我正在运行带有大量服务的 Pi,并发现我的smbd.service(版本 4.13.13-Debian)因错误消息而关闭:
Aug 23 18:33:43 RPi64 systemd[879]: smbd.service: Failed to execute /usr/share/samba/update-apparmor-samba-profile: Exec format error
Aug 23 18:33:43 RPi64 systemd[879]: smbd.service: Failed at step EXEC spawning /usr/share/samba/update-apparmor-samba-profile: Exec format error
Aug 23 18:33:43 RPi64 systemd[1]: smbd.service: Control process exited, code=exited, status=203/EXEC
Aug 23 18:33:43 RPi64 systemd[1]: smbd.service: Failed with result 'exit-code'.
Aug 23 18:33:43 RPi64 systemd[1]: Failed to start Samba SMB Daemon.
起初我以为我的想法/etc/samba/smb.conf是错误的,但经过一番调查后,这并不成立。我apt reinstall samba这样做了,之后服务在旧配置下运行良好。
但重启后又坏了。
所以我禁用了apparmor.service,这终于起作用了。
但是,我不知道是否apparmor应该启用它systemd,也不知道它来自哪里。直到现在它才出现。文件中有一行systemd:
ExecStartPre=/usr/share/samba/update-apparmor-samba-profile
不确定这是否是通常的情况。我最近所做的是升级到Raspbian Bullseye 64bit并pivpn安装wireguard。不确定这是否与此有关。
编辑:一天后我无法重现该问题。该文件如下所示:
pi@RPi64:~ $ sudo cat /usr/share/samba/update-apparmor-samba-profile
#!/bin/bash
# update apparmor profile sniplet based on samba configuration
#
# This script creates and updates a profile sniplet with permissions for all
# samba shares, except
# - paths with variables (anything containing a % sign)
# - "/" - if someone is insane enough to share his complete filesystem, he'll have
# to modify the apparmor profile himself
# (c) Christian Boltz 2011-2019
# This script is licensed under the GPL v2 or, at your choice, any later version.
# exit silently - used if no profile update is needed
silentexit() {
# echo "$@"
exit 0
}
# exit with an error message
verboseexit() {
echo "$@" >&2
exit 1
}
# if you change this script, _always_ update the version to force an update of the profile sniplet
versionstring="${0##*/} 1.2+deb"
aastatus="/usr/sbin/aa-status"
aaparser="/sbin/apparmor_parser"
loadedprofiles="/sys/kernel/security/apparmor/profiles"
smbconf="/etc/samba/smb.conf"
smbd_profile="/etc/apparmor.d/usr.sbin.smbd"
profilesniplet="/etc/apparmor.d/samba/smbd-shares"
tmp_profilesniplet="/etc/apparmor.d/samba/smbd-shares.new"
# test -x "$aastatus" || silentexit "apparmor not installed"
# "$aastatus" --enabled || silentexit "apparmor not loaded (or not running as root)"
test -e "$loadedprofiles" || silentexit "apparmor not loaded"
test -d "/etc/apparmor.d/samba" || silentexit "directory for samba profile snippet doesn't exist"
test -r "$loadedprofiles" || verboseexit "no read permissions for $loadedprofiles - not running as root?"
widelinks=$(testparm -s --parameter-name "wide links" 2>/dev/null)
test "$widelinks" == "Yes" && {
echo "[$(date '+%Y/%m/%d %T')] $(basename $0)"
echo ' WARNING: "wide links" enabled. You might need to modify the smbd apparmor profile manually.'
} >> /var/log/samba/log.smbd
grep -q "$versionstring" "$profilesniplet" && {
test "$smbconf" -nt "$profilesniplet" || silentexit "smb.conf is older than the AppArmor profile sniplet"
}
{
echo "# autogenerated by $versionstring at samba start - do not edit!"
echo ""
testparm -s 2>/dev/null |sed -n '/^[ \t]*path[ \t]*=[ \t]*[^% \t]\{2,\}/ s�^[ \t]*path[ \t]*=[ \t]*\([^%]*\)$�"\1/" rk,\n"\1/**" rwkl,�p'
} > "$tmp_profilesniplet"
diff "$profilesniplet" "$tmp_profilesniplet" >/dev/null && {
rm -f "$tmp_profilesniplet"
touch "$profilesniplet" # update timestamp - otherwise we'll have to check again on the next run
silentexit "profile sniplet unchanged"
}
mv -f "$tmp_profilesniplet" "$profilesniplet"
grep -q '^/usr/sbin/smbd (\|^smbd (' /sys/kernel/security/apparmor/profiles || silentexit "smbd profile not loaded"
echo "Reloading updated AppArmor profile for Samba..."
# reload profile
"$aaparser" -r "$smbd_profile"
另外,我在 Samba 配置中应用了以下行,我认为这可能会引发问题,但看起来并非如此:
include /etc/samba/includes.conf
我实际的个人添加配置(共享文件夹)都在include.conf.
编辑:
pi@RPi64:~ $ file /usr/share/samba/update-apparmor-samba-profile
/usr/share/samba/update-apparmor-samba-profile: Bourne-Again shell script, ISO-8859 text executable