Bug 49933 - Unexpected behavior of UCR samba/interfaces and samba/register/exclude/interfaces
Status: NEW
Product: UCS
Classification: Unclassified
Component: Samba
UCS 4.4
Other Linux
P5 normal
Assigned To: Samba maintainers
Reported: 2019-07-29 16:15 CEST by Christian Völker
Modified: 2020-07-29 17:04 CEST (History)
What kind of report is it?: Bug Report
What type of bug is this?: 1: Cosmetic issue or missing function but workaround exists
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.023
Enterprise Customer affected?: Yes
Ticket number: 2019071821000406
Description Christian Völker univentionstaff 2019-07-29 16:15:30 CEST
Somehow the samba interfaces UCRV are at least confusing

samba/interfaces/bindonly: <empty>
 If this variable is set to 'yes', Samba only listens to requests on the network interfaces specified in the variable 'samba/interfaces'. If the variable is unset, Samba listens on all interfaces.

But:
ucr unset samba/interfaces/bindonly
ucr set samba/interfaces="lo eth0 eth2"
grep interfaces /etc/smb.conf
	interfaces	= lo eth0 eth2

According to the above help text Samba should listen to all interfaces, but it does not (here eth1 exists but Samba does not listen on it).

Getting even weirder when using the exclude statement additionally:
ucr set samba/register/exclude/interfaces=docker0
Create samba/register/exclude/interfaces
Multifile: /etc/samba/smb.conf
grep interfaces smb.conf
	interfaces	= lo eth0 eth2
	# ignore interfaces in samba/register/exclude/interfaces
	bind interfaces only = yes
	interfaces = lo ens192

In this case it completely ignores the setting of samba/interfaces and adds two contradicting entries to smb.conf!

In the end it is working but at least the bindonly parameter should be treated correctly.
Comment 1 Arvid Requate univentionstaff 2019-07-30 15:26:01 CEST
The UCRV are just setting the corresponding smb.conf parameters.

This is what man smb.conf says about "interfaces" and that sounds like "client" to me:

* "This option allows you to override the default network interfaces list that Samba will use for browsing, name registration and other NetBIOS over TCP/IP (NBT) traffic."

This is what smb.conf says about "bind interfaces only" and that sounds like "server" to me:

* "This global parameter allows the Samba admin to limit what interfaces on a machine will serve SMB requests."



> According to the above help text Samba should listen to all interfaces, but it does not (here eth1 exists but Samba does not listen on it).

Ok, that might be a bug in Samba then.


> Getting even weirder when using the exclude statement additionally:

Yes, we may need to adjust the UCRv documentation of the exclude variable to point out that it implies "bindonly".
Comment 2 Christian Völker univentionstaff 2019-07-30 19:11:09 CEST
(In reply to Arvid Requate from comment #1)
> The UCRV are just setting the corresponding smb.conf parameters.
I am aware how it works - but it is editing the smb.conf at least in a confusing way!
Why does it add two "interface" lines? This is confusing when troubleshooting.

ucr set samba/register/exclude/interfaces=docker0
Create samba/register/exclude/interfaces
Multifile: /etc/samba/smb.conf
grep interfaces smb.conf
	interfaces	= lo eth0 eth2
	# ignore interfaces in samba/register/exclude/interfaces
	bind interfaces only = yes
	interfaces = lo ens192

> > According to the above help text Samba should listen to all interfaces, but it does not (here eth1 exists but Samba does not listen on it).
> 
> Ok, that might be a bug in Samba then.
No, it is not- so far Samba has not even been started! I referred just to the result of the UCRV in smb.conf. See "grep" lines in comment#0.

> > Getting even weirder when using the exclude statement additionally:
> Yes, we may need to adjust the UCRv documentation of the exclude variable to
> point out that it implies "bindonly".

Well, and refer in the docs for bindonly to the exclude...
And prevent double "interface" entries in smb.conf under all circumstances...
Comment 3 Christina Scheinig univentionstaff 2019-11-13 11:35:51 CET
I may have another confusing scenario for bindonly.
A customer referred to a Debian bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=873073
Therefore he wanted to set samba/interfaces/bindonly to No. This is kind of tricky to get that set in smb.conf.

Looking in our template:
==========================================================================================================================================
@%@UCRWARNING=# @%@

[global]
@!@
print '\tdebug level\t= %s' % configRegistry.get('samba/debug/level', 0)
print '\tlogging\t\t= file'
print '\tmax log size\t= %s\n' % configRegistry.get('samba/max_log_size', 0)

max_open_files = configRegistry.get('samba/max_open_files')
if max_open_files:
        print '\tmax open files = %s' % max_open_files
if configRegistry.get('samba/serverstring'):
        print '\tserver string = %s' % configRegistry['samba/serverstring']
else:
        print '\tserver string = %h univention corporate server'

for key, smbstring in [('samba/interfaces','interfaces'),
                       ('samba/charset/dos', 'dos charset'),
                       ('samba/charset/unix', 'unix charset'),
                       ('samba/charset/display', 'display charset'),
                       ('samba/enable-privileges', 'enable privileges'),
                       ('samba/interfaces/bindonly', 'bind interfaces only'),]:
        if configRegistry.get(key):
                print '\t%s = %s' % (smbstring, configRegistry[key])

if configRegistry.get('samba/socket_options'):
        print '\tsocket options = %s' % configRegistry['samba/socket_options']

print '\tntlm auth\t= %s' % (configRegistry.get('samba/ntlm/auth', 'ntlmv2-only'))

print '\tmachine password timeout\t= %d' % int(configRegistry.get('samba/machine_password_timeout', 0))

if configRegistry.is_true('samba/acl/allow/execute/always', True):
        print '\tacl allow execute always = True'

if configRegistry.get('samba/register/exclude/interfaces') and not configRegistry.is_true('samba/interfaces/bindonly', False):
        from univention.config_registry.interfaces import Interfaces
        interfaces = Interfaces(configRegistry)
        interface_list = [_name for _name, iface in interfaces.all_interfaces]
        for ignore in configRegistry['samba/register/exclude/interfaces'].split(' '):
                if ignore in interface_list:
                        interface_list.remove(ignore)
        # also ignore appliance-mode-temporary interface
        for iface in interface_list[:]:
                if configRegistry.get('interfaces/%s/type' % iface, '') == 'appliance-mode-temporary':
                        interface_list.remove(iface)
        if interface_list:
                print
                print '\t# ignore interfaces in samba/register/exclude/interfaces'
                print '\tbind interfaces only = yes'
                print '\tinterfaces = lo %s' % ' '.join(interface_list)
@!@
================================================================================================================================
The bindonly parameter is written with yes to the config if samba/register/exclude/interfaces is set, which we do by default with docker.
----------------------------------------------------------------
ucr search --brief samba/interface samba/register
samba/interfaces/bindonly: no
samba/interfaces: <empty>
samba/register/exclude/interfaces: docker0
----------------------------------------------------------------
testparm -sv |grep interface

Server role: ROLE_DOMAIN_MEMBER

        bind interfaces only = Yes
        interfaces = lo ens3
----------------------------------------------------------------
ucr unset samba/register/exclude/interfaces
Unsetting samba/register/exclude/interfaces
Multifile: /etc/samba/smb.conf
----------------------------------------------------------------
testparm -sv |grep interface
Load smb config files from /etc/samba/smb.conf


Server role: ROLE_DOMAIN_MEMBER

        bind interfaces only = No
        interfaces = 
-----------------------------------------------------------------
Now samba listens on all interfaces

----------------------------------------------------------------
 lsof -i -P |grep smbd
smbd       8498     root   33u  IPv6 2783546      0t0  TCP *:445 (LISTEN)
smbd       8498     root   34u  IPv6 2783547      0t0  TCP *:139 (LISTEN)
smbd       8498     root   35u  IPv4 2783548      0t0  TCP *:445 (LISTEN)
smbd       8498     root   36u  IPv4 2783549      0t0  TCP *:139 (LISTEN)

----------------------------------------------------------------

ucr set samba/register/exclude/interfaces=docker0

testparm -sv |grep interface
Load smb config files from /etc/samba/smb.conf

Server role: ROLE_DOMAIN_MEMBER

        bind interfaces only = Yes
        interfaces = lo ens3

----------------------------------------------------------------
lsof -i -P |grep smbd
smbd      26123     root   33u  IPv4 3130134      0t0  TCP real-member.schein.ig:445 (LISTEN)
smbd      26123     root   34u  IPv4 3130135      0t0  TCP real-member.schein.ig:139 (LISTEN)
smbd      26123     root   35u  IPv4 3130136      0t0  TCP localhost:445 (LISTEN)
smbd      26123     root   36u  IPv4 3130137      0t0  TCP localhost:139 (LISTEN)
smbd      26123     root   37u  IPv6 3130138      0t0  TCP localhost:445 (LISTEN)
smbd      26123     root   38u  IPv6 3130139      0t0  TCP localhost:139 (LISTEN)

----------------------------------------------------------------

Because of the exclude parameter, which is set by default to docker0, the bindonly parameter is always set to Yes.
This is not explained anywhere, and it is not in the ucr info. You may get that by understanding the code or with trial and error.
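
Added example (not part of any comment above and not Univention code): a Python 3 model of the interface-related branches of the template quoted in comment 3, to show which UCR combinations produce duplicate or overridden smb.conf lines. Assumptions: a plain dict replaces configRegistry, the interface names (without lo) are passed in instead of being read through Interfaces(), the appliance-mode-temporary filter is omitted, is_true() is approximated by a fixed value set, and duplicates are resolved by Samba's rule that a later assignment in the same section wins.

```python
# Added illustration: a Python 3 model of the interface-related branches of the
# template quoted in comment 3. A plain dict stands in for configRegistry and
# the interface names are passed in instead of being read via Interfaces().
TRUE_VALUES = {"yes", "true", "1", "enable", "enabled", "on"}  # assumed approximation of is_true()


def render(ucr, system_ifaces):
    """Return the interface-related smb.conf lines the template would print."""
    lines = []
    for key, name in (("samba/interfaces", "interfaces"),
                      ("samba/interfaces/bindonly", "bind interfaces only")):
        if ucr.get(key):
            lines.append("%s = %s" % (name, ucr[key]))
    exclude = ucr.get("samba/register/exclude/interfaces")
    bindonly = ucr.get("samba/interfaces/bindonly", "").lower() in TRUE_VALUES
    if exclude and not bindonly:
        # the appliance-mode-temporary filter of the template is left out here
        keep = [i for i in system_ifaces if i not in exclude.split(" ")]
        if keep:
            lines.append("bind interfaces only = yes")
            lines.append("interfaces = lo %s" % " ".join(keep))
    return lines


def effective(lines):
    """Resolve duplicates the way smb.conf is read: names are compared without
    case and whitespace, and a later assignment replaces an earlier one."""
    result, dupes = {}, set()
    for line in lines:
        name, _, value = line.partition("=")
        norm = "".join(name.split()).lower()
        if norm in result:
            dupes.add(norm)
        result[norm] = value.strip()
    return result, sorted(dupes)


if __name__ == "__main__":
    # Constructed inputs mirroring the UCR values shown in comments 0 and 3.
    cases = {
        "comment 0": {"samba/interfaces": "lo eth0 eth2",
                      "samba/register/exclude/interfaces": "docker0"},
        "comment 3": {"samba/interfaces/bindonly": "no",
                      "samba/register/exclude/interfaces": "docker0"},
    }
    for label, ucr in cases.items():
        lines = render(ucr, ["ens192", "docker0"])
        print(label, lines, effective(lines))
```

Run against a host's real UCR values, any name returned in the duplicates list marks a setting whose configured value is not the one Samba ends up binding with.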