[Samba] BIND 9.9 setup with samba

[Justin Clacherty]

Hi,

I ran into some trouble last night when setting up samba (4.1.5) with bind 9.9 as the backend.  I followed the instructions on the wiki but found that the apparmor settings that are suggested don't actually work (at least for me running Ubuntu 13.10).  Just putting it here for others that may experience the same issue and to check that I haven't done something silly.  If what I've done is correct then it might be worthwhile updating the wiki (or I will if it's publically updatable).

Current wiki suggestion is to add the following to /etc/apparmor.d/local/usr.sbin.named

/usr/local/samba/lib/** rm,
/usr/local/samba/private/dns.keytab r,
/usr/local/samba/private/named.conf r,
/usr/local/samba/private/dns/** rwk,

I found I needed to add the following

/usr/local/samba/lib/** rm,
/usr/local/samba/private/dns.keytab rk,
/usr/local/samba/private/named.conf r,
/usr/local/samba/private/dns/** rwk,
/usr/local/samba/etc/smb.conf r,
/var/tmp/** rw,
/var/tmp/ rw,

FYI /var/tmp is where the .jnl is being written, presumably it's bind that's deciding to put it here and not samba.  I've also seen another apparmor related error message pop up today when adding a machine to the domain.

Mar 10 14:03:44 server kernel: [ 6809.180969] type=1400 audit(1394420624.565:26): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/named" name="/dev/urandom" pid=1491 comm="named" requested_mask="wc" denied_mask="wc" fsuid=107 ouid=0

The PC was actually added to DNS so I'm not sure what the ramifications of this error would be.

Cheers,
Justin.