[Samba] Setting Win ACLs via Comp Management, connection to Member Server warning

L.P.H. van Belle belle at bazuin.nl
Wed Feb 22 11:13:33 UTC 2017


Hai, 

Be careful with "apt-get remove apparmor".

If you remove apparmor and mysql-server is installed on the same server,
beware that you remove mysql-server also, and re-installing mysql-server also installs apparmor.

I experienced that multiple times with Ubuntu 16.04 and maybe there are more like this.


The preferred way:

Use the /etc/apparmor.d/disable directory along with the
apparmor_parser -R option to disable a profile. 
Some options. 

1)
sudo ln -s /etc/apparmor.d/profile.name /etc/apparmor.d/disable/
sudo apparmor_parser -R /etc/apparmor.d/profile.name

# Samba on ubuntu 16.04
sudo ln -s /etc/apparmor.d/usr.sbin.smbd /etc/apparmor.d/disable/
sudo ln -s /etc/apparmor.d/usr.sbin.nmbd /etc/apparmor.d/disable/
sudo ln -s /etc/apparmor.d/usr.sbin.winbind /etc/apparmor.d/disable/

# dhcp also installed 
ln -s /etc/apparmor.d/usr.sbin.dhcpd /etc/apparmor.d/disable/
apparmor_parser -R /etc/apparmor.d/usr.sbin.dhcpd

# mysql 
ln -s /etc/apparmor.d/usr.sbin.mysqld /etc/apparmor.d/disable/
apparmor_parser -R /etc/apparmor.d/usr.sbin.mysqld

# bind
ln -s /etc/apparmor.d/usr.sbin.named /etc/apparmor.d/disable/
apparmor_parser -R /etc/apparmor.d/usr.sbin.named

2)
Or disable it but don't remove it.
systemctl stop apparmor.service
systemctl disable apparmor.service
update-rc.d -f apparmor remove 

3)
Or configure it correctly.. 

I personally use the first option.
I disable only what needs to be disabled.
In short, only things that are out of the "debian scope" and not in apparmor.


Greetz, 

Louis
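
Option 1 above has two steps per profile (the symlink in /etc/apparmor.d/disable, then apparmor_parser -R), so a profile can be marked disabled on disk while the kernel still enforces it until the second step or a reboot. The following is an added example, not part of the original message: a constructed helper (the function name audit_disabled and the file-name-to-path mapping are assumptions) that reports, for each entry under disable/, whether the profile is actually unloaded.

```shell
#!/bin/sh
# Added example: audit AppArmor profiles disabled via <dir>/disable symlinks.
# The helper name and its output words are constructed for illustration.

# audit_disabled APPARMOR_DIR LOADED_LIST
#   APPARMOR_DIR : profile directory (normally /etc/apparmor.d)
#   LOADED_LIST  : file with one "name (mode)" line per loaded profile
#                  (normally /sys/kernel/security/apparmor/profiles, root only)
# Prints one line per symlink found in APPARMOR_DIR/disable:
#   unloaded     <file>  marked disabled and not loaded in the kernel
#   still-loaded <file>  marked disabled, but apparmor_parser -R not yet run
#   dangling     <file>  symlink target (the profile file) no longer exists
audit_disabled() {
    dir=$1
    loaded=$2
    for link in "$dir"/disable/*; do
        # Skip anything that is not a symlink (also covers an empty directory).
        [ -L "$link" ] || continue
        name=$(basename "$link")
        # -e follows the symlink, so it fails when the profile file is gone.
        if [ ! -e "$link" ]; then
            echo "dangling $name"
            continue
        fi
        # Assumption: a profile file named usr.sbin.smbd confines /usr/sbin/smbd,
        # i.e. the loaded profile name is the file name with dots as slashes.
        path="/$(printf '%s' "$name" | tr '.' '/')"
        if grep -q -- "^$path (" "$loaded" 2>/dev/null; then
            echo "still-loaded $name"
        else
            echo "unloaded $name"
        fi
    done
}

# Check the live system only when explicitly asked: sudo sh audit.sh --live
if [ "${1:-}" = "--live" ]; then
    audit_disabled /etc/apparmor.d /sys/kernel/security/apparmor/profiles
fi
```

Any profile reported as unloaded means that service runs without AppArmor confinement, so the list doubles as an inventory of what was switched off on the host.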


> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny via
> samba
> Sent: Wednesday 22 February 2017 11:36
> To: samba at lists.samba.org
> Subject: Re: [Samba] Setting Win ACLs via Comp Management, connection to
> Member Server warning
> 
> On Tue, 21 Feb 2017 17:17:50 -0600
> Lin Pro <linforpros at gmail.com> wrote:
> 
> > Both ubuntu machines have iptables -L:
> > Chain INPUT (policy ACCEPT)
> > target     prot opt source               destination
> >
> > Chain FORWARD (policy ACCEPT)
> > target     prot opt source               destination
> >
> > Chain OUTPUT (policy ACCEPT)
> > target     prot opt source               destination
> >
> > And the windows server firewall off
> >
> >
> > How can that happen to me...
> > I am speechless
> > Lin
> 
> After setting up a Ubuntu 16.04 domain member, I found I couldn't open
> the share and couldn't find any reason in the logs on the domain
> member.
> 
> Experience came to my aid ;-)
> 
> sudo apt-get remove apparmor
> sudo reboot
> 
> fixed it for me.
> 
> Rowland
> 
> 