[Bug 851131] New: AppArmor prevents winbind from working correctly
https://bugzilla.novell.com/show_bug.cgi?id=851131#c0

Summary: AppArmor prevents winbind from working correctly
Classification: openSUSE
Product: openSUSE 13.1
Version: Final
Platform: All
OS/Version: openSUSE 13.1
Status: NEW
Severity: Major
Priority: P5 - None
Component: AppArmor
AssignedTo: suse-beta@cboltz.de
ReportedBy: robin.roevens1@pandora.be
QAContact: qa-bugs@suse.de
Found By: ---
Blocker: ---
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:25.0) Gecko/20100101 Firefox/25.0

My openSUSE installation uses Active Directory domain authentication, configured through YaST. This installation has already worked correctly since v12.1. Today I upgraded from 12.3 to 13.1 using the instructions from https://en.opensuse.org/SDB:System_upgrade

After reboot I could no longer log in using my AD domain account. Initially journalctl showed me:

nov 19 14:18:09 ********* winbindd[3563]: [2013/11/19 14:18:09.009167, 0] ./lib/util/debug.c:595(reopen_logs_internal)
nov 19 14:18:09 ********* winbindd[3563]: Unable to open new log file '/var/log/samba/log.winbindd-dc-connect': Permission denied
nov 19 14:18:09 ********* kernel: type=1400 audit(1384867089.008:35): apparmor="DENIED" operation="open" parent=3243 profile="/usr/sbin/winbindd" name="/var/log/samba/log.winbindd-dc-connect" pid=3563 comm="winbindd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
nov 19 14:18:19 ********* winbindd[3286]: [2013/11/19 14:18:19.013899, 0] ./source3/libads/kerberos_util.c:74(ads_kinit_password)
nov 19 14:18:19 ********* winbindd[3286]: kerberos_kinit_password *********$@********* failed: Permission denied
nov 19 14:18:19 ********* kernel: type=1400 audit(1384867099.013:36): apparmor="DENIED" operation="open" parent=3243 profile="/usr/sbin/winbindd" name="/var/lib/samba/smb_krb5/krb5.conf.***" pid=3286 comm="winbindd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
nov 19 14:18:19 ********* kernel: type=1400 audit(1384867099.013:37): apparmor="DENIED" operation="open" parent=3243 profile="/usr/sbin/winbindd" name="/var/lib/samba/smb_krb5/krb5.conf.***" pid=3286 comm="winbindd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

After changing
  /var/log/samba/log.winbindd-dc-connect c,
into
  /var/log/samba/log.winbindd-dc-connect w,
in the apparmor profile /etc/apparmor.d/usr.sbin.winbindd, I now had these winbind-related errors:

nov 19 14:38:23 ********* winbindd[4342]: [2013/11/19 14:38:23.539361, 0] ./source3/lib/util_sec.c:103(assert_uid)
nov 19 14:38:23 ********* winbindd[4342]: Failed to set uid privileges to (-1,39756) now set to (0,0)
nov 19 14:38:23 ********* winbindd[4342]: [2013/11/19 14:38:23.539444, 0] ./source3/lib/util.c:785(smb_panic_s3)
nov 19 14:38:23 ********* winbindd[4342]: PANIC (pid 4342): failed to set uid
nov 19 14:38:23 ********* winbindd[4342]:
nov 19 14:38:23 uzaws0531 winbindd[4342]: [2013/11/19 14:38:23.539862, 0] ./source3/lib/util.c:896(log_stack_trace)
nov 19 14:38:23 ********* winbindd[4342]: BACKTRACE: 18 stack frames:
nov 19 14:38:23 ********* winbindd[4342]: #0 /usr/lib64/libsmbconf.so.0(log_stack_trace+0x1a) [0x7fb82acdd2ea]
nov 19 14:38:23 ********* winbindd[4342]: #1 /usr/lib64/libsmbconf.so.0(smb_panic_s3+0x20) [0x7fb82acdd3c0]
nov 19 14:38:23 ********* winbindd[4342]: #2 /usr/lib64/libsamba-util.so.0(smb_panic+0x2f) [0x7fb82f1d432f]
nov 19 14:38:23 ********* winbindd[4342]: #3 /usr/lib64/samba/libsamba3-util.so(+0x32cd) [0x7fb82aaae2cd]
nov 19 14:38:23 ********* winbindd[4342]: #4 /usr/sbin/winbindd(winbindd_dual_pam_auth+0xe27) [0x7fb82fa784d7]
nov 19 14:38:23 ********* winbindd[4342]: #5 /usr/sbin/winbindd(+0x557c4) [0x7fb82fa8c7c4]
nov 19 14:38:23 ********* winbindd[4342]: #6 /usr/lib64/libtevent.so.0(+0x904b) [0x7fb82916804b]
nov 19 14:38:23 ********* winbindd[4342]: #7 /usr/lib64/libtevent.so.0(+0x74f7) [0x7fb8291664f7]
nov 19 14:38:23 ********* winbindd[4342]: #8 /usr/lib64/libtevent.so.0(_tevent_loop_once+0x8d) [0x7fb82916300d]
nov 19 14:38:23 ********* winbindd[4342]: #9 /usr/sbin/winbindd(+0x57b1a) [0x7fb82fa8eb1a]
nov 19 14:38:23 ********* winbindd[4342]: #10 /usr/sbin/winbindd(+0x581d5) [0x7fb82fa8f1d5]
nov 19 14:38:23 ********* winbindd[4342]: #11 /usr/lib64/libtevent.so.0(tevent_common_loop_immediate+0xd4) [0x7fb829163834]
nov 19 14:38:23 ********* winbindd[4342]: #12 /usr/lib64/libtevent.so.0(+0x8e07) [0x7fb829167e07]
nov 19 14:38:23 ********* winbindd[4342]: #13 /usr/lib64/libtevent.so.0(+0x74f7) [0x7fb8291664f7]
nov 19 14:38:23 ********* winbindd[4342]: #14 /usr/lib64/libtevent.so.0(_tevent_loop_once+0x8d) [0x7fb82916300d]
nov 19 14:38:23 ********* winbindd[4342]: #15 /usr/sbin/winbindd(main+0xa92) [0x7fb82fa5ec32]
nov 19 14:38:23 ********* winbindd[4342]: #16 /lib64/libc.so.6(__libc_start_main+0xf5) [0x7fb828b85be5]
nov 19 14:38:23 ********* winbindd[4342]: #17 /usr/sbin/winbindd(+0x28325) [0x7fb82fa5f325]
nov 19 14:38:23 ********* winbindd[4342]: [2013/11/19 14:38:23.542655, 0] ./source3/lib/dumpcore.c:317(dump_core)
nov 19 14:38:23 ********* winbindd[4342]: dumping core in /var/log/samba/cores/winbindd
nov 19 14:38:23 ********* winbindd[4342]:
nov 19 14:38:23 uzaws0531 kernel: type=1400 audit(1384868303.538:77): apparmor="DENIED" operation="capable" parent=4341 profile="/usr/sbin/winbindd" pid=4342 comm="winbindd" pid=4342 comm="winbindd" capability=7 capname="setuid"

So I added
  capability setuid,
to the apparmor profile /etc/apparmor.d/usr.sbin.winbindd. But logon still failed, now reporting this:

nov 19 15:01:48 ********* kernel: audit_printk_skb: 66 callbacks suppressed
nov 19 15:01:48 ********* kernel: type=1400 audit(1384869708.922:206): apparmor="DENIED" operation="mknod" parent=4341 profile="/usr/sbin/winbindd" name="/var/tmp/*********-044_39756" pid=5747 comm="winbindd" requested_mask="c" denied_mask="c" fsuid=39756 ouid=39756

Finally adding
  capability mknod,
  /var/tmp/* rwlk,
to the apparmor profile /etc/apparmor.d/usr.sbin.winbindd resolved the logon problem. (The permissions on /var/tmp/ are maybe a bit too open, but I really wanted the problem to be solved quickly by now.)

I could now log on, but still some errors were logged:

nov 19 15:03:49 ********* kernel: audit_printk_skb: 66 callbacks suppressed
nov 19 15:03:49 ********* kernel: type=1400 audit(1384869829.321:238): apparmor="DENIED" operation="capable" parent=4341 profile="/usr/sbin/winbindd" pid=5747 comm="winbindd" pid=5747 comm="winbindd" capability=14 capname="ipc_lock"

So this time I added
  capability ipc_lock,
to the apparmor profile /etc/apparmor.d/usr.sbin.winbindd. And now I don't seem to get any more apparmor/winbind related errors when logging in using my AD domain account.

I don't know if this bug only appears when the system is upgraded from 12.3 using yast dup, or if it would also manifest when upgrading using the DVD or even doing a fresh install.

Reproducible: Didn't try

Steps to Reproduce:
1. Connect to Windows Domain using YaST
2. (Upgrade openSUSE 12.3 to 13.1 using yast dup method)
3. Try to log in using a domain account

Actual Results:
winbind can't authenticate the domain user because apparmor denies it from doing so.

Expected Results:
winbind should be able to correctly authenticate the domain user

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
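The sequence above (denial, add a rule, next denial) is what aa-logprof automates. As an added example by the editor, not code from the bug report or from the AppArmor project, the script below turns apparmor="DENIED" audit lines into candidate profile rules: file denials become path rules, "capable" denials become capability rules, and repeated denials on one path are merged. It applies two points a practitioner would want: a requested_mask of "c" (create) in the log is granted by "w" in a profile (comment #23 below says the same for the mknod denial), and a denial where fsuid equals a non-root ouid can be restricted with AppArmor's "owner" qualifier instead of an unqualified path. The sample log is constructed from the excerpts above; the redacted hostname and realm are replaced by the placeholders EXAMPLEHOST and EXAMPLE, which are assumptions.

```python
"""Turn AppArmor "DENIED" audit events into candidate profile rules.

Editor's added example, not code from this bug report or from the AppArmor
project. Sample lines are constructed from the report; EXAMPLEHOST and
EXAMPLE stand in for the redacted hostname and realm (assumptions).
"""
import re

# key=value pairs as they appear in type=1400 audit lines
AUDIT_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# requested/denied_mask letters in the log -> permission letters in a rule.
# The log reports file creation as "c"; a profile grants it with "w".
MASK_TO_RULE = {"r": "r", "w": "w", "c": "w", "a": "a", "k": "k", "l": "l", "m": "m"}
PERM_ORDER = "mrwalk"  # order used when printing a rule

# Constructed sample log: the five denials the reporter hit, in order.
SAMPLE_LOG = """\
nov 19 14:18:09 host kernel: type=1400 audit(1384867089.008:35): apparmor="DENIED" operation="open" parent=3243 profile="/usr/sbin/winbindd" name="/var/log/samba/log.winbindd-dc-connect" pid=3563 comm="winbindd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
nov 19 14:18:19 host kernel: type=1400 audit(1384867099.013:36): apparmor="DENIED" operation="open" parent=3243 profile="/usr/sbin/winbindd" name="/var/lib/samba/smb_krb5/krb5.conf.EXAMPLE" pid=3286 comm="winbindd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
nov 19 14:38:23 host kernel: type=1400 audit(1384868303.538:77): apparmor="DENIED" operation="capable" parent=4341 profile="/usr/sbin/winbindd" pid=4342 comm="winbindd" pid=4342 comm="winbindd" capability=7 capname="setuid"
nov 19 15:01:48 host kernel: type=1400 audit(1384869708.922:206): apparmor="DENIED" operation="mknod" parent=4341 profile="/usr/sbin/winbindd" name="/var/tmp/EXAMPLEHOST-044_39756" pid=5747 comm="winbindd" requested_mask="c" denied_mask="c" fsuid=39756 ouid=39756
nov 19 15:03:49 host kernel: type=1400 audit(1384869829.321:238): apparmor="DENIED" operation="capable" parent=4341 profile="/usr/sbin/winbindd" pid=5747 comm="winbindd" pid=5747 comm="winbindd" capability=14 capname="ipc_lock"
"""


def parse_audit_line(line):
    """Return the key=value fields of one AppArmor DENIED line, else None."""
    if 'apparmor="DENIED"' not in line:
        return None
    return {k: v.strip('"') for k, v in AUDIT_FIELD_RE.findall(line)}


def classify(ev):
    """Map a parsed event to ((profile, kind, target), perms) or None.

    kind is "capability" (target = capability name, perms empty) or "file"
    (target = path, optionally prefixed with "owner "). The owner prefix is
    added when the denied file belongs to the non-root uid the process is
    acting as (fsuid == ouid != 0): the least-privilege form of that rule.
    """
    profile = ev.get("profile")
    if profile is None:
        return None
    if ev.get("operation") == "capable" and "capname" in ev:
        return (profile, "capability", ev["capname"]), set()
    path = ev.get("name")
    if not path:
        return None
    perms = {MASK_TO_RULE[c] for c in ev.get("denied_mask", "") if c in MASK_TO_RULE}
    if not perms:
        return None
    owner = ev.get("fsuid") == ev.get("ouid") and ev.get("ouid") not in (None, "0")
    return (profile, "file", ("owner " if owner else "") + path), perms


def suggest_rules(log_text):
    """Return {profile: [rule, ...]} in first-seen order, permissions merged
    per path. The rules are meant for the profile or its local/ override."""
    merged = {}
    for line in log_text.splitlines():
        ev = parse_audit_line(line)
        hit = classify(ev) if ev else None
        if hit is None:
            continue
        key, perms = hit
        merged.setdefault(key, set()).update(perms)
    out = {}
    for (profile, kind, target), perms in merged.items():
        if kind == "capability":
            rule = "capability %s," % target
        else:
            rule = "%s %s," % (target, "".join(c for c in PERM_ORDER if c in perms))
        out.setdefault(profile, []).append(rule)
    return out


if __name__ == "__main__":
    for profile, rules in suggest_rules(SAMPLE_LOG).items():
        print("# rules for %s" % profile)
        for rule in rules:
            print("  " + rule)
```

Run against the sample log it prints the five rules the reporter ended up with, except that the /var/tmp entry comes out as a single owner-qualified path rather than "/var/tmp/* rwlk,"; widening a path to a glob is a decision to take deliberately, not one a log translator should make for you.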
--- Comment #1 from Christian Boltz ---

--- Comment #2 from Robin Roevens ---

--- Comment #3 from Christian Boltz ---

--- Comment #4 from Robin Roevens ---

--- Comment #5 from Robin Roevens ---

--- Comment #6 from Christian Boltz ---
/var/tmp/uzaws0531-044_39756 seems to be <hostname>-044_<UID> where <hostname> is the hostname of the current workstation and <UID> is the (idmapped) uid of the user logging on using winbind.
Unfortunately there's no apparmor variable for the hostname, but at least it's good to know that the UID is only numeric.
I don't know where 044 is coming from, and if it changes. I don't see it change after multiple winbindd restarts, logon/logoff sequences or even complete reboots..
Lars, you know samba/winbindd better than I do - is the "-044_" part static or can it be different on other machines? (I'd like to avoid rw access for /var/tmp/* - that's why I'm asking if there are fixed parts in the filename.)
--- Comment #7 from Anastasios Papadopoulos <70tas@usa.net> 2013-11-21 21:54:16 UTC ---

Anastasios Papadopoulos <70tas@usa.net> changed:
  CC: added 70tas@usa.net

I had the same issue, although I did not track it to AppArmor. I did an in-place upgrade and could not login via AD. I built a new system from the DVD; had issues getting attached to the domain via YaST. I was able to run the 'net ads join' command via CLI and it worked. However I still could not connect via AD.

Seeing this bug, I simply disabled AppArmor, and was immediately able to login.

I can provide information that may be needed, but someone will have to be explicit in what I should do, and what I should collect.
--- Comment #8 from Christian Boltz ---

--- Comment #9 from Bernhard Wiedemann ---

--- Comment #10 from Bernhard Wiedemann ---

--- Comment #11 from Christian Boltz ---

--- Comment #12 from Bernhard Wiedemann ---

--- Comment #13 from Deryk Lister ---

--- Comment #15 from Christian Boltz ---
> /var/log/messages contains:
> type=1400 audit(1400761278.341:40): apparmor="DENIED" operation="mknod" parent=2602 profile="/usr/sbin/winbindd" name="/var/tmp/s5143l-044_10000"
>
> My only thought is that I used capital letters in the hostname, and if something in apparmor is expecting to allow /var/tmp/S5143L-044_10000 instead of /var/tmp/s5143l-044_10000 that might upset it.

That's (more or less) intentional, see comment #11:
-----
The only exception is "/var/tmp/* rw," which is too broad IMHO, and I don't have a good way to restrict it to /var/tmp/$hostname. Please add this part to /etc/apparmor.d/local/usr.sbin.winbindd yourself if you need it.
-----
So please add
  /var/tmp/* rw,
to /etc/apparmor.d/local/usr.sbin.winbindd.

@Lars: the remaining section of comment 11 is still valid:
-----
Lars, I'm still waiting for an answer to comment #6 ;-)
(as an alternative, moving those files to /run/samba/ or something like that would be even better - if you do this, please tell me so that I can provide updated profiles in time.)
-----
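Comments #6 and #15 both want to avoid "/var/tmp/* rw," but see no way to pin the rule to the hostname. Two observations narrow it. First, 044 is the octal code of "$": MIT Kerberos escapes non-alphanumeric characters as "-%03o" when it derives a replay-cache file name from the first component of the server principal and appends "_<euid>", so /var/tmp/uzaws0531-044_39756 is the replay cache for the machine account principal uzaws0531$ (the same principal that failed in "kerberos_kinit_password *********$@*********" in comment #0) created by the uid winbindd was acting as; the later denial on /var/cache/krb5rcache/hostname-044_6540 in comment #22 has the same shape. Second, comment #13 shows the host part lower-cased even when the hostname has capitals. The script below is an added example by the editor, not code from the bug or from the AppArmor project: it implements AppArmor's path globbing as documented in apparmor.d(5) so a candidate rule for /etc/apparmor.d/local/usr.sbin.winbindd can be checked against the denied paths quoted in the thread and against unrelated files it must not cover. The hostnames and denied paths come from comments #0, #6 and #13; the "unrelated" paths are constructed.

```python
"""Right-size the /var/tmp rule for winbindd's Kerberos replay cache.

Editor's added example, not code from this bug or from the AppArmor
project. Denied paths are taken from the thread; UNRELATED is constructed.
"""
import re


def _glob_to_regex(glob):
    """Regex fragment for one AppArmor path glob (apparmor.d(5)): '*' and
    '?' do not cross '/', '**' does, '[...]' is a character class, '{a,b}'
    is alternation (not nested here) and '\\' escapes the next character."""
    out, i = [], 0
    while i < len(glob):
        c = glob[i]
        if glob.startswith("**", i):
            out.append(".*")
            i += 2
        elif c == "*":
            out.append("[^/]*")
            i += 1
        elif c == "?":
            out.append("[^/]")
            i += 1
        elif c == "[" and "]" in glob[i + 1:]:
            j = glob.index("]", i + 1)
            out.append("[" + glob[i + 1:j].replace("\\", "\\\\") + "]")
            i = j + 1
        elif c == "{" and "}" in glob[i + 1:]:
            j = glob.index("}", i + 1)
            alts = glob[i + 1:j].split(",")
            out.append("(?:" + "|".join(_glob_to_regex(a) for a in alts) + ")")
            i = j + 1
        elif c == "\\" and i + 1 < len(glob):
            out.append(re.escape(glob[i + 1]))
            i += 2
        else:
            out.append(re.escape(c))
            i += 1
    return "".join(out)


def rule_matches(glob, path):
    """True if the AppArmor path glob covers path (whole-path match)."""
    return re.fullmatch(_glob_to_regex(glob), path) is not None


def rcache_rule(hostname):
    """Narrow rule for this host's replay-cache file.

    The file is <host>-044_<uid>: the machine account principal <HOST>$ with
    '$' escaped as octal 044 by libkrb5, then the numeric euid. The host
    part is lower-cased (comment #13). 'owner' limits the rule to files
    owned by the uid winbindd is acting as, which is what the mknod denial
    showed (fsuid == ouid).
    """
    return "owner /var/tmp/%s-044_[0-9]* rw," % hostname.lower()


def evaluate(rule, must_match, must_not_match):
    """(missed, leaked): denied paths the rule does not cover, and unrelated
    paths it covers anyway. Both empty means the rule is right-sized."""
    glob = rule.split()[-2]  # drop an 'owner' prefix and the 'rw,' tail
    missed = [p for p in must_match if not rule_matches(glob, p)]
    leaked = [p for p in must_not_match if rule_matches(glob, p)]
    return missed, leaked


# Denied paths from the thread, keyed by the hostname of that machine.
OBSERVED = {
    "uzaws0531": "/var/tmp/uzaws0531-044_39756",  # comments #0 and #6
    "S5143L": "/var/tmp/s5143l-044_10000",        # comment #13
}
# Constructed: other files in /var/tmp that winbindd has no business with.
UNRELATED = ["/var/tmp/krb5cc_0", "/var/tmp/other-daemon.socket"]

BROAD_RULE = "/var/tmp/* rw,"  # what comment #15 suggests for the local profile


def compare(hostname):
    """Evaluate the broad rule and the narrowed one for a given host."""
    own = [OBSERVED[hostname]]
    return {
        "broad": evaluate(BROAD_RULE, own, UNRELATED),
        "narrow": evaluate(rcache_rule(hostname), own, UNRELATED),
    }


if __name__ == "__main__":
    for host in OBSERVED:
        print(host, rcache_rule(host), compare(host))
```

For both hosts the broad rule covers the denied file but also leaks the two unrelated files, while the narrowed rule covers the denied file and nothing else. The narrowed rule is still per-host, which is exactly why it belongs in the local/ override and not in the packaged profile, and "[0-9]*" cannot express "digits only" in AppArmor's glob syntax, so the uid suffix is only loosely constrained.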
--- Comment #16 from Lars Heide ---

--- Comment #17 from Christian Boltz ---
> I had to add this rule to apparmor to have winbind working:
> /var/cache/krb5rcache/* rw,
> /etc/samba/passdb.tdb.tmp rwk,

Those are already covered in security:apparmor (make sure to use the 2.8.3 package, not 2.8.96) and will be part of an update for 13.1 when a) 2.8.4 is released upstream and b) I have some time ;-)

> /etc/samba/secrets.tdb.tmp rwk,

Did you really see a need/log entry for this? (I never did, and therefore the profile doesn't allow it yet.)

> audit(1410424585.466:41): apparmor="DENIED" operation="capable" parent=1941 profile="/usr/sbin/winbindd" pid=2135 comm="winbindd" pid=2135 comm="winbindd" capability=1 capname="dac_override"
> Didn't seem to impair functionality. Somebody can elaborate on this?

See man capabilities(7):
CAP_DAC_OVERRIDE
    Bypass file read, write, and execute permission checks. (DAC is an abbreviation of "discretionary access control".)

Or simplified: the process is running as root and tries to read a file that is owned by a user without permissions for root, for example
  -rw-r-- cb users [...] /some/file

The general rule "root is allowed to do everything" allows read and write access to this file nevertheless, but it needs the dac_override capability. (Any idea which file winbindd tried to access?)
--- Comment #18 from Lars Heide ---
> > /etc/samba/secrets.tdb.tmp rwk,
>
> Did you really see a need/log entry for this? (I never did, and therefore the profile doesn't allow it yet.)

No, I didn't. Just a precaution I deemed harmless but you are right, I shouldn't do this if not really necessary.

> > audit(1410424585.466:41): apparmor="DENIED" operation="capable" parent=1941 profile="/usr/sbin/winbindd" pid=2135 comm="winbindd" pid=2135 comm="winbindd" capability=1 capname="dac_override"
> > Didn't seem to impair functionality. Somebody can elaborate on this?
>
> See man capabilities(7):
> CAP_DAC_OVERRIDE
>     Bypass file read, write, and execute permission checks. (DAC is an abbreviation of "discretionary access control".)
>
> Or simplified: the process is running as root and tries to read a file that is owned by a user without permissions for root, for example
>   -rw-r-- cb users [...] /some/file
>
> The general rule "root is allowed to do everything" allows read and write access to this file nevertheless, but it needs the dac_override capability. (Any idea which file winbindd tried to access?)

I'm sorry, I should have been more specific. I knew what the functionality meant, just wondered why it is not allowed (i.e. is this on purpose).

I see this additionally in my logs:

2014-09-03T17:44:34.044481+02:00 iek3150 winbindd[2283]: STATUS=daemon 'winbindd' finished starting up and ready to serve connectionsremove_ccache: failed to destroy user krb5 ccache FILE:/tmp/krb5cc_164480 with: Credentials cache permissions incorrect
2014-09-03T17:44:34.044708+02:00 iek3150 winbindd[2283]: [2014/09/03 17:44:34.044501, 0] ../source3/winbindd/winbindd_pam.c:2204(winbindd_dual_pam_logoff)
2014-09-03T17:44:34.044852+02:00 iek3150 winbindd[2283]: winbindd_pam_logoff: failed to remove ccache: NT_STATUS_UNSUCCESSFUL

Note: the system does not serve any files. It's just using winbind for authentication.
--- Comment #19 from Lars Heide ---

--- Comment #20 from Christian Boltz ---
> profile="/usr/sbin/winbindd" name="/var/cache/krb5rcache/hostname-044_6540"
> I think I'll disable apparmor for winbind.

Please don't ;-)
Instead, please replace your winbind profile with the profile attached to this comment and run "rcapparmor reload" to load it.

Instead of disabling the AppArmor profile for winbind, you can/should switch it to complain mode with aa-complain. This means it allows everything and logs everything the profile wouldn't allow. (Please report all log events so that I can improve the profile.)

I'm waiting for the upstream 2.8.4 release and will then submit an update for 13.1 that also includes the updated winbind profile. (You can install apparmor-profiles-2.8.3 from security:apparmor/apparmor_2_8 if you want all updated profiles.)

(In reply to comment #18)
> (In reply to comment #17)
> > audit(1410424585.466:41): apparmor="DENIED" operation="capable" parent=1941 profile="/usr/sbin/winbindd" pid=2135 comm="winbindd" pid=2135 comm="winbindd" capability=1 capname="dac_override"

This log message is from
# date -d @1410424585.466
Thu Sep 11 10:36:25 CEST 2014

> I see this additionally in my logs:
> 2014-09-03T17:44:34.044481+02:00 iek3150 winbindd[2283]:

Needless to say that this is a totally different date/event ;-)

> failed to destroy user krb5 ccache FILE:/tmp/krb5cc_164480 with: Credentials cache permissions incorrect

That's the /tmp/krb5cc_* issue you reported earlier - that's also fixed in the attached profile already.
--- Comment #21 from Lars Heide ---
> Instead, please replace your winbind profile with the profile attached to this comment and run "rcapparmor reload" to load it.

I tried "/sbin/apparmor_parser -r /etc/apparmor.d/usr.sbin.winbindd" which did not seem to load the additional file. I'll try if "rcapparmor reload" does the trick.

> (In reply to comment #18)
> This log message is from
> # date -d @1410424585.466
> Thu Sep 11 10:36:25 CEST 2014
>
> > I see this additionally in my logs:
> > 2014-09-03T17:44:34.044481+02:00 iek3150 winbindd[2283]:
>
> Needless to say that this is a totally different date/event ;-)

Yes, I have a few systems running, so I draw these errors from different sources. Sorry for having such a jumble of messages.
--- Comment #22 from Lars Heide ---
2014-09-16T12:19:55.346048+02:00 hostname kernel: [77334.850010] type=1400 audit(1410862795.340:46): apparmor="DENIED" operation="mknod" parent=23745 profile="/usr/sbin/winbindd" name="/var/cache/krb5rcache/hostname-044_6540" pid=23772 comm="winbindd" requested_mask="c" denied_mask="c" fsuid=6540 ouid=6540
Is this handled by "/var/cache/krb5rcache/* rw," or would I need "capability mknod," ?
--- Comment #23 from Christian Boltz ---
> I tried "/sbin/apparmor_parser -r /etc/apparmor.d/usr.sbin.winbindd" which did not seem to load the additional file. I'll try if "rcapparmor reload" does the trick.

Your apparmor_parser command looks correct. The expected output is nothing, which means "no need to complain about anything" ;-) (add "-v" if you want a success message)

(In reply to comment #22)
> Is this handled by "/var/cache/krb5rcache/* rw," or would I need "capability mknod," ?

mknod (creating a file) is covered by "w" - no need for an explicit capability rule.
--- Comment from Swamp Workflow Management ---

--- Comment from Swamp Workflow Management ---

--- Comment from Christian Boltz ---

--- Comment #27 from Swamp Workflow Management ---

--- Comment from Swamp Workflow Management ---