Solved: samba in jail could not start

Hi,
I'm learning to set up a samba server in a jail. In the jail, /usr/local/etc/smb4.conf is created for testing:
Code:
[global]
    netbios name = JFSVR
    realm = OFFICE.IO
    workgroup = OFFICE
    vfs objects = dfs_samba4 zfsacl
    server string = office jserver %v
    server role = standalone server
    passdb backend = tdbsam
    security = user
    dns forwarder = no
    dns proxy = no
    ntlm auth = yes
    os level = 255
    log file = /var/log/samba4/%m
    log level = 3
    max log size = 2000
    hosts allow = 127.0.0.1 192.168.0.0/16
    # host ip is 192.168.1.254 (smb.conf only treats whole lines as comments,
    # so this note must not follow the value on the same line)
    interfaces = 192.168.1.250
    #interfaces = bce0
    bind interfaces only = yes
    remote announce = 192.168.1.255
    socket options = TCP_NODELAY

[tank1]
    path = /tank1
    valid users = @eng @sales @mgmt
    write list = @eng
    browsable = yes
    read only = no
    guest ok = no
    public = no
    create mask = 0666
    directory mask = 0777
    inherit acls = no
    inherit owner = no
    inherit permissions = no

When I try to start the samba server in the jail:
Code:
root@jfsvr:/usr/local/etc # service samba_server start
Performing sanity check on Samba configuration: OK
mount: none: Operation not permitted

What am I doing wrong that the samba server is not able to start?
Also, checking /var/log/samba4, it is empty; no log files are generated.

Thanks.
 
Code:
exec.start = "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown";
exec.clean;
allow.chflags = 1;
allow.read_msgbuf = 1;
allow.mount = 1;
allow.mount.devfs = 1;
mount.devfs;
allow.mount.nullfs;
exec.system_user = "root";
exec.jail_user = "root";
samba {
    path = "/jails/samba";
    host.hostname = "jfsvr.office.io";
    interface = "bce0";        # the NIC facing external
    ip4.addr = 192.168.1.250;
    persist;
}

The host has zfs and I created datasets:
Code:
root@bsd_fsvr:/etc # zfs list
NAME                      USED  AVAIL     REFER  MOUNTPOINT
zroot                    9.57G   436G       96K  /zroot
zroot/ROOT               2.96G   436G       96K  none
zroot/ROOT/default       2.96G   436G     2.96G  /
zroot/jtank              1.84G   436G       96K  /jails
zroot/jtank/samba        1.84G   436G     1.84G  /jails/samba
zroot/jtank/samba/tank1    96K   436G       96K  /jails/samba/tank1
zroot/jtank/samba/tank2    96K   436G       96K  /jails/samba/tank2
zroot/tmp                 104K   436G      104K  /tmp
zroot/usr                4.76G   436G       96K  /usr
zroot/usr/home           3.21G   436G     3.21G  /usr/home
zroot/usr/ports           816M   436G      816M  /usr/ports
zroot/usr/src             773M   436G      773M  /usr/src
zroot/var                1.38M   436G       96K  /var
zroot/var/audit            96K   436G       96K  /var/audit
zroot/var/crash            96K   436G       96K  /var/crash
zroot/var/log             892K   436G      892K  /var/log
zroot/var/mail            136K   436G      136K  /var/mail
zroot/var/tmp              96K   436G       96K  /var/tmp
 
You should allow mounting the file-descriptor file system in the case of Samba 4.16 or newer.
In addition to "allow.mount", set the following lines in jail.conf:
Code:
enforce_statfs = "1";
allow.mount.fdescfs;

But be careful, there is a serious bug in FreeBSD 13.1 and older and you need to disable the cleanvar service to prevent data loss.
 
I also never got samba 4.16 running in a jail, despite allowing statfs and fdescfs and basically allowing any kind of mounts for that jail, while samba 4.13 runs perfectly fine. So if you don't have a special use case that absolutely needs 4.16 and just have/want to get it to work, stay with 4.13 when running in a jail...
 
Thanks. These two lines did the trick. Now samba is running inside jail. The machine is running FBSD 13.2 and samba 4.16.

Is running samba inside jail a solid solution for production? The bug makes me wonder if it can be error-prone.

 
I have FreeBSD 13.2 running on a Pine64Pro (arm64), with zfs and 7 jails. Somehow, today (28 Aug 2023), one of them didn't show up as an smb server. All the others still do, and all have the same issue:
"WARNING: samba_server: cannot fdescfs mount to /var/run/samba4/fd"
Even after adding those rules from above (added: enforce_statfs = "1"; etc.), it did not work.
However, I still do not know why smb:"ip-address" still works and smb:<servername> doesn't.
allow.mount = "true" did the trick. Now no warnings.
 
I'm facing the same problem, I mean "mount: none: Operation not permitted" with samba416 in a jail. I'm on 13.2-RELEASE-p5. I would like to stay with samba413 as sko stated, but:
Code:
jail: smb
samba413-4.13.17_8: Tag: expiration_date Value: 2023-12-31
samba413-4.13.17_8: Tag: deprecated Value: Reached its EoL on March 21, 2022

It's time to make this thing work. I narrowed down the problem to:
Code:
root@smb:~ # sysctl security.jail.mount_fdescfs_allowed
security.jail.mount_fdescfs_allowed: 0

Knowing that:
Code:
root@smb:~ # sysctl security.jail.mount_allowed
security.jail.mount_allowed: 1
root@smb:~ # sysctl security.jail.enforce_statfs
security.jail.enforce_statfs: 1

I use sysutils/ezjail and it turns out I'm unable to set jail.mount_fdescfs_allowed to 1.
Code:
/usr/local/etc/ezjail/smb
export jail_smb_hostname="smb"
export jail_smb_rootdir="/usr/jails/smb"
export jail_smb_exec_start="/bin/sh /etc/rc"
export jail_smb_exec_stop=""
export jail_smb_mount_enable="YES"
export jail_smb_devfs_enable="YES"
export jail_smb_devfs_ruleset="devfsrules_jail"
export jail_smb_procfs_enable="YES"
export jail_smb_enforce_statfs="1"
export jail_smb_fdescfs_enable="YES"
#export jail_smb_parameters="allow.mount.fdescfs" <- Something I tried, in vain.
export jail_smb_image=""
export jail_smb_imagetype="zfs"
export jail_smb_attachparams=""
export jail_smb_attachblocking=""
export jail_smb_forceblocking=""
export jail_smb_zfs_datasets=""
export jail_smb_cpuset=""
export jail_smb_fib=""
export jail_smb_parameters=""
export jail_smb_post_start_script=""
export jail_smb_retention_policy=""

Can someone help me?

Note: I found a patch from Yoshihiro Takahashi that makes samba work despite security.jail.mount_fdescfs_allowed=0 but I don't think it will be ever committed. I remember that long ago, I did a patch for a real but not very important bug and it has been ignored.
 
samba416 working here. I do not mount fdescfs, and I do NOT use enforce_statfs=1 nor allow.mount.fdescfs ... it just works without any special configuration.
 
It turns out that's a problem with ezjail, which doesn't pass the parameter allow.mount.fdescfs before launching the jail.

I (manually) created a thin jail using nullfs like ezjail and if the correct parameters are set, samba416 starts successfully; this time security.jail.mount_fdescfs_allowed=1.

I think I have to write my own framework for jails as I did for bhyve VMs. It will take time but anyway ezjail is obsolete, so this must be done.
 
Just a little news about this problem.

So, I wrote my own framework for managing the jails. I shamefully plagiarized sysutils/ezjail because I love this software (thin jails based on nullfs and the "flavour" principle). I simplified it to suit my own needs and used jail conf files to avoid complaints from the jail subsystem.

I resolved the main drawback of thin jails (merging config files during upgrades) by using etcupdate on each jail. It works great.

I haven't yet put it on my server/router; I'm waiting for more testing results. But I'm very happy with my code. :)
 
This thread still turns up as the first search result for samba>4.13 not wanting to run in a jail with the completely useless error message "mount: none: Operation not permitted".

I just ran into the same problem again while replacing the last few jails running 12.3-RELEASE; one of which contained a samba 4.13 install.
The mentioned sysctls security.jail.mount_fdescfs_allowed and security.jail.param.allow.mount.fdescfs have been deprecated in favor of per-jail options - they don't work.

One has to set allow.mount.fdescfs as well as allow.mount to 1 in order to allow samba >4.13 to run properly in a jail. iocell currently lacks the "allow_mount_fdescfs" option, so this has to be set manually if using iocell.
I just pushed a PR to iocell, which had a "mount_fdescfs" option, but not an "allow_mount_fdescfs" option to allow those mounts from within the jail:

I hope it will get merged soon (as well as some of the other long outstanding PRs...)
 
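Added example, not code from any post in this thread: a small POSIX shell checker for the two fixes the thread converges on (sko's advice to set enforce_statfs = "1" and allow.mount.fdescfs in jail.conf, and the later note that allow.mount must be on as well), plus a reader for the security.jail.* sysctl values that the ezjail post used to narrow the problem down. The function names, the sample jail.conf contents and the sample sysctl output are all constructed here; the rule that allow.mount only takes effect when enforce_statfs is below 2 comes from jail(8). It runs offline on the embedded samples; for a real system, pass the real /etc/jail.conf path and jail name, or pipe `sysctl security.jail` output taken inside the jail into jail_sysctl_ok.

```shell
#!/bin/sh
# Added example, not from the thread. Checks whether a jail definition lets
# the samba_server rc script mount fdescfs inside the jail: allow.mount = 1,
# allow.mount.fdescfs = 1, and enforce_statfs below 2 (jail(8): allow.mount
# only takes effect when enforce_statfs < 2).
set -eu

# Print "key=value" lines for the effective parameters of one jail in a
# jail.conf(5) file. Globals (outside any "name { }" block) apply first and
# the jail's own block overrides them. "param;" means 1 and a "no" prefix on
# the last component ("allow.nomount;") means 0. Quoted values containing
# ';' or '#' are not handled by this simple parser.
jailconf_params() {  # $1 = path to jail.conf, $2 = jail name
    awk -v target="$2" '
        {
            sub(/#.*/, "")                                 # strip comments
            t = $0; gsub(/[[:space:]]/, "", t)
            if (t == "") next
            if (t == "}") { scope = ""; next }             # back to globals
            if (index(t, "{") && !index(t, "=")) {         # "name {" opens a block
                scope = substr(t, 1, index(t, "{") - 1); next
            }
            if (scope != "" && scope != target) next       # some other jail
            n = split($0, stmt, ";")
            for (i = 1; i <= n; i++) {
                s = stmt[i]; gsub(/^[[:space:]]+|[[:space:]]+$/, "", s)
                if (s == "") continue
                if (index(s, "=")) {                       # key = value
                    key = s; sub(/[[:space:]]*=.*/, "", key)
                    val = s; sub(/^[^=]*=[[:space:]]*/, "", val); gsub(/"/, "", val)
                } else {                                   # bare boolean
                    p = match(s, /\.[^.]*$/)               # offset of last "."
                    last = substr(s, p + 1)
                    if (substr(last, 1, 2) == "no") {
                        key = substr(s, 1, p) substr(last, 3); val = 0
                    } else {
                        key = s; val = 1
                    }
                }
                if (scope == "") { g[key] = val } else { j[key] = val }
            }
        }
        END {
            for (k in g) eff[k] = g[k]
            for (k in j) eff[k] = j[k]
            for (k in eff) print k "=" eff[k]
        }' "$1"
}

# Return 0 when the jail may mount fdescfs, 1 otherwise (one line per problem).
jailconf_check_fdescfs() {  # $1 = path to jail.conf, $2 = jail name
    params=$(jailconf_params "$1" "$2")
    rc=0
    for key in allow.mount allow.mount.fdescfs; do
        val=$(printf '%s\n' "$params" | awk -F= -v k="$key" '$1 == k { print $2 }')
        [ "${val:-0}" = 1 ] || { echo "$2: $key is not enabled"; rc=1; }
    done
    val=$(printf '%s\n' "$params" | awk -F= '$1 == "enforce_statfs" { print $2 }')
    [ "${val:-2}" -lt 2 ] || { echo "$2: enforce_statfs=${val:-2} (2 forbids in-jail mounts)"; rc=1; }
    return $rc
}

# Inside a running jail the same permissions are visible through the sysctls
# quoted in the thread; this evaluates "sysctl security.jail" output on stdin.
jail_sysctl_ok() {
    awk -F': *' '
        BEGIN { e = 2 }                                    # jail(8) default
        $1 == "security.jail.mount_allowed"         { m = $2 }
        $1 == "security.jail.mount_fdescfs_allowed" { f = $2 }
        $1 == "security.jail.enforce_statfs"        { e = $2 }
        END { exit !(m == 1 && f == 1 && e < 2) }'
}

# Constructed samples: the first post's jail.conf (no fdescfs permission) and
# the same jail with the fix applied inside its own block.
SAMPLE_BAD=$(mktemp); SAMPLE_GOOD=$(mktemp)
trap 'rm -f "$SAMPLE_BAD" "$SAMPLE_GOOD"' EXIT
cat > "$SAMPLE_BAD" <<'EOF'
exec.start = "/bin/sh /etc/rc";
exec.clean;
allow.mount = 1;
allow.mount.devfs = 1;
mount.devfs;
samba {
    path = "/jails/samba";
    ip4.addr = 192.168.1.250;        # comment after a statement
    persist;
}
EOF
cat > "$SAMPLE_GOOD" <<'EOF'
exec.start = "/bin/sh /etc/rc";
allow.mount;                         # bare name means "= 1"
allow.mount.nofdescfs;               # off by default for every jail ...
enforce_statfs = "2";
samba {
    path = "/jails/samba";
    allow.mount.fdescfs;             # ... but on for this one
    enforce_statfs = "1";            # must be below 2 for any in-jail mount
    persist;
}
other {
    path = "/jails/other";
}
EOF

for f in "$SAMPLE_BAD" "$SAMPLE_GOOD"; do
    jailconf_check_fdescfs "$f" samba && echo "$f: samba may mount fdescfs"
done
# Constructed output like the ezjail post's: mount_fdescfs_allowed is 0.
printf '%s\n' 'security.jail.mount_allowed: 1' \
              'security.jail.mount_fdescfs_allowed: 0' \
              'security.jail.enforce_statfs: 1' \
    | jail_sysctl_ok || echo "running jail: fdescfs mount will be refused"
```

The checker reports the first sample as missing allow.mount.fdescfs and enforce_statfs (which defaults to 2 and therefore forbids every in-jail mount, whatever allow.mount says), accepts the second sample's samba jail, and rejects its other jail because the global allow.mount.nofdescfs still applies there. That last case is the ezjail symptom from the thread: allow.mount and enforce_statfs look fine inside the jail, but mount_fdescfs_allowed stays 0 because the parameter was never passed for that jail.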
I am running samba419 here now in a jail without that configuration, same config as I have mentioned above. However, I do run a jail with vnet if that matters.
 
I read this thread and do not understand the final conclusion.

I'm running FreeBSD 14.0-RELEASE p6 on both the host and the jail.
Samba 4.19.6
Jails managed and created by iocage... yes I know, abandonware, switch to bastille, well, it takes a bit of time.

And I do get the error message upon starting samba, which fails to start:
Code:
root@ABDC011:/var/log/samba4 # service samba_server start
Performing sanity check on Samba configuration: OK
mount: none: Operation not permitted

I'm confused by rootbert's post that they are running 419 in a jail without the 'allow.mount.fdescfs' and 'allow.mount' parameters, which I would have trouble inserting into iocage as they seem not to be supported, right?

So does anyone know how to run samba 4.19 in an iocage-managed jail under FreeBSD 14.0?

Any help appreciated.

edited: typos
 
I don't know about iocage, which is the python-based rewrite of iocell. I switched to iocell when iXsystems migrated to python because it was far from production-ready in the beginning and error messages from python are less than useless, while the shell-based code just worked. For iocell it is rather straightforward to add jail options; it's basically 2 lines of code that can be copied and modified from other 'allow.xy' jail options.

Regarding samba >4.16: you definitely need allow.mount.fdescfs set for the jail. I have no idea why rootbert still insists it is not necessary, but I've tested/confirmed it prior to adding that option to iocell and after adding my patches to sysutils/iocell on freshly set up vanilla 13.3-RELEASE and 14.0-RELEASE VMs, and without the allow.mount.fdescfs option set samba won't start, giving that "mount: none: Operation not permitted" error.
I always tested with samba419 from official package repositories as well as with the packages I build myself with slightly different options:

Code:
Options        :
        ADS            : off
        AD_DC          : off
        AVAHI          : off
        CLUSTER        : off
        CUPS           : on
        DOCS           : on
        FAM            : on
        FRUIT          : off
        GLUSTERFS      : off
        GPGME          : off
        GSSAPI_BUILTIN : off
        GSSAPI_MIT     : on
        LDAP           : off
        MANDOC         : on
        MDNSRESPONDER  : off
        PROFILE        : on
        PYTHON3        : on
        QUOTAS         : on
        SPOTLIGHT      : on
        SYSLOG         : on
        UTMP           : on
        ZEROCONF_NONE  : on

I suspect the file alteration monitor (FAM) might be the culprit, but haven't verified/tested that.
 
Whenever I run service samba_server start inside the jail I get:
Code:
Performing sanity check on Samba configuration: OK
kldload: can't load fdescfs: Operation not permitted
/usr/local/etc/rc.d/samba_server: WARNING: Unable to load kernel module fdescfs
/usr/local/etc/rc.d/samba_server: WARNING: samba_server: cannot fdescfs mount to /var/run/samba4/fd
Starting nmbd.
Starting smbd.

Although errors/WARNINGS are printed and also in the log, samba works as expected.
 