[Bug 713728] New: AD authentication with samba doesn't work without reprofiling apparmor
https://bugzilla.novell.com/show_bug.cgi?id=713728
https://bugzilla.novell.com/show_bug.cgi?id=713728#c0

           Summary: AD authentication with samba doesn't work without reprofiling apparmor
    Classification: openSUSE
           Product: openSUSE 12.1
           Version: Milestone 3
          Platform: x86-64
        OS/Version: SuSE Other
            Status: NEW
          Severity: Major
          Priority: P5 - None
         Component: AppArmor
        AssignedTo: jeffm@novell.com
        ReportedBy: diego.ercolani@gmail.com
         QAContact: qa@suse.de
          Found By: ---
           Blocker: ---

Created an attachment (id=447186)
 --> (http://bugzilla.novell.com/attachment.cgi?id=447186)
new apparmor profile for nmbd

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:5.0) Gecko/20100101 Firefox/5.0

When selecting the Active Directory Domain authentication mode, the samba services (smbd, nmbd, winbindd) are started, but without changing the apparmor profiles or disabling apparmor, samba fails without any log output.

I used the aa-logprof utility to enable the file accesses needed by the nmbd and smbd daemons. I attach my /etc/apparmor.d/usr.sbin.{nmbd,smbd} files for information purposes.

Reproducible: Always

Steps to Reproduce:
1.
2.
3.

-- 
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=713728#c1

--- Comment #1 from Diego Ercolani <diego.ercolani@gmail.com> 2011-08-23 13:32:29 UTC ---
Created an attachment (id=447187)
 --> (http://bugzilla.novell.com/attachment.cgi?id=447187)
new apparmor profile for smbd
https://bugzilla.novell.com/show_bug.cgi?id=713728#c2

Christian Boltz <suse-beta@cboltz.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED
                 CC|                            |jeffm@novell.com,
                   |                            |suse-beta@cboltz.de
         AssignedTo|jeffm@novell.com            |suse-beta@cboltz.de

--- Comment #2 from Christian Boltz <suse-beta@cboltz.de> 2011-08-23 22:24:01 CEST ---
Difference / patch against current upstream (AppArmor 2.7 beta1):

=== modified file 'profiles/apparmor.d/usr.sbin.nmbd' --- profiles/apparmor.d/usr.sbin.nmbd 2011-07-14 12:57:57 +0000 +++ profiles/apparmor.d/usr.sbin.nmbd 2011-08-23 20:16:07 +0000 @@ -7,8 +7,12 @@ capability net_bind_service, + /etc/samba/dhcp.conf r, + /proc/sys/kernel/core_pattern r, /usr/sbin/nmbd mr, /var/cache/samba/browse.dat* rw, + /var/lib/samba/* w, + /var/lib/samba/browse.dat. rw, /var/lib/samba/wins.dat* rw, /{,var/}run/samba/** rk, /{,var/}run/samba/nmbd.pid rw, === modified file 'profiles/apparmor.d/usr.sbin.smbd' --- profiles/apparmor.d/usr.sbin.smbd 2011-07-14 12:57:57 +0000 +++ profiles/apparmor.d/usr.sbin.smbd 2011-08-23 20:14:45 +0000 
@@ -18,7 +18,11 @@ /etc/mtab r, /etc/printcap r, + /etc/samba/dhcp.conf r, + /etc/samba/passdb.tdb rwk, + /etc/samba/secrets.tdb rwk, /proc/*/mounts r, + /proc/sys/kernel/core_pattern r, /usr/sbin/smbd mr, /var/cache/samba/** rwk, /var/cache/samba/printing/printers.tdb mrw,

I'm a bit worried about the /var/lib/samba/* w, in the nmbd profile. Can you restrict that to specific files? If unsure, attach your /var/log/audit/audit.log and I'll check it myself.

Note to myself: Some of these changes are already in the apparmor-profiles-samba-11.4/apparmor-profiles-samba-updated patch (only applied on 11.4:Update, not in Factory) that is currently pending for review upstream.
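Review bot: in the usr.sbin.nmbd hunk, `/var/lib/samba/* w,` grants write access to every file directly under /var/lib/samba and makes the precision of the neighbouring `/var/lib/samba/wins.dat* rw,` rule meaningless; replace it with the specific paths the audit log shows, which is what the follow-up in this comment asks for. The new `/var/lib/samba/browse.dat. rw,` line, with its literal trailing dot, matches only a file named exactly `browse.dat.`; if the intent is the suffixed temporary file, mirror the existing `/var/cache/samba/browse.dat* rw,` rule with a `browse.dat*` glob instead.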
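Review bot: in the usr.sbin.smbd hunk, `/etc/samba/passdb.tdb rwk,` and `/etc/samba/secrets.tdb rwk,` are the rules that expose Samba's credential stores (secrets.tdb holds the machine account secret after a domain join), so keep them as exact paths rather than letting them collapse into an `/etc/samba/*` glob later; the `k` is required because tdb locks its files. `/proc/sys/kernel/core_pattern r,` is added identically to both profiles in this patch and belongs in the shared abstractions/samba so the two profiles do not drift apart.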
https://bugzilla.novell.com/show_bug.cgi?id=713728#c3

--- Comment #3 from Diego Ercolani <diego.ercolani@gmail.com> 2011-08-24 07:30:36 UTC ---
Created an attachment (id=447353)
 --> (http://bugzilla.novell.com/attachment.cgi?id=447353)
the audit.log which has denied entries

As you requested, I attached the audit.log. As I'm currently working on the desktop I'm playing with, I have removed the /var/lib/samba/** permissions and moved the apparmor profiles for /usr/sbin/{smbd,nmbd} to complain mode, so I only have warnings, which I will report to you.
https://bugzilla.novell.com/show_bug.cgi?id=713728#c4

--- Comment #4 from Diego Ercolani <diego.ercolani@gmail.com> 2011-08-25 09:47:53 UTC ---
Created an attachment (id=447610)
 --> (http://bugzilla.novell.com/attachment.cgi?id=447610)
audit.log where nmbd and smbd are set only to complain mode to set a more granular permission mask

This is the file I promised, with complain mode activated.
https://bugzilla.novell.com/show_bug.cgi?id=713728#c5

--- Comment #5 from Steven Beattie <novell@nxnw.org> 2011-08-27 01:53:58 UTC ---
Hi Diego,

Not directly related to the samba elements of this bug report, I'm curious why you're seeing the following entries:

type=AVC msg=audit(1314189869.552:93): apparmor="DENIED" operation="change_hat" info="unconfined" error=-1 pid=12278 comm="su"

Are you using the apparmor pam module?

Thanks.
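Comments #2 through #5 all turn on reading access records out of audit.log: Christian offers to derive the specific /var/lib/samba files from it instead of accepting a glob, Diego collects ALLOWED records by switching both profiles to complain mode, and Steven spots an unrelated change_hat record in the same log. The script below is an added example, not code from this bug or from the AppArmor project, that does the first pass of that review: it parses audit records, merges the requested masks per (profile, path) into profile permission letters, collapses numerically suffixed temporary file names into a glob, and sets aside records that carry no file name for a human to look at. The sample records are constructed for this illustration (the paths follow the patch in comment #2; pids, timestamps and field order are made up), and the mask folding and the numeric-suffix heuristic are this example's own choices, not aa-logprof's exact behaviour.

```python
"""Derive candidate AppArmor file rules from audit records, the way a reviewer
does when a reporter attaches audit.log after running profiles in complain mode."""
import re
from collections import defaultdict

# Constructed sample records: apparmor="DENIED" comes from enforce mode,
# apparmor="ALLOWED" from complain mode.  Paths follow the thread's patch; the
# pids, timestamps and field order are invented for this example.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1314189869.101:90): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/nmbd" name="/etc/samba/dhcp.conf" pid=12270 comm="nmbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1314189869.102:91): apparmor="ALLOWED" operation="open" parent=1 profile="/usr/sbin/nmbd" name="/var/lib/samba/wins.dat" pid=12270 comm="nmbd" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
type=AVC msg=audit(1314189869.103:92): apparmor="ALLOWED" operation="file_lock" parent=1 profile="/usr/sbin/smbd" name="/etc/samba/secrets.tdb" pid=12275 comm="smbd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
type=AVC msg=audit(1314189869.104:93): apparmor="ALLOWED" operation="open" parent=1 profile="/usr/sbin/smbd" name="/etc/samba/secrets.tdb" pid=12275 comm="smbd" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0
type=AVC msg=audit(1314189869.552:94): apparmor="DENIED" operation="change_hat" info="unconfined" error=-1 pid=12278 comm="su"
type=AVC msg=audit(1314189869.600:95): apparmor="ALLOWED" operation="open" parent=1 profile="/usr/sbin/nmbd" name="/var/lib/samba/browse.dat.12270" pid=12270 comm="nmbd" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Audit mask letters that profile syntax does not spell out: create and delete
# are covered by 'w'; append ('a') is implied when 'w' is also present.
# This folding is a simplification chosen for the example.
MASK_FOLD = {"c": "w", "d": "w"}
MODE_ORDER = "mrwalk"  # order used when printing a rule's permission letters

# Heuristic for this example: a trailing ".<digits>" is treated as a pid suffix
# on a temporary file and collapsed to ".*" so one rule covers every run.
NUMERIC_SUFFIX_RE = re.compile(r"\.\d+$")


def parse_record(line):
    """Split one audit line into a dict; quoted values lose their quotes."""
    fields = {}
    for key, raw in FIELD_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def normalise_mask(mask):
    """Map an audit requested_mask onto the letters used in a profile rule."""
    letters = {MASK_FOLD.get(ch, ch) for ch in mask}
    if "w" in letters:
        letters.discard("a")
    return letters


def generalise_path(name):
    """Collapse pid-suffixed temp files such as browse.dat.12270 to browse.dat.*"""
    return NUMERIC_SUFFIX_RE.sub(".*", name)


def suggest_rules(log_text):
    """Return ({profile: [rule, ...]}, [records needing a human decision])."""
    masks = defaultdict(set)
    other = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("apparmor") not in ("DENIED", "ALLOWED"):
            continue  # STATUS lines and unrelated audit types
        if "profile" in rec and "name" in rec and "requested_mask" in rec:
            key = (rec["profile"], generalise_path(rec["name"]))
            masks[key] |= normalise_mask(rec["requested_mask"])
        else:
            # change_hat, exec transitions and similar carry no file path
            other.append(rec)
    rules = defaultdict(list)
    for (profile, path), letters in sorted(masks.items()):
        mode = "".join(ch for ch in MODE_ORDER if ch in letters)
        rules[profile].append(f"{path} {mode},")
    return dict(rules), other


if __name__ == "__main__":
    suggested, leftovers = suggest_rules(SAMPLE_AUDIT_LOG)
    for profile, lines in suggested.items():
        print(f"profile {profile}:")
        for rule in lines:
            print(f"  {rule}")
    for rec in leftovers:
        print(f"needs review: operation={rec.get('operation')} comm={rec.get('comm')}")
```

Run against a real /var/log/audit/audit.log the merged masks show at a glance which files a daemon actually touched, so a rule such as `/var/lib/samba/* w,` can be replaced by the handful of exact paths, and events like the `change_hat` record from comment #5 are surfaced separately instead of being mistaken for a missing file rule.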
https://bugzilla.novell.com/show_bug.cgi?id=713728#c6

--- Comment #6 from Christian Boltz <suse-beta@cboltz.de> 2011-08-27 20:54:16 CEST ---
Updated profiles committed upstream - should be part of AppArmor 2.7 beta2.

If you want to test the updated smbd and nmbd profiles, you can get them from
http://bazaar.launchpad.net/~apparmor-dev/apparmor/master/files/head:/profil...
(you'll also need to update abstractions/samba)
https://bugzilla.novell.com/show_bug.cgi?id=713728#c7

--- Comment #7 from Diego Ercolani <diego.ercolani@gmail.com> 2011-08-29 07:14:38 UTC ---
@Steven Beattie,
Hi, regarding pam-apparmor, honestly I didn't configure anything about authentication beyond the provided Milestone3 configuration, but it seems that yes, I'm also using apparmor:

pc-diego:/etc/pam.d # grep apparmor /etc/pam.d/*
/etc/pam.d/common-session:session optional pam_apparmor.so
/etc/pam.d/common-session-pc:session optional pam_apparmor.so
https://bugzilla.novell.com/show_bug.cgi?id=713728#c8

--- Comment #8 from Diego Ercolani <diego.ercolani@gmail.com> 2011-08-29 08:07:10 UTC ---
@Christian Boltz:
I saw you've left /var/lib/samba rwk-able... too difficult to set file by file, I know... by the way, I'm trying your profile, so I'll let you know about misconfigurations.
Thank you
https://bugzilla.novell.com/show_bug.cgi?id=713728#c9

Christian Boltz <suse-beta@cboltz.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|                            |FIXED

--- Comment #9 from Christian Boltz <suse-beta@cboltz.de> 2011-09-16 17:19:39 CEST ---
Fixed in AppArmor 2.7 beta2, which I'll commit to Factory in some hours.

If you find more problems, feel free to reopen ;-)
https://bugzilla.novell.com/show_bug.cgi?id=713728#c10

--- Comment #10 from Bernhard Wiedemann <bwiedemann@suse.com> 2011-09-16 19:00:39 CEST ---
This is an autogenerated message for OBS integration:
This bug (713728) was mentioned in
https://build.opensuse.org/request/show/82501 Factory / apparmor