https://bugzilla.novell.com/show_bug.cgi?id=846586 https://bugzilla.novell.com/show_bug.cgi?id=846586#c1 David Disseldorp changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |ddiss@suse.com --- Comment #1 from David Disseldorp 2013-10-24 10:28:39 UTC --- Sounds like https://bugzilla.samba.org/show_bug.cgi?id=8845 from upstream, but it should be fixed in your code-base. Please attach logs captured at "log level = 10". -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=846586 https://bugzilla.novell.com/show_bug.cgi?id=846586#c2 --- Comment #2 from lynn wilson 2013-10-24 10:50:24 UTC --- Created an attachment (id=564799) --> (http://bugzilla.novell.com/attachment.cgi?id=564799) log level 10 log.smbd at log level 10 -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=846586 https://bugzilla.novell.com/show_bug.cgi?id=846586#c4 --- Comment #4 from lynn wilson 2013-10-24 10:51:47 UTC --- The error remains. 3.1 with a zypper dup today. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=846586 https://bugzilla.novell.com/show_bug.cgi?id=846586#c6 lynn wilson changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEEDINFO |NEW InfoProvider|lynn@steve-ss.com | --- Comment #6 from lynn wilson 2013-10-24 21:59:51 UTC --- apparmor was disabled using yast. The error remains. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=846586 https://bugzilla.novell.com/show_bug.cgi?id=846586#c Lars Müller changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |samba-maintainers@SuSE.de AssignedTo|samba-maintainers@SuSE.de |lmuelle@suse.com -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=846586 https://bugzilla.novell.com/show_bug.cgi?id=846586#c9 --- Comment #9 from Lars Müller 2013-10-25 13:33:17 CEST --- Created an attachment (id=564988) --> (http://bugzilla.novell.com/attachment.cgi?id=564988) Syslog-ng excerpt while AppArmor is in enforce mode -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=846586 https://bugzilla.novell.com/show_bug.cgi?id=846586#c11 --- Comment #11 from lynn wilson 2013-10-25 11:51:04 UTC --- (In reply to comment #10)

(In reply to comment #7)

...

Does the initial comment show the full smb.conf?

Yes. This file server is for the Linux home directories and the windows profiles only.

...

I did a fresh install from the 13.1 repositories. After joining a Microsoft domain driven by Windows 2008 server I had not been able to login.

With disabled AppArmor login against the Microsoft Domain Controller succeeded.

As the next step I turned AppArmor on again but switched the winbindd profile by calling

aa-complain /usr/sbin/winbindd

into complain mode and all worked.

After calling aa-enforce /usr/sbin/winbindd and restarting winbindd had no longer been able to authenticate against the Microsoft Windows 2008 server.

@Christian: Do you need anything further than the log files I'm going to attach in the next step?

Might this already be addressed with a later update to the apparmor-profiles package? I have apparmor-profiles-2.8.2-4.5.1.noarch installed.

This is with: rpm -q apparmor-profiles apparmor-profiles-2.8.2-4.5.1.noarch The update you refer to enabled smbd to start when apparmor was enabled. Thanks. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=846586 https://bugzilla.novell.com/show_bug.cgi?id=846586#c13 --- Comment #13 from lynn wilson 2013-10-25 20:30:23 UTC --- (In reply to comment #12)

From the logs, the winbindd profile needs the following additions:

deny capability block_suspend, /tmp/krb5cc_* rwk, /var/lib/samba/smb_krb5/krb5.conf.LURCH w, # or "krb5.conf*"? /var/lib/samba/smb_tmp_krb5.* rw, /var/lib/samba/**.tdb rwk, # to avoid/replace the ever-growing filelist - any objections? /var/log/samba/log.winbindd-dc-connect a, # maybe w instead?

As you can see from my comments, there are some detail questions.

BTW: Is the directory /var/lib/samba/smb_krb5/ shipped with the samba package or does winbindd create it at runtime if needed (this would mean we also need to allow this ;-)

See bug 807104 for details why I _deny_ block_suspend - if you have good arguments, I can of course allow it instead.

Can you please test with the lines above added to the profile, and answer my questions? I'll update the profile afterwards.

