In net-fs/samba-3.0.7-r1, the file secrets.tdb is in /etc/samba/private, and thus in /etc and *thus* (most of the time) on the / fs. Because Samba's smbd needs to have that file open all the time, it's not possible to remount the containing filesystem read-only. That's a pity, because it makes it harder than necessary to take an image of the / fs - it is obviously a bad idea to take a "dd if=/dev/hda1 of=/mnt/backup-of-slash" image, if the filesystem is in rw mode.

[15:51:39 alexander@server:~] $ LC_ALL=C sudo mount -o remount,ro /
mount: / is busy
[15:51:43 alexander@server:~] $ sudo /usr/sbin/lsof / | awk '$4~/^[0-9]+[wu]/'
udevd 787 root 0u CHR 1,3 36869 /dev/null
udevd 787 root 1u CHR 1,3 36869 /dev/null
udevd 787 root 2u CHR 1,3 36869 /dev/null
smbd 16129 root 4u REG 3,7 8192 4585 /etc/samba/private/secrets.tdb
smbd 16132 root 4u REG 3,7 8192 4585 /etc/samba/private/secrets.tdb
[15:52:01 alexander@server:~] $ sudo /etc/init.d/samba stop
 * samba -> stop: smbd ... [ ok ]
 * samba -> stop: nmbd ... [ ok ]
[15:52:14 alexander@server:~] $ LC_ALL=C sudo mount -v -o remount,ro /
/dev/hda7 on / type ext3 (ro,noatime)

To be able to mount the fs ro, there must not be any file that gets written to. secrets.tdb makes that impossible. One possible - and IMO easy - fix is to make the secrets.tdb not be on /etc. IMO, it's better located at something like /var/lib/samba/private.
Reproducible: Always

Steps to Reproduce:

[15:45:32 alexander@server:~] $ emerge info
Portage 2.0.51-r3 (default-x86-2004.2, gcc-3.4.2, glibc-2.3.4.20041102-r0, 2.6.9-ck2ASN_20041106_03.no-devfs i686)
=================================================================
System uname: 2.6.9-ck2ASN_20041106_03.no-devfs i686 AMD Athlon(tm) XP 2000+
Gentoo Base System version 1.6.5
ccache version 2.3 [enabled]
Autoconf: sys-devel/autoconf-2.59-r5
Automake: sys-devel/automake-1.8.5-r1
Binutils: sys-devel/binutils-2.15.92.0.2-r1
Headers: sys-kernel/linux26-headers-2.6.8.1-r1
Libtools: sys-devel/libtool-1.5.2-r6
ACCEPT_KEYWORDS="x86 ~x86"
AUTOCLEAN="yes"
CFLAGS="-O2 -march=athlon-xp -pipe"
CHOST="i686-pc-linux-gnu"
COMPILER=""
CONFIG_PROTECT="/etc /usr/X11R6/lib/X11/xkb /usr/kde/2/share/config /usr/kde/3.3/env /usr/kde/3.3/share/config /usr/kde/3.3/shutdown /usr/kde/3/share/config /usr/lib/mozilla/defaults/pref /usr/share/config /usr/share/texmf/dvipdfm/config/ /usr/share/texmf/dvips/config/ /usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/ /usr/share/texmf/xdvi/ /var/bind /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-O2 -march=athlon-xp -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs ccache collision-protect distlocks sandbox"
GENTOO_MIRRORS="http://localhost/~alexander/gentoo-files/ http://ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/ ftp://mirrors.sec.informatik.tu-darmstadt.de/gentoo/ ftp://sunsite.informatik.rwth-aachen.de/pub/Linux/gentoo ftp://ftp.wh2.tu-dresden.de/pub/mirrors/gentoo http://194.117.158.29"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY=""
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="3dnow 3dnowex X aalib acl alsa apache2 apm arts artswrappersuid async avi bluetooth bzlib cairo calendar cddb cdparanoia cdr cdrom codecs crypt cscope cups curl curlwrappers dga diet directfb divx4linux djbfft encode esd ethereal evo exif fam fbcon fbdev ffmpeg fftw flac flash foomaticdb foreign-package foreign-sysvinit ftp fwdzone gd gdbm gif gimp gimpprint gnokii gnome gphoto2 gpm gstreamer gtk gtk2 guile hal iconv imagemagick imap imlib immqt-bc java javascript jpeg kde libedit libg++ libwww lzo lzw lzw-tiff mad maildir mailwrapper matroska matrox mbox mmap mmx mng mozilla mpeg ncurses network nls noantlr nobcel nobeanutils nobsh nocommonslogging nocommonsnet nojdepend nojsch nojython nolog4j nooro noregexp norhino noxalan noxerces nptl nptlonly offensive ofx oggvorbis opengl oss pam parse-clocks pcntl pcre pdflib perl pic pie png posix ppds python qt quicktime quotes readline recode samba sasl sdl shared slang sockets spell sse ssl svg sysvipc tcltk tcpd tetex theora tiff truetype unicode usb videos vim-with-x wmf x86 xchattext xfs xml2 xmms xv xvid zlib video_cards_matrox linguas_de"
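An added example, not part of the original report: the lsof filter from the session above, narrowed to regular files, since the remount in that session succeeded while udevd still held /dev/null open read-write. The function names and the sample text (modelled on the reported lsof output, plus one constructed read-only line) are assumptions for illustration.

```shell
#!/bin/sh
# Added example: list the open files that block "mount -o remount,ro".
# Expects lsof's default table on stdin:
#   COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME

# ro_blockers: print "COMMAND PID PATH" for every regular file that is
# held open for writing (FD access mode 'w' or 'u').
ro_blockers() {
    awk '
        $4 ~ /^[0-9]+[wu]/ && $5 == "REG" {
            # NAME runs from field 9 to end of line; keep paths with spaces.
            path = $9
            for (i = 10; i <= NF; i++) path = path " " $i
            print $1, $2, path
        }'
}

# Constructed sample, modelled on the lsof output in the report.
sample_lsof() {
    cat <<'EOF'
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF  NODE NAME
udevd     787 root    0u   CHR    1,3          36869 /dev/null
udevd     787 root    1u   CHR    1,3          36869 /dev/null
smbd    16129 root    3r   REG    3,7     1234  4400 /etc/samba/smb.conf
smbd    16129 root    4u   REG    3,7     8192  4585 /etc/samba/private/secrets.tdb
smbd    16132 root    4u   REG    3,7     8192  4585 /etc/samba/private/secrets.tdb
EOF
}

# Demo on the sample; on a live system: lsof / | ro_blockers
sample_lsof | ro_blockers
```
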
I think a symbolic link to [anywhere mounted rw] from [/etc/samba/private] could be enough... In any case, if /etc is mounted 'ro', you have to provide a symbolic link for /etc/mtab to a rw position as well....
Well, I'd rather have --with-privatedir point someplace else. A symlink is the workaround I currently use, but IMO that's not a clean solution. /etc/samba/private/secrets.tdb is the only file on my system that's open all the time. And IMO those files shouldn't be in etc.
Well, according to File System Hierarchy standards, 'private' could go on /var/lib/samba/private also. mglauche, what do you think about it?
Hmm .. as the files in private are usually not for editing by hand, the /var/lib/samba/private location would make more sense. But we need another big fat warning on the ebuild about the new location :)
ok. so, next ebuild for 3.0.8 I'm doing something about it just now
should be fixed in 3.0.8, closing this bug now