Bug#886897: samba: samba cannot export LUKs encrypted disks mounted manually after systemd boot

2018-01-20 Thread Michael Biebl
On Thu, 11 Jan 2018 13:58:56 +1100 David Maslen wrote:
> Package: samba
> Version: 2:4.7.3+dfsg-1
> Severity: important
> 
> Dear Maintainer,
> 
> I recently added a LUKS encrypted data disk to my working system.
> I have samba configured to share some of the directories from that disk,
> mounted at /mnt/crypt.
> 
> By default, when my system boots I am prompted to enter my LUKS
> password. When I do, the systemd boots and samba serves the /mnt/crypt
> directories. My encrypted disk is mounted via the fstab, via the crypttab.
> 
> However the server is generally headless, so it suited me better to boot
> the machine remotely, then ssh in and mount the encrypted data disk
> manually.
> 
> To achieve this I added "noauto" to the relevant line in /etc/crypttab
> and /etc/fstab.
> 
> Once logged in I could run
> # cryptdisks_start mydisk
> 
> followed by
> 
> # mount /mnt/crypt

This is most likely a duplicate of #885325

Please make sure that systemd is updated to 236-3 and test again.

-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?





Bug#886897: samba: samba cannot export LUKs encrypted disks mounted manually after systemd boot

2018-01-10 Thread David Maslen
Package: samba
Version: 2:4.7.3+dfsg-1
Severity: important

Dear Maintainer,

I recently added a LUKS encrypted data disk to my working system.
I have samba configured to share some of the directories from that disk,
mounted at /mnt/crypt.

By default, when my system boots I am prompted to enter my LUKS
password. When I do, the systemd boots and samba serves the /mnt/crypt
directories. My encrypted disk is mounted via the fstab, via the crypttab.

However the server is generally headless, so it suited me better to boot
the machine remotely, then ssh in and mount the encrypted data disk
manually.

To achieve this I added "noauto" to the relevant line in /etc/crypttab
and /etc/fstab.

Once logged in I could run
# cryptdisks_start mydisk

followed by

# mount /mnt/crypt

While this appears to work, I noticed that I got errors when attempting
to mount the samba directories on my macbook. The connection would time
out with an error about files not found.

Samba logs showed this error
[2018/01/11 11:14:10.716971,  0] ../source3/smbd/service.c:774(make_connection_snum)
  canonicalize_connect_path failed for service multimedia, path /mnt/crypt/multimedia
[2018/01/11 11:14:14.121656,  0] ../source3/param/loadparm.c:3066(check_usershare_stat)
  check_usershare_stat: file /var/lib/samba/usershares/ owned by uid 0 is not a regular file

Reverting back to unlocking the LUKS disk during the init, everything
works again.

I think the difference in the two startup methods is that this
mnt-crypt.mount service is only created when I enter the LUKS password
at boot, and for some reason the Samba service depends on it having been
mounted by systemd rather than manually, post boot.

# systemctl |grep mnt-crypt
  mnt-crypt.mount   loaded active mounted   /mnt/crypt


This is an inconvenience to me as it causes samba to fail without a
useful error message.

I have classified the bug as important, because it may simply appear
that samba won't export shares with underlying encryption to others.

I can reproduce this bug.

-- Package-specific info:
* /etc/samba/smb.conf present, but not attached
* /etc/samba/dhcp.conf present, but not attached

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (150, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.14.0-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), LANGUAGE=en_AU:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages samba depends on:
ii  adduser           3.116
ii  dpkg              1.19.0.4
ii  libattr1          1:2.4.47-2+b2
ii  libbsd0           0.8.6-3
ii  libc6             2.26-2
ii  libldb1           2:1.2.2-2
ii  libpam-modules    1.1.8-3.6
ii  libpam-runtime    1.1.8-3.6
ii  libpopt0          1.16-10+b2
ii  libpython2.7      2.7.14-4
ii  libtalloc2        2.1.10-2
ii  libtdb1           1.3.15-2
ii  libtevent0        0.9.34-1
ii  lsb-base          9.20170808
ii  procps            2:3.3.12-3
ii  python            2.7.14-4
ii  python-dnspython  1.15.0-1
ii  python-samba      2:4.7.3+dfsg-1
ii  python2.7         2.7.14-4
ii  samba-common      2:4.7.3+dfsg-1
ii  samba-common-bin  2:4.7.3+dfsg-1
ii  samba-libs        2:4.7.3+dfsg-1
ii  tdb-tools         1.3.15-2

Versions of packages samba recommends:
ii  attr                1:2.4.47-2+b2
ii  logrotate           3.11.0-0.1
ii  samba-dsdb-modules  2:4.7.3+dfsg-1
ii  samba-vfs-modules   2:4.7.3+dfsg-1

Versions of packages samba suggests:
ii  bind9          1:9.11.2+dfsg-5
ii  bind9utils     1:9.11.2+dfsg-5
ii  ctdb           2:4.7.3+dfsg-1
ii  ldb-tools      2:1.2.2-2
ii  ntp            1:4.2.8p10+dfsg-5
ii  smbldap-tools  0.9.9-1
pn  ufw
ii  winbind        2:4.7.3+dfsg-1

-- debconf information:
  samba/run_mode: daemons
  samba-common/title:
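
Added example, not part of the original report and not Samba code: a parser for the smbd log entries quoted in the report that counts canonicalize_connect_path failures per share and looks up which mount backs the share path. The third log entry and both mountinfo excerpts are constructed; feeding it /proc/<smbd pid>/mountinfo next to the shell's own is an assumed way of using it, not a diagnosis stated in this thread.

```python
import re
from collections import Counter
from pathlib import PurePosixPath

# Constructed sample in smbd's log layout: a bracketed header line, then
# indented message lines. The first two entries mirror the ones in the report.
SAMPLE_LOG = """\
[2018/01/11 11:14:10.716971,  0] ../source3/smbd/service.c:774(make_connection_snum)
  canonicalize_connect_path failed for service multimedia, path /mnt/crypt/multimedia
[2018/01/11 11:14:14.121656,  0] ../source3/param/loadparm.c:3066(check_usershare_stat)
  check_usershare_stat: file /var/lib/samba/usershares/ owned by uid 0 is not a regular file
[2018/01/11 11:15:02.000001,  0] ../source3/smbd/service.c:774(make_connection_snum)
  canonicalize_connect_path failed for service multimedia, path /mnt/crypt/multimedia
"""

# Constructed mountinfo excerpts (same layout as /proc/<pid>/mountinfo).
MOUNTINFO_LOCKED = "22 1 8:1 / / rw,relatime - ext4 /dev/sda1 rw\n"
MOUNTINFO_UNLOCKED = MOUNTINFO_LOCKED + (
    "95 22 253:0 / /mnt/crypt rw,relatime - ext4 /dev/mapper/mydisk rw\n")

HEADER = re.compile(r"^\[(?P<ts>[^,\]]+),\s*(?P<level>\d+)\]\s+(?P<src>\S+)$")
FAILURE = re.compile(
    r"canonicalize_connect_path failed for service (?P<service>.+), path (?P<path>\S.*)$")

def parse_entries(text):
    """Group each header line with the indented message lines that follow it."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            entries.append({"ts": m["ts"], "level": int(m["level"]),
                            "src": m["src"], "msg": ""})
        elif entries and line.strip():
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + line.strip()).strip()
    return entries

def failed_shares(text):
    """Count canonicalize_connect_path failures per (service, path)."""
    hits = (FAILURE.search(e["msg"]) for e in parse_entries(text))
    return Counter((m["service"], m["path"]) for m in hits if m)

def backing_mount(path, mountinfo):
    """Longest mount point (field 5 of each mountinfo line) that contains path."""
    target = PurePosixPath(path)
    points = [PurePosixPath(l.split()[4]) for l in mountinfo.splitlines() if l.strip()]
    hits = [p for p in points if target == p or p in target.parents]
    return str(max(hits, key=lambda p: len(p.parts))) if hits else None
```

A share path whose backing mount comes back as "/" instead of "/mnt/crypt" sits on the root filesystem in the mount table that was inspected, which matches the state before the volume is unlocked and mounted.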