SMB Shares inaccessible after update to 5.0.6-0

Mark93 · January 20, 2024, 9:07am

Hi,
after the latest testing update, my SMB Shares are inaccessible. I noticed the whole SMB Share configuration in the WebGUI was missing. After adding it and restarting the service and the appliance, it is still inaccessible.

rockstor4:/var/log/samba # zypper info rockstor
Loading repository data...
Reading installed packages...


Information for package rockstor:
---------------------------------
Repository     : Rockstor-Testing
Name           : rockstor
Version        : 5.0.6-0
Arch           : x86_64
Vendor         : YewTreeApps
Installed Size : 7.8 MiB
Installed      : Yes
Status         : up-to-date
Source package : rockstor-5.0.6-0.src
Upstream URL   : https://rockstor.com/
Summary        : Btrfs Network Attached Storage (NAS) Appliance.
Description    :
    Software raid, snapshot capable NAS solution with built-in file integrity protection.
    Allows for file sharing between network attached devices.

A look into smbd.<myipaddress> shows this:

[2024/01/20 09:48:22.210625,  1] ../../source3/smbd/service.c:721(make_connection_snum)
  root preexec gave 1 - failing connection
[2024/01/20 09:48:22.210727,  3] ../../source3/smbd/smb2_server.c:3956(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../../source3/smbd/smb2_tcon.c:151
[2024/01/20 09:48:22.211331,  3] ../../source3/smbd/msdfs.c:1083(get_referred_path)
  get_referred_path: |Scan| in dfs path \192.168.30.75\Scan is not a dfs root.
[2024/01/20 09:48:22.211366,  3] ../../source3/smbd/smb2_server.c:3956(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_NOT_FOUND] || at ../../source3/smbd/smb2_ioctl.c:353
[2024/01/20 09:48:22.211410,  3] ../../source3/smbd/msdfs.c:1083(get_referred_path)
  get_referred_path: |Scan| in dfs path \192.168.30.75\Scan is not a dfs root.
[2024/01/20 09:48:22.211425,  3] ../../source3/smbd/smb2_server.c:3956(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_NOT_FOUND] || at ../../source3/smbd/smb2_ioctl.c:353
[2024/01/20 09:48:22.211777,  3] ../../lib/util/access.c:372(allow_access)
  Allowed connection from 192.168.30.51 (192.168.30.51)
[2024/01/20 09:48:22.211826,  3] ../../source3/smbd/service.c:611(make_connection_snum)
  make_connection_snum: Connect path is '/mnt2/Scan' for service [Scan]
[2024/01/20 09:48:22.211853,  3] ../../source3/smbd/vfs.c:115(vfs_init_default)
  Initialising default vfs hooks
[2024/01/20 09:48:22.211864,  3] ../../source3/smbd/vfs.c:141(vfs_init_custom)
  Initialising custom vfs hooks from [/[Default VFS]/]
[2024/01/20 09:48:22.211875,  3] ../../source3/smbd/vfs.c:141(vfs_init_custom)
  Initialising custom vfs hooks from [shadow_copy2]
Error: password store is empty. Try "pass init".
Traceback (most recent call last):
  File "/opt/rockstor/.venv/bin/mnt-share", line 3, in <module>
    from scripts.mount_share import mount_share
  File "/opt/rockstor/src/rockstor/scripts/__init__.py", line 6, in <module>
    django.setup()
  File "/opt/rockstor/.venv/lib/python3.11/site-packages/django/__init__.py", line 19, in setup
    configure_logging(settings.LOGGING_CONFIG, settings.LOGGING)
                      ^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/rockstor/.venv/lib/python3.11/site-packages/django/conf/__init__.py", line 102, in __getattr__
    self._setup(name)
  File "/opt/rockstor/.venv/lib/python3.11/site-packages/django/conf/__init__.py", line 89, in _setup
    self._wrapped = Settings(settings_module)
                    ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/rockstor/.venv/lib/python3.11/site-packages/django/conf/__init__.py", line 217, in __init__
    mod = importlib.import_module(self.SETTINGS_MODULE)
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib64/python3.11/importlib/__init__.py", line 126, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/rockstor/src/rockstor/settings.py", line 120, in <module>
    SECRET_KEY = keyring.get_password("rockstor", "SECRET_KEY")
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/rockstor/.venv/lib/python3.11/site-packages/keyring/core.py", line 55, in get_password
    return get_keyring().get_password(service_name, username)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/rockstor/.venv/lib/python3.11/site-packages/keyring/backends/fail.py", line 25, in get_password
    raise NoKeyringError(msg)
keyring.errors.NoKeyringError: No recommended backend was available. Install a recommended 3rd party backend package; or, install the keyrings.alt package if you want to use the non-recommended backends. See https://pypi.org/project/keyring for details.

