https://bugzilla.novell.com/show_bug.cgi?id=851131

https://bugzilla.novell.com/show_bug.cgi?id=851131#c0

Summary: AppArmor prevents winbind from working correctly
Classification: openSUSE
Product: openSUSE 13.1
Version: Final
Platform: All
OS/Version: openSUSE 13.1
Status: NEW
Severity: Major
Priority: P5 - None
Component: AppArmor
AssignedTo: suse-beta@cboltz.de
ReportedBy: robin.roevens1@pandora.be
QAContact: qa-bugs@suse.de
Found By: ---
Blocker: ---

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:25.0) Gecko/20100101 Firefox/25.0

My openSUSE installation uses Active Directory domain authentication, configured through YaST. This installation has worked correctly since v12.1.
Today I upgraded from 12.3 to 13.1 using instructions from https://en.opensuse.org/SDB:System_upgrade
After reboot I could no longer log in using my AD domain account.

Initially journalctl showed me:

nov 19 14:18:09 ********* winbindd[3563]: [2013/11/19 14:18:09.009167, 0] ./lib/util/debug.c:595(reopen_logs_internal)
nov 19 14:18:09 ********* winbindd[3563]: Unable to open new log file '/var/log/samba/log.winbindd-dc-connect': Permission denied
nov 19 14:18:09 ********* kernel: type=1400 audit(1384867089.008:35): apparmor="DENIED" operation="open" parent=3243 profile="/usr/sbin/winbindd" name="/var/log/samba/log.winbindd-dc-connect" pid=3563 comm="winbindd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
nov 19 14:18:19 ********* winbindd[3286]: [2013/11/19 14:18:19.013899, 0] ./source3/libads/kerberos_util.c:74(ads_kinit_password)
nov 19 14:18:19 ********* winbindd[3286]: kerberos_kinit_password *********$@********* failed: Permission denied
nov 19 14:18:19 ********* kernel: type=1400 audit(1384867099.013:36): apparmor="DENIED" operation="open" parent=3243 profile="/usr/sbin/winbindd" name="/var/lib/samba/smb_krb5/krb5.conf.***" pid=3286 comm="winbindd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
nov 19 14:18:19 ********* kernel: type=1400 audit(1384867099.013:37): apparmor="DENIED" operation="open" parent=3243 profile="/usr/sbin/winbindd" name="/var/lib/samba/smb_krb5/krb5.conf.***" pid=3286 comm="winbindd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

After changing
/var/log/samba/log.winbindd-dc-connect c,
into
/var/log/samba/log.winbindd-dc-connect w,
in the apparmor profile /etc/apparmor.d/usr.sbin.winbindd

I now had these winbind-related errors:

nov 19 14:38:23 ********* winbindd[4342]: [2013/11/19 14:38:23.539361, 0] ./source3/lib/util_sec.c:103(assert_uid)
nov 19 14:38:23 ********* winbindd[4342]: Failed to set uid privileges to (-1,39756) now set to (0,0)
nov 19 14:38:23 ********* winbindd[4342]: [2013/11/19 14:38:23.539444, 0] ./source3/lib/util.c:785(smb_panic_s3)
nov 19 14:38:23 ********* winbindd[4342]: PANIC (pid 4342): failed to set uid
nov 19 14:38:23 ********* winbindd[4342]:
nov 19 14:38:23 uzaws0531 winbindd[4342]: [2013/11/19 14:38:23.539862, 0] ./source3/lib/util.c:896(log_stack_trace)
nov 19 14:38:23 ********* winbindd[4342]: BACKTRACE: 18 stack frames:
nov 19 14:38:23 ********* winbindd[4342]: #0 /usr/lib64/libsmbconf.so.0(log_stack_trace+0x1a) [0x7fb82acdd2ea]
nov 19 14:38:23 ********* winbindd[4342]: #1 /usr/lib64/libsmbconf.so.0(smb_panic_s3+0x20) [0x7fb82acdd3c0]
nov 19 14:38:23 ********* winbindd[4342]: #2 /usr/lib64/libsamba-util.so.0(smb_panic+0x2f) [0x7fb82f1d432f]
nov 19 14:38:23 ********* winbindd[4342]: #3 /usr/lib64/samba/libsamba3-util.so(+0x32cd) [0x7fb82aaae2cd]
nov 19 14:38:23 ********* winbindd[4342]: #4 /usr/sbin/winbindd(winbindd_dual_pam_auth+0xe27) [0x7fb82fa784d7]
nov 19 14:38:23 ********* winbindd[4342]: #5 /usr/sbin/winbindd(+0x557c4) [0x7fb82fa8c7c4]
nov 19 14:38:23 ********* winbindd[4342]: #6 /usr/lib64/libtevent.so.0(+0x904b) [0x7fb82916804b]
nov 19 14:38:23 ********* winbindd[4342]: #7 /usr/lib64/libtevent.so.0(+0x74f7) [0x7fb8291664f7]
nov 19 14:38:23 ********* winbindd[4342]: #8 /usr/lib64/libtevent.so.0(_tevent_loop_once+0x8d) [0x7fb82916300d]
nov 19 14:38:23 ********* winbindd[4342]: #9 /usr/sbin/winbindd(+0x57b1a) [0x7fb82fa8eb1a]
nov 19 14:38:23 ********* winbindd[4342]: #10 /usr/sbin/winbindd(+0x581d5) [0x7fb82fa8f1d5]
nov 19 14:38:23 ********* winbindd[4342]: #11 /usr/lib64/libtevent.so.0(tevent_common_loop_immediate+0xd4) [0x7fb829163834]
nov 19 14:38:23 ********* winbindd[4342]: #12 /usr/lib64/libtevent.so.0(+0x8e07) [0x7fb829167e07]
nov 19 14:38:23 ********* winbindd[4342]: #13 /usr/lib64/libtevent.so.0(+0x74f7) [0x7fb8291664f7]
nov 19 14:38:23 ********* winbindd[4342]: #14 /usr/lib64/libtevent.so.0(_tevent_loop_once+0x8d) [0x7fb82916300d]
nov 19 14:38:23 ********* winbindd[4342]: #15 /usr/sbin/winbindd(main+0xa92) [0x7fb82fa5ec32]
nov 19 14:38:23 ********* winbindd[4342]: #16 /lib64/libc.so.6(__libc_start_main+0xf5) [0x7fb828b85be5]
nov 19 14:38:23 ********* winbindd[4342]: #17 /usr/sbin/winbindd(+0x28325) [0x7fb82fa5f325]
nov 19 14:38:23 ********* winbindd[4342]: [2013/11/19 14:38:23.542655, 0] ./source3/lib/dumpcore.c:317(dump_core)
nov 19 14:38:23 ********* winbindd[4342]: dumping core in /var/log/samba/cores/winbindd
nov 19 14:38:23 ********* winbindd[4342]:
nov 19 14:38:23 uzaws0531 kernel: type=1400 audit(1384868303.538:77): apparmor="DENIED" operation="capable" parent=4341 profile="/usr/sbin/winbindd" pid=4342 comm="winbindd" pid=4342 comm="winbindd" capability=7 capname="setuid"

So I added
capability setuid,
to the apparmor profile /etc/apparmor.d/usr.sbin.winbindd

But logon still failed, now reporting this:

nov 19 15:01:48 ********* kernel: audit_printk_skb: 66 callbacks suppressed
nov 19 15:01:48 ********* kernel: type=1400 audit(1384869708.922:206): apparmor="DENIED" operation="mknod" parent=4341 profile="/usr/sbin/winbindd" name="/var/tmp/*********-044_39756" pid=5747 comm="winbindd" requested_mask="c" denied_mask="c" fsuid=39756 ouid=39756

Finally adding
capability mknod,
/var/tmp/* rwlk,
to the apparmor profile /etc/apparmor.d/usr.sbin.winbindd resolved the logon problem.
(the permissions on /var/tmp/ are maybe a bit too open, but I really wanted the problem to be solved quickly by now..)

I could now log on, but still some errors were logged:

nov 19 15:03:49 ********* kernel: audit_printk_skb: 66 callbacks suppressed
nov 19 15:03:49 ********* kernel: type=1400 audit(1384869829.321:238): apparmor="DENIED" operation="capable" parent=4341 profile="/usr/sbin/winbindd" pid=5747 comm="winbindd" pid=5747 comm="winbindd" capability=14 capname="ipc_lock"

So this time I added
capability ipc_lock,
to the apparmor profile /etc/apparmor.d/usr.sbin.winbindd

And now I don't seem to get any more apparmor/winbind related errors when logging in using my AD domain account.

I don't know if this bug only appears when the system is upgraded from 12.3 using yast dup, or if it would also manifest when upgrading using the DVD or even doing a fresh install..

Reproducible: Didn't try

Steps to Reproduce:
1. Connect to Windows Domain using YaST
2. (Upgrade openSUSE 12.3 to 13.1 using yast dup method)
3. Try to log in using a domain account

Actual Results:
winbind can't authenticate the domain user because apparmor denies it from doing so.

Expected Results:
winbind should be able to correctly authenticate the domain user
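
Added example, not part of the original report and not AppArmor's own tooling: a short Python script that reads the kernel audit records quoted above and turns each DENIED entry into the narrowest candidate profile rule, so the rules can be reviewed before they go into /etc/apparmor.d/usr.sbin.winbindd. The function names are hypothetical, and the mapping of the audit mask letters c (create) and d (delete) to the profile permission w is stated as an assumption in the code.

```python
import re
from collections import defaultdict

# Kernel audit records copied from the report above (syslog prefix dropped;
# runs of asterisks are the reporter's redactions, not globs).
SAMPLE_LOG = '''\
type=1400 audit(1384867089.008:35): apparmor="DENIED" operation="open" parent=3243 profile="/usr/sbin/winbindd" name="/var/log/samba/log.winbindd-dc-connect" pid=3563 comm="winbindd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
type=1400 audit(1384867099.013:36): apparmor="DENIED" operation="open" parent=3243 profile="/usr/sbin/winbindd" name="/var/lib/samba/smb_krb5/krb5.conf.***" pid=3286 comm="winbindd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=1400 audit(1384867099.013:37): apparmor="DENIED" operation="open" parent=3243 profile="/usr/sbin/winbindd" name="/var/lib/samba/smb_krb5/krb5.conf.***" pid=3286 comm="winbindd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=1400 audit(1384868303.538:77): apparmor="DENIED" operation="capable" parent=4341 profile="/usr/sbin/winbindd" pid=4342 comm="winbindd" pid=4342 comm="winbindd" capability=7 capname="setuid"
type=1400 audit(1384869708.922:206): apparmor="DENIED" operation="mknod" parent=4341 profile="/usr/sbin/winbindd" name="/var/tmp/*********-044_39756" pid=5747 comm="winbindd" requested_mask="c" denied_mask="c" fsuid=39756 ouid=39756
type=1400 audit(1384869829.321:238): apparmor="DENIED" operation="capable" parent=4341 profile="/usr/sbin/winbindd" pid=5747 comm="winbindd" pid=5747 comm="winbindd" capability=14 capname="ipc_lock"
'''
# Assumption: audit mask letters c (create) and d (delete) are granted by w.
MASK_TO_PERM = {"c": "w", "d": "w"}
PERM_ORDER = "rwaxmlk"
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED record, else None."""
    fields = {key: quoted or bare for key, quoted, bare in KV.findall(line)}
    return fields if fields.get("apparmor") == "DENIED" else None

def candidate_rules(log_text):
    """Map each profile name to the deduplicated rules its denials ask for."""
    caps, files = defaultdict(set), defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        d = parse_denial(line)
        if d is None:
            continue
        prof = d.get("profile", "?")
        if d.get("operation") == "capable" and "capname" in d:
            caps[prof].add(d["capname"])
        elif "name" in d:  # file mediation: keep the exact path, no globbing
            files[prof][d["name"]].update(
                MASK_TO_PERM.get(c, c) for c in d.get("denied_mask", ""))
    rules = {}
    for prof in sorted(set(caps) | set(files)):
        rules[prof] = [f"capability {c}," for c in sorted(caps[prof])]
        for path, perms in sorted(files[prof].items()):
            perms.discard("a" if "w" in perms else None)  # w already covers a
            rules[prof].append(
                f"{path} {''.join(p for p in PERM_ORDER if p in perms)},")
    return rules

if __name__ == "__main__":
    for prof, lines in candidate_rules(SAMPLE_LOG).items():
        print(prof)
        print("\n".join("  " + r for r in lines))
```

For these records the output lists only the setuid and ipc_lock capabilities, because the mknod denial is a file-create request (mask c) on a path under /var/tmp rather than a capability check. The file rules name the exact denied paths, which a reviewer can then generalise deliberately instead of starting from a wide glob.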