[Samba] Debian Buster, bind_dlz, and apparmor

Dale Schroeder dale at BriannasSaladDressing.com
Tue Nov 28 16:55:17 UTC 2017


On 11/28/2017 9:02 AM, Rowland Penny wrote:
> On Tue, 28 Nov 2017 08:37:22 -0600
> Dale Schroeder via samba <samba at lists.samba.org> wrote:
>
>>
>> On 11/28/2017 2:38 AM, Rowland Penny via samba wrote:
>>> On Mon, 27 Nov 2017 14:53:32 -0600
>>> Dale Schroeder via samba <samba at lists.samba.org> wrote:
>>>
>>>> Last week, Debian testing (Buster) added apparmor to the list of
>>>> dependencies for its latest kernel release, apparently because
>>>> systemd needs it.  Recently, I noticed my first casualty - bind9 -
>>>> due to apparmor failures with bind_dlz.
>>>>
>>>> Knowing next to nothing about apparmor, what is needed to fix this,
>>>> and what further info do you need from me?
>>>>
>>>> Thanks,
>>>> Dale
>>> I cannot seem to find a debian kernel that has a dependency on
>>> apparmor, can you provide a link ?
>>>
>>> Even if debian is making the kernel depend on apparmor (by the way,
>>> does Linus know about this  ?), this isn't a Samba problem, it is an
>>> apparmor one.
>>>
>>> Rowland
>> Rowland,
>>
>> Thanks for responding.
>>
>> From
>> http://metadata.ftp-master.debian.org/changelogs/main/l/linux/linux_4.13.13-1_changelog
>>
>> [ Ben Hutchings ]
>>     * linux-image: Recommend apparmor, as systemd units with an
>> AppArmor profile will fail without it (Closes: #880441)
>>
>> So, although the word "recommend" implies that one has a choice, in
>> reality, the kernel upgrade would not proceed without installing
>> apparmor.
> Then it is a bug, depend means it will be installed, recommend means
> what it says, it is recommended to install it, but you do not need to.
>    
>> I suppose it would be possible to disable, but assuming the systemd
>> warning is a harbinger of things to come, it seemed best to me to
>> figure it out now.  I know systemd is not your thing, and I am
>> inclined to agree; however, Debian sees it otherwise, leaving me to
>> deal with it.
> Easier way out of this, stop using debian and use Devuan instead.
>
>> I asked here because there is a wiki section devoted to the topic -
>> https://wiki.samba.org/index.php/BIND9_DLZ_AppArmor_and_SELinux_Integration
>>
>> Thus far, SELinux has not been forced by Debian.  Regardless, since
>> the apparmor install, I have not been able to get Bind9 to start if
>> bind_dlz is enabled.
>>
> As I said, apparmor has nothing to do with Samba, the same goes for
> selinux and, in my opinion, they should figure out how to work with
> Samba, not the other way round. The page on the wiki is supplied as a
> service, but Samba has no real way to know if the settings are correct,
> it relies on feedback from users.
>
> Rowland
Likewise, I had hoped some of the Ubuntu or Red Hat-derived OS users
would chime in.  I had previously tried several different incantations
with no luck.  Just now, I found this, taken from
https://2stech.ca/index.php/linux/linuxtutotials/tutorials/234-samba-active-directory-with-bind-dns-backend-on-ubuntu-1404

   /var/lib/samba/private/krb5.conf r,
   /var/lib/samba/private/dns.keytab r,
   /var/lib/samba/private/named.conf r,
   /var/lib/samba/private/dns/** rwk,
   /usr/lib/x86_64-linux-gnu/samba/** m,
   /usr/lib/x86_64-linux-gnu/ldb/modules/ldb/** m,

This dated recipe works for me where newer ones did not.  BIND 9.10.6 is 
happy again.  YMMV

Dale
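The rules above are what named needed on Dale's box; on another system the set of denials may differ. Checking whether a given rule set actually covers the `apparmor="DENIED"` events in dmesg or the journal is a mechanical job, so here is an added example of such a check (it is not code from the post, the thread, or the Samba wiki). The audit lines are constructed to look like the kernel's AppArmor messages, and the shared-object name in them is made up; the `c`-implied-by-`w` handling reflects AppArmor's file permission semantics.

```python
import re
# The AppArmor lines quoted in the post, copied here so the example runs stand-alone
PROFILE_FRAGMENT = """
   /var/lib/samba/private/krb5.conf r,
   /var/lib/samba/private/dns.keytab r,
   /var/lib/samba/private/named.conf r,
   /var/lib/samba/private/dns/** rwk,
   /usr/lib/x86_64-linux-gnu/samba/** m,
   /usr/lib/x86_64-linux-gnu/ldb/modules/ldb/** m,
"""
# Constructed audit lines in the shape the kernel logs AppArmor denials (file names are made up)
SAMPLE_LOG = """\
audit: type=1400 audit(1511887000.1:41): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/var/lib/samba/private/dns.keytab" pid=1234 comm="named" requested_mask="r" denied_mask="r" fsuid=105 ouid=0
audit: type=1400 audit(1511887000.2:42): apparmor="DENIED" operation="file_mmap" profile="/usr/sbin/named" name="/usr/lib/x86_64-linux-gnu/samba/example_dlz.so" pid=1234 comm="named" requested_mask="m" denied_mask="m" fsuid=105 ouid=0
audit: type=1400 audit(1511887000.3:43): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/var/lib/samba/private/dns/sam.ldb" pid=1234 comm="named" requested_mask="wrc" denied_mask="wc" fsuid=105 ouid=0
audit: type=1400 audit(1511887000.4:44): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/var/lib/samba/private/other.ldb" pid=1234 comm="named" requested_mask="r" denied_mask="r" fsuid=105 ouid=0
"""
FIELD = re.compile(r'(\w+)="([^"]*)"')
IMPLIED_BY_W = str.maketrans("cad", "www")  # AppArmor's 'w' also grants create/append/delete
def glob_to_regex(pattern):
    # AppArmor file globs: '**' may span '/', while '*' stops at '/'
    out, i = "^", 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out, i = out + ".*", i + 2
            continue
        out += "[^/]*" if pattern[i] == "*" else re.escape(pattern[i])
        i += 1
    return out + "$"

def parse_rules(fragment):  # "<path glob> <perms>," per line -> (compiled glob, permission set)
    lines = [l.strip().rstrip(",") for l in fragment.splitlines()]
    return [(re.compile(glob_to_regex(path)), set(perms)) for path, perms in
            (l.rsplit(None, 1) for l in lines if l and not l.startswith("#"))]

def denials(log, profile="/usr/sbin/named"):  # (file name, denied perms) per DENIED event
    for line in log.splitlines():
        f = dict(FIELD.findall(line))
        if f.get("apparmor") == "DENIED" and f.get("profile") == profile:
            yield f["name"], set(f["denied_mask"].translate(IMPLIED_BY_W))

def uncovered(log, fragment):
    # Denials the fragment's rules would still not grant, as (name, missing perms) pairs
    rules = parse_rules(fragment)
    missing = []
    for name, mask in denials(log):
        granted = set().union(*(perms for rx, perms in rules if rx.match(name)))
        if not mask <= granted:
            missing.append((name, "".join(sorted(mask - granted))))
    return missing
```

Anything `uncovered()` reports is a path the rule set does not grant; add a rule for it only after confirming named legitimately needs that access, then reload the profile and re-check the log.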
