Vista unable to join => Apparmor issue?

Hi all

I am using stock 13.1 64bit, set up a samba server as pdc (no ad) with ldap. I can share printers and folders without any problem. However, when I try to join a vista ultimate machine, I get the following in /var/log/messages:

brutus kernel: [151015.679714] type=1400 audit(1394095938.616:56): apparmor="DENIED" operation="exec" parent=20997 profile="/usr/sbin/smbd" name="/bin/bash" pid=20999 comm="smbd" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
brutus smbd[20997]: [2014/03/06 09:52:18.626917,  0] ../source3/passdb/pdb_interface.c:488(pdb_default_create_user)
brutus smbd[20997]:   _samr_create_user: Running the command `/usr/sbin/useradd  -c Machine -d /var/lib/nobody -s /bin/false pc-lukas$' gave 83

I have been tweaking around in YAST AppArmor profiles for /usr/sbin/smbd and /usr/sbin/smbldap-useradd, following this http://lists.opensuse.org/opensuse-bugs/2011-12/msg03636.html

However still cannot join my domain.

Any ideas?

greez

chris

So far no success

I altered the following apparmor profiles:

cat /etc/apparmor.d/usr.sbin.smbd
# Last Modified: Thu Mar  6 12:50:05 2014
#include <tunables/global>

/usr/sbin/smbd {
  #include <abstractions/authentication>
  #include <abstractions/base>
  #include <abstractions/consoles>
  #include <abstractions/cups-client>
  #include <abstractions/nameservice>
  #include <abstractions/samba>
  #include <abstractions/user-tmp>
  #include <abstractions/wutmp>
  #include <local/usr.sbin.smbd>
  #include <local/usr.sbin.smbd-shares>

  capability dac_override,
  capability dac_read_search,
  capability fowner,
  capability lease,
  capability net_bind_service,
  capability setgid,
  capability setuid,
  capability sys_resource,
  capability sys_tty_config,


  /bin/bash ix,
  /etc/mtab r,
  /etc/netgroup r,
  /etc/printcap r,
  /etc/samba/* rwk,
  /proc/*/mounts r,
  /proc/sys/kernel/core_pattern r,
  /usr/lib*/samba/auth/script.so mr,
  /usr/lib*/samba/charset/*.so mr,
  /usr/lib*/samba/pdb/*.so mr,
  /usr/lib*/samba/vfs/*.so mr,
  /usr/lib*/samba/{lowercase,lowcase,upcase,valid}.dat r,
  /usr/sbin/smbd mr,
  /usr/sbin/smbldap-useradd rpx,
  /usr/sbin/useradd rpx, #been adding this to the profile
  /var/cache/samba/** rwk,
  /var/cache/samba/printing/printers.tdb mrw,
  /var/lib/samba/** rwk,
  /var/lib/samba/printers/** rw,
  /var/lib/sss/mc/passwd r,
  /var/lib/sss/pubconf/kdcinfo.* r,
  /var/log/samba/cores/smbd/ rw,
  /var/log/samba/cores/smbd/** rw,
  /var/spool/samba/** rw,
  /{,var/}run/cups/cups.sock rw,
  /{,var/}run/dbus/system_bus_socket rw,
  /{,var/}run/samba/** rk,
  /{,var/}run/samba/ncalrpc/ rw,
  /{,var/}run/samba/ncalrpc/** rw,
  /{,var/}run/samba/smbd.pid rw,
  @{HOMEDIRS}/** rwlk,

}

cat /etc/apparmor.d/usr.sbin.smbldap-useradd
# Last Modified: Thu Mar  6 11:01:54 2014
#include <tunables/global>

/usr/sbin/smbldap-useradd {
  #include <abstractions/base>
  #include <abstractions/bash>
  #include <abstractions/nameservice>
  #include <abstractions/perl>
  #include <local/usr.sbin.smbldap-useradd>


  /bin/bash ix, #been adding this to the profile
  /dev/tty rw,
  /etc/init.d/nscd Cx,
  /etc/shadow r,
  /etc/smbldap-tools/smbldap.conf r,
  /etc/smbldap-tools/smbldap_bind.conf r,
  /usr/sbin/smbldap-useradd rpx,
  /usr/sbin/smbldap_tools.pm r,
  /usr/sbin/useradd rpx, #been adding this to the profile
  /var/log/samba/log.smbd w,


  profile /etc/init.d/nscd {
    #include <abstractions/base>
    #include <abstractions/nameservice>

    capability sys_ptrace,


    /bin/bash r,
    /bin/mountpoint rix,
    /bin/systemctl rix,
    /dev/tty rw,
    /etc/init.d/nscd r,
    /etc/rc.status r,

  }
}

Still I get

brutus kernel: [162787.710453] type=1400 audit(1394107710.648:359): apparmor="DENIED" operation="exec" info="profile not found" error=-2 parent=23580 profile="/usr/sbin/smbd" name="/usr/sbin/useradd" pid=23582 comm="sh" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
2014-03-06T13:08:30.651832+01:00 brutus smbd[23580]: [2014/03/06 13:08:30.651629,  0] ../source3/passdb/pdb_interface.c:488(pdb_default_create_user)
2014-03-06T13:08:30.653295+01:00 brutus smbd[23580]:   _samr_create_user: Running the command `/usr/sbin/useradd  -c Machine -d /var/lib/nobody -s /bin/false pc-lukas$' gave 127

At current I am out of ideas.

Any help greatly appreciated.

Greez

chris

Hi all

after an intense debugging session I got to know that smbldap-tools was not installed, but referred to in apparmor, with even a profile defined (see post above). After adding the corresponding repo from here: https://build.opensuse.org/package/binaries/spins:invis/smbldap-tools?repository=openSUSE_13.1 , installing smbldap-tools, restarting nmb, smb and apparmor, I finally could get the vista machine to join my domain.

Gosh, what an experience!

I am not sure if this is not a bug. I installed only packages from official opensuse repos with the one exception for smbldap-tools. I would have expected that just the official repos should be sufficient. Should I file a bug report?

greez

chris
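
Added example, not part of the original posts: a small parser for the two AppArmor DENIED records quoted in this thread, separating an exec that the confining profile has no rule for from an exec whose rule requests a transition into a profile that is not loaded (the `info="profile not found"` case). The function names and labels are made up for this illustration; the sample lines are the ones from the posts with the syslog prefix dropped.

```python
import re

# Kernel audit lines copied from the two posts above (syslog prefix dropped).
SAMPLE = [
    'type=1400 audit(1394095938.616:56): apparmor="DENIED" operation="exec" '
    'parent=20997 profile="/usr/sbin/smbd" name="/bin/bash" pid=20999 '
    'comm="smbd" requested_mask="x" denied_mask="x" fsuid=0 ouid=0',
    'type=1400 audit(1394107710.648:359): apparmor="DENIED" operation="exec" '
    'info="profile not found" error=-2 parent=23580 profile="/usr/sbin/smbd" '
    'name="/usr/sbin/useradd" pid=23582 comm="sh" requested_mask="x" '
    'denied_mask="x" fsuid=0 ouid=0',
]

# key="quoted value" or key=bare_value
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_audit(line):
    """Return the key/value fields of an AppArmor DENIED record, else None."""
    if 'apparmor="DENIED"' not in line:
        return None
    return {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}

def classify(rec):
    """Label an exec denial by what the record itself says went wrong."""
    if rec.get("operation") != "exec":
        return "not-exec"
    if rec.get("info") == "profile not found":
        # A rule asked for a transition into a named profile (px/cx style),
        # but no profile of that name is loaded in the kernel.
        return "transition-target-not-loaded"
    # No info field: read here as the profile granting no x on this path.
    return "no-exec-rule"

def summarize(lines):
    """Map (confining profile, executed path) -> set of denial labels."""
    out = {}
    for line in lines:
        rec = parse_audit(line)
        if rec:
            key = (rec.get("profile"), rec.get("name"))
            out.setdefault(key, set()).add(classify(rec))
    return out

if __name__ == "__main__":
    for (profile, path), kinds in sorted(summarize(SAMPLE).items()):
        print(f"{profile} -> {path}: {', '.join(sorted(kinds))}")
```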