Comment # 3 on bug 921098 from Christian Boltz

(In reply to David Disseldorp from comment #1)
> (In reply to David Disseldorp from comment #0)
> 
> > The Apparmor profile should permit winbindd full access to these paths, like
> > smbd.
> 
> Hmm, looks like abstractions/samba would be the best place to fix this, as
> it's included by usr.sbin.smbd and usr.sbin.winbindd .

FYI: abstractions/samba is also included by usr.sbin.nmbd, and the changes you
propose are quite permissive (whole directory instead of some individual
files). Do you see any security risks in giving nmbd those additional
permissions?

BTW: You should probably switch your samba profiles into complain mode with
aa-complain, run samba for a while and then update the profiles with
aa-logprof. That's easier than fixing one permission at a time and running into
the next a minute later. Don't forget to switch the profiles back to enforce
mode with aa-enforce afterwards ;-)