These messages repeat over and over.

sudo zypper in --force rockstor or adding a new user didn’t help.

phillxnet · January 20, 2024, 3:00pm

@Mark93 Hello again. And thanks for the report.

Your issue could well be due to a an older database format from 4.1.0 stable or before having been transitioned via a zypper dup etc to a newer Leap and now using the testing channel. Let us know if this correlates to yoru system.

See the following known issue (testing 5.0.6-0 only) that is currently being resolved:

via the linked issue repeated here for ease:

github.com/rockstor/rockstor-core

Establish Postgres database format upgrade

opened 12:23PM - 19 Jan 24 UTC

phillxnet

Thanks to @FroggyFlox & KarstenV on the forum for identifying this need. From t…esting channel/branch v5.0.6.0 onwards we have fully updated our Django to 4.2 LTS, and the related python interface library of psycopg to V3: this has surfaced a Django/db-format incompatibility requiring an in-place db update capability. From @FroggyFlox's forum comment here: https://forum.rockstor.com/t/after-updating-to-5-0-6-0-web-interface-is-not-accesible-and-network-shares-are-also-not-accesible/9226/29 We see that although we have previously update our Postgres dependency to 13, and enforce that binaries use via the alternatives system when doing an rpm update, this does not in-itself adjust the underlying DB format, and the newer start up scripts, if they find an older database, will in-fact invoke the relevant older binary of Postgres, regardless of the alternatives system. New, or more recent installs are not affected assuming the use of our official installer as this always wipes the entire system disk, and so always establish a fresh and alternatives guided postgresql version. But Rockstor installs that have been updated from older Leap instances will inherit DB formats that were default at that time: to date we have reports of Postgres version 10 databases. It is proposed that for the next Stable release we develop a script/mechanism to identify and then migrate, in-place, older db versions to the newer 13 version that we currently favour. From the reports in our ongoing testing phase we have the following from KarstenV's testing efforts with 5.0.6-0 (RC1) rpm. Where we significantly updated our Django (twice), as well as adopting psycopg3 which are both very significant update. ``` NotSupportedError(', ‘django.db.utils.NotSupportedError: PostgreSQL 12 or later is required (found 10.23).’, ‘’] ``` Due to the Postgresql startup scripts failing over to the older Postgres to accomodate the older DB format found: ``` Jan 18 22:28:33 RockstorNAS postgresql-script[7819]: Your database files were created by PostgreSQL version 10. ``` The latter resulted when removing the co-resident postgres v10 as openSUSE can carry multiple postgres package installs and auto-selects the newest able to read the database in question. I.e. form @FroggyFlox's exposition of this issue on the linked form thread we have: > This happens when the postgresql.service systemd service tries to start. If we look at that service (systemctl cat postgresql.service), we can see it tries to run the following: > > ExecStart=/usr/share/postgresql/postgresql-script start > That file is provided by the system postgresql-server package and > That script is just a bash script that does some checks, such as compatibility between postgresql versions. The part that is failing on your machine is: ```bash if test -r $DATADIR/PG_VERSION ; then DATA_VERSION=$(cat $DATADIR/PG_VERSION) POSTGRES=/usr/lib/postgresql$(echo -n $DATA_VERSION | tr -d .)/bin/postgres fi if test -x /usr/bin/postgres; then ACTIVE=$(readlink -q -f /usr/bin/postgres) test -z "$POSTGRES" && POSTGRES="$ACTIVE" fi if test -n "$DATA_VERSION"; then if test -z "$ACTIVE" -o "$ACTIVE" != "$POSTGRES"; then echo " Your database files were created by PostgreSQL version $DATA_VERSION." if test -x "$POSTGRES"; then echo " Using the executables in $(dirname $POSTGRES)." else echo " Could not find executables for this version." echo " Please install the PostgreSQL server package for version $DATA_VERSION." fi fi ``` Similarly we might establish our own script to identify older 10 db instances: established by old official installers, and provide an in-place update mechanism via presumably: (pg_upgrade)[https://www.postgresql.org/docs/13/pgupgrade.html] which must be run under the newer/target Postgres version involved in the migration. Note that a prior name for pg_upgrade was pg_migrator.

