Comment # 9 on bug 1065551 from David Disseldorp

(In reply to Aurelien Aptel from comment #7)
> Here's a diff (- is upstream, + is ours) with some personal analysis. I'm
> still for keeping ours.

Thanks for the analysis.

> --- samba-4.7.3+git.30.54c196e5d35/packaging/systemd/smb.service       
> 2017-11-29 16:17:28.000000000 +0100
> +++ vendor-files-git.4adce31/systemd/smb.service        2017-11-03
> 15:58:19.000000000 +0100
> @@ -1,16 +1,16 @@
>  [Unit]
>  Description=Samba SMB Daemon
> -After=syslog.target network.target nmb.service winbind.service
> +After=network.target nmb.service winbind.service
> 
> ^^^ we can keep upstream
> 
>  [Service]
>  Type=notify
>  NotifyAccess=all
> -PIDFile=/run/smbd.pid
> ^^^ wrong path

The waf build takes a --with-piddir= parameter, so we should just generate this
at build time. 

> +Environment=KRB5CCNAME=/run/samba/krb5cc_samba
> 
> ^^^ don't know what this is for

Looks like it's used by pam_winbind - not sure why this needs to be specified
here instead of in smb.conf - @Andreas, any reason for this?


> 
>  LimitNOFILE=16384
>  EnvironmentFile=-/etc/sysconfig/samba
> +ExecStartPre=/usr/share/samba/update-apparmor-samba-profile
> 
> ^^^ this script makes dynamic apparmor rules based on the smb.conf. we need
> to keep this AFAIK

Hmm, this is a little ugly, I guess we could add a new --with-apparmor config
parameter for Samba that sets this up (and push update-apparmor-samba-profile
upstream).