Bug ID 1088736
Summary apparmor denies net_admin capability to smb, nmb and winbindd
Classification openSUSE
Product openSUSE Tumbleweed
Version Current
Hardware Other
OS openSUSE Factory
Status NEW
Severity Normal
Priority P5 - None
Component Samba
Assignee samba-maintainers@SuSE.de
Reporter susebugzilla@sajj.de
QA Contact samba-maintainers@SuSE.de
Found By ---
Blocker ---

Hi there,
I updated yesterday to the latest TW snapshot VERSION_ID="20180406", but this
seems to have been happening since 20180404, as somebody on the factory mailing
list writes.

After that, smb, nmb and winbindd won't start, but instead throw errors. It looks
like AppArmor is denying some capability "net_admin".

There is a bug from 2016,
https://bugzilla.opensuse.org/show_bug.cgi?id=991901, which sounds similar, but
it has been in state new/needinfo since 2017.

alpha:~ # systemctl status smb
● smb.service - Samba SMB Daemon
   Loaded: loaded (/usr/lib/systemd/system/smb.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Mon 2018-04-09 19:49:51 CEST; 22s ago
  Process: 6652 ExecStart=/usr/sbin/smbd $SMBDOPTIONS (code=exited, status=1/FAILURE)
  Process: 6648 ExecStartPre=/usr/share/samba/update-apparmor-samba-profile (code=exited, status=0/SUCCESS)
 Main PID: 6652 (code=exited, status=1/FAILURE)
   Status: "daemon failed to start: Failed to create session"
    Error: 1 (Die Operation ist nicht erlaubt)


AppArmor audit.log says:

type=AVC msg=audit(1523296191.449:596): apparmor="DENIED" operation="capable" profile="/usr/sbin/smbd" pid=6652 comm="smbd" capability=12 capname="net_admin"
type=AVC msg=audit(1523296254.959:597): apparmor="DENIED" operation="capable" profile="/usr/sbin/nmbd" pid=6667 comm="nmbd" capability=12 capname="net_admin"
type=AVC msg=audit(1523296296.570:598): apparmor="DENIED" operation="capable" profile="/usr/sbin/winbindd" pid=6737 comm="winbindd" capability=12 capname="net_admin"

Regards,
Andreas
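
Added example (not part of the original report, and not Samba or AppArmor project code): a small triage script that re-joins wrapped audit records like the ones quoted above and lists the denied capabilities per AppArmor profile, together with the matching profile rule to review. The function names and the sample text are constructed for illustration; the third sample record is invented to show that non-denials are ignored.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the records in the report, including the
# mail-style wrapping that splits one record over several lines.
SAMPLE = '''\
type=AVC msg=audit(1523296191.449:596): apparmor="DENIED" operation="capable"
profile="/usr/sbin/smbd" pid=6652 comm="smbd" capability=12
capname="net_admin"
type=AVC msg=audit(1523296254.959:597): apparmor="DENIED" operation="capable"
profile="/usr/sbin/nmbd" pid=6667 comm="nmbd" capability=12
capname="net_admin"
type=AVC msg=audit(1523296300.000:599): apparmor="ALLOWED" operation="open"
profile="/usr/sbin/smbd" name="/etc/samba/smb.conf" pid=6652 comm="smbd"
'''

# key="quoted value" or key=bare_value
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def records(text):
    """Yield one string per audit record; a record starts at 'type='."""
    current = []
    for line in text.splitlines():
        if line.startswith("type=") and current:
            yield " ".join(current)
            current = []
        if line.strip():
            current.append(line.strip())
    if current:
        yield " ".join(current)

def parse(record):
    """Split a record into a dict of its key=value fields."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD.finditer(record)}

def denied_capabilities(text):
    """Map each profile to the sorted capability names AppArmor denied."""
    found = defaultdict(set)
    for rec in map(parse, records(text)):
        if rec.get("apparmor") == "DENIED" and rec.get("operation") == "capable":
            found[rec["profile"]].add(rec["capname"])
    return {profile: sorted(caps) for profile, caps in found.items()}

if __name__ == "__main__":
    for profile, caps in denied_capabilities(SAMPLE).items():
        for cap in caps:
            # Candidate rule only: whether to grant it is a policy decision.
            print(f"{profile}: denied {cap}; rule to review: capability {cap},")
```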