We only try to ensure stable to stable updates and this latest testing channel release has helped to uncovered this new DB compatibility issue ready for the next Stable release. That was we can help to ensure the production update nature we have thus far maintained in the Stable channel. I.e. 4.1.0-0 updates via our how-to to 4.6.1-0. And post the above fix and many others already resolved in testing and to be resolved should help to ensure that 4.6.1-0 updates successfully to 5.1.0-0 when it is released.

The plan is to have a fix for this DB migration issue very shortly. But again this only affects Stables from 4.1.0-0 Leap 15.3 eara that have then been transitioned to latest stable as of a few days ago.

Hang in there and keep an eye on that issue. I’ll update this thread when there is a resolution at hand.

Hope that helps. And it would be good to have your confirmation of a fix on the next testing release, as your report does look a little different. But the indicated issue is my current priority re Rockstor.

Warbucks · January 21, 2024, 7:49am

Im in essentially the same boat. Webpage has no problem loading. I can run a balance for instance.

Accessing my Media Share under SMB returns an access denied error on both Windows and Kodi on my amazon fire stick. But Kodi on that same fire stick can see everything if using NFS.

Rockstor install is relatively recent as I installed a new OS drive. The original version of 5 was which ever version introduced tailscale, which ive only briefly messed with.

Its a simple file server so i can wait on the fix with out issue

phillxnet · January 21, 2024, 5:10pm

@Warbucks Hello again.

@Mark93 's report does look to be different from our ongoing, and currently prioritized database incompatibliity issue. So your likewise may not be the same either. You mention installing a version with Tailscale in. That feature currently only exists in testing and we have no installer that includes that version of testing out yet. Can you confirm that you installed your setup via one of our installers.

@Mark93 Likewise, can you confirm the nature of how you installed this instance of rockstor. Your log would suggest that your system does not have the new back-end we use for storing secrets (cliapp password), but this indicated as a dependency in our rpmbuild spec file. See:

github.com/rockstor/rockstor-rpmbuild

Adopt "password-store" #53

rockstor:testing ← phillxnet:53-Adopt-password-store

opened 03:05PM - 02 Dec 23 UTC

phillxnet

+13 -2

Align with rockstor-core changes regarding 'pass' adoption for secrets storage. …Install via OS provided 'password-store'. See partner draft PR: https://github.com/rockstor/rockstor-core/pull/2756/files ## Includes - Additional minimal setup of GNUPG & pass to enable %check scriptlet function as we need a running Django instance for our tests. - BuildRequires 'password-store' OS package for 'pass': required for %check scriptlet. - Requires 'password-store' OS package on all OS targets. - Minor README.md typos. Fixes #53

I.e. the password-store package was added as a new dependency.

