
I installed Samba 4.12.6 from source on CentOS 8.

When I start samba directly

/usr/local/samba/sbin/samba

it runs as expected.

Now I create a systemd unit:

[Unit]
Description=Samba Active Directory Domain Controller
After=network.target

[Service]
Type=forking
ExecStart=/usr/local/samba/sbin/samba -D
PIDFile=/usr/local/samba/var/run/samba.pid
ExecReload=/bin/kill -HUP $MAINPID

[Install]
WantedBy=default.target

I start it and it fails with Permission denied:

[root@centos-server-01 ~]# systemctl status samba-ad.service
● samba-ad.service - Samba Active Directory Domain Controller
   Loaded: loaded (/etc/systemd/system/samba-ad.service; disabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Fri 2020-09-04 19:03:24 CEST; 14s ago
  Process: 1549 ExecStart=/usr/local/samba/sbin/samba -D (code=exited, status=203/EXEC)

Sep 04 19:03:24 centos-server-01 systemd[1]: Starting Samba Active Directory Domain Controller...
Sep 04 19:03:24 centos-server-01 systemd[1]: samba-ad.service: Control process exited, code=exited status=203
Sep 04 19:03:24 centos-server-01 systemd[1]: samba-ad.service: Failed with result 'exit-code'.
Sep 04 19:03:24 centos-server-01 systemd[1]: Failed to start Samba Active Directory Domain Controller.

journalctl shows:

journalctl _PID=1549
-- Logs begin at Fri 2020-09-04 18:00:19 CEST, end at Fri 2020-09-04 19:03:39 CEST. --
Sep 04 19:03:24 centos-server-01 systemd[1549]: samba-ad.service: Failed to execute command: Permission denied
Sep 04 19:03:24 centos-server-01 systemd[1549]: samba-ad.service: Failed at step EXEC spawning /usr/local/samba/sbin/samba: Permission denied

The samba binary is executable:

ls -al /usr/local/samba/sbin/
total 2816
-rwxr-xr-x.  1 root root  771608 Sep  2 17:28 eventlogadm
-rwxr-xr-x.  1 root root  331304 Sep  2 17:28 nmbd
-rwxr-xr-x.  1 root root   58280 Sep  2 17:27 samba
-rwxr-xr-x.  1 root root    3616 Sep  1 20:15 samba-gpupdate
.
.

file shows:

/usr/local/samba/sbin/samba: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=3f9ee20e102f467fc12e1b4bc913472f23dcde0b, not stripped

I'm always logged in as root. I read "Failed at step EXEC spawning… Permission denied" and the following, but it has not helped.

Maybe someone has a clue for me.

Hambert
  • Check the audit log. – Michael Hampton Sep 04 '20 at 18:17
  • @MichaelHampton thanks. The audit log showed that the execution was prohibited. This allowed me to google further so that I came to the conditions of SELinux. The answer from _kofermann_ shows the solution. – Hambert Sep 06 '20 at 15:51

1 Answer

SELinux restricts the binaries that can be used in ExecStart to paths that have the system_u:object_r:bin_t:s0 attribute set. Typically those are the /usr/bin, /usr/sbin, /usr/libexec and /usr/local/bin directories. You need to move the samba binary into one of these directories or change the SELinux policy to allow systemd to use binaries in /usr/local/samba/sbin/, as:

chcon -R -t bin_t /usr/local/samba/sbin/
kofemann
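Following the audit-log hint in the comments and the relabeling in the answer, an added example that is not part of the original thread: a shell script that filters audit records for execute denials against systemd (init_t) and prints the commands that store the bin_t label as a local file-context rule, which a later relabel keeps, whereas a label set only with chcon can be reset by one. The audit lines are constructed, the usr_t type in them is an assumed value, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample of /var/log/audit/audit.log records (not from the post).
# The tcontext type usr_t is an assumption; the page does not show the real one.
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1599238999.101:310): avc:  denied  { execute } for  pid=1549 comm="(samba)" name="samba" dev="dm-0" ino=1442 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file permissive=0
type=AVC msg=audit(1599239001.002:311): avc:  denied  { read } for  pid=1600 comm="httpd" name="index.html" dev="dm-0" ino=99 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=CRED_ACQ msg=audit(1599239002.000:312): pid=1700 uid=0 auid=0 ses=3 msg='op=PAM:setcred acct="root" res=success'
EOF
}

# Read audit records on stdin and print "<file> <target type>" for each AVC
# where a process running as init_t (systemd) was denied execute on a file.
# This is the denial behind status=203/EXEC with "Permission denied".
exec_denials() {
  awk '
    $1 == "type=AVC" && /denied/ && /[{][^}]* execute / &&
    /scontext=[^ ]*:init_t:/ && /tclass=file/ {
      name = ""; ttype = ""
      for (i = 1; i <= NF; i++) {
        # inode-based records carry name=, file-based records carry path=
        if ($i ~ /^(name|path)=/) {
          name = $i; sub(/^[a-z]+=/, "", name); gsub(/"/, "", name)
        }
        # tcontext is user:role:type:level, so the type is the third part
        if ($i ~ /^tcontext=/) { split($i, c, ":"); ttype = c[3] }
      }
      print name, ttype
    }'
}

# Print (do not run) the commands that record bin_t for a directory in the
# local file-context rules and then apply the rule to the files on disk.
persistent_label_cmds() {
  dir=${1%/}   # drop a trailing slash so the regex is well formed
  printf "semanage fcontext -a -t bin_t '%s(/.*)?'\n" "$dir"
  printf 'restorecon -Rv %s\n' "$dir"
}

# On a real host: exec_denials < /var/log/audit/audit.log
sample_audit_log | exec_denials
persistent_label_cmds /usr/local/samba/sbin/
```

Running `ls -Z /usr/local/samba/sbin/samba` before and after shows whether the type changed to bin_t.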