Solved samba in jail could not start

Hi,
I'm learning to set up a samba server in a jail. In the jail, /usr/local/etc/smb4.conf was created for testing:
Code:
[global]
    netbios name = JFSVR
    realm = OFFICE.IO
    workgroup = OFFICE
    vfs objects = dfs_samba4 zfsacl
    server string = office jserver %v
    server role = standalone server
    passdb backend = tdbsam
    security = user
    dns forwarder = no
    dns proxy = no
    ntlm auth = yes
    os level = 255
    log file = /var/log/samba4/%m
    log level = 3
    max log size = 2000
    hosts allow = 127.0.0.1 192.168.0.0/16
    interfaces = 192.168.1.250        # host ip is 192.168.1.254
    #interfaces = bce0
    bind interfaces only = yes
    remote announce = 192.168.1.255
    socket options = TCP_NODELAY

[tank1]
    path = /tank1
    valid users = @eng @sales @mgmt
    write list = @eng
    browsable = yes
    read only = no
    guest ok = no
    public = no
    create mask = 0666
    directory mask = 0777
    inherit acls = no
    inherit owner = no
    inherit permissions = no

When I try to start the samba server in jail:
Code:
root@jfsvr:/usr/local/etc # service samba_server start
Performing sanity check on Samba configuration: OK
mount: none: Operation not permitted

What am I doing wrong that I'm not able to start the samba server?
Also, I checked /var/log/samba4; it is empty, no log files were generated.

Thanks.
 
Code:
exec.start = "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown";
exec.clean;
allow.chflags = 1;
allow.read_msgbuf = 1;
allow.mount = 1;
allow.mount.devfs = 1;
mount.devfs;
allow.mount.nullfs;
exec.system_user = "root";
exec.jail_user = "root";
samba {
    path = "/jails/samba";
    host.hostname = "jfsvr.office.io";
    interface = "bce0";        # the NIC facing external
    ip4.addr = 192.168.1.250;
    persist;
}

The host has zfs and I created datasets:
Code:
root@bsd_fsvr:/etc # zfs list
NAME                      USED  AVAIL     REFER  MOUNTPOINT
zroot                    9.57G   436G       96K  /zroot
zroot/ROOT               2.96G   436G       96K  none
zroot/ROOT/default       2.96G   436G     2.96G  /
zroot/jtank              1.84G   436G       96K  /jails
zroot/jtank/samba        1.84G   436G     1.84G  /jails/samba
zroot/jtank/samba/tank1    96K   436G       96K  /jails/samba/tank1
zroot/jtank/samba/tank2    96K   436G       96K  /jails/samba/tank2
zroot/tmp                 104K   436G      104K  /tmp
zroot/usr                4.76G   436G       96K  /usr
zroot/usr/home           3.21G   436G     3.21G  /usr/home
zroot/usr/ports           816M   436G      816M  /usr/ports
zroot/usr/src             773M   436G      773M  /usr/src
zroot/var                1.38M   436G       96K  /var
zroot/var/audit            96K   436G       96K  /var/audit
zroot/var/crash            96K   436G       96K  /var/crash
zroot/var/log             892K   436G      892K  /var/log
zroot/var/mail            136K   436G      136K  /var/mail
zroot/var/tmp              96K   436G       96K  /var/tmp
 
You should allow mounting the file-descriptor file system in the case of Samba 4.16 or newer.
In addition to "allow.mount", set the following lines in jail.conf:
Code:
enforce_statfs = "1";
allow.mount.fdescfs;

But be careful, there is a serious bug in FreeBSD 13.1 and older, and you need to disable the cleanvar service to prevent data loss.
 
I also never got samba 4.16 running in a jail, despite allowing statfs and fdescfs and basically allowing any kind of mounts for that jail, while samba 4.13 runs perfectly fine. So if you don't have a special use case that absolutely needs 4.16 and just have/want to get it to work, stay with 4.13 when running in a jail...
 
Thanks. These two lines did the trick. Now samba is running inside jail. The machine is running FBSD 13.2 and samba 4.16.

Is running samba inside jail a solid solution for production? The bug makes me wonder if it can be error-prone.

 
I have FreeBSD 13.2 running on a Pine64Pro (arm64), with zfs and 7 jails. Somehow, today (28 Aug 2023), one of them didn't show up as an smb-server. All the others still do, and all have the same issue:
"WARNING: samba_server: cannot fdescfs mount to /var/run/samba4/fd".
Even after adding those rules from above (added: enforce_statfs = "1"; etc.), it did not work.
However, I still do not know why smb:"ip-address" still works and smb:<servername> doesn't.
Allow.mount = "true" did the trick. Now no warnings.
 
I'm facing the same problem, I mean "mount: none: Operation not permitted" with samba416 in a Jail. I'm on 13.2-RELEASE-p5. I would like to stay with samba413 as sko stated, but:
jail: smb
samba413-4.13.17_8: Tag: expiration_date Value: 2023-12-31
samba413-4.13.17_8: Tag: deprecated Value: Reached its EoL on March 21, 2022

It's time to make this thing working. I narrowed down the problem to:
root@smb:~ # sysctl security.jail.mount_fdescfs_allowed
security.jail.mount_fdescfs_allowed: 0

Knowing that:
root@smb:~ # sysctl security.jail.mount_allowed
security.jail.mount_allowed: 1
root@smb:~ # sysctl security.jail.enforce_statfs
security.jail.enforce_statfs: 1

I use sysutils/ezjail and it turns out I'm unable to set jail.mount_fdescfs_allowed to 1.
/usr/local/etc/ezjail/smb
export jail_smb_hostname="smb"
export jail_smb_rootdir="/usr/jails/smb"
export jail_smb_exec_start="/bin/sh /etc/rc"
export jail_smb_exec_stop=""
export jail_smb_mount_enable="YES"
export jail_smb_devfs_enable="YES"
export jail_smb_devfs_ruleset="devfsrules_jail"
export jail_smb_procfs_enable="YES"
export jail_smb_enforce_statfs="1"
export jail_smb_fdescfs_enable="YES"
#export jail_smb_parameters="allow.mount.fdescfs" <- Something I tried, in vain.
export jail_smb_image=""
export jail_smb_imagetype="zfs"
export jail_smb_attachparams=""
export jail_smb_attachblocking=""
export jail_smb_forceblocking=""
export jail_smb_zfs_datasets=""
export jail_smb_cpuset=""
export jail_smb_fib=""
export jail_smb_parameters=""
export jail_smb_post_start_script=""
export jail_smb_retention_policy=""

Can someone help me?

Note: I found a patch from Yoshihiro Takahashi that makes samba work despite security.jail.mount_fdescfs_allowed=0, but I don't think it will ever be committed. I remember that long ago, I did a patch for a real but not very important bug and it has been ignored.
 
samba416 working here. I do not mount fdescfs, and I do NOT use enforce_statfs=1 nor allow.mount.fdescfs ... it just works without any special configuration.
 
It turns out that's a problem with ezjail, which doesn't pass the parameter allow.mount.fdescfs before launching the jail.

I (manually) created a thin jail using nullfs like ezjail and if the correct parameters are set, samba416 starts successfully; this time security.jail.mount_fdescfs_allowed=1.

I think I have to write my own framework for jails as I did for bhyve VMs. It will take time but anyway ezjail is obsolete, so this must be done.
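
The diagnosis used in this thread, as an added example that is not part of any post: a POSIX sh check that reads `sysctl` output taken inside a jail and reports which setting still blocks the fdescfs mount. The function names are hypothetical; the rule it encodes is from jail(8), where allow.mount.fdescfs only takes effect together with allow.mount and an enforce_statfs value lower than 2.

```sh
#!/bin/sh
# Added example: decide from `sysctl` output taken inside a jail whether
# fdescfs can be mounted there. Function names are hypothetical.

# get_val NAME: read "name: value" lines on stdin, print the value for NAME.
# Exits non-zero when NAME is not present in the input.
get_val() {
    awk -v k="$1" -F': *' '$1 == k { print $2; found = 1 } END { exit !found }'
}

# check_fdescfs TEXT: print one line per problem; return 0 only if none.
check_fdescfs() {
    out=$1
    rc=0
    # Both mount permissions must be granted to the jail.
    for key in mount_allowed mount_fdescfs_allowed; do
        val=$(printf '%s\n' "$out" | get_val "security.jail.$key") || val=missing
        if [ "$val" != 1 ]; then
            echo "security.jail.$key is $val, expected 1"
            rc=1
        fi
    done
    # enforce_statfs must be lower than 2 for the mount permission to apply.
    val=$(printf '%s\n' "$out" | get_val "security.jail.enforce_statfs") || val=missing
    case $val in
        0|1) ;;
        *) echo "security.jail.enforce_statfs is $val, expected 0 or 1"; rc=1 ;;
    esac
    return $rc
}

# Values reported in the ezjail post above (fdescfs not allowed).
BROKEN='security.jail.mount_fdescfs_allowed: 0
security.jail.mount_allowed: 1
security.jail.enforce_statfs: 1'

# Constructed sample: the same jail once allow.mount.fdescfs is passed.
FIXED='security.jail.mount_fdescfs_allowed: 1
security.jail.mount_allowed: 1
security.jail.enforce_statfs: 1'

check_fdescfs "$BROKEN" || echo "=> allow.mount.fdescfs did not reach the jail"
check_fdescfs "$FIXED" && echo "=> fdescfs mount is permitted"
```

Inside a running jail the same function can be fed live values with `check_fdescfs "$(sysctl security.jail)"`. Granting only allow.mount.fdescfs on top of allow.mount keeps the jail from gaining mount rights for other file system types.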
 
Just a little news about this problem.

So, I wrote my own framework for managing the jails. I shamefully plagiarized sysutils/ezjail because I love this software (thin jails based on nullfs and the "flavour" principle). I simplified it to suit my own needs and used jail conf files to avoid complaints from the jail sub-system.

I resolved the main drawback of thin jails (merge of config files during upgrades) by the use of etcupdate on each jail. It works great.

I haven't yet put it in my server/router; I'm waiting for more testing results. But I'm very happy with my code. :)
 