A couple of months ago after some Manjaro update, my Samba share stopped working. Finally I made it to diagnosing the problem, and it seems something might be broken with the AppArmor profile for samba.
I have a share located at var/lib/samba/usershare/videos which is configured to be authentication-only (if I make it available without authentication, it works fine). Now that I tried connecting to it, I saw in systemctl status smb the following:
May 18 12:52:09 agolovanov-laptop2 smbd[8799]: pam_unix(samba:account): helper binary execve failed: Permission denied
May 18 12:52:09 agolovanov-laptop2 smbd[8798]: [2024/05/18 12:52:09.217034, 0] ../../source3/auth/pampass.c:592(smb_pam_account)
May 18 12:52:09 agolovanov-laptop2 smbd[8798]: smb_pam_account: PAM: UNKNOWN PAM ERROR (9) during Account Management for User: agolovanov
May 18 12:52:09 agolovanov-laptop2 smbd[8798]: [2024/05/18 12:52:09.217230, 0] ../../source3/auth/pampass.c:800(smb_pam_accountcheck)
May 18 12:52:09 agolovanov-laptop2 smbd[8798]: smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User agolovanov!
I checked the system log (journalctl -xe | grep DENIED) for AppArmor problems and saw:
May 18 12:52:09 agolovanov-laptop2 kernel: audit: type=1400 audit(1716025929.213:248): apparmor="DENIED" operation="exec" class="file" profile="smbd" name="/usr/bin/unix_chkpwd" pid=8799 comm="smbd[10.100.102" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
I already kinda fixed it by adding the following line to /etc/apparmor.d/usr.sbin.smbd:
/usr/bin/unix_chkpwd Ux,
It seems to be working, but it still gives me several DENIED entries which don’t seem to be affecting at least the ability to access the files.
May 18 12:58:18 agolovanov-laptop2 kernel: audit: type=1400 audit(1716026298.227:249): apparmor="DENIED" operation="open" class="file" profile="samba-dcerpcd" name="/etc/gnutls/config" pid=9105 comm="samba-dcerpcd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
May 18 12:58:18 agolovanov-laptop2 kernel: audit: type=1400 audit(1716026298.263:250): apparmor="DENIED" operation="open" class="file" profile="samba-rpcd" name="/etc/gnutls/config" pid=9110 comm="rpcd_fsrvp" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
May 18 12:58:18 agolovanov-laptop2 kernel: audit: type=1400 audit(1716026298.263:251): apparmor="DENIED" operation="open" class="file" profile="samba-rpcd" name="/etc/gnutls/config" pid=9109 comm="rpcd_epmapper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
May 18 12:58:18 agolovanov-laptop2 kernel: audit: type=1400 audit(1716026298.267:252): apparmor="DENIED" operation="open" class="file" profile="samba-rpcd" name="/etc/gnutls/config" pid=9114 comm="rpcd_winreg" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
May 18 12:58:18 agolovanov-laptop2 kernel: audit: type=1400 audit(1716026298.267:253): apparmor="DENIED" operation="open" class="file" profile="samba-rpcd" name="/etc/gnutls/config" pid=9111 comm="rpcd_lsad" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
May 18 12:58:18 agolovanov-laptop2 kernel: audit: type=1400 audit(1716026298.267:254): apparmor="DENIED" operation="open" class="file" profile="samba-rpcd" name="/etc/gnutls/config" pid=9112 comm="rpcd_mdssvc" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
May 18 12:58:18 agolovanov-laptop2 kernel: audit: type=1400 audit(1716026298.267:255): apparmor="DENIED" operation="open" class="file" profile="samba-rpcd-classic" name="/etc/gnutls/config" pid=9108 comm="rpcd_classic" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
May 18 12:58:18 agolovanov-laptop2 kernel: audit: type=1400 audit(1716026298.267:256): apparmor="DENIED" operation="open" class="file" profile="samba-rpcd-spoolss" name="/etc/gnutls/config" pid=9113 comm="rpcd_spoolss" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
May 18 12:58:18 agolovanov-laptop2 kernel: audit: type=1400 audit(1716026298.303:257): apparmor="DENIED" operation="open" class="file" profile="samba-rpcd" name="/etc/gnutls/config" pid=9115 comm="rpcd_lsad" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
May 18 12:58:59 agolovanov-laptop2 kernel: audit: type=1400 audit(1716026339.238:259): apparmor="DENIED" operation="open" class="file" profile="smbd" name="/etc/gnutls/config" pid=9176 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
May 18 12:59:02 agolovanov-laptop2 kernel: audit: type=1400 audit(1716026342.688:260): apparmor="DENIED" operation="open" class="file" profile="nmbd" name="/etc/gnutls/config" pid=9187 comm="nmbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
May 18 12:59:08 agolovanov-laptop2 kernel: audit: type=1400 audit(1716026348.428:261): apparmor="DENIED" operation="exec" class="file" profile="smbd" name="/usr/bin/unix_chkpwd" pid=9192 comm="smbd[10.100.102" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
May 18 13:02:17 agolovanov-laptop2 kernel: audit: type=1400 audit(1716026537.114:263): apparmor="DENIED" operation="open" class="file" profile="smbd" name="/etc/gnutls/config" pid=9266 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
May 18 13:02:20 agolovanov-laptop2 kernel: audit: type=1400 audit(1716026540.218:264): apparmor="DENIED" operation="open" class="file" profile="nmbd" name="/etc/gnutls/config" pid=9281 comm="nmbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
May 18 13:02:32 agolovanov-laptop2 kernel: audit: type=1400 audit(1716026552.278:265): apparmor="DENIED" operation="open" class="file" profile="smbd" name="/proc/9286/loginuid" pid=9286 comm="smbd[10.100.102" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
May 18 13:15:26 agolovanov-laptop2 kernel: audit: type=1400 audit(1716027326.329:266): apparmor="DENIED" operation="open" class="file" profile="smbd" name="/proc/9663/loginuid" pid=9663 comm="smbd[10.100.102" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
My question is: is it some problem with the default configuration of Samba and AppArmor shipped with Manjaro? It used to work before out of the box with no additional manual configuration, just by adding the folder to samba shares through Dolphin. I’ve checked for pacnew files, and I don’t remember ever modifying my samba and AppArmor configuration.
As a side note, I’m not sure how important it is to the topic, but the default samba share path I have in Manjaro is var/lib/samba/usershare/, while many guides have var/lib/samba/usershares/ (with final s) instead. And the same path is there in /etc/apparmor.d/usr.sbin.smbd:
/var/lib/samba/usershares/{,**} lrwk,
So maybe at some point there was (still is?) some inconsistency in using usershare vs usershares in Manjaro.
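
Added example, not part of the original post: a small Python triage script that collapses AppArmor DENIED audit lines like the ones above into one entry per profile, path and denied mask, so repeated denials and per-PID /proc paths are reviewed once. The sample lines are constructed from the shape of the log in the post (hostname shortened to "host"); the function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample: abridged lines in the same format as the journal output in the post.
SAMPLE = '''\
May 18 12:52:09 host smbd[8799]: pam_unix(samba:account): helper binary execve failed: Permission denied
May 18 12:52:09 host kernel: audit: type=1400 audit(1716025929.213:248): apparmor="DENIED" operation="exec" class="file" profile="smbd" name="/usr/bin/unix_chkpwd" pid=8799 comm="smbd[10.100.102" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
May 18 12:58:59 host kernel: audit: type=1400 audit(1716026339.238:259): apparmor="DENIED" operation="open" class="file" profile="smbd" name="/etc/gnutls/config" pid=9176 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
May 18 12:59:02 host kernel: audit: type=1400 audit(1716026342.688:260): apparmor="DENIED" operation="open" class="file" profile="nmbd" name="/etc/gnutls/config" pid=9187 comm="nmbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
May 18 13:02:17 host kernel: audit: type=1400 audit(1716026537.114:263): apparmor="DENIED" operation="open" class="file" profile="smbd" name="/etc/gnutls/config" pid=9266 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
May 18 13:02:32 host kernel: audit: type=1400 audit(1716026552.278:265): apparmor="DENIED" operation="open" class="file" profile="smbd" name="/proc/9286/loginuid" pid=9286 comm="smbd[10.100.102" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
May 18 13:15:26 host kernel: audit: type=1400 audit(1716027326.329:266): apparmor="DENIED" operation="open" class="file" profile="smbd" name="/proc/9663/loginuid" pid=9663 comm="smbd[10.100.102" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
'''

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted value" or key=bare

def parse_denial(line):
    """Return the key=value fields of one AppArmor DENIED audit line, else None."""
    if 'apparmor="DENIED"' not in line:
        return None
    return {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}

def normalize(path):
    """Replace a per-process /proc/<pid>/ prefix with AppArmor's @{pid} variable."""
    return re.sub(r'^/proc/\d+/', '/proc/@{pid}/', path)

def summarize(text):
    """Count denials per (profile, normalized path, denied_mask)."""
    counts = Counter()
    for line in text.splitlines():
        d = parse_denial(line)
        if d and 'profile' in d and 'name' in d:
            counts[(d['profile'], normalize(d['name']), d.get('denied_mask', ''))] += 1
    return counts

def report(counts):
    """One line per distinct denial; exec denials are flagged, not resolved."""
    lines = []
    for (profile, path, mask), n in sorted(counts.items()):
        note = ' (exec: choose a transition mode by hand)' if 'x' in mask else ''
        lines.append(f'{n} {profile} {path} {mask}{note}')
    return lines

if __name__ == '__main__':
    print('\n'.join(report(summarize(SAMPLE))))
```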