https://bugzilla.novell.com/show_bug.cgi?id=851131
https://bugzilla.novell.com/show_bug.cgi?id=851131#c17
--- Comment #17 from Christian Boltz
> I had to add this rule to apparmor to have winbind working:
>
> /var/cache/krb5rcache/* rw,
> /etc/samba/passdb.tdb.tmp rwk,

Those are already covered in security:apparmor (make sure to use the 2.8.3 package, not 2.8.96) and will be part of an update for 13.1 when a) 2.8.4 is released upstream and b) I have some time ;-)

> /etc/samba/secrets.tdb.tmp rwk,

Did you really see a need/log entry for this? (I never did, and therefore the profile doesn't allow it yet.)

> audit(1410424585.466:41): apparmor="DENIED" operation="capable" parent=1941 profile="/usr/sbin/winbindd" pid=2135 comm="winbindd" pid=2135 comm="winbindd" capability=1 capname="dac_override"
>
> Didn't seem to impair functionality. Somebody can elaborate on this?

See man capabilities(7):

    CAP_DAC_OVERRIDE
        Bypass file read, write, and execute permission checks. (DAC is an abbreviation of "discretionary access control".)

Or simplified: the process is running as root and tries to read a file that is owned by a user without permissions for root, for example

    -rw-r-- cb users [...] /some/file

The general rule "root is allowed to do everything" allows read and write access to this file nevertheless, but it needs the dac_override capability.

(Any idea which file winbindd tried to access?)
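
An added example (not part of the bug comment and not AppArmor's own tooling): a small parser that groups AppArmor `DENIED` audit records by profile, run over the log line quoted above plus two constructed records. The `fsuid`/`ouid` comparison is a heuristic assumed for this example; it flags file denials where root touched another user's file as candidates when asking which access needed `dac_override`.

```python
import re
from collections import defaultdict

# key=value or key="quoted value" pairs as they appear in audit records
_PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

SAMPLE_LOG = [
    # record quoted in the comment above
    'audit(1410424585.466:41): apparmor="DENIED" operation="capable" parent=1941 '
    'profile="/usr/sbin/winbindd" pid=2135 comm="winbindd" pid=2135 '
    'comm="winbindd" capability=1 capname="dac_override"',
    # constructed records (paths, ids and timestamps are made up for the example)
    'audit(1410424590.100:42): apparmor="DENIED" operation="open" '
    'profile="/usr/sbin/winbindd" name="/var/cache/krb5rcache/example_0" pid=2135 '
    'comm="winbindd" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=1000',
    'audit(1410424591.200:43): apparmor="ALLOWED" operation="open" '
    'profile="/usr/sbin/example" name="/tmp/example" pid=2200 comm="example" '
    'requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
]

def parse_record(line):
    """Return the key/value fields of one AppArmor audit line, else None."""
    if "apparmor=" not in line:
        return None
    fields = {}
    for key, quoted, bare in _PAIR.findall(line):
        fields.setdefault(key, quoted or bare)  # first occurrence wins
    return fields

def summarize_denials(lines):
    """Group DENIED records per profile into capability and file denials."""
    summary = defaultdict(lambda: {"capabilities": set(), "files": set(),
                                   "root_on_foreign_file": set()})
    for line in lines:
        rec = parse_record(line)
        if not rec or rec.get("apparmor") != "DENIED":
            continue  # skip non-AppArmor lines and complain-mode ALLOWED records
        entry = summary[rec.get("profile", "unknown")]
        if rec.get("operation") == "capable":
            entry["capabilities"].add(rec.get("capname", rec.get("capability")))
        elif "name" in rec:
            entry["files"].add((rec["name"], rec.get("denied_mask", "")))
            # Heuristic (assumption of this example): fsuid=0 with another owner
            # means root touched a user's file, a candidate for dac_override.
            if rec.get("fsuid") == "0" and rec.get("ouid") not in (None, "0"):
                entry["root_on_foreign_file"].add(rec["name"])
    return dict(summary)
```

A capability record carries no file name, so the file-denial records logged around the same time are the place to look for the path involved.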