Access to Samba shares fail with NT_STATUS_UNSUCCESSFUL

This document (7023574) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Enterprise Storage 5
AppArmor


Situation

After configuring a Samba export via CephFS, attempting to access the share using "smbclient" fails with:

tree connect failed: NT_STATUS_UNSUCCESSFUL

Resolution

Update the "usr.sbin.smbd" AppArmor profile to allow read access to the Ceph related files by taking the following steps:

Edit "/etc/apparmor.d/usr.sbin.smbd" and add the following two lines:

 /etc/ceph/ceph.conf r,
 /etc/ceph/<insert_relevant_ceph.client.samba.gw.keyring_name> r,

Save the file and then reload AppArmor with:

# systemctl reload apparmor

Cause

The default AppArmor profile does not allow read access to the required "/etc/ceph/ceph.conf" and "/etc/ceph/<generated_samba_keyring_file>" files.

Additional Information

Looking at "/var/log/messages" the following AppArmor related messages will be logged:

2018-12-10T18:30:17.176296+01:00 serverX kernel: [527457.907974] audit: type=1400 audit(1544463017.052:155): apparmor="DENIED" operation="open" profile="/usr/sbin/smbd" name="/etc/ceph/ceph.conf" pid=233702 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
2018-12-10T18:32:38.320297+01:00 serverX kernel: [527599.048681] audit: type=1400 audit(1544463158.188:207): apparmor="DENIED" operation="open" profile="/usr/sbin/smbd" name="/etc/ceph/ceph.client<ins_samba_gw_keyring_name>" pid=233913 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

Note that the mentioned additional entries are the minimum required, it may be needed to make additional adjustments to the AppArmor profile. For more information on AppArmor see the online SLES 12 Security Guide documentation.

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:7023574
  • Creation Date: 11-Dec-2018
  • Modified Date:03-Mar-2020
    • SUSE Enterprise Storage

< Back to Support Search

For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback@suse.com

SUSE Support Forums

Get your questions answered by experienced Sys Ops or interact with other SUSE community experts.

Join Our Community

Support Resources

Learn how to get the most from the technical support you receive with your SUSE Subscription, Premium Support, Academic Program, or Partner Program.


SUSE Customer Support Quick Reference Guide SUSE Technical Support Handbook Update Advisories
Support FAQ

Open an Incident

Open an incident with SUSE Technical Support, manage your subscriptions, download patches, or manage user access.

Go to Customer Center