pid=8799 comm="smbd[10.100.102" requested_mask="x" denied_mask="x" fsuid=0 ouid=0

I already kinda fixed it with adding the following line to /etc/apparmor.d/usr.sbin.smbd

  /usr/bin/unix_chkpwd Ux,

It seems to be working, but it still gives me several DENIED entries which don’t seem to affect at least the ability to access the files.

May 18 12:58:18 agolovanov-laptop2 kernel: audit: type=1400 audit(1716026298.227:249): apparmor="DENIED" operation="open" class="file" profile="samba-dcerpcd" name="/etc/gnutls/config" pid=9105 comm="samba-dcerpcd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
May 18 12:58:18 agolovanov-laptop2 kernel: audit: type=1400 audit(1716026298.263:250): apparmor="DENIED" operation="open" class="file" profile="samba-rpcd" name="/etc/gnutls/config" pid=9110 comm="rpcd_fsrvp" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
May 18 12:58:18 agolovanov-laptop2 kernel: audit: type=1400 audit(1716026298.263:251): apparmor="DENIED" operation="open" class="file" profile="samba-rpcd" name="/etc/gnutls/config" pid=9109 comm="rpcd_epmapper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
May 18 12:58:18 agolovanov-laptop2 kernel: audit: type=1400 audit(1716026298.267:252): apparmor="DENIED" operation="open" class="file" profile="samba-rpcd" name="/etc/gnutls/config" pid=9114 comm="rpcd_winreg" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
May 18 12:58:18 agolovanov-laptop2 kernel: audit: type=1400 audit(1716026298.267:253): apparmor="DENIED" operation="open" class="file" profile="samba-rpcd" name="/etc/gnutls/config" pid=9111 comm="rpcd_lsad" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
May 18 12:58:18 agolovanov-laptop2 kernel: audit: type=1400 audit(1716026298.267:254): apparmor="DENIED" operation="open" class="file" profile="samba-rpcd" name="/etc/gnutls/config" pid=9112 comm="rpcd_mdssvc" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
May 18 12:58:18 agolovanov-laptop2 kernel: audit: type=1400 audit(1716026298.267:255): apparmor="DENIED" operation="open" class="file" profile="samba-rpcd-classic" name="/etc/gnutls/config" pid=9108 comm="rpcd_classic" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
May 18 12:58:18 agolovanov-laptop2 kernel: audit: type=1400 audit(1716026298.267:256): apparmor="DENIED" operation="open" class="file" profile="samba-rpcd-spoolss" name="/etc/gnutls/config" pid=9113 comm="rpcd_spoolss" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
May 18 12:58:18 agolovanov-laptop2 kernel: audit: type=1400 audit(1716026298.303:257): apparmor="DENIED" operation="open" class="file" profile="samba-rpcd" name="/etc/gnutls/config" pid=9115 comm="rpcd_lsad" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
May 18 12:58:59 agolovanov-laptop2 kernel: audit: type=1400 audit(1716026339.238:259): apparmor="DENIED" operation="open" class="file" profile="smbd" name="/etc/gnutls/config" pid=9176 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
May 18 12:59:02 agolovanov-laptop2 kernel: audit: type=1400 audit(1716026342.688:260): apparmor="DENIED" operation="open" class="file" profile="nmbd" name="/etc/gnutls/config" pid=9187 comm="nmbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
May 18 12:59:08 agolovanov-laptop2 kernel: audit: type=1400 audit(1716026348.428:261): apparmor="DENIED" operation="exec" class="file" profile="smbd" name="/usr/bin/unix_chkpwd" pid=9192 comm="smbd[10.100.102" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
May 18 13:02:17 agolovanov-laptop2 kernel: audit: type=1400 audit(1716026537.114:263): apparmor="DENIED" operation="open" class="file" profile="smbd" name="/etc/gnutls/config" pid=9266 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
May 18 13:02:20 agolovanov-laptop2 kernel: audit: type=1400 audit(1716026540.218:264): apparmor="DENIED" operation="open" class="file" profile="nmbd" name="/etc/gnutls/config" pid=9281 comm="nmbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
May 18 13:02:32 agolovanov-laptop2 kernel: audit: type=1400 audit(1716026552.278:265): apparmor="DENIED" operation="open" class="file" profile="smbd" name="/proc/9286/loginuid" pid=9286 comm="smbd[10.100.102" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
May 18 13:15:26 agolovanov-laptop2 kernel: audit: type=1400 audit(1716027326.329:266): apparmor="DENIED" operation="open" class="file" profile="smbd" name="/proc/9663/loginuid" pid=9663 comm="smbd[10.100.102" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

My question is: is it some problem with the default configuration of Samba and AppArmor shipped with in Manjaro? It used to work before out of the box with no additional manual configuration, just by adding the folder to samba shares through Dolphin. I’ve checked for pacnew files, and I don’t remember ever modifying my samba and AppArmor configuration.

As a side note, I’m not sure how important it is to the topic, but the default samba share path I have in Manjaro is var/lib/samba/usershare/, while many guides have var/lib/samba/usershares/ (with final s) instead. And the same path is there in /etc/apparmor.d/usr.sbin.smbd

  /var/lib/samba/usershares/{,**} lrwk,

So maybe at some point there was (still is?) some inconsistency in using usershare vs usershares in Manjaro.

There is no default configuration for samba. One always configures Samba per system.

This causes a huge pile of resources everywhere on the internet with suggestions on how to configure your samba service. This pile of … causes all kinds of issues when one keeps adding stuff to smb.conf just because it solved an issue 5 years ago for one system - ohh - it must be that …

Back in time - when - by multiple requests - snap support was added, apparmor became a default part of the kernel command line as snap requires this.

Remember this: The SMB (Server Message Broadcast) protocol initially created by IBM and improved upon over the years - What is SMB? - yet it appears that Microsoft employees are strictly forbidden to contribute to samba - thus indicating the entire software has been largely created by reverse engineering network traffic - see Samba Development.

I have long believed the Samba project is reverse engineered from Microsoft but I may be completely wrong.

When the schema used to communicate shares over the network changes - samba is updated - fixes, loopholes closed, protocol variants deprecated due to massive abuse by ransomware - this causes ripples everywhere and the end user needs to adapt.

There are various ways of hardening a Linux workstation, of which SELinux and AppArmor are widely known, and when apparmor is enabled on the kernel commandline it affects samba.

So if you are not using snap - it is safe to remove apparmor from the kernel commandline and disable the apparmor related services.

Manjaro does not provide any preconfigured network shares of any kind. That is why there is no default smb.conf - there is a template but one should really only configure the bare necessities.

Besides the above linked topic - I have written a couple of guides on the topic of samba and filesharing - they are all in the Tutorials section.


Wow, when I saw this tutorial somehow I missed that it mentioned AppArmor, my bad.

Thanks for pointing this out! Then I guess in my case this configuration could’ve been generated by Dolphin when I first enabled sharing.