https://bugzilla.novell.com/show_bug.cgi?id=846586
https://bugzilla.novell.com/show_bug.cgi?id=846586#c19
Lars Müller
From the logs, the winbindd profile needs the following additions:
deny capability block_suspend,
/tmp/krb5cc_* rwk,
And with the current package in openSUSE Factory we use: Environment=KRB5CCNAME=/run/samba/krb5cc_samba in the systemd service files for nmbd, smbd, and winbindd.
/var/lib/samba/smb_krb5/krb5.conf.LURCH w, # or "krb5.conf*"?
Correct, as the joined domain name gets added at the end of the file name.
/var/lib/samba/smb_tmp_krb5.* rw,
/var/lib/samba/**.tdb rwk, # to avoid/replace the ever-growing filelist - any objections?
No, as these files are created by the Samba daemons.
/var/log/samba/log.winbindd-dc-connect a, # maybe w instead?
Yes. Why should we allow only append?
As you can see from my comments, there are some detail questions.
BTW: Is the directory /var/lib/samba/smb_krb5/ shipped with the samba package or does winbindd create it at runtime if needed (this would mean we also need to allow this ;-)
Winbindd creates it.
See bug 807104 for details why I _deny_ block_suspend - if you have good arguments, I can of course allow it instead.
Can you please test with the lines above added to the profile, and answer my questions? I'll update the profile afterwards.
All answers are untested. But the update is out anyhow meanwhile. Therefore I'm closing this report. We have bnc#852326 for further fun. ;)
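Added example, not part of the bug report or of the Samba or AppArmor packages: a Python script that derives candidate profile additions like the ones discussed above from AppArmor DENIED audit lines. The log lines are constructed, and the profile name /usr/sbin/winbindd and the function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed audit lines for illustration; they are not taken from the bug report.
SAMPLE_LOG = '''\
type=AVC msg=audit(1384500000.101:201): apparmor="DENIED" operation="open" profile="/usr/sbin/winbindd" name="/var/lib/samba/smb_krb5/krb5.conf.LURCH" pid=2101 comm="winbindd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
type=AVC msg=audit(1384500000.102:202): apparmor="DENIED" operation="open" profile="/usr/sbin/winbindd" name="/var/log/samba/log.winbindd-dc-connect" pid=2101 comm="winbindd" requested_mask="a" denied_mask="a" fsuid=0 ouid=0
type=AVC msg=audit(1384500000.103:203): apparmor="DENIED" operation="open" profile="/usr/sbin/winbindd" name="/var/log/samba/log.winbindd-dc-connect" pid=2101 comm="winbindd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
type=AVC msg=audit(1384500000.104:204): apparmor="DENIED" operation="open" profile="/usr/sbin/winbindd" name="/tmp/krb5cc_0" pid=2101 comm="winbindd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1384500000.105:205): apparmor="DENIED" operation="mknod" profile="/usr/sbin/winbindd" name="/tmp/krb5cc_0" pid=2101 comm="winbindd" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
type=AVC msg=audit(1384500000.106:206): apparmor="DENIED" operation="file_lock" profile="/usr/sbin/winbindd" name="/tmp/krb5cc_0" pid=2101 comm="winbindd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
type=AVC msg=audit(1384500000.107:207): apparmor="DENIED" operation="capable" profile="/usr/sbin/winbindd" pid=2101 comm="winbindd" capability=36 capname="block_suspend"
type=AVC msg=audit(1384500000.108:208): apparmor="DENIED" operation="open" profile="/usr/sbin/smbd" name="/etc/example.conf" pid=2102 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
'''

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key="quoted" or key=bare
ORDER = "rwaklmx"                                # stable order for the permission string

def parse(line):
    """Turn one audit line into a dict of its key=value fields."""
    return {key: quoted or bare for key, quoted, bare in KV.findall(line)}

def suggest_rules(log_text, profile):
    """Return candidate rules for `profile`, one per denied path or capability."""
    files, caps = defaultdict(set), set()
    for line in log_text.splitlines():
        ev = parse(line)
        if ev.get("apparmor") != "DENIED" or ev.get("profile") != profile:
            continue
        if "capname" in ev:
            caps.add(ev["capname"])
        elif "name" in ev and "denied_mask" in ev:
            # The audit masks c (create) and d (delete) are covered by w in a rule.
            files[ev["name"]].update(ev["denied_mask"].replace("c", "w").replace("d", "w"))
    # Whether a capability ends up allowed or denied is a review decision.
    rules = [f"capability {cap}," for cap in sorted(caps)]
    for path in sorted(files):
        perms = files[path]
        if "w" in perms:
            perms.discard("a")   # a and w are mutually exclusive within one rule
        rules.append(f"{path} {''.join(p for p in ORDER if p in perms)},")
    return rules

if __name__ == "__main__":
    print("\n".join(suggest_rules(SAMPLE_LOG, "/usr/sbin/winbindd")))
```

The output lists exact paths; widening them to globs such as krb5.conf* or krb5cc_* remains a manual review step, as in the discussion above.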