We also have some setup done within the rpm scriptlets. What do you get, as the root user, at the command line, when you type pass? It should be similar to:

rleap15-5:~ # pass
Password Store
└── python-keyring
    └── rockstor
        ├── CLIENT_SECRET
        ├── SECRET_KEY_FALLBACK
        └── SECRET_KEY

Thanks to you both for the feedback, we are heading towards our next stable release now, within current testing, so such feedback on update failures etc is invaluable. The aim being to resolve all breaking changes that have been made in the earlier stages of the current testing phase.

We plan to have another testing release out due next week, so we can pick up after that one also give it should resolve at least the ongoing DB issue. And as you say @Warbucks, this will not have affected you if you installed with anything after our our early openSUSE based installer based on 15.3 and carrying our 4.1.0-0 rpm. All later installers will have created a 13 format database where-as the 10 format is the once which turned out to be too old for 5.0.6-0’s new Django and Postgres interface library.

Hope that helps. And thanks for your patience here folks. This testing phase has been a little rough on the updates but we have had many long-awaited updates along the way, so should be all good in the end.

Warbucks · January 22, 2024, 3:11am

Hello Philip!

If there wasn’t an official installer I must have installed the latest 4 version then id have turned on the testing channels.

I installed tailscale using the instructions referenced in the 5.0 announcements thread

Mark93 · January 22, 2024, 12:42pm

Hi @phillxnet
I’m not 100% sure, but I think that I used the Leap 15.4 package V4.5.8-0 from the Download Section and switched then to testing channel.
I remember that I had issues at some point with testing at V5.0.0-5.2.0 at started over with the beforementioned installer package.

The “pass” output looks more or less similar:
rockstor4:~ # pass
Password Store
└── python-keyring
└── rockstor
├── CLIENT_SECRET
├── SECRET_KEY
└── SECRET_KEY_FALLBACK

Mark93 · January 30, 2024, 7:02pm

I still have the same issues after updating to 5.0.7-0.
Also I checked some outputs from this post https://forum.rockstor.com/t/after-updating-to-5-0-6-0-web-interface-is-not-accessible-and-network-shares-are-also-not-accessible/9226/48 and it all looks like postgres v13
Except for SMB everything I tested works fine

phillxnet · January 30, 2024, 8:01pm

@Mark93 Thanks for the feedback.

We have yet to identify the SMB issue and in 5.0.7-0 we only addressed the indicated issues in the release notes. Mainly around the DB format update, if required (i.e. installs derived originally from our 15.3 based installer), and a failure to uninstall the legacy Poetry.

If you could provide any diagnostic info re Samba logs/services etc we can proceed with identifing and fixing that also.

Getting there, bit by bit.

And we do also have @KarstenV pending input on their likely related SMB failure. We have made no changes in that area ourselves, so it may be we have a further adaptation required.

Thanks again for the confirmation, and it’s good to know 5.0.7-0 otherwise installed/worked as intended.

Linking to @KarstenV thread where this likely same failure is outstanding in testing channel:

So this outstanding SMB issue is the focus for our next testing rpm release by the looks of it.

Cheers.

Mark93 · January 30, 2024, 8:43pm

Hey, I just started over with a fresh install ( Rockstor-Leap15.4-generic.x86_64-4.5.8-0.install.iso), didn’t really configure anything, updated to v5.0.7-0, set up the necessary config (pool import, smb config) and have exactly the same issue as before with v5.0.6-0 and 5.0.7-0.
The smbd log looks exactly like my previously shared output above.
I will go back to v4.5.8-0 in the meantime… If there is a new release to try, I’ll will upgrade & update asap.

Flox · January 30, 2024, 10:17pm

Confirmation that I can reproduce that error.
Of note, this seems to only concern our Samba standalone script, and not other standalone scripts such as the st-snapshot from scheduled_tasks.

