Thread: Vista unable to join => Apparmor issue?

  1. #1

    Vista unable to join => Apparmor issue?

    Hi all

    I am using stock 13.1 64bit, set up a samba server as pdc (no ad) with ldap. I can share printers and folders without any problem. However, when I try to join a vista ultimate machine, I get the following in /var/log/messages:


    Code:
    brutus kernel: [151015.679714] type=1400 audit(1394095938.616:56): apparmor="DENIED" operation="exec" parent=20997 profile="/usr/sbin/smbd" name="/bin/bash" pid=20999 comm="smbd" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
    brutus smbd[20997]: [2014/03/06 09:52:18.626917,  0] ../source3/passdb/pdb_interface.c:488(pdb_default_create_user)
    brutus smbd[20997]:   _samr_create_user: Running the command `/usr/sbin/useradd  -c Machine -d /var/lib/nobody -s /bin/false pc-lukas$' gave 83
    I have been tweaking around in YAST AppArmor profiles for /usr/sbin/smbd and /usr/sbin/smbldap-useradd, following this http://lists.opensuse.org/opensuse-b.../msg03636.html

    However still cannot join my domain.

    Any ideas?

    greez

    chris

  2. #2

    Re: Vista unable to join => Apparmor issue?

    So far no success

    I altered the following apparmor profiles:
    Code:
    cat /etc/apparmor.d/usr.sbin.smbd
    # Last Modified: Thu Mar  6 12:50:05 2014
    #include <tunables/global>
    
    /usr/sbin/smbd {
      #include <abstractions/authentication>
      #include <abstractions/base>
      #include <abstractions/consoles>
      #include <abstractions/cups-client>
      #include <abstractions/nameservice>
      #include <abstractions/samba>
      #include <abstractions/user-tmp>
      #include <abstractions/wutmp>
      #include <local/usr.sbin.smbd>
      #include <local/usr.sbin.smbd-shares>
    
      capability dac_override,
      capability dac_read_search,
      capability fowner,
      capability lease,
      capability net_bind_service,
      capability setgid,
      capability setuid,
      capability sys_resource,
      capability sys_tty_config,
    
    
      /bin/bash ix,
      /etc/mtab r,
      /etc/netgroup r,
      /etc/printcap r,
      /etc/samba/* rwk,
      /proc/*/mounts r,
      /proc/sys/kernel/core_pattern r,
      /usr/lib*/samba/auth/script.so mr,
      /usr/lib*/samba/charset/*.so mr,
      /usr/lib*/samba/pdb/*.so mr,
      /usr/lib*/samba/vfs/*.so mr,
      /usr/lib*/samba/{lowercase,lowcase,upcase,valid}.dat r,
      /usr/sbin/smbd mr,
      /usr/sbin/smbldap-useradd rpx,
      /usr/sbin/useradd rpx, #been adding this to the profile
      /var/cache/samba/** rwk,
      /var/cache/samba/printing/printers.tdb mrw,
      /var/lib/samba/** rwk,
      /var/lib/samba/printers/** rw,
      /var/lib/sss/mc/passwd r,
      /var/lib/sss/pubconf/kdcinfo.* r,
      /var/log/samba/cores/smbd/ rw,
      /var/log/samba/cores/smbd/** rw,
      /var/spool/samba/** rw,
      /{,var/}run/cups/cups.sock rw,
      /{,var/}run/dbus/system_bus_socket rw,
      /{,var/}run/samba/** rk,
      /{,var/}run/samba/ncalrpc/ rw,
      /{,var/}run/samba/ncalrpc/** rw,
      /{,var/}run/samba/smbd.pid rw,
      @{HOMEDIRS}/** rwlk,
    
    }
    Code:
    cat /etc/apparmor.d/usr.sbin.smbldap-useradd
    # Last Modified: Thu Mar  6 11:01:54 2014
    #include <tunables/global>
    
    /usr/sbin/smbldap-useradd {
      #include <abstractions/base>
      #include <abstractions/bash>
      #include <abstractions/nameservice>
      #include <abstractions/perl>
      #include <local/usr.sbin.smbldap-useradd>
    
    
      /bin/bash ix, #been adding this to the profile
      /dev/tty rw,
      /etc/init.d/nscd Cx,
      /etc/shadow r,
      /etc/smbldap-tools/smbldap.conf r,
      /etc/smbldap-tools/smbldap_bind.conf r,
      /usr/sbin/smbldap-useradd rpx,
      /usr/sbin/smbldap_tools.pm r,
      /usr/sbin/useradd rpx, #been adding this to the profile
      /var/log/samba/log.smbd w,
    
    
      profile /etc/init.d/nscd {
        #include <abstractions/base>
        #include <abstractions/nameservice>
    
        capability sys_ptrace,
    
    
        /bin/bash r,
        /bin/mountpoint rix,
        /bin/systemctl rix,
        /dev/tty rw,
        /etc/init.d/nscd r,
        /etc/rc.status r,
    
      }
    }
    Still I get
    Code:
    brutus kernel: [162787.710453] type=1400 audit(1394107710.648:359): apparmor="DENIED" operation="exec" info="profile not found" error=-2 parent=23580 profile="/usr/sbin/smbd" name="/usr/sbin/useradd" pid=23582 comm="sh" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
    2014-03-06T13:08:30.651832+01:00 brutus smbd[23580]: [2014/03/06 13:08:30.651629,  0] ../source3/passdb/pdb_interface.c:488(pdb_default_create_user)
    2014-03-06T13:08:30.653295+01:00 brutus smbd[23580]:   _samr_create_user: Running the command `/usr/sbin/useradd  -c Machine -d /var/lib/nobody -s /bin/false pc-lukas$' gave 127
    At present I am out of ideas.

    Any help greatly appreciated.

    Greez

    chris

  3. #3

    Re: Vista unable to join => Apparmor issue? [SOLVED]

    Hi all

    After an intense debugging session I got to know that smbldap-tools was not installed, but referred to in apparmor, with even a profile defined (see post above). After adding the corresponding repo from here: https://build.opensuse.org/package/b...=openSUSE_13.1 , installing smbldap-tools, restarting nmb, smb and apparmor, I finally could get the vista machine to join my domain.

    Gosh, what an experience!

    I am not sure if this is not a bug. I installed only packages from official opensuse repos with the one exception for smbldap-tools. I would have expected that just the official repos should be sufficient. Should I file a bug report?

    greez

    chris
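
One way to read the two kernel records quoted in this thread, as an added example that is not part of any post: it parses the AppArmor DENIED fields, separates a missing exec rule from a failed `px` transition (`info="profile not found"`, which the kernel reports when a `px` rule matches but no profile for the target is loaded), and lists `px` rules whose target has no profile. The `SMBD_RULES` excerpt and the `LOADED` list are assumptions taken from the two profiles shown in post #2; on a live system the loaded profile names are listed in /sys/kernel/security/apparmor/profiles.

```python
import re

# Kernel audit records quoted from posts #1 and #2 of the thread.
SAMPLE_LOG = [
    'brutus kernel: [151015.679714] type=1400 audit(1394095938.616:56): apparmor="DENIED" operation="exec" parent=20997 profile="/usr/sbin/smbd" name="/bin/bash" pid=20999 comm="smbd" requested_mask="x" denied_mask="x" fsuid=0 ouid=0',
    'brutus kernel: [162787.710453] type=1400 audit(1394107710.648:359): apparmor="DENIED" operation="exec" info="profile not found" error=-2 parent=23580 profile="/usr/sbin/smbd" name="/usr/sbin/useradd" pid=23582 comm="sh" requested_mask="x" denied_mask="x" fsuid=0 ouid=0',
]
# Exec-related rules excerpted from the smbd profile in post #2.
SMBD_RULES = """
  /bin/bash ix,
  /usr/sbin/smbd mr,
  /usr/sbin/smbldap-useradd rpx,
  /usr/sbin/useradd rpx, #been adding this to the profile
"""
# Assumption: only the two profiles shown in post #2 are loaded.
LOADED = ["/usr/sbin/smbd", "/usr/sbin/smbldap-useradd"]

FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')
RULE = re.compile(r'^\s*(/\S+)\s+([a-zA-Z]+),')

def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED record, or None."""
    if 'apparmor="DENIED"' not in line:
        return None
    return {k: (q if raw.startswith('"') else raw) for k, raw, q in FIELD.findall(line)}

def triage(rec):
    """Classify an exec denial by what the kernel reported."""
    if rec.get("operation") != "exec" or "x" not in rec.get("denied_mask", ""):
        return "not-exec"
    if rec.get("info") == "profile not found":
        # A px/cx rule matched, but no profile for the target is loaded.
        return "transition-target-profile-missing"
    # The confining profile does not grant x on this path.
    return "no-exec-rule"

def px_targets_without_profile(rules, loaded):
    """Paths with a strict px/Px exec mode (no ix fallback) and no loaded profile."""
    missing = []
    for line in rules.splitlines():
        m = RULE.match(line)
        if m and re.search(r"[pP]x", m.group(2)) and m.group(1) not in loaded:
            missing.append(m.group(1))
    return missing

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        rec = parse_denial(line)
        print(rec["profile"], "->", rec["name"], ":", triage(rec))
    print("px targets without a profile:", px_targets_without_profile(SMBD_RULES, LOADED))
```
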
