[Pkg-samba-maint] Bug#886897: samba: samba cannot export LUKs encrypted disks mounted manually after systemd boot

David Maslen dmm_au at yahoo.com
Thu Jan 11 02:58:56 UTC 2018

Package: samba
Version: 2:4.7.3+dfsg-1
Severity: important

Dear Maintainer,

I recently added a LUKS encrypted data disk to my working system.
I have samba configured to share some of the directories from that disk,
mounted at /mnt/crypt.

By default, when my system boots I am prompted to enter my LUKS
password. When I do, systemd boots and samba serves the /mnt/crypt
directories. My encrypted disk is mounted via the fstab, via the crypttab.

However the server is generally headless, so it suited me better to boot
the machine remotely, then ssh in and mount the encrypted data disk.

To achieve this I added "noauto" to the relevant line in /etc/crypttab
and /etc/fstab.

Once logged in I could run
# cryptdisks_start mydisk

followed by

# mount /mnt/crypt

While this appeared to work, I noticed that I got errors when attempting
to mount the samba directories on my macbook. The connection would time
out with an error about files not found.

Samba logs showed this error
[2018/01/11 11:14:10.716971,  0] ../source3/smbd/service.c:774(make_connection_snum)
  canonicalize_connect_path failed for service multimedia, path /mnt/crypt/multimedia
[2018/01/11 11:14:14.121656,  0] ../source3/param/loadparm.c:3066(check_usershare_stat)
  check_usershare_stat: file /var/lib/samba/usershares/ owned by uid 0 is not a regular file

Reverting back to unlocking the LUKS disk during the init, everything
works again.

I think the difference in the two startup methods is that this
mnt-crypt.mount service is only created when I enter the LUKS password
at boot, and for some reason the Samba service depends on it having been
mounted by systemd rather than manually, post boot.

# systemctl |grep mnt-crypt
  mnt-crypt.mount    loaded active mounted   /mnt/crypt

This is an inconvenience to me as it causes samba to fail without a
useful error message.

I have classified the bug as important, because it may simply appear
that samba won't export shares with underlying encryption to others.

I can reproduce this bug.

-- Package-specific info:
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-samba-maint/attachments/20180111/d30533e0/attachment.ksh>
-------------- next part --------------

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (150, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.14.0-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), LANGUAGE=en_AU:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages samba depends on:
ii  adduser           3.116
ii  dpkg    
ii  libattr1          1:2.4.47-2+b2
ii  libbsd0           0.8.6-3
ii  libc6             2.26-2
ii  libldb1           2:1.2.2-2
ii  libpam-modules    1.1.8-3.6
ii  libpam-runtime    1.1.8-3.6
ii  libpopt0          1.16-10+b2
ii  libpython2.7      2.7.14-4
ii  libtalloc2        2.1.10-2
ii  libtdb1           1.3.15-2
ii  libtevent0        0.9.34-1
ii  lsb-base          9.20170808
ii  procps            2:3.3.12-3
ii  python            2.7.14-4
ii  python-dnspython  1.15.0-1
ii  python-samba      2:4.7.3+dfsg-1
ii  python2.7         2.7.14-4
ii  samba-common      2:4.7.3+dfsg-1
ii  samba-common-bin  2:4.7.3+dfsg-1
ii  samba-libs        2:4.7.3+dfsg-1
ii  tdb-tools         1.3.15-2

Versions of packages samba recommends:
ii  attr                1:2.4.47-2+b2
ii  logrotate           3.11.0-0.1
ii  samba-dsdb-modules  2:4.7.3+dfsg-1
ii  samba-vfs-modules   2:4.7.3+dfsg-1

Versions of packages samba suggests:
ii  bind9          1:9.11.2+dfsg-5
ii  bind9utils     1:9.11.2+dfsg-5
ii  ctdb           2:4.7.3+dfsg-1
ii  ldb-tools      2:1.2.2-2
ii  ntp            1:4.2.8p10+dfsg-5
ii  smbldap-tools  0.9.9-1
pn  ufw            <none>
ii  winbind        2:4.7.3+dfsg-1

-- debconf information:
  samba/run_mode: daemons
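
An added example, not part of the original report: one way to test the reporter's guess is to pull the failing share paths out of smbd log entries in the format quoted above and compare which mount point covers each path in two mount tables, for instance /proc/self/mounts from the ssh session and /proc/<smbd pid>/mounts. The function names are hypothetical, and the two mount tables are constructed to show one possible outcome, not a finding from this report.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; mount tables are constructed.

# Print "service<TAB>path" for every canonicalize_connect_path failure on stdin.
failed_shares() {
  awk '/canonicalize_connect_path failed for service / {
    sub(/^.*failed for service /, "")
    n = index($0, ", path ")
    if (n > 0) print substr($0, 1, n - 1) "\t" substr($0, n + 7)
  }'
}

# Print the longest mount point (field 2 of a /proc/*/mounts style table on
# stdin) that contains path $1. Octal escapes such as \040 are not decoded.
mount_point_for() {
  awk -v p="$1" '{
    m = $2
    pre = (m == "/") ? "/" : m "/"
    if ((p == m || index(p, pre) == 1) && length(m) > length(best)) best = m
  } END { print best }'
}

# For each failing share in log text $1, report the covering mount point in
# table $2 (the login shell's view) and table $3 (the daemon's view).
compare_views() {
  printf '%s\n' "$1" | failed_shares |
  while IFS="$(printf '\t')" read -r svc path; do
    a=$(printf '%s\n' "$2" | mount_point_for "$path")
    b=$(printf '%s\n' "$3" | mount_point_for "$path")
    if [ "$a" = "$b" ]; then verdict=same; else verdict=differs; fi
    printf '%s %s shell=%s daemon=%s %s\n' "$svc" "$path" "$a" "$b" "$verdict"
  done
}

# Log entry as quoted in the report.
SAMPLE_LOG='[2018/01/11 11:14:10.716971,  0] ../source3/smbd/service.c:774(make_connection_snum)
  canonicalize_connect_path failed for service multimedia, path /mnt/crypt/multimedia'
# Constructed mount tables (device names and filesystem type are assumptions).
SHELL_MOUNTS='/dev/sda1 / ext4 rw 0 0
/dev/mapper/mydisk /mnt/crypt ext4 rw 0 0'
DAEMON_MOUNTS='/dev/sda1 / ext4 rw 0 0'

compare_views "$SAMPLE_LOG" "$SHELL_MOUNTS" "$DAEMON_MOUNTS"
```

A "differs" verdict means the two tables disagree about what is mounted at the share path; "same" points the investigation elsewhere, such as permissions on the path.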