After adding a simple debugging attempt in src.rockstor.scripts.__init__.py:

import os

os.environ["DJANGO_SETTINGS_MODULE"] = "settings"
import django  # noqa E402
from system.osi import run_command

o, e, rc = run_command("pass")
logger.debug(f"o: {o}; e: {e}, rc: {rc}")
django.setup()

I get the following when trying to access a samba share from my Tumbleweed laptop:

Error: password store is empty. Try "pass init".
Traceback (most recent call last):
  File "/opt/rockstor/.venv/bin/mnt-share", line 3, in <module>
    from scripts.mount_share import mount_share
  File "/opt/rockstor/src/rockstor/scripts/__init__.py", line 17, in <module>
    o, e, rc = run_command("pass")
               ^^^^^^^^^^^^^^^^^^^
  File "/opt/rockstor/src/rockstor/system/osi.py", line 263, in run_command
    raise CommandException(cmd, out, err, rc)
system.exceptions.CommandException: Error running a command. cmd = p a s s. rc = 1. stdout = ['']. stderr = ['Error: password store is empty. Try "pass init".', '']

So, same as the original report above.

As a reminder, this script is triggered as a preexec in our smb.conf. In my case:

[test_share01]
    root preexec = "/opt/rockstor/.venv/bin/mnt-share test_share01"

Running this script manually from the shell works without issue.

My best guess at the moment is that this relates to how Samba calls this root preexec script… Maybe we need to give it some env variables or something like that…
For reference:
https://manpages.opensuse.org/Tumbleweed/samba-client/smb.conf.5.en.html

Flox · January 30, 2024, 10:21pm

Further confirmation: running pass as the preexec script returns the same error:
In smb.conf:

[test_share01]
#    root preexec = "/opt/rockstor/.venv/bin/mnt-share test_share01"
    root preexec = "pass"

Returns the following error in the samba logs:

Error: password store is empty. Try "pass init".

Flox · January 30, 2024, 10:39pm

Using a different script as root preexec in an attempt to check the output of env and gpg --list-secret keys, I get:

LANG=en_US.UTF-8
SYSTEMD_EXEC_PID=15068
INVOCATION_ID=e8fb98302e374dd880eedf5ce9d99c7d
NOTIFY_SOCKET=/run/systemd/notify
SMBDOPTIONS=
PWD=/
JOURNAL_STREAM=8:27930
KRB5CCNAME=/run/samba/krb5cc_samba
NMBDOPTIONS=
PIDFILE=/run/samba/smbd.pid
_NO_WINBINDD=0
SHLVL=2
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
WINBINDOPTIONS=
_=/usr/bin/env


Print gpg secrets:
/root/.gnupg/pubring.kbx
------------------------
sec   rsa3072 2024-01-18 [SC] [expires: 2026-01-17]
      1BDEF96F988FCC0465A368051B2452E3035471FE
uid           [ultimate] rockstor@localhost
ssb   rsa3072 2024-01-18 [E]



ls -lah /root/.password-store/python-keyring/rockstor/
total 12K
drwx------ 1 root root 108 Jan 30 16:55 .
drwx------ 1 root root  16 Jan 18 10:24 ..
-rw------- 1 root root 585 Jan 18 10:37 CLIENT_SECRET.gpg
-rw------- 1 root root 551 Jan 30 16:21 SECRET_KEY_FALLBACK.gpg
-rw------- 1 root root 551 Jan 30 16:55 SECRET_KEY.gpg

The latter is similar to what I have when trying to list the keys manually from the shell on this rockstor machine:

rockstable:/opt/rockstor # gpg --list-secret-keys
/root/.gnupg/pubring.kbx
------------------------
sec   rsa3072 2024-01-18 [SC] [expires: 2026-01-17]
      1BDEF96F988FCC0465A368051B2452E3035471FE
uid           [ultimate] rockstor@localhost
ssb   rsa3072 2024-01-18 [E]

Hooverdan · January 30, 2024, 11:21pm

Do you have to explicitly set the environment variable for the password store?

