Zentyal Forum, Linux Small Business Server
Zentyal Server => Installation and Upgrades => Topic started by: henfri on July 16, 2013, 08:48:20 pm
-
Hello,
I changed the settings of the file-sharing (samba). Since I did that, I cannot access the web-interface any longer.
Thus, I rebooted. No improvement.
I also noticed that I can only log in as root via ssh. Even su to my username does not work:
su henfri
Cannot execute /bin/sh: Permission denied
su: User not known to the underlying authentication module
What has gone wrong here?
Note: I added "/" to the shared folders (I know I should not, but /var/www was not allowed, and I DO have good reasons to share this: I want to edit the web pages from Windows).
Greetings,
Hendrik
-
That was a bold thing to try. From what I understand, when you make a share, the folder you share gets special permissions so that LDAP users can access that folder, and I think all sub-folders then inherit those same permissions.
So, if you somehow set your root folder as a share, I wonder if Samba had the authority to change permissions on your root folder and make all sub-folders inherit those permissions. Probably a far-fetched idea, but when you ssh in I'd be sure to check the file permissions on your root folder:
cd /
ls -lha
Find out where the web interface files are and see their permissions too. If you can no longer access the web interface, it seems likely that you have a permissions issue at some level.
-
Hello,
Thanks for your reply.
The output is:
total 168K
drwx------ 25 root root 4,0K Jul 10 20:44 .
drwx------ 25 root root 4,0K Jul 10 20:44 ..
-rw------- 1 root root 14K Feb 24 13:51 aquota.group
-rw------- 1 root root 14K Feb 24 13:51 aquota.user
drwxr-xr-x 2 root root 4,0K Jul 10 20:41 bin
drwxr-xr-x 3 root root 4,0K Jul 10 20:46 boot
drwxr-xr-x 3 root root 4,0K Jul 1 18:44 build
drwxr-xr-x 2 root root 4,0K Apr 13 22:32 .config
drwxr-xr-x 19 root root 4,4K Jul 16 20:29 dev
drwxr-xr-x 158 root root 12K Jul 16 20:29 etc
drwxr-xr-x 14 root root 4,0K Jul 6 22:45 home
lrwxrwxrwx 1 root root 33 Jul 10 20:44 initrd.img -> /boot/initrd.img-3.2.0-49-generic
lrwxrwxrwx 1 root root 33 Mai 18 11:27 initrd.img.old -> /boot/initrd.img-3.2.0-43-generic
-rw-r--r-- 1 root root 351 Mär 9 20:09 iostat-ios.state
drwxr-xr-x 20 root root 4,0K Jul 10 20:41 lib
drwxr-xr-x 2 root root 4,0K Mai 18 11:24 lib64
drwx------ 2 root root 16K Nov 27 2012 lost+found
drwxr-xr-x 4 root root 4,0K Jun 29 20:59 media
drwxrwxrwx 10 root root 4,0K Apr 19 20:47 mnt
drwxr-xr-x 4 root root 4,0K Feb 24 11:30 opt
dr-xr-xr-x 182 root root 0 Jul 16 20:28 proc
drwx------ 64 root root 4,0K Jul 13 23:12 root
drwxr-xr-x 28 root root 1,2K Jul 17 19:32 run
drwxr-xr-x 2 root root 12K Jul 10 20:41 sbin
drwxr-xr-x 2 root root 4,0K Mär 5 2012 selinux
drwxr-xr-x 8 root root 4,0K Jun 13 21:11 srv
dr-xr-xr-x 13 root root 0 Jul 16 20:28 sys
drwxrwxrwt 7 root root 4,0K Jul 17 19:30 tmp
-rw-r--r-- 1 root root 1,1K Nov 27 2012 ubuntu
-rw-r--r-- 1 root root 1,1K Dez 26 2012 ubuntu.1
drwxr-xr-x 11 root root 4,0K Jun 30 20:40 usr
drwxr-xr-x 15 root root 4,0K Jul 16 20:28 var
lrwxrwxrwx 1 root root 29 Jul 10 20:44 vmlinuz -> boot/vmlinuz-3.2.0-49-generic
lrwxrwxrwx 1 root root 29 Mai 18 11:27 vmlinuz.old -> boot/vmlinuz-3.2.0-43-generic
-rw-r--r-- 1 root root 8,2K Dez 26 2012 webmin-setup.out
At least it does not look as if all folders got the same permissions (which I would assume if what you described happened).
e.g. /home/henfri has the rights 755 and is owned by henfri and the group is users, so that looks right.
I had the impression, that the authentication module was not working (the indication was that the su henfri didn't work).
su: User not known to the underlying authentication module
So, what is the underlying auth module? LDAP? how can I check it?
Regarding the web-if:
I get some entries of apache looking at ps:
root 3067 0.0 0.1 301120 12624 ? Ss Jul16 0:02 /usr/sbin/apache2 -k start
www-data 3264 0.0 0.1 314956 8768 ? S Jul16 0:00 /usr/sbin/apache2 -k start
www-data 3265 0.0 0.1 314956 8768 ? S Jul16 0:00 /usr/sbin/apache2 -k start
www-data 3270 0.0 0.1 314956 8768 ? S Jul16 0:00 /usr/sbin/apache2 -k start
www-data 3271 0.0 0.1 314956 8768 ? S Jul16 0:00 /usr/sbin/apache2 -k start
www-data 3272 0.0 0.1 314956 8768 ? S Jul16 0:00 /usr/sbin/apache2 -k start
www-data 3777 0.0 0.1 314956 8768 ? S Jul16 0:00 /usr/sbin/apache2 -k start
www-data 3975 0.0 0.1 314956 8768 ? S Jul16 0:00 /usr/sbin/apache2 -k start
www-data 9795 0.0 0.1 314956 8768 ? S Jul16 0:00 /usr/sbin/apache2 -k start
www-data 9796 0.0 0.1 314956 8768 ? S Jul16 0:00 /usr/sbin/apache2 -k start
www-data 9797 0.0 0.1 314956 8768 ? S Jul16 0:00 /usr/sbin/apache2 -k start
But usually there was something like ...apache-2 /...zentyal, right?
Greetings,
Hendrik
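Editor's note, added to this thread (not part of the original posts, not Zentyal code): the listing above shows "." at / as drwx------, i.e. mode 700 on the root directory. A non-root user needs search (x) permission on every directory between / and a file to reach it, so that one entry is enough to produce "Cannot execute /bin/sh: Permission denied" and to stop the LDAP NSS/PAM modules from reading /etc/ldap.conf, even though /bin, /etc and the files themselves have normal permissions. The following shell check walks the ancestors of a file and reports any that deny x to "other". The script name check_traversable.sh, the optional TOP argument and the use of GNU stat are assumptions of this example.

```shell
#!/bin/sh
# Added example (editor): report directories on the way to FILE that deny
# "search" (x) permission to "other". One such directory near the top
# (e.g. / at mode 700, as in the ls -lha listing above) makes /bin/sh,
# /etc/ldap.conf and everything else unreachable for every non-root user.
# Uses GNU stat (Linux).
#
# usage: check_traversable FILE [TOP]
#   walks from dirname(FILE) up to TOP (default "/"); prints offenders;
#   returns 0 if all are world-searchable, 1 if not, 2 if a stat fails.
check_traversable() {
    file=$1
    top=${2:-/}
    bad=""
    d=$(dirname "$file")
    while :; do
        m=$(stat -c %a "$d" 2>/dev/null) || { printf 'cannot stat %s\n' "$d"; return 2; }
        # the last octal digit is the "other" triplet; bit 0 of it is x
        other=${m#"${m%?}"}
        if [ $(( other & 1 )) -eq 0 ]; then
            bad="$bad $d(mode $m)"
        fi
        [ "$d" = "$top" ] && break
        [ "$d" = "/" ] && break      # safety stop if TOP is not an ancestor
        d=$(dirname "$d")
    done
    if [ -n "$bad" ]; then
        printf 'not world-searchable:%s\n' "$bad"
        return 1
    fi
    printf 'ok: every directory from %s up to %s is world-searchable\n' "$(dirname "$file")" "$top"
    return 0
}

# Stand-alone demo on the two paths that broke in this thread
# (read-only; "|| :" keeps the loop going if a path is flagged).
for f in /bin/sh /etc/ldap.conf; do
    check_traversable "$f" || :
done
```

Run it as root after every reboot while the broken share still exists: if / comes back as mode 700, the share configuration is being re-applied at samba start, and chmod 755 / is only a temporary fix until the share is removed.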
-
Hello again,
I searched for files that changed in the last 24h and filtered them for obvious stuff (/run, /var/log, /proc, /dev etc).
I found some files that might be related, but I am not sure:
/etc/samba/smb.conf
/etc/ldap.conf
/etc/mtab
/var/lib/ldap/__db.002
/var/lib/ldap/__db.003
/var/lib/ldap/__db.004
/var/lib/ldap/__db.005
/var/lib/ldap/__db.006
/var/lib/libnss-ldap
/var/lib/libnss-ldap/ldap.conf.20130716202741.diff
/opt/samba4/private
/opt/samba4/private/ldap_priv
/opt/samba4/private/ldap_priv/ldapi
/opt/samba4/private/secrets.tdb
/opt/samba4/private/ldapi
/opt/samba4/private/schannel_store.tdb
/opt/samba4/private/smbd.tmp/msg
/opt/samba4/private/smbd.tmp/msg/names.tdb
/opt/samba4/private/smbd.tmp/msg/msg.25592.1
/opt/samba4/private/smbd.tmp/msg/msg.9201
/opt/samba4/private/smbd.tmp/msg/msg.9208
/opt/samba4/private/smbd.tmp/msg/msg.9203.30
/opt/samba4/private/smbd.tmp/msg/msg.9210
/opt/samba4/private/smbd.tmp/msg/msg.9196
/opt/samba4/private/smbd.tmp/msg/msg.0
/opt/samba4/private/smbd.tmp/msg/msg.9200
/opt/samba4/private/smbd.tmp/msg/msg.9203
/opt/samba4/private/smbd.tmp/msg/msg.9209
/opt/samba4/private/smbd.tmp/msg/msg.9202
/opt/samba4/private/smbd.tmp/msg/msg.9195
/opt/samba4/private/smbd.tmp/msg/msg.9198
/opt/samba4/private/smbd.tmp/msg/msg.9199
/
Any hints?
Greetings,
Hendrik
-
Hello,
it seems no one has an idea how to fix this. My last idea: can someone say what is actually done when storing the Samba configuration?
Is there a way to re-initialize everything, i.e. re-running the post-install wizard without re-installing the whole system?
Greetings,
Hendrik
-
Hi there:
I would have a look at the /etc/pam.d dir and probably compare it with a running system, so you can check what the differences are. In this way you might be able to solve this su issue, and probably the sudo one, which on its side could allow you to access the web interface.
Nevertheless, if this is in production I would advise you to reinstall, as this would leave you a clean system (there are more things that might be wrong after this wrong configuration you have done). If it was in a development environment, I cannot see the reason not to reinstall, as this would ensure that in case you got another error, it was not due to this first misconfig.
-
Hello,
I have replaced the pam.d directory by one out of an (very old) backup.
No change.
The Server is a Production one, but it is "only" at my home. I would really dislike re-installing, as the set-up of (non-zentyal programs) was lots of work.
Can you tell me please, what is done/executed when adding a Samba-Share?
And one more thing:
I had the impression that you felt what I did was quite unreasonable. I don't really see why that is (and I think there is no need to discuss this), but if this can break the system in such a way, this *must* be prevented (similarly, sharing /var/www is prevented, where I don't see the reason (a handy way to update the web sites)). I have opened a ticket for that in the bug tracker.
Greetings,
Hendrik
-
Hello, creating a share under / cannot be prevented, as it would prevent any share from being created.
About your question, when a share is created this is what is done:
- Create the folder if it does not exist
- Clear POSIX ACLs
- Modify Path and user, and set NTACL's if guest access is allowed
- Build POSIX and NT ACL's
You can get that looking at this https://github.com/Zentyal/zentyal/blob/3.0/main/samba/src/EBox/Samba/Model/SambaShares.pm
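Editor's note, added example (not Zentyal code; the real implementation is the Perl module linked above): the sequence above clears and rewrites ACLs on the share path without any sanity check on the path itself, and later in this thread the Zentyal side confirms that the permissions are set again on every Samba start, which is why a share on / keeps breaking the system after each reboot. The check below is the lexical guard a share-creation routine should run before it touches the filesystem: it normalizes the path so that "/", "//", "/home/.." and similar all collapse to "/" and are refused, and it refuses system prefixes. The FORBIDDEN_PREFIXES list is an assumption of this example; the thread only states that /var/www is refused.

```shell
#!/bin/sh
# Added example (editor): sanity-check a share path BEFORE "clear POSIX ACLs"
# and "set NT ACLs" run on it. Not Zentyal code; FORBIDDEN_PREFIXES is an
# assumed list, not Zentyal's.

FORBIDDEN_PREFIXES="/bin /boot /dev /etc /lib /lib64 /proc /root /run /sbin /sys /usr /var"

# normalize_path PATH: lexically collapse "//", "." and ".." so that "/", "//",
# "/home/.." and "/srv/./x/" cannot slip past a naive  path eq "/"  test.
# No filesystem access, so symlinks are NOT resolved (see note below).
normalize_path() {
    out=""
    oldifs=$IFS
    IFS=/
    set -f                             # no globbing while splitting on "/"
    for c in $1; do
        case $c in
            ''|.)  ;;                  # empty field or "." adds nothing
            ..)    out=${out%/*} ;;    # drop last component (stays "" at top)
            *)     out="$out/$c" ;;
        esac
    done
    set +f
    IFS=$oldifs
    printf '%s\n' "${out:-/}"
}

# validate_share_path PATH: prints the normalized path and returns 0 if the
# path is acceptable as a share root; prints a reason and returns 1 otherwise.
validate_share_path() {
    case $1 in
        /*) ;;
        *)  printf 'rejected: %s (must be absolute)\n' "$1"; return 1 ;;
    esac
    n=$(normalize_path "$1")
    if [ "$n" = "/" ]; then
        printf 'rejected: %s resolves to / (would re-ACL the whole system)\n' "$1"
        return 1
    fi
    for p in $FORBIDDEN_PREFIXES; do
        case $n in
            "$p"|"$p"/*) printf 'rejected: %s is under %s\n' "$n" "$p"; return 1 ;;
        esac
    done
    printf '%s\n' "$n"
    return 0
}

# Stand-alone demo: the first four are refused, the last one is accepted.
for candidate in / // /home/.. /var/www /srv/shares/public/; do
    validate_share_path "$candidate" || :
done
```

Two caveats. The check is lexical: a symlink such as /srv/shares/root -> / would pass, so resolve the path (readlink -f on GNU systems) and validate the result as well before handing it to the ACL routine. And because the ACL reset is repeated at every Samba start, the guard belongs in the code that applies the configuration, not only in the web form that accepts it; otherwise a path that slipped into the stored configuration keeps being applied on each boot.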
-
> Hello, creating a share under / cannot be prevented, as it would prevent any share from being created.
That depends on how it is implemented.
I am sure you can check for "/" rather than "/*". I still think that this really should be prevented, no matter how unlikely this appears, if it can destroy the whole system. Risk = likelihood * consequence. So the risk is high here.
> About your question, when a share is created this is what is done:
> - Create the folder if it does not exist
> - Clear POSIX ACLs
> - Modify Path and user, and set NTACL's if guest access is allowed
The system should run without ACLs, if I understand correctly, right?
So if I clear all ACLs, I can rule out that wrong ACLs are the problem?!
Would wrong ACLs explain, why the "user cannot be found by the underlying authentication service"?
> You can get that looking at this https://github.com/Zentyal/zentyal/blob/3.0/main/samba/src/EBox/Samba/Model/SambaShares.pm
Thanks. I am not too familiar with perl, so I fear that this will not be so helpful. But I'll try.
Greetings - I appreciate your help,
Hendrik
-
Hi:
You are very welcome to propose any feature you might consider helpful under Feature Requests in this forum ;)
The system removes any previous ACL and sets new ones based on what has been defined in the share.
According to http://pubs.opengroup.org/onlinepubs/8329799/pam_authenticate.htm you should definitely check PAM...(permissions on config files as well)
-
> You are very welcome to propose any feature you might consider helpful under Feature Requests in this forum ;)
I am not sure whether you are being serious.
In my view it is a serious bug.
> The system removes any previous ACL and sets new ones based on what has been defined in the share
> According to http://pubs.opengroup.org/onlinepubs/8329799/pam_authenticate.htm you should definitely check PAM...(permissions on config files as well)
What in that link are you referring to? I really don't see it. Sorry.
Greetings,
Hendrik
-
If, in your view, this is a bug, you should add it on trac. Nevertheless, anything that is provoked by user interaction is for me more like a missing feature; that's why I suggested you add a check like the one we are discussing.
In the web page I mentioned, you can see the particular error you are receiving:
[PAM_AUTHINFO_UNAVAIL]
The underlying authentication service cannot retrieve the authentication information.
That's why I suggest to deeply revise PAM
-
Hello,
I see. Of course I already have added something in the tracker:
http://trac.zentyal.org/ticket/7008
Regarding PAM:
By re-installing (apt-get install --reinstall libnss-ldap libpam-ldap nscd) pam, I fixed the "...not known by the underlying..." Problem.
Still:
su henfri
/bin/sh cannot be executed
By chmod 755 / this is fixed.
Unfortunately, this reverted after reboot.
Any ideas? How can I see the access-rights of /?
Greetings,
Hendrik
-
Have you deleted the / share?
Permissions are set on any samba reboot / start
-
Hello,
no, I could not (as the web-if is still not working). But I was suspecting that...
I will check if I can find where they are stored.
Greetings,
Hendrik
-
Hello again :
You will need to fix the GUI access first and then delete it there, if not, you are likely to break something...
-
Ok.
Do you have a hint, where to start fixing the gui?
I think, the apache instance for the web-if does not work, does it?
root 3687 0.0 0.1 297748 12008 ? Ss 08:48 0:00 /usr/sbin/apache2 -k start
www-data 3802 0.0 0.2 307168 21216 ? S 08:48 0:00 /usr/sbin/apache2 -k start
www-data 3803 0.0 0.2 305404 19244 ? S 08:48 0:00 /usr/sbin/apache2 -k start
www-data 3804 0.0 0.2 304640 18652 ? S 08:48 0:00 /usr/sbin/apache2 -k start
www-data 3805 0.0 0.0 297940 7816 ? S 08:48 0:00 /usr/sbin/apache2 -k start
www-data 3806 0.0 0.0 297796 6804 ? S 08:48 0:00 /usr/sbin/apache2 -k start
www-data 16622 0.0 0.0 297796 6804 ? S 08:53 0:00 /usr/sbin/apache2 -k start
www-data 19687 0.0 0.0 297780 6552 ? S 08:54 0:00 /usr/sbin/apache2 -k start
www-data 19688 0.0 0.0 297780 6552 ? S 08:54 0:00 /usr/sbin/apache2 -k start
www-data 19689 0.0 0.0 297780 6552 ? S 08:54 0:00 /usr/sbin/apache2 -k start
www-data 19690 0.0 0.0 297780 6552 ? S 08:54 0:00 /usr/sbin/apache2 -k start
I have in my mind a line in the output of ps, that included .../zentyal/.... behind apache2..
What script (init) starts the web-if?
Greetings,
Hendrik
-
With the Pam and the permissions fixed, try accessing the gui
If not, look at zentyal.log in order to look for the reason under /var/log/zentyal
-
Hello,
the web-if does not work (chrome reports: server not found).
The reason for this might be:
[Sun Jul 21 07:41:52 2013] [warn] Useless use of AllowOverride in line 13 of /var/lib/zentyal/conf/remoteservices/soap-loc.conf.
[Sun Jul 21 07:41:52 2013] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Sun Jul 21 07:41:52 2013] [warn] RSA server certificate CommonName (CN) `eBox Server' does NOT match server name!?
[Sun Jul 21 07:41:52 2013] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Sun Jul 21 07:41:52 2013] [warn] RSA server certificate CommonName (CN) `eBox Server' does NOT match server name!?
[Sun Jul 21 07:41:52 2013] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Sun Jul 21 07:41:52 2013] [warn] RSA server certificate CommonName (CN) `eBox Server' does NOT match server name!?
[Sun Jul 21 07:41:52 2013] [notice] Apache/2.2.22 (Ubuntu) mod_ssl/2.2.22 OpenSSL/1.0.1 mod_perl/2.0.5 Perl/v5.14.2 configured -- resuming normal operations
[Sun Jul 21 07:41:56 2013] [notice] SIGHUP received. Attempting to restart
[Sun Jul 21 07:41:56 2013] [warn] Useless use of AllowOverride in line 13 of /var/lib/zentyal/conf/remoteservices/soap-loc.conf.
[Sun Jul 21 07:41:56 2013] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Sun Jul 21 07:41:56 2013] [warn] RSA server certificate CommonName (CN) `eBox Server' does NOT match server name!?
[Sun Jul 21 07:41:56 2013] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Sun Jul 21 07:41:56 2013] [warn] RSA server certificate CommonName (CN) `eBox Server' does NOT match server name!?
[Sun Jul 21 07:41:56 2013] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Sun Jul 21 07:41:56 2013] [warn] RSA server certificate CommonName (CN) `eBox Server' does NOT match server name!?
[Sun Jul 21 07:41:56 2013] [notice] Apache/2.2.22 (Ubuntu) mod_ssl/2.2.22 OpenSSL/1.0.1 mod_perl/2.0.5 Perl/v5.14.2 configured -- resuming normal operations
[Sun Jul 21 08:46:18 2013] [notice] caught SIGTERM, shutting down
I suspect, that after boot, the permissions are set (wrongly) by zentyal. Then the Web-If tries to start and it fails.
I fix the permissions, but I need to re-start the web-if, as it failed starting.
So: What init-script starts the web-if?
Greetings,
Hendrik
-
service zentyal apache restart. You can look at /etc/init as well.
-
Hello,
I suspected /etc/init/zentyal.
But doesn't this then also "fix" (read break) my permissions?
Well, I tried, and it did not bring up the Web-IF. The files in /var/log/zentyal are all unchanged.
Is there a way I can temporarily deactivate the permissions-routine?
What would you recommend?
Regards,
Hendrik
-
Check /etc/zentyal/samba.conf
Look for unmanaged acls, then restart apache and samba modules
-
Hello,
that looked good, but still I get no web-interface :-(
I would like to trace down where it fails.
I understand that /etc/init.d/zentyal is responsible for starting the Web-IF. But it does not do it directly.
Can I somewhere see where it fails, e.g. starting the script that launches the web-if manually on the commandline?
Regards,
Hendrik
-
What I have noticed with the "unmanaged acls" option is that if there are a lot of files in the share, after a reboot it will take a while before the GUI is available. After a reboot, ssh in, run top, and look for the permissions process (I forget the name) running at the beginning of the list.
-
Hello,
I don't see such a permissions process.
I still do not get the Web-Interface :(
I fear I will have no alternative to re-installing, do I?
What I would really would like to try at last is to start the Web-IF on the commandline to see the possible error message. Is that somehow possible?
Greetings,
Hendrik
-
Hello,
I have given up and installed Ubuntu 12.04, now without Zentyal.
Nevertheless, I appreciate your help.
Greetings,
Hendrik