smbd with "obey pam restrictions" enabled unmounts my interactive users' ecryptfs home directory
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
ecryptfs-utils (Ubuntu) |
Confirmed
|
Medium
|
Unassigned | ||
samba (Ubuntu) |
Invalid
|
Undecided
|
Unassigned |
Bug Description
I am using KDE (kde-plasma-
I have configured my desktop so that within my LAN certain shares can be accessed without user/password restrictions. For convenience I have mapped the guest account to my interactive user. This means files/directories created on the shares in question will automatically be owned by myself.
Alas, every now and then, the ecryptfs home folder gets simply unmounted under my nose, WHILE I am _interactively logged on_ (i.e. in KDE). This happened several times and without a real pattern emerging which would give me clues.
So I set out to track it down and found entries pertaining to smbd which tell me about a session being closed for my interactive user (redacted by substituting johndoe):
=======
Sep 08 21:47:20 machine smbd[144802]: pam_unix(
=======
Upon a closer look it turned out that this was the exact point when the ecryptfs home folder got unmounted (the above is merely exemplary of the issue, but that's already the reproduced occurrence, read on).
Alright, so I saw that pam_unix is involved and smbd is involved. First I suspected that systemd was doing Its Thing™ and killing my processes (I had encountered this with Tmux before to my dismay) but even after setting "KillExcludeUse
Notably there was no message about pam_unix opening a session for my interactive user for smbd. All research I did on how best to log what was going on w.r.t. the session management of smbd/PAM didn't get me any further.
So I entered the trial&error phase of hunting down the root cause.
Basically what I did was in Tmux to edit smb.conf while in another Tmux window having three things running (1 and 3 as root):
1.: while mountpoint /home/johndoe; do service smbd restart; date; sleep 2s ; done
2.: watch 'mount|grep ecryptfs'
3.: tail -F /var/log/
Fortunately this almost immediately yielded the desired result. The third time the loop body from 1. ran, the home folder was no longer mounted and the loop quit.
Simultaneously I could see that mount no longer listed the home folder either and the auth.log received that "pam_unix(
In journalctl output (also lightly redacted) it looks like this:
=======
Sep 08 21:47:20 machine smbd[144802]: pam_unix(
Sep 08 21:47:20 machine systemd[1601]: home-johndoe.mount: Succeeded.
-- Subject: Unit succeeded
-- Defined-By: systemd
-- Support: http://
--
-- The unit UNIT has successfully entered the 'dead' state.
Sep 08 21:47:20 machine systemd[1]: home-johndoe.mount: Succeeded.
-- Subject: Unit succeeded
-- Defined-By: systemd
-- Support: http://
--
-- The unit home-johndoe.mount has successfully entered the 'dead' state.
Sep 08 21:47:20 machine systemd[1]: smbd.service: Succeeded.
-- Subject: Unit succeeded
-- Defined-By: systemd
-- Support: http://
--
-- The unit smbd.service has successfully entered the 'dead' state.
Sep 08 21:47:20 machine systemd[1]: Stopped Samba SMB Daemon.
-- Subject: A stop job for unit smbd.service has finished
-- Defined-By: systemd
-- Support: http://
=======
So in short: smbd closing the login session for my interactive user via pam_unix also pulls the mounted ecryptfs home folder out right from under "my feet". As you can imagine the symptoms after the ecryptfs home folder are unavailable are pretty inconvenient and I found no other remedy than to log out and back in to mitigate it. Yes, I am aware of ecryptfs-
But this means that evidently there is some session cleanup initiated by smbd which causes systemd to happily unmount my home folder. I apologize if this means I should have filed this with systemd as having the defect. It's presumably the interaction of both that causes this.
The gist of the smb.conf (before my workaround) as produced by testparm looks like this (redacted path, share and user names respectively):
=======
$ testparm|sed 's|'$(whoami)
Load smb config files from /etc/samba/smb.conf
WARNING: The "syslog only" option is deprecated
WARNING: The "syslog" option is deprecated
Loaded services file OK.
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions
# Global parameters
[global]
debug uid = Yes
dns proxy = No
guest account = johndoe
log file = /var/log/
map to guest = Bad Password
max log size = 1000
obey pam restrictions = Yes
panic action = /usr/share/
passwd chat = *Enter\
passwd program = /usr/bin/passwd %u
security = USER
server role = standalone server
server string = %h server (Samba, Ubuntu)
syslog = 7
syslog only = Yes
workgroup = NULL
idmap config * : backend = tdb
[sharename]
force create mode = 0660
force directory mode = 0770
guest ok = Yes
guest only = Yes
path = /data/sharedir
read only = No
=======
MY WORKAROUND:
Right now (and for my use case that's perfectly fine, it seems) I have have simply set "obey pam restrictions = no" in smb.conf and retried with my above trial&error method and the issue can no longer be reproduced.
The version information requested in the Ubuntu bug reporting guidelines:
=======
$ lsb_release -rd
Description: Ubuntu 20.04.1 LTS
Release: 20.04
$ apt policy samba
samba:
Installed: 2:4.11.
Candidate: 2:4.11.
Version table:
*** 2:4.11.
500 http://
500 http://
100 /var/lib/
2:4.11.
500 http://
=======
If there is any information missing, please let me know and I'll try to amend the ticket.
I also asked about this over here https:/
ProblemType: Bug
DistroRelease: Ubuntu 20.04
Package: samba 2:4.11.
ProcVersionSign
Uname: Linux 5.4.0-47-generic x86_64
NonfreeKernelMo
ApportVersion: 2.20.11-0ubuntu27.8
Architecture: amd64
CasperMD5CheckR
CurrentDesktop: KDE
Date: Tue Sep 8 22:09:33 2020
EcryptfsInUse: Yes
OtherFailedConnect: Yes
SambaServerRegr
SmbConfIncluded: No
SourcePackage: samba
TestparmExitCode: 0
UpgradeStatus: No upgrade log present (probably fresh install)
Changed in ecryptfs-utils (Ubuntu): | |
assignee: | Rafael David Tinoco (rafaeldtinoco) → nobody |
Thank you for reporting this, that was indeed a long bug description. I read it entirely - so you don't think I skipped any detail on purpose, If I did it was an accident - and the way I see this could be something as simple as:
SAMBA upstream has:
obey pam restrictions = no (by default)
and, according to man page:
obey pam restrictions (G)
When Samba 3.0 is configured to enable PAM support (i.e. --with-pam), this parameter
directives. The default behavior is to use PAM for clear text authentication only and
authenticat ion in the case of encrypt passwords = yes. The reason is that PAM modules
will control whether or not Samba should obey PAM's account and session management
to ignore any account or session management. Note that Samba always ignores PAM for
cannot support the challenge/response authentication mechanism needed in the presence
of SMB password encryption.
Default: obey pam restrictions = no
but the default we have in Debian/Ubuntu is "true". I could not find a specific reason to it.
----
From PAM.. the only thing I could notice is this:
/etc/pam.d/samba includes:
@include common-auth session- noninteractive
@include common-account
@include common-
and the difference between non-interactive and interactive is this setting:
session optional pam_systemd.so
that interactive session includes (and non-interactive does not).
----
The "session" comes from session- noninteractive PAM configuration file.
(1)
What do you have in that file ? I wonder if you're getting some kind of session timeout for your interactive and/or non interactive sessions.
(2)
What does it happen if you run sudo pam-auth-update and enables Unix authentication only ?
Nevertheless, this does not seem like a bug (yet ?) to me, but a misconfiguration.