Hi. I think this is aimed at another issue. Maybe from comment #7. We cannot test this as we do not use winbind. We are joined to the domain via 'net ads join' with sssd taking responsibility for both krb5 and pam. 12.3 copes fine with sssd in this scenario. Thanks. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=846586 https://bugzilla.novell.com/show_bug.cgi?id=846586#c15 --- Comment #15 from lynn wilson 2013-11-02 07:14:58 UTC --- Re: apparmor in a domain: http://lists.opensuse.org/opensuse-factory/2013-11/msg00036.html Please could we recognise that samba is often used as a domain file server and add: /var/lib/sss/mc/passwd read (r) /var/lib/sss/pubconf/kdcinfo.$KRB5.REALM read (r) /etc/krb5.keytab lock (k) to the profile for: /usr/sbin/smbd I include the sssd files since I assumed that openSUSE now prefers it over pam ldap and nss ldap (e.g. they changed from those to sssd for their YaST ldap config). The $KRB5.REALM is not a real enviromnent variable but can easily be obtained from sssd.conf or krb5.conf. There's another problem here since sssd does not need /etc/krb5.conf to be present so apparmor looks for it and will never find it. Do we have any dev who works with Samba in a domain? Thanks so much for your help. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=846586 https://bugzilla.novell.com/show_bug.cgi?id=846586#c17 --- Comment #17 from Bernhard Wiedemann 2013-11-02 21:00:08 CET --- This is an autogenerated message for OBS integration: This bug (846586) was mentioned in https://build.opensuse.org/request/show/205616 Factory / apparmor -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=846586 https://bugzilla.novell.com/show_bug.cgi?id=846586#c19 Lars Müller changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEEDINFO |RESOLVED InfoProvider|lmuelle@suse.com | Resolution| |FIXED --- Comment #19 from Lars Müller 2013-11-26 12:49:15 CET --- (In reply to comment #12)

From the logs, the winbindd profile needs the following additions:

deny capability block_suspend, /tmp/krb5cc_* rwk,

And with the current package in openSUSE Factory we use: Environment=KRB5CCNAME=/run/samba/krb5cc_samba in the systemd service files for nmbd, smbd, and winbindd.

/var/lib/samba/smb_krb5/krb5.conf.LURCH w, # or "krb5.conf*"?

Correct, as the joined domain name gets added at the end of the file name.

/var/lib/samba/smb_tmp_krb5.* rw, /var/lib/samba/**.tdb rwk, # to avoid/replace the ever-growing filelist - any objections?

No, as these files are created by the Samba daemons.

/var/log/samba/log.winbindd-dc-connect a, # maybe w instead?

Yes. Why should we allow only append?

As you can see from my comments, there are some detail questions.

BTW: Is the directory /var/lib/samba/smb_krb5/ shipped with the samba package or does winbindd create it at runtime if needed (this would mean we also need to allow this ;-)

Winbindd creates it.

See bug 807104 for details why I _deny_ block_suspend - if you have good arguments, I can of course allow it instead.

Can you please test with the lines above added to the profile, and answer my questions? I'll update the profile afterwards.

All answers are untested. But the update is out anyhow meanwhile. Therefore I'm closing this report. We have bnc#852326 for further fun. ;) -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=846586 https://bugzilla.novell.com/show_bug.cgi?id=846586#c Christian Boltz changed: What |Removed |Added ---------------------------------------------------------------------------- AssignedTo|lmuelle@suse.com |suse-beta@cboltz.de -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=846586 https://bugzilla.novell.com/show_bug.cgi?id=846586#c22 Lars Müller changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEEDINFO |REOPENED InfoProvider|lmuelle@suse.com | --- Comment #22 from Lars Müller 2014-01-16 20:34:57 CET --- (In reply to comment #20)

Reopening - some of the things you mentioned need profile additions.

(In reply to comment #19)

...

And with the current package in openSUSE Factory we use:

Environment=KRB5CCNAME=/run/samba/krb5cc_samba

in the systemd service files for nmbd, smbd, and winbindd.

-> needs profile updates

...

...

/var/log/samba/log.winbindd-dc-connect a, # maybe w instead?

Yes. Why should we allow only append?

