OK -- two more issues have been spotted.

1./ current AppArmor profiles prevent Samba log rotation
----------------------------------------------------

In /etc/apparmor.d/abstractions/samba (latest available stable version: 15.1, fully patched), we see this:

    /var/log/samba/* w,

In order to allow rotation of log.smbd, log.nmbd, etc. to *.old, that should be:

    /var/log/samba/* rwk,

(not sure the 'k' is strictly needed)

2./ the AD DC process itself has no AppArmor profile
------------------------------------------------

The main process on a Samba4 AD DC is '/usr/sbin/samba'. That process doesn't have *any* AppArmor profile, even though I suspect it would be the most critical / vulnerable one.
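
A way to check a profile or abstraction for the gap described in item 1, as an added example that is not part of the original comment or of the Samba/AppArmor packages. It assumes, in line with the change proposed above, that rotating by rename needs `r` and `w` on the source file and `w` on the target; `rotation_gaps`, `granted` and the sample strings are hypothetical names and constructed input, and only the `*`, `**` and `?` glob forms are handled.

```python
import re

# Constructed samples: the rule quoted in the comment and the proposed replacement.
SHIPPED = "  /var/log/samba/* w,\n"
PROPOSED = "  /var/log/samba/* rwk,\n"

# Assumption: rename needs read+write on the source and write on the target.
# 'k' (lock) is not checked, since the comment leaves it open.
RENAME_SRC = set("rw")
RENAME_DST = set("w")

# Plain allow rules of the form "<path glob> <perms>,"; deny rules are ignored.
RULE = re.compile(r"^\s*(?:owner\s+)?(/\S*)\s+([rwaklmixpPuUcC]+)\s*,\s*(?:#.*)?$")

def glob_to_regex(glob):
    """Translate an AppArmor path glob: '*' stays inside one directory, '**' crosses '/'."""
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(".*"); i += 2
        elif glob[i] == "*":
            out.append("[^/]*"); i += 1
        elif glob[i] == "?":
            out.append("[^/]"); i += 1
        else:
            out.append(re.escape(glob[i])); i += 1
    return re.compile("".join(out) + r"\Z")

def granted(profile_text, path):
    """Union of permission letters from every file rule whose glob matches path."""
    perms = set()
    for line in profile_text.splitlines():
        m = RULE.match(line)
        if m and glob_to_regex(m.group(1)).match(path):
            perms |= set(m.group(2))
    return perms

def rotation_gaps(profile_text, log="/var/log/samba/log.smbd"):
    """Permissions missing for renaming log to log + '.old' under profile_text."""
    src = RENAME_SRC - granted(profile_text, log)
    dst = RENAME_DST - granted(profile_text, log + ".old")
    return {"source": sorted(src), "target": sorted(dst)}

if __name__ == "__main__":
    for name, text in (("shipped", SHIPPED), ("proposed", PROPOSED)):
        print(name, rotation_gaps(text))
```

To run it against an installed system, pass the contents of /etc/apparmor.d/abstractions/samba to `rotation_gaps` instead of the constructed strings.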