SMB Shares inaccessible after update to 5.0.6-0

Further confirmation: running pass as the preexec script returns the same error:
In smb.conf:

[test_share01]
#    root preexec = "/opt/rockstor/.venv/bin/mnt-share test_share01"
    root preexec = "pass"

Returns the following error in the samba logs:

Error: password store is empty. Try "pass init".
1 Like

Using a different script as root preexec in an attempt to check the output of env and gpg --list-secret-keys, I get:

LANG=en_US.UTF-8
SYSTEMD_EXEC_PID=15068
INVOCATION_ID=e8fb98302e374dd880eedf5ce9d99c7d
NOTIFY_SOCKET=/run/systemd/notify
SMBDOPTIONS=
PWD=/
JOURNAL_STREAM=8:27930
KRB5CCNAME=/run/samba/krb5cc_samba
NMBDOPTIONS=
PIDFILE=/run/samba/smbd.pid
_NO_WINBINDD=0
SHLVL=2
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
WINBINDOPTIONS=
_=/usr/bin/env


Print gpg secrets:
/root/.gnupg/pubring.kbx
------------------------
sec   rsa3072 2024-01-18 [SC] [expires: 2026-01-17]
      1BDEF96F988FCC0465A368051B2452E3035471FE
uid           [ultimate] rockstor@localhost
ssb   rsa3072 2024-01-18 [E]



ls -lah /root/.password-store/python-keyring/rockstor/
total 12K
drwx------ 1 root root 108 Jan 30 16:55 .
drwx------ 1 root root  16 Jan 18 10:24 ..
-rw------- 1 root root 585 Jan 18 10:37 CLIENT_SECRET.gpg
-rw------- 1 root root 551 Jan 30 16:21 SECRET_KEY_FALLBACK.gpg
-rw------- 1 root root 551 Jan 30 16:55 SECRET_KEY.gpg

The latter is similar to what I have when trying to list the keys manually from the shell on this rockstor machine:

rockstable:/opt/rockstor # gpg --list-secret-keys
/root/.gnupg/pubring.kbx
------------------------
sec   rsa3072 2024-01-18 [SC] [expires: 2026-01-17]
      1BDEF96F988FCC0465A368051B2452E3035471FE
uid           [ultimate] rockstor@localhost
ssb   rsa3072 2024-01-18 [E]
1 Like

Do you have to explicitly set the environment variable for the password store?

export PASSWORD_STORE_DIR=<path/to/password storage>
2 Likes

Good question… I’m afraid I’m not up to speed on that one… You are correct that we do set that in build.sh when we first pass init.
To confirm you are onto something… if the script run by root preexec has:

echo "run pass" >> /opt/rockstor/samba-env.txt
PASSWORD_STORE_DIR=/root/.password-store pass >> /opt/rockstor/samba-env.txt

I then see:

run pass
Password Store
└── python-keyring
    └── rockstor
        ├── CLIENT_SECRET
        ├── SECRET_KEY_FALLBACK
        └── SECRET_KEY

Without setting PASSWORD_STORE_DIR that way, I get the same Error: password store is empty. Try "pass init". error.
Unfortunately, setting that in the preexec line seems to upset the way Samba runs this… For instance:

    root preexec = "PASSWORD_STORE_DIR=/root/.password-store /opt/rockstor/print_env.sh"

gives me:

sh: PASSWORD_STORE_DIR=/root/.password-store: No such file or directory

Or maybe we can set it in our mount_share.py script. I’m out of time to test that today, though…

Samba has the variable substitution %$(envvar); maybe that will work better. Though it seems that adding an import of the environment variable to the script might be the better solution.

1 Like

Wouldn’t this also need to be a concatenation of commands (i.e. set env variable and then execute shell script)?

    root preexec = "export PASSWORD_STORE_DIR=/root/.password-store && /opt/rockstor/print_env.sh"
1 Like

I did try that but I was rushed and failed to specify it… my apologies. It failed the same way.

I did try that as follows. In src/rockstor/scripts/__init__.py:

import os

os.environ["DJANGO_SETTINGS_MODULE"] = "settings"
os.environ["PASSWORD_STORE_DIR"] = "/root/.password-store"  # new line

import django  # noqa E402

django.setup()

/etc/samba/smb.conf remained as produced by Rockstor.

It does seem to fix it as I can connect to that same samba share just fine.
To confirm the need for setting that env variable continuously, I commented out that new line and I could no longer access the Samba share in question, seeing the same 'Error: password store is empty. Try "pass init".' error as before.

@Hooverdan, @phillxnet: I’m not familiar with pass yet when compared to both of you so does that seem like an appropriate fix to you?

2 Likes
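An added example, not part of the original posts and not Rockstor's code: it shows why the preexec environment dumped earlier in the thread leads pass to an empty store, and why pinning PASSWORD_STORE_DIR fixes it. pass resolves its store as ${PASSWORD_STORE_DIR:-$HOME/.password-store}; the function names and the sample environment are constructed for illustration.

```python
import os
import stat

# Constructed sample: a subset of the variables in the preexec env dump above.
# As in that dump, neither HOME nor PASSWORD_STORE_DIR is present.
SAMBA_PREEXEC_ENV = {
    "LANG": "en_US.UTF-8",
    "PWD": "/",
    "PATH": "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
}


def resolve_store(env):
    """Mirror pass's lookup: ${PASSWORD_STORE_DIR:-$HOME/.password-store}."""
    explicit = env.get("PASSWORD_STORE_DIR")
    if explicit:  # ':-' treats unset and empty the same way
        return explicit
    return env.get("HOME", "") + "/.password-store"


def with_store(env, store_dir):
    """Return a copy of env that pins the store, as the __init__.py line does."""
    fixed = dict(env)
    fixed["PASSWORD_STORE_DIR"] = store_dir
    return fixed


def preflight(env, owner_uid=0):
    """List the reasons pass could not safely use its store under env."""
    problems = []
    store = resolve_store(env)
    if not env.get("PASSWORD_STORE_DIR"):
        problems.append(f"PASSWORD_STORE_DIR unset, pass falls back to {store}")
    if not os.path.isdir(store):
        problems.append(f"{store} is not a directory: pass reports an empty store")
        return problems
    st = os.stat(store)
    if st.st_uid != owner_uid:
        problems.append(f"{store} is owned by uid {st.st_uid}, expected {owner_uid}")
    if stat.S_IMODE(st.st_mode) & 0o077:
        problems.append(f"{store} is accessible to group or other users")
    return problems


if __name__ == "__main__":
    for problem in preflight(SAMBA_PREEXEC_ENV):
        print("preexec env:", problem)
    for problem in preflight(with_store(SAMBA_PREEXEC_ENV, "/root/.password-store")):
        print("pinned env:", problem)
```

The ownership and mode checks match the drwx------ root root listing shown for the store earlier in the thread.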

Great find!
Considering that this was required in the bootstrap and pre-service to function, I would assume the same will be required for the “new” thread that the samba preexec opens to execute. But, as always, since @phillxnet did the actual implementation across, he will have an opinion on that. If it is, the question will be whether we need to consider explicit definition of the env variable in other places where it doesn’t exist yet.

2 Likes

I took the liberty and created an issue on GitHub for this:

2 Likes

@Mark93 @Flox @Hooverdan Nice find.

I had completely overlooked this ramification to our new secrets management added in 5.0.6-0 as a small part of an extensive update of our Python dependencies:

And yes, there is a definite requirement for us to declare the environmental variable that guides pass to its pre-configured secrets store.

Excellent exposition here folks. But I’ve yet to fully digest all this as I’m currently working in another area. Let’s try to have a fix ready for our next rpm release.

This one was quite the puzzle for a bit there :slight_smile:

2 Likes

I am also interested. Since installing 5.06.0 then updating to 5.07.0 I can no longer access my setup from my Windows 11, 10, 7 systems no matter what I try.

:sunglasses:

2 Likes

I can now connect to my Samba shares but they all show as \host\export\share_name instead of \host\share_name. A short term frustration I can overcome to be sure. Is anyone else experiencing this inconvenience?

1 Like

Hi @DrHolzer,

Thanks for reporting this. At first glance, what you described seems to fit the failing script detailed above so I think we are seeing the same root cause here.

2 Likes

@Mark93 @Flox @Hooverdan @Tex1954 @DrHolzer

Just a quick update: in the issue-specific branch of my current draft pull request, associated with the GitHub issue raised by @Hooverdan, I’m pretty sure I’m on the home run to a proper fix for at least the reported keyring.errors.NoKeyringError related to an unset PASSWORD_STORE_DIR when samba tries to run the preexec for each export.

And under @Hooverdan’s in-issue advisement :slight_smile: , and given we are still in testing phase here, I’ve also centralised our problematic secrets store env var. An overdue arrangement that seems to have found its time to be resolved.

Hope that helps, at least by way of a progress update. Once all sorted and provisionally tested, I’ll build and release our next testing channel updates rpm. This should retroactively fix all current testing rpm installs in this regard.

4 Likes

The fix shown at SMB Shares inaccessible after update to 5.0.6-0 - #18 by Flox fixed things for me. At first shares showed up as \host\exports\share-name instead of \host\share-name but after a reboot it went back to the latter.

Sorry for this not being prettier but I am sending it from my phone.

3 Likes

Just to confirm 5.0.8 fixed the SMB issue for me - thanks for all the hard work guys!

3 Likes

Seconded, working great without having to do anything other than update

3 Likes

YES YES YES!

Werky Verry Gud !!!

:smiley: :grin: :grin: :smile:

2 Likes

Yesterday I updated to version 5.0.8 and now the smb share works again. Thanks to everyone who helped. :+1:

3 Likes