https://bugzilla.novell.com/show_bug.cgi?id=851131
https://bugzilla.novell.com/show_bug.cgi?id=851131#c18
--- Comment #18 from Lars Heide
/etc/samba/secrets.tdb.tmp rwk,
Did you really see a need/log entry for this? (I never did, and therefore the profile doesn't allow it yet.)
No, I didn't. Just a precaution I deemed harmless but you are right, I shouldn't do this if not really necessary.
audit(1410424585.466:41): apparmor="DENIED" operation="capable" parent=1941 profile="/usr/sbin/winbindd" pid=2135 comm="winbindd" pid=2135 comm="winbindd" capability=1 capname="dac_override"
Didn't seem to impair functionality. Can somebody elaborate on this?
See man capabilities(7): CAP_DAC_OVERRIDE Bypass file read, write, and execute permission checks. (DAC is an abbreviation of "discretionary access control".)
Or simplified: the process is running as root and tries to read a file that is owned by a user without permissions for root, for example -rw-r-- cb users [...] /some/file
The general rule "root is allowed to do everything" allows read and write access to this file nevertheless, but it needs the dac_override capability. (Any idea which file winbindd tried to access?)
I'm sorry, I should have been more specific. I knew what the functionality meant, just wondered why it is not allowed (i.e. is this on purpose). I see this additionally in my logs:

2014-09-03T17:44:34.044481+02:00 iek3150 winbindd[2283]: STATUS=daemon 'winbindd' finished starting up and ready to serve connectionsremove_ccache: failed to destroy user krb5 ccache FILE:/tmp/krb5cc_164480 with: Credentials cache permissions incorrect
2014-09-03T17:44:34.044708+02:00 iek3150 winbindd[2283]: [2014/09/03 17:44:34.044501, 0] ../source3/winbindd/winbindd_pam.c:2204(winbindd_dual_pam_logoff)
2014-09-03T17:44:34.044852+02:00 iek3150 winbindd[2283]: winbindd_pam_logoff: failed to remove ccache: NT_STATUS_UNSUCCESSFUL

Note: the system does not serve any files. It's just using winbind for authentication.
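Added example, not part of the original comment and not Samba or AppArmor code: the simplified rule quoted above (root reaching a file whose mode bits do not grant root access) written out as a check that reports when a uid 0 / gid 0 process would depend on dac_override. The function names and sample values are constructed for illustration, and POSIX ACLs are assumed to be absent.

```python
import os
import stat

R, W = 4, 2  # read and write bits within one rwx triplet


def dac_grants(mode, file_uid, file_gid, proc_uid, proc_gids, want):
    """Classic Unix DAC check (no ACLs): exactly one rwx triplet applies."""
    if proc_uid == file_uid:
        triplet = (mode >> 6) & 7   # owner bits
    elif file_gid in proc_gids:
        triplet = (mode >> 3) & 7   # group bits
    else:
        triplet = mode & 7          # other bits
    return (triplet & want) == want


def root_needs_dac_override(mode, file_uid, file_gid, want=R | W):
    """True if a uid 0 / gid 0 process is only let in via CAP_DAC_OVERRIDE."""
    return not dac_grants(mode, file_uid, file_gid, 0, {0}, want)


def check_path(path, want=R | W):
    """Apply the same check to a real file, using lstat() for mode and owner."""
    st = os.lstat(path)
    return root_needs_dac_override(
        stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid, want)


if __name__ == "__main__":
    # Constructed samples: (description, mode, owner uid, owner gid)
    samples = [
        ("user-owned file, mode 0600", 0o600, 1000, 100),
        ("user-owned file, mode 0644", 0o644, 1000, 100),
        ("root-owned file, mode 0600", 0o600, 0, 0),
    ]
    for desc, mode, uid, gid in samples:
        need = root_needs_dac_override(mode, uid, gid)
        print(f"{desc}: read/write as root needs dac_override = {need}")
```

Running `check_path()` over the files a confined daemon touches narrows down which access triggered a `capname="dac_override"` denial before deciding whether to add `capability dac_override,` to the profile.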