Counter-question: why should we allow more than append? ;-) It's a log file, so append should be enough, and ensures winbindd can't modify the log after writing it. (I'd guess there are more log files where "a" would be enough - they probably got their "w" permissions due to a bug I found in aa-logprof some months ago (it mapped "create file" to "w", but "a" is enough ;-)

It's a log file and append should be enough. We'll see. (In reply to comment #21)

The log from bnc851984 comment 13 contains:

type=1400 audit(1385505724.059:38): apparmor="DENIED" operation="mkdir" parent=1 profile="/usr/sbin/smbd" name="/var/cache/samba/" pid=2129 comm="smbd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0

Lars, does smbd need to create the /var/cache/samba/ directory on first startup? (at least rpm -qf says "not owned by any package" on my system)

That's a packaging bug. I've added %dir /var/cache/samba to the client package as we have /var/lib/samba in it too. It might be time to add a subpackage named common. This change will first go into the network:samba:STABLE/samba package and soon after into openSUSE Factory. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=846586 https://bugzilla.novell.com/show_bug.cgi?id=846586#c24 --- Comment #24 from Bernhard Wiedemann 2014-01-17 11:00:11 CET --- This is an autogenerated message for OBS integration: This bug (846586) was mentioned in https://build.opensuse.org/request/show/214148 Factory / samba -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=846586 https://bugzilla.novell.com/show_bug.cgi?id=846586#c26 Christian Boltz changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |FIXED --- Comment #26 from Christian Boltz 2014-01-19 16:19:59 CET --- (In reply to comment #25)

Can we reopen a bug that was never closed?

You don't need to do that ;-) All issues mentioned in this bug are solved in the packages in security:apparmor, and I just submitted SR 214402 to openSUSE:13.1:Update. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=846586 https://bugzilla.novell.com/show_bug.cgi?id=846586#c Swamp Workflow Management changed: What |Removed |Added ---------------------------------------------------------------------------- Status Whiteboard| |obs:running:2642:moderate -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=846586 https://bugzilla.novell.com/show_bug.cgi?id=846586#c29 --- Comment #29 from Swamp Workflow Management 2014-03-20 07:05:54 UTC --- openSUSE-SU-2014:0404-1: An update that solves two vulnerabilities and has 21 fixes is now available. Category: security (moderate) Bug References: 437293,726937,786677,844307,846586,849224,855866,856759,857454,860648,860809,860832,861135,862370,862558,863079,863748,865095,865397,865561,865641,865771,867665 CVE References: CVE-2013-4496,CVE-2013-6442 Sources used: openSUSE 13.1 (src): samba-4.1.6-3.18.1 -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=846586 https://bugzilla.novell.com/show_bug.cgi?id=846586#c31 --- Comment #31 from Lars Müller 2014-03-21 23:23:07 CET --- We need to configure --with-cachedir and use the same location as for the lockdir. As the data stored at /var/cache/samba is volatile and generated on demand there is no risk to lose anything. Cf bnc#869724#c0 for the argument. In short: keep it simple stupid (at one common location). -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=846586 https://bugzilla.novell.com/show_bug.cgi?id=846586#c33 --- Comment #33 from Lars Müller 2014-03-22 16:39:56 CET --- The cachedir relocation and changes required to the AppArmor profile due to them are tracked by bnc#869787 -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=846586 https://bugzilla.novell.com/show_bug.cgi?id=846586#c36 --- Comment #36 from Bernhard Wiedemann 2014-03-29 00:00:17 CET --- This is an autogenerated message for OBS integration: This bug (846586) was mentioned in https://build.opensuse.org/request/show/228155 Factory / samba -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=846586 https://bugzilla.novell.com/show_bug.cgi?id=846586#c Swamp Workflow Management changed: What |Removed |Added ---------------------------------------------------------------------------- Status Whiteboard|obs:running:2642:moderate |obs:running:2642:moderate | |obs:running:2889:moderate -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

http://bugzilla.novell.com/show_bug.cgi?id=846586 Swamp Workflow Management changed: What |Removed |Added ---------------------------------------------------------------------------- Whiteboard|obs:running:2642:moderate |obs:running:2642:moderate |obs:running:2889:moderate |obs:running:2889:moderate | |obs:running:3208:low -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.novell.com/show_bug.cgi?id=846586 --- Comment #39 from Swamp Workflow Management --- openSUSE-RU-2014:1481-1: An update that has 19 recommended fixes can now be installed. Category: recommended (moderate) Bug References: 846586,848215,850374,851131,852018,853019,856651,857122,863226,869787,870607,885317,886225,889650,889651,889652,892374,899746,904620 CVE References: Sources used: openSUSE 12.3 (src): apparmor-2.8.4-3.8.1 -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.novell.com/show_bug.cgi?id=846586 Swamp Workflow Management changed: What |Removed |Added ---------------------------------------------------------------------------- Whiteboard|obs:running:2889:moderate |obs:running:3208:moderate |obs:running:3208:moderate | -- You are receiving this mail because: You are on the CC list for the bug.