On Fri, 2013-11-01 at 10:14 +0100, lynn wrote:
13.1 rc2 domain client with 13.1 rc2 file server

Hi

We cannot connect to the smbd file server unless apparmor is disabled. Here is a user logging in and requesting his home directory on the client:

1. With apparmor enabled on the file server:
:00 altet kernel: [ 197.753781] FS-Cache: Netfs 'cifs' registered for caching
2013-11-01T09:44:04.729844+01:00 altet kernel: [ 197.753872] Key type cifs.spnego registered
2013-11-01T09:44:04.729861+01:00 altet kernel: [ 197.753917] Key type cifs.idmap registered
2013-11-01T09:44:10.981390+01:00 altet kernel: [ 204.006781] CIFS VFS: Error connecting to socket. Aborting operation.
2013-11-01T09:44:10.988813+01:00 altet kerne

2. With apparmor disabled on the file server:
2013-11-01T10:01:13.830490+01:00 altet cifs.upcall: key description: cifs.spnego;3000022;20513;39010000;ver=0x2;host=altea;ip4=192.168.1.100;sec=krb5;uid=0x2dc6d6;creduid=0x2dc6d6;pid=0x4ae
2013-11-01T10:01:13.833652+01:00 altet cifs.upcall: ver=2
2013-11-01T10:01:13.843315+01:00 altet cifs.upcall: host=altea
2013-11-01T10:01:13.850828+01:00 altet cifs.upcall: ip=192.168.1.100
2013-11-01T10:01:13.852993+01:00 altet cifs.upcall: sec=1
2013-11-01T10:01:13.856451+01:00 altet cifs.upcall: uid=3000022
2013-11-01T10:01:13.859580+01:00 altet cifs.upcall: creduid=3000022
2013-11-01T10:01:13.861792+01:00 altet cifs.upcall: pid=1198
2013-11-01T10:01:13.863942+01:00 altet cifs.upcall: find_krb5_cc: considering /tmp/krb5cc_3000022_7DxCVc
2013-11-01T10:01:13.871110+01:00 altet cifs.upcall: find_krb5_cc: FILE:/tmp/krb5cc_3000022_7DxCVc is valid ccache
2013-11-01T10:01:13.875609+01:00 altet cifs.upcall: find_krb5_cc: considering /tmp/krb5cc_3000021_dOfJgo
2013-11-01T10:01:13.876966+01:00 altet cifs.upcall: find_krb5_cc: /tmp/krb5cc_30/var/log/messages lines 1413-1427/1489 96% is owned by 0, not 3000022
2013-11-01T10:01:13.881795+01:00 altet cifs.upcall: handle_krb5_mech: getting service ticket for altea
2013-11-01T10:01:13.883698+01:00 altet cifs.upcall: handle_krb5_mech: obtained service ticket
2013-11-01T10:01:13.885387+01:00 altet cifs.upcall: Exit status 0
2013-11-01T10:01:14.172911+01:00 altet systemd[1198]: Stopped target Sound Card.
2013-11-01T10:01:14.181817+01:00 altet systemd[1198]: Starting Default.
2013-11-01T10:01:14.196334+01:00 altet systemd[1198]: Reached target Default.
2013-11-01T10:01:14.204224+01:00 altet systemd[1198]: Startup finished in 491ms.
2013-11-01T10:01:14.216885+01:00 altet systemd[1]: Started User Manager for 3000022.

With apparmor, cifs cannot get through. No firewall is running on the file server. Any ideas anyone? Do we need apparmor on an internal network anyway?

Thanks,
L x

Sorry. Here are the apparmor messages:

2013-11-01T09:45:38.403856+01:00 altea kernel: [ 22.064252] type=1400 audit(1383295533.160:11): apparmor="STATUS" operation="profile_load" name="/usr/lib/dovecot/deliver" pid=402 comm="apparmor_parser"
2013-11-01T09:45:46.565992+01:00 altea kernel: [ 35.461728] type=1400 audit(1383295546.556:31): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/smbd" name="/var/lib/sss/mc/passwd" pid=673 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
2013-11-01T09:45:46.771902+01:00 altea kernel: [ 35.671857] type=1400 audit(1383295546.764:32): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/smbd" name="/var/lib/sss/mc/passwd" pid=673 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
2013-11-01T09:45:46.851116+01:00 altea kernel: [ 35.746084] type=1400 audit(1383295546.840:33): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/smbd" name="/var/lib/sss/mc/passwd" pid=673 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
2013-11-01T09:45:47.551447+01:00 altea kernel: [ 36.449978] type=1400 audit(1383295547.544:34): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/smbd" name="/var/lib/sss/pubconf/kdcinfo.HH3.SITE" pid=673 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
2013-11-01T09:45:47.576550+01:00 altea kernel: [ 36.473864] type=1400 audit(1383295547.568:35): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/smbd" name="/var/lib/sss/pubconf/kdcinfo.HH3.SITE" pid=673 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
2013-11-01T09:45:47.588061+01:00 altea kernel: [ 36.487841] type=1400 audit(1383295547.580:36): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/smbd" name="/var/lib/sss/pubconf/kdcinfo.HH3.SITE" pid=673 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
2013-11-01T09:45:47.607179+01:00 altea kernel: [ 36.505737] type=1400 audit(1383295547.600:37): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/smbd" name="/var/lib/sss/pubconf/kdcinfo.HH3.SITE" pid=673 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
2013-11-01T09:45:47.628763+01:00 altea kernel: [ 36.526730] type=1400 audit(1383295547.620:38): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/smbd" name="/var/lib/sss/pubconf/kdcinfo.HH3.SITE" pid=673 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
2013-11-01T09:45:47.655155+01:00 altea kernel: [ 36.552607] type=1400 audit(1383295547.648:39): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/smbd" name="/var/lib/sss/pubconf/kdcinfo.HH3.SITE" pid=673 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
2013-11-01T09:45:47.663271+01:00 altea kernel: [ 36.563998] type=1400 audit(1383295547.656:40): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/smbd" name="/var/lib/sss/pubconf/kdcinfo.HH3.SITE" pid=673 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
2013-11-01T09:46:04.195179+01:00 altea kernel: [ 53.093252] type=1400 audit(1383295564.188:42): apparmor="DENIED" operation="file_lock" parent=673 profile="/usr/sbin/smbd" name="/etc/krb5.keytab" pid=908 comm="smbd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
2013-11-01T09:47:09.651449+01:00 altea kernel: [ 118.550091] type=1400 audit(1383295629.644:43): apparmor="DENIED" operation="file_lock" parent=673 profile="/usr/sbin/smbd" name="/etc/krb5.keytab" pid=912 comm="smbd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
2013-11-01T09:52:52.798811+01:00 altea kernel: [ 459.429987] type=1400 audit(1383295972.791:44): apparmor="DENIED" operation="file_lock" parent=673 profile="/usr/sbin/smbd" name="/etc/krb5.keytab" pid=921 comm="smbd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0

Have we considered kerberos, sssd in combo with smbd with the profiles?

Thanks,
L x
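
Added example, not part of the original message and not openSUSE's own tooling: a small parser that groups AppArmor "DENIED" audit records like the ones posted above by profile and path, and prints each as a candidate profile rule line for review. The function names are hypothetical; the sample input is five records copied from the log in the message.

```python
import re
from collections import Counter, defaultdict

# Sample input: five records copied from the log in the message above.
SAMPLE = """\
2013-11-01T09:45:38.403856+01:00 altea kernel: [ 22.064252] type=1400 audit(1383295533.160:11): apparmor="STATUS" operation="profile_load" name="/usr/lib/dovecot/deliver" pid=402 comm="apparmor_parser"
2013-11-01T09:45:46.565992+01:00 altea kernel: [ 35.461728] type=1400 audit(1383295546.556:31): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/smbd" name="/var/lib/sss/mc/passwd" pid=673 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
2013-11-01T09:45:46.771902+01:00 altea kernel: [ 35.671857] type=1400 audit(1383295546.764:32): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/smbd" name="/var/lib/sss/mc/passwd" pid=673 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
2013-11-01T09:45:47.551447+01:00 altea kernel: [ 36.449978] type=1400 audit(1383295547.544:34): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/smbd" name="/var/lib/sss/pubconf/kdcinfo.HH3.SITE" pid=673 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
2013-11-01T09:46:04.195179+01:00 altea kernel: [ 53.093252] type=1400 audit(1383295564.188:42): apparmor="DENIED" operation="file_lock" parent=673 profile="/usr/sbin/smbd" name="/etc/krb5.keytab" pid=908 comm="smbd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
"""

# key="quoted value" or key=bare_value pairs as they appear in audit records.
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_denials(text):
    """Yield the key=value fields of every apparmor="DENIED" record."""
    for line in text.splitlines():
        fields = {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}
        # Skip STATUS/ALLOWED records and denials without a path (e.g. capabilities).
        if fields.get("apparmor") == "DENIED" and "name" in fields:
            yield fields

def summarize(text):
    """Return sorted (profile, path, denied_mask, count) tuples."""
    masks, counts = defaultdict(set), Counter()
    for d in parse_denials(text):
        key = (d["profile"], d["name"])
        masks[key].update(d["denied_mask"])  # union of permission letters seen
        counts[key] += 1
    return [(p, n, "".join(sorted(masks[p, n])), counts[p, n])
            for p, n in sorted(masks)]

def candidate_rules(text):
    """Format each denied path as a profile rule line for manual review."""
    return [f"{path} {mask},  # {count} denial(s) under profile {profile}"
            for profile, path, mask, count in summarize(text)]

if __name__ == "__main__":
    print("\n".join(candidate_rules(SAMPLE)))
```

The output lists what the profile blocked, grouped so repeated denials collapse to one line each; whether a given path should be allowed is a decision for whoever maintains the profile.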