(t) Samba shares not accessible 5.0.6-0 & 5.0.7-0

[Hooverdan96]

Thanks to forum user Mark93, it appears that in the latest testing channels (5.0.6 & 5.07) samba shares are not accessible and fail in the area related to the recently revamped secrets management. For details of symptoms and troubleshooting refer to the thread:

SMB Shares inaccessible after update to 5.0.6-0

@FroggyFlox has identified a possible fix for this situation here:

Comment 18.

If that is indeed the solve, two questions (and they can be handled in separate issues):

• will other services be affected in a similar manner?
• since that environment variable is used in multiple places now, can the keyring directory path be parameterized, so if in the future design decisions affect its location, it does not have to be adjusted in multiple places?

[phillxnet]

Adding associated forum reporters:
Warbucks, DrHolzer, Tex1954, McFaul.

[phillxnet]

It would be nice to have a linux cli client reproducer for this, i.e. a command line smbclient command or the like to reproduce the issue. We then have a simple proof of fix reproducer. A pull request is now in the works (draft - in-development status).

@Hooverdan96
Re:

... since that environment variable is used in multiple places now, can the keyring directory path be parameterized,

The hope is we can clean this up a tad. Take a look at the linked draft PR, I think on the poetry side we can use the indicated plugin (yet to be proven), but I'm hoping we can use this same file equally in systemd scripts via EnvironmentFile= or the like. Still a work in progress however. And likely also in bash scripts via source: again still as yet untested as I'm not yet familiar with the expected file format.

EnvironmentFile: https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#EnvironmentFile=

[FroggyFlox]

It would be nice to have a linux cli client reproducer for this

My apologies for the slightly rushed troubleshooting on the forum thread linked above. I should have provided a more clear list of steps.

The following was tested on a Rockstor-5.0.7 RPM, as well as on Rockstor built-from-source using current Testing branch:

1. Create a new share in rockstor: test_share01
2. Set Rockstor user radmin as owner, users as group for this share.
3. Configure Samba Service using Rocsktor's default (workgroup = WORKGROUP)
4. Create a Samba export for this Share using defaults: no admin user, browsable OK, no guest access, no special config.
5. On Rockstor server, check logs from client (note, this file should only be created if this client has already accessed Rocsktor's SMB server). I'm monitoring them using a simple tail:

$ tail -f /var/log/samba/log.<client_hostname>

6. Use client (Tumbleweed), to access that Samba share using smbclient:

$ smbclient --version
Version 4.19.2-git.324.fa0b54b91bSUSE-oS16.9-x86_64

$ smbclient //<Rockstor-IP-Address>/test_share01 -U radmin
Password for [WORKGROUP\radmin]:
tree connect failed: NT_STATUS_ACCESS_DENIED

The samba log shows:

$ tail -f /var/log/samba/log.<client_hostname>
[2024/02/05 17:08:47.152009,  3] ../../source3/smbd/vfs.c:141(vfs_init_custom)
  Initialising custom vfs hooks from [/[Default VFS]/]
Error: password store is empty. Try "pass init".
Traceback (most recent call last):
  File "/opt/rockstor/.venv/bin/mnt-share", line 3, in <module>
    from scripts.mount_share import mount_share
  File "/opt/rockstor/src/rockstor/scripts/__init__.py", line 8, in <module>
    django.setup()
  File "/opt/rockstor/.venv/lib/python3.11/site-packages/django/__init__.py", line 19, in setup
    configure_logging(settings.LOGGING_CONFIG, settings.LOGGING)
                      ^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/rockstor/.venv/lib/python3.11/site-packages/django/conf/__init__.py", line 102, in __getattr__
    self._setup(name)
  File "/opt/rockstor/.venv/lib/python3.11/site-packages/django/conf/__init__.py", line 89, in _setup
    self._wrapped = Settings(settings_module)
                    ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/rockstor/.venv/lib/python3.11/site-packages/django/conf/__init__.py", line 217, in __init__
    mod = importlib.import_module(self.SETTINGS_MODULE)
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib64/python3.11/importlib/__init__.py", line 126, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/rockstor/src/rockstor/settings.py", line 120, in <module>
    SECRET_KEY = keyring.get_password("rockstor", "SECRET_KEY")
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/rockstor/.venv/lib/python3.11/site-packages/keyring/core.py", line 55, in get_password
    return get_keyring().get_password(service_name, username)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/rockstor/.venv/lib/python3.11/site-packages/keyring/backends/fail.py", line 25, in get_password
    raise NoKeyringError(msg)
keyring.errors.NoKeyringError: No recommended backend was available. Install a recommended 3rd party backend package; or, install the keyrings.alt package if you want to use the non-recommended backends. See https://pypi.org/project/keyring for details.
[2024/02/05 17:08:47.645028,  1] ../../source3/smbd/service.c:721(make_connection_snum)

[phillxnet]

Closing as:
Fixed by #2797