Univention Bugzilla – Bug 49933
Unexpected behavior of UCR samba/interfaces and samba/register/exclude/interfaces
Last modified: 2020-07-29 17:04:19 CEST
Somehow the samba interfaces UCRV are at least confusing.

samba/interfaces/bindonly: <empty>
 If this variable is set to 'yes', Samba only listens to requests on the network interfaces specified in the variable 'samba/interfaces'. If the variable is unset, Samba listens on all interfaces.

But:

ucr unset samba/interfaces/bindonly
ucr set samba/interfaces="lo eth0 eth2"
grep interfaces /etc/smb.conf
        interfaces = lo eth0 eth2

According to the above help text Samba should listen to all interfaces but it does not (here eth1 exists but Samba does not listen on)

Getting even weirder when using the exclude statement additionally:

ucr set samba/register/exclude/interfaces=docker0
Create samba/register/exclude/interfaces
Multifile: /etc/samba/smb.conf
grep interfaces smb.conf
        interfaces = lo eth0 eth2
        # ignore interfaces in samba/register/exclude/interfaces
        bind interfaces only = yes
        interfaces = lo ens192

In this case it completely ignores the setting of samba/interfaces and adds two contradicting entries to smb.conf! In the end it is working but at least the bindonly parameter should be treated correctly.
The UCRV are just setting the corresponding smb.conf parameters.

This is what man smb.conf says about "interfaces" and that sounds like "client" to me:

* "This option allows you to override the default network interfaces list that Samba will use for browsing, name registration and other NetBIOS over TCP/IP (NBT) traffic."

This is what smb.conf says about "bind interfaces only" and that sounds like "server" to me:

* "This global parameter allows the Samba admin to limit what interfaces on a machine will serve SMB requests."

> According to the above help text Samba should listen to all interfaces but it does not (here eth1 exists but Samba does not listen on)

Ok, that might be a bug in Samba then.

> Getting even weirder when using the exclude statement additionally:

Yes, we may need to adjust the UCRv documentation of the exclude variable to point out that it implies "bindonly".
(In reply to Arvid Requate from comment #1)
> The UCRV are just setting the corresponding smb.conf parameters.

I am aware how it works, but it is editing the smb.conf at least in a confusing way! Why does it add two "interface" lines? This is confusing when troubleshooting.

ucr set samba/register/exclude/interfaces=docker0
Create samba/register/exclude/interfaces
Multifile: /etc/samba/smb.conf
grep interfaces smb.conf
        interfaces = lo eth0 eth2
        # ignore interfaces in samba/register/exclude/interfaces
        bind interfaces only = yes
        interfaces = lo ens192

> > According to the above help text Samba should listen to all interfaces but it does not (here eth1 exists but Samba does not listen on)
>
> Ok, that might be a bug in Samba then.

No, it is not; so far Samba has not even been started! I referred just to the result of the UCRV in smb.conf. See "grep" lines in comment#0.

> > Getting even weirder when using the exclude statement additionally:
> Yes, we may need to adjust the UCRv documentation of the exclude variable to
> point out that it implies "bindonly".

Well, and refer in the docs for bindonly to the exclude...
And prevent double "interface" entries in smb.conf under all circumstances...
I may have another confusing scenario for bindonly.

A customer referred to a Debian bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=873073

Therefore he wanted to set samba/interfaces/bindonly to No. This is kind of tricky to get that set in smb.conf.

Looking in our template:
================================================================
@%@UCRWARNING=# @%@

[global]
@!@
print '\tdebug level\t= %s' % configRegistry.get('samba/debug/level', 0)
print '\tlogging\t\t= file'
print '\tmax log size\t= %s\n' % configRegistry.get('samba/max_log_size', 0)

max_open_files = configRegistry.get('samba/max_open_files')
if max_open_files:
    print '\tmax open files = %s' % max_open_files

if configRegistry.get('samba/serverstring'):
    print '\tserver string = %s' % configRegistry['samba/serverstring']
else:
    print '\tserver string = %h univention corporate server'

for key, smbstring in [('samba/interfaces','interfaces'),
        ('samba/charset/dos', 'dos charset'),
        ('samba/charset/unix', 'unix charset'),
        ('samba/charset/display', 'display charset'),
        ('samba/enable-privileges', 'enable privileges'),
        ('samba/interfaces/bindonly', 'bind interfaces only'),]:
    if configRegistry.get(key):
        print '\t%s = %s' % (smbstring, configRegistry[key])

if configRegistry.get('samba/socket_options'):
    print '\tsocket options = %s' % configRegistry['samba/socket_options']

print '\tntlm auth\t= %s' % (configRegistry.get('samba/ntlm/auth', 'ntlmv2-only'))
print '\tmachine password timeout\t= %d' % int(configRegistry.get('samba/machine_password_timeout', 0))

if configRegistry.is_true('samba/acl/allow/execute/always', True):
    print '\tacl allow execute always = True'

if configRegistry.get('samba/register/exclude/interfaces') and not configRegistry.is_true('samba/interfaces/bindonly', False):
    from univention.config_registry.interfaces import Interfaces
    interfaces = Interfaces(configRegistry)
    interface_list = [_name for _name, iface in interfaces.all_interfaces]
    for ignore in configRegistry['samba/register/exclude/interfaces'].split(' '):
        if ignore in interface_list:
            interface_list.remove(ignore)
    # also ignore appliance-mode-temporary interface
    for iface in interface_list[:]:
        if configRegistry.get('interfaces/%s/type' % iface, '') == 'appliance-mode-temporary':
            interface_list.remove(iface)
    if interface_list:
        print
        print '\t# ignore interfaces in samba/register/exclude/interfaces'
        print '\tbind interfaces only = yes'
        print '\tinterfaces = lo %s' % ' '.join(interface_list)
@!@
================================================================

The bindonly parameter is written with yes to the config, if samba/register/exclude/interfaces is set, which we do by default with docker.

----------------------------------------------------------------
ucr search --brief samba/interface samba/register
samba/interfaces/bindonly: no
samba/interfaces: <empty>
samba/register/exclude/interfaces: docker0
----------------------------------------------------------------
testparm -sv |grep interface
Server role: ROLE_DOMAIN_MEMBER
        bind interfaces only = Yes
        interfaces = lo ens3
----------------------------------------------------------------
ucr unset samba/register/exclude/interfaces
Unsetting samba/register/exclude/interfaces
Multifile: /etc/samba/smb.conf
----------------------------------------------------------------
testparm -sv |grep interface
Load smb config files from /etc/samba/smb.conf
Server role: ROLE_DOMAIN_MEMBER
        bind interfaces only = No
        interfaces =
----------------------------------------------------------------
Now samba listens on all interfaces
----------------------------------------------------------------
lsof -i -P |grep smbd
smbd       8498        root   33u  IPv6 2783546      0t0  TCP *:445 (LISTEN)
smbd       8498        root   34u  IPv6 2783547      0t0  TCP *:139 (LISTEN)
smbd       8498        root   35u  IPv4 2783548      0t0  TCP *:445 (LISTEN)
smbd       8498        root   36u  IPv4 2783549      0t0  TCP *:139 (LISTEN)
----------------------------------------------------------------
ucr set samba/register/exclude/interfaces=docker0
testparm -sv |grep interface
Load smb config files from /etc/samba/smb.conf
Server role: ROLE_DOMAIN_MEMBER
        bind interfaces only = Yes
        interfaces = lo ens3
----------------------------------------------------------------
lsof -i -P |grep smbd
smbd      26123        root   33u  IPv4 3130134      0t0  TCP real-member.schein.ig:445 (LISTEN)
smbd      26123        root   34u  IPv4 3130135      0t0  TCP real-member.schein.ig:139 (LISTEN)
smbd      26123        root   35u  IPv4 3130136      0t0  TCP localhost:445 (LISTEN)
smbd      26123        root   36u  IPv4 3130137      0t0  TCP localhost:139 (LISTEN)
smbd      26123        root   37u  IPv6 3130138      0t0  TCP localhost:445 (LISTEN)
smbd      26123        root   38u  IPv6 3130139      0t0  TCP localhost:139 (LISTEN)
----------------------------------------------------------------

Because of the exclude parameter, which is set by default to docker0, the bindonly parameter is always set to Yes. This is not explained anywhere, this is not in the ucr info. You may get that understanding the code or with trial and error
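
Added example, not part of the bug report and not Univention's code: a simplified Python 3 model of the two interface-related branches of the template quoted in comment 3, with a check for parameters that end up set twice. It omits the appliance-mode-temporary filter and assumes Samba applies the last assignment of a repeated parameter, which matches the testparm output above; the function names, the truthy-value set and the interface lists are constructed for illustration.

```python
# Simplified model of the smb.conf template logic discussed in this thread.
TRUE_VALUES = {"yes", "true", "1", "enable", "enabled", "on"}  # assumed truthy spellings


def render_interface_lines(ucr, system_interfaces):
    """Return the interface-related smb.conf lines the modelled template emits."""
    lines = []
    # Branch 1: each variable is copied verbatim whenever it is non-empty.
    for key, param in (("samba/interfaces", "interfaces"),
                       ("samba/interfaces/bindonly", "bind interfaces only")):
        if ucr.get(key):
            lines.append(f"{param} = {ucr[key]}")
    # Branch 2: exclude list set and bindonly not true -> forced bind-only block.
    bindonly = ucr.get("samba/interfaces/bindonly", "").lower() in TRUE_VALUES
    excluded = ucr.get("samba/register/exclude/interfaces", "").split()
    if excluded and not bindonly:
        remaining = [i for i in system_interfaces if i not in excluded]
        if remaining:
            lines.append("bind interfaces only = yes")
            lines.append("interfaces = lo " + " ".join(remaining))
    return lines


def audit(lines):
    """Return (effective settings, parameters assigned more than once)."""
    effective, duplicates = {}, []
    for line in lines:
        param, value = (part.strip() for part in line.split("=", 1))
        if param in effective and param not in duplicates:
            duplicates.append(param)
        effective[param] = value  # assumption: the later assignment wins
    return effective, duplicates


if __name__ == "__main__":
    # Constructed input mirroring comment 3: bindonly=no, docker0 excluded.
    ucr = {"samba/interfaces/bindonly": "no",
           "samba/register/exclude/interfaces": "docker0"}
    lines = render_interface_lines(ucr, ["ens3", "docker0"])
    print("\n".join(lines))
    print(audit(lines))
```

Running the same audit over the [global] section of a generated smb.conf shows whether the listening scope an administrator set explicitly is the one that takes effect.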