export PASSWORD_STORE_DIR=<path/to/password storage>

Flox · January 30, 2024, 11:34pm

Good question… I’m afraid I’m not up to speed on that one… You are correct that we do set that in build.sh when we first pass init.
To confirm you are onto something… if the script run by root preexec has:

echo "run pass" >> /opt/rockstor/samba-env.txt
PASSWORD_STORE_DIR=/root/.password-store pass >> /opt/rockstor/samba-env.txt

I then see:

run pass
Password Store
└── python-keyring
    └── rockstor
        ├── CLIENT_SECRET
        ├── SECRET_KEY_FALLBACK
        └── SECRET_KEY

Without setting PASSWORD_STORE_DIR that way, I get the same Error: password store is empty. Try "pass init". error.
Unfortunately, setting that in the preexec line seems to upset the way Samba runs this… For instance:

    root preexec = "PASSWORD_STORE_DIR=/root/.password-store /opt/rockstor/print_env.sh"

gives me:

sh: PASSWORD_STORE_DIR=/root/.password-store: No such file or directory

Flox · January 30, 2024, 11:43pm

Or maybe we can set it in our mount_share.py script. I’m out of time to test that today, though…

Hooverdan · January 31, 2024, 4:51pm

samba has the variable substitution %$(envvar), maybe that will work better. Though it seems that adding an import of the environment variable to the script might be the better solution

Hooverdan · January 31, 2024, 7:31pm

wouldn’t this also need to be a concatenation of commands (i.e. set env variable and then execute shell script)?

    root preexec = "export PASSWORD_STORE_DIR=/root/.password-store && /opt/rockstor/print_env.sh"

Flox · January 31, 2024, 10:51pm

I did try that but I was rushed and failed to specify it… my apologies. It failed the same way.

I did try that as follows. In src/rockstor/scripts/__init__.py:

import os

os.environ["DJANGO_SETTINGS_MODULE"] = "settings"
os.environ["PASSWORD_STORE_DIR"] = "/root/.password-store"  # new line

import django  # noqa E402

django.setup()

/etc/samba/smb.conf remained as produced by Rockstor.

It does seem to fix it as I can connect to that same samba share just fine.
To confirm the need for setting that env variable continuously, I commented out that new line and I could no longer access the Samba share in question, seeing the same 'Error: password store is empty. Try "pass init".' error as before.

@Hooverdan, @phillxnet: I’m not familiar with pass yet when compared to both of you so does that seem like an appropriate fix to you?

Hooverdan · January 31, 2024, 11:14pm

Great find!
Considering that this was required in the bootstrap and pre-service to function, I would assume the same will be required for the “new” thread that the samba preexec opens to execute, But, as always, since @phillxnet did the actual implementation across, he will have an opinion on that. If it is, the question will be whether we need to consider explicit definition of the env variable in other places where it doesn’t exist yet.

Hooverdan · January 31, 2024, 11:35pm

I took the liberty and created an issue on Github for this:

github.com/rockstor/rockstor-core

(t) Samba shares not accessible after testing channel upgrade (affecting upgrades to 5.0.6-0 & 5.0.7-0)

opened 11:34PM - 31 Jan 24 UTC

Hooverdan96

Thanks to forum user [Mark93](https://forum.rockstor.com/u/Mark93), it appears t…hat in the latest testing channels (5.0.6 & 5.07) samba shares are not accessible and fail in the area related to the recently revamped secrets management. For details of symptoms and troubleshooting refer to the thread: [SMB Shares inacessible after update to 5.0.6-0](https://forum.rockstor.com/t/smb-shares-inacessible-after-update-to-5-0-6-0/9229) @FroggyFlox has identified a possible fix for this situation here: [Comment 18](https://forum.rockstor.com/t/smb-shares-inacessible-after-update-to-5-0-6-0/9229/18). If that is indeed the solve, two questions (and they can be handled in separate issues): - will other services be affected in a similar manner? - since that environment variable is used in multiple places now, can the keyring directory path be parameterized, so if in the future design decisions affect its location, it does not have to be adjusted in multiple places?