[opensuse-factory] samba woes with apparmor
13.1 rc2 domain client with 13.1 rc2 file server

Hi

We cannot connect to the smbd file server unless apparmor is disabled. Here is a user logging in and requesting his home directory on the client.

1. With apparmor enabled on the file server:

:00 altet kernel: [ 197.753781] FS-Cache: Netfs 'cifs' registered for caching
2013-11-01T09:44:04.729844+01:00 altet kernel: [ 197.753872] Key type cifs.spnego registered
2013-11-01T09:44:04.729861+01:00 altet kernel: [ 197.753917] Key type cifs.idmap registered
2013-11-01T09:44:10.981390+01:00 altet kernel: [ 204.006781] CIFS VFS: Error connecting to socket. Aborting operation.
2013-11-01T09:44:10.988813+01:00 altet kerne

2. With apparmor disabled on the file server:

2013-11-01T10:01:13.830490+01:00 altet cifs.upcall: key description: cifs.spnego;3000022;20513;39010000;ver=0x2;host=altea;ip4=192.168.1.100;sec=krb5;uid=0x2dc6d6;creduid=0x2dc6d6;pid=0x4ae
2013-11-01T10:01:13.833652+01:00 altet cifs.upcall: ver=2
2013-11-01T10:01:13.843315+01:00 altet cifs.upcall: host=altea
2013-11-01T10:01:13.850828+01:00 altet cifs.upcall: ip=192.168.1.100
2013-11-01T10:01:13.852993+01:00 altet cifs.upcall: sec=1
2013-11-01T10:01:13.856451+01:00 altet cifs.upcall: uid=3000022
2013-11-01T10:01:13.859580+01:00 altet cifs.upcall: creduid=3000022
2013-11-01T10:01:13.861792+01:00 altet cifs.upcall: pid=1198
2013-11-01T10:01:13.863942+01:00 altet cifs.upcall: find_krb5_cc: considering /tmp/krb5cc_3000022_7DxCVc
2013-11-01T10:01:13.871110+01:00 altet cifs.upcall: find_krb5_cc: FILE:/tmp/krb5cc_3000022_7DxCVc is valid ccache
2013-11-01T10:01:13.875609+01:00 altet cifs.upcall: find_krb5_cc: considering /tmp/krb5cc_3000021_dOfJgo
2013-11-01T10:01:13.876966+01:00 altet cifs.upcall: find_krb5_cc: /tmp/krb5cc_30 is owned by 0, not 3000022
2013-11-01T10:01:13.881795+01:00 altet cifs.upcall: handle_krb5_mech: getting service ticket for altea
2013-11-01T10:01:13.883698+01:00 altet cifs.upcall: handle_krb5_mech: obtained service ticket
2013-11-01T10:01:13.885387+01:00 altet cifs.upcall: Exit status 0
2013-11-01T10:01:14.172911+01:00 altet systemd[1198]: Stopped target Sound Card.
2013-11-01T10:01:14.181817+01:00 altet systemd[1198]: Starting Default.
2013-11-01T10:01:14.196334+01:00 altet systemd[1198]: Reached target Default.
2013-11-01T10:01:14.204224+01:00 altet systemd[1198]: Startup finished in 491ms.
2013-11-01T10:01:14.216885+01:00 altet systemd[1]: Started User Manager for 3000022.

With apparmor, cifs cannot get through. No firewall is running on the file server.

Any ideas anyone? Do we need apparmor on an internal network anyway?

Thanks,
L x

-- 
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
On Friday 01 of November 2013 10:14:34 lynn wrote:
> 13.1 rc2 domain client with 13.1 rc2 file server
>
> Hi
>
> We cannot connect to the smbd file server unless apparmor is disabled. Here is a user logging in and requesting his home directory on the client.
> With apparmor, cifs cannot get through. No firewall is running on the file server.
Try running aa-logprof to modify the profile accordingly.
> Any ideas anyone? Do we need apparmor on an internal network anyway?
I would argue that apparmor is always necessary, provided that the profiles are up-to-date and the administrator knows how to adjust them properly.
> Thanks,
> L x

Regards,
Peter
On Fri, 2013-11-01 at 10:14 +0100, lynn wrote:
> 13.1 rc2 domain client with 13.1 rc2 file server
>
> Hi
>
> We cannot connect to the smbd file server unless apparmor is disabled. Here is a user logging in and requesting his home directory on the client.
>
> 1. With apparmor enabled on the file server:
>
> :00 altet kernel: [ 197.753781] FS-Cache: Netfs 'cifs' registered for caching
> 2013-11-01T09:44:04.729844+01:00 altet kernel: [ 197.753872] Key type cifs.spnego registered
> 2013-11-01T09:44:04.729861+01:00 altet kernel: [ 197.753917] Key type cifs.idmap registered
> 2013-11-01T09:44:10.981390+01:00 altet kernel: [ 204.006781] CIFS VFS: Error connecting to socket. Aborting operation.
> 2013-11-01T09:44:10.988813+01:00 altet kerne
>
> 2. With apparmor disabled on the file server:
>
> 2013-11-01T10:01:13.830490+01:00 altet cifs.upcall: key description: cifs.spnego;3000022;20513;39010000;ver=0x2;host=altea;ip4=192.168.1.100;sec=krb5;uid=0x2dc6d6;creduid=0x2dc6d6;pid=0x4ae
> 2013-11-01T10:01:13.833652+01:00 altet cifs.upcall: ver=2
> 2013-11-01T10:01:13.843315+01:00 altet cifs.upcall: host=altea
> 2013-11-01T10:01:13.850828+01:00 altet cifs.upcall: ip=192.168.1.100
> 2013-11-01T10:01:13.852993+01:00 altet cifs.upcall: sec=1
> 2013-11-01T10:01:13.856451+01:00 altet cifs.upcall: uid=3000022
> 2013-11-01T10:01:13.859580+01:00 altet cifs.upcall: creduid=3000022
> 2013-11-01T10:01:13.861792+01:00 altet cifs.upcall: pid=1198
> 2013-11-01T10:01:13.863942+01:00 altet cifs.upcall: find_krb5_cc: considering /tmp/krb5cc_3000022_7DxCVc
> 2013-11-01T10:01:13.871110+01:00 altet cifs.upcall: find_krb5_cc: FILE:/tmp/krb5cc_3000022_7DxCVc is valid ccache
> 2013-11-01T10:01:13.875609+01:00 altet cifs.upcall: find_krb5_cc: considering /tmp/krb5cc_3000021_dOfJgo
> 2013-11-01T10:01:13.876966+01:00 altet cifs.upcall: find_krb5_cc: /tmp/krb5cc_30 is owned by 0, not 3000022
> 2013-11-01T10:01:13.881795+01:00 altet cifs.upcall: handle_krb5_mech: getting service ticket for altea
> 2013-11-01T10:01:13.883698+01:00 altet cifs.upcall: handle_krb5_mech: obtained service ticket
> 2013-11-01T10:01:13.885387+01:00 altet cifs.upcall: Exit status 0
> 2013-11-01T10:01:14.172911+01:00 altet systemd[1198]: Stopped target Sound Card.
> 2013-11-01T10:01:14.181817+01:00 altet systemd[1198]: Starting Default.
> 2013-11-01T10:01:14.196334+01:00 altet systemd[1198]: Reached target Default.
> 2013-11-01T10:01:14.204224+01:00 altet systemd[1198]: Startup finished in 491ms.
> 2013-11-01T10:01:14.216885+01:00 altet systemd[1]: Started User Manager for 3000022.
>
> With apparmor, cifs cannot get through. No firewall is running on the file server.
>
> Any ideas anyone? Do we need apparmor on an internal network anyway?
>
> Thanks,
> L x
Sorry. Here are the apparmor messages:

2013-11-01T09:45:38.403856+01:00 altea kernel: [ 22.064252] type=1400 audit(1383295533.160:11): apparmor="STATUS" operation="profile_load" name="/usr/lib/dovecot/deliver" pid=402 comm="apparmor_parser"
2013-11-01T09:45:46.565992+01:00 altea kernel: [ 35.461728] type=1400 audit(1383295546.556:31): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/smbd" name="/var/lib/sss/mc/passwd" pid=673 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
2013-11-01T09:45:46.771902+01:00 altea kernel: [ 35.671857] type=1400 audit(1383295546.764:32): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/smbd" name="/var/lib/sss/mc/passwd" pid=673 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
2013-11-01T09:45:46.851116+01:00 altea kernel: [ 35.746084] type=1400 audit(1383295546.840:33): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/smbd" name="/var/lib/sss/mc/passwd" pid=673 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
2013-11-01T09:45:47.551447+01:00 altea kernel: [ 36.449978] type=1400 audit(1383295547.544:34): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/smbd" name="/var/lib/sss/pubconf/kdcinfo.HH3.SITE" pid=673 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
2013-11-01T09:45:47.576550+01:00 altea kernel: [ 36.473864] type=1400 audit(1383295547.568:35): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/smbd" name="/var/lib/sss/pubconf/kdcinfo.HH3.SITE" pid=673 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
2013-11-01T09:45:47.588061+01:00 altea kernel: [ 36.487841] type=1400 audit(1383295547.580:36): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/smbd" name="/var/lib/sss/pubconf/kdcinfo.HH3.SITE" pid=673 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
2013-11-01T09:45:47.607179+01:00 altea kernel: [ 36.505737] type=1400 audit(1383295547.600:37): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/smbd" name="/var/lib/sss/pubconf/kdcinfo.HH3.SITE" pid=673 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
2013-11-01T09:45:47.628763+01:00 altea kernel: [ 36.526730] type=1400 audit(1383295547.620:38): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/smbd" name="/var/lib/sss/pubconf/kdcinfo.HH3.SITE" pid=673 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
2013-11-01T09:45:47.655155+01:00 altea kernel: [ 36.552607] type=1400 audit(1383295547.648:39): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/smbd" name="/var/lib/sss/pubconf/kdcinfo.HH3.SITE" pid=673 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
2013-11-01T09:45:47.663271+01:00 altea kernel: [ 36.563998] type=1400 audit(1383295547.656:40): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/smbd" name="/var/lib/sss/pubconf/kdcinfo.HH3.SITE" pid=673 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
2013-11-01T09:46:04.195179+01:00 altea kernel: [ 53.093252] type=1400 audit(1383295564.188:42): apparmor="DENIED" operation="file_lock" parent=673 profile="/usr/sbin/smbd" name="/etc/krb5.keytab" pid=908 comm="smbd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
2013-11-01T09:47:09.651449+01:00 altea kernel: [ 118.550091] type=1400 audit(1383295629.644:43): apparmor="DENIED" operation="file_lock" parent=673 profile="/usr/sbin/smbd" name="/etc/krb5.keytab" pid=912 comm="smbd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
2013-11-01T09:52:52.798811+01:00 altea kernel: [ 459.429987] type=1400 audit(1383295972.791:44): apparmor="DENIED" operation="file_lock" parent=673 profile="/usr/sbin/smbd" name="/etc/krb5.keytab" pid=921 comm="smbd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0

Have we considered kerberos, sssd in combo with smbd with the profiles?

Thanks,
L x
On 2013-11-01 10:32, lynn wrote:
> Sorry. Here are the apparmor messages:
It is telling you exactly what to do.
> 2013-11-01T09:45:47.551447+01:00 altea kernel: [ 36.449978] type=1400 audit(1383295547.544:34): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/smbd" name="/var/lib/sss/pubconf/kdcinfo.HH3.SITE"
You need to allow open file /var/lib/sss/pubconf/kdcinfo.HH3.SITE in profile /usr/sbin/smbd
> 2013-11-01T09:46:04.195179+01:00 altea kernel: [ 53.093252] type=1400 audit(1383295564.188:42): apparmor="DENIED" operation="file_lock" parent=673 profile="/usr/sbin/smbd" name="/etc/krb5.keytab" pid=908 comm="smbd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
You need to allow lock of /etc/krb5.keytab

etc.

-- 
Cheers / Saludos,

Carlos E. R.
(from 12.3 x86_64 "Dartmouth" at Telcontar)
On Fri, 2013-11-01 at 11:59 +0100, Carlos E. R. wrote:
> On 2013-11-01 10:32, lynn wrote:
>> Sorry. Here are the apparmor messages:
> It is telling you exactly what to do.
>> 2013-11-01T09:45:47.551447+01:00 altea kernel: [ 36.449978] type=1400 audit(1383295547.544:34): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/smbd" name="/var/lib/sss/pubconf/kdcinfo.HH3.SITE"
> You need to allow open file /var/lib/sss/pubconf/kdcinfo.HH3.SITE in profile /usr/sbin/smbd
>> 2013-11-01T09:46:04.195179+01:00 altea kernel: [ 53.093252] type=1400 audit(1383295564.188:42): apparmor="DENIED" operation="file_lock" parent=673 profile="/usr/sbin/smbd" name="/etc/krb5.keytab" pid=908 comm="smbd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
> You need to allow lock of /etc/krb5.keytab
> etc.
Hi

Yeah. OK, thanks. I've added the files. openSUSE always seems to overlook anything that's kerberized. Even Samba!

L x
Hello,

On Friday, 1 November 2013, lynn wrote:
> On Fri, 2013-11-01 at 11:59 +0100, Carlos E. R. wrote:
>> On 2013-11-01 10:32, lynn wrote:
>>> 2013-11-01T09:45:47.551447+01:00 altea kernel: [ 36.449978] type=1400 audit(1383295547.544:34): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/smbd" name="/var/lib/sss/pubconf/kdcinfo.HH3.SITE"
>> You need to allow open file /var/lib/sss/pubconf/kdcinfo.HH3.SITE in profile /usr/sbin/smbd
Is "HH3.SITE" your hostname? If yes, you should allow kdcinfo.* instead.
>>> 2013-11-01T09:46:04.195179+01:00 altea kernel: [ 53.093252] type=1400 audit(1383295564.188:42): apparmor="DENIED" operation="file_lock" parent=673 profile="/usr/sbin/smbd" name="/etc/krb5.keytab" pid=908 comm="smbd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
>> You need to allow lock of /etc/krb5.keytab
>> etc.
> Hi
>
> Yeah. OK, thanks. I've added the files. openSUSE always seems to overlook anything that's kerberized. Even Samba!
Last time I used samba was maybe 4 years ago [1], and I only have a very basic samba config. This also means I don't know every possible config option and what it could require.

Can you please open a bugreport with your profile additions?

Regards,

Christian Boltz

[1] just starting it to test the basics of the AppArmor profile (which I did some weeks ago) doesn't count as usage ;-)

-- 
Malicious tongues claim that a signed certificate attests to the client that an unknown server operator has paid money to an unknown CA operator. For a communication, that is of course a rather useless guarantee.
[http://blog.koehntopp.de/archives/3166-Not-Fixing-SSL.html]
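The two fixes Carlos reads off the audit lines (allow open of the sssd kdcinfo file, allow lock of /etc/krb5.keytab) and Christian's point that the realm-specific kdcinfo.HH3.SITE should be widened to kdcinfo.*, worked as an added example that is not from the thread or from the openSUSE profiles: a small parser that turns apparmor="DENIED" kernel lines like the ones above into candidate rules for the /usr/sbin/smbd profile, the same kind of derivation aa-logprof does interactively. The sample lines are copied from the thread; the kdcinfo.* widening and the permission ordering are this example's own assumptions.

```python
import re

# Constructed sample: audit lines as posted in the thread (one STATUS line
# included to show it is ignored).
SAMPLE_LOG = """\
2013-11-01T09:45:38.403856+01:00 altea kernel: [ 22.064252] type=1400 audit(1383295533.160:11): apparmor="STATUS" operation="profile_load" name="/usr/lib/dovecot/deliver" pid=402 comm="apparmor_parser"
2013-11-01T09:45:46.565992+01:00 altea kernel: [ 35.461728] type=1400 audit(1383295546.556:31): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/smbd" name="/var/lib/sss/mc/passwd" pid=673 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
2013-11-01T09:45:47.551447+01:00 altea kernel: [ 36.449978] type=1400 audit(1383295547.544:34): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/smbd" name="/var/lib/sss/pubconf/kdcinfo.HH3.SITE" pid=673 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
2013-11-01T09:46:04.195179+01:00 altea kernel: [ 53.093252] type=1400 audit(1383295564.188:42): apparmor="DENIED" operation="file_lock" parent=673 profile="/usr/sbin/smbd" name="/etc/krb5.keytab" pid=908 comm="smbd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
"""

# key="value" pairs as they appear in type=1400 audit records
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
# Permission letters in the order AppArmor profiles conventionally list them
MODE_ORDER = "rwalkm"


def parse_denials(log_text):
    """Return (profile, path, denied_mask) for every apparmor="DENIED" file event."""
    events = []
    for line in log_text.splitlines():
        fields = dict(FIELD_RE.findall(line))
        if fields.get("apparmor") != "DENIED" or "name" not in fields:
            continue  # STATUS / ALLOWED records or non-file denials
        events.append((fields["profile"], fields["name"], fields["denied_mask"]))
    return events


def generalize(path):
    """Widen the per-realm kdcinfo.<REALM> file to kdcinfo.* (assumption from
    Christian's suggestion; the directory itself stays fixed)."""
    if path.startswith("/var/lib/sss/pubconf/kdcinfo."):
        return "/var/lib/sss/pubconf/kdcinfo.*"
    return path


def suggest_rules(log_text):
    """Merge denied masks per (profile, path) and emit one file rule per path,
    grouped by profile, e.g. '/etc/krb5.keytab k,'."""
    merged = {}
    for profile, path, mask in parse_denials(log_text):
        key = (profile, generalize(path))
        merged[key] = merged.get(key, set()) | set(mask)
    rules = {}
    for (profile, path), masks in sorted(merged.items()):
        mode = "".join(c for c in MODE_ORDER if c in masks)
        rules.setdefault(profile, []).append(f"{path} {mode},")
    return rules


if __name__ == "__main__":
    for profile, lines in suggest_rules(SAMPLE_LOG).items():
        print(f"# additions for profile {profile}")
        print("\n".join("  " + r for r in lines))
```

The emitted lines are candidates to review, not to paste blindly: a path such as /var/lib/sss/mc/passwd is a memory-mapped cache, so check the mask once the "r" denial is gone, and reload with apparmor_parser -r as usual.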
On Fri, 2013-11-01 at 15:57 +0100, Christian Boltz wrote:
> Hello,
> On Friday, 1 November 2013, lynn wrote:
>> On Fri, 2013-11-01 at 11:59 +0100, Carlos E. R. wrote:
>>> On 2013-11-01 10:32, lynn wrote:
>>>> 2013-11-01T09:45:47.551447+01:00 altea kernel: [ 36.449978] type=1400 audit(1383295547.544:34): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/smbd" name="/var/lib/sss/pubconf/kdcinfo.HH3.SITE"
>>> You need to allow open file /var/lib/sss/pubconf/kdcinfo.HH3.SITE in profile /usr/sbin/smbd
> Is "HH3.SITE" your hostname? If yes, you should allow kdcinfo.* instead.
No, it's the kerberos realm.

OK, I've got it going OK now but couldn't we include the kerberos/sssd files in the standard /usr/sbin/smbd profile? I see that openSUSE now favours sssd over nss-ldap these days and also there can't be many non AD file servers left. Even if there are, it wouldn't hurt to include it would it? Wouldn't it just be ignored?

Thanks,
L x