[Samba] Debian Buster, bind_dlz, and apparmor

Robert Wooden bob at donelsontrophy.com
Tue Nov 28 17:11:29 UTC 2017


Dale,

Been using Ubuntu server for years in my AD. Discovered a long time ago
that apparmor is not needed for a server. (Someone is probably going to
argue the other way, that it should be, but . . .)

Do not quote me, but I have read that AppArmor is intended more for a
desktop environment. I have always disabled and then removed AppArmor and
have never had any issues. Of course, I am behind a hardware firewall so,
hopefully, no exposure to any unwanted attacks.

All my servers work fine without AppArmor.

As an Ubuntu user, my 2 cents . . .

On Tue, Nov 28, 2017 at 10:55 AM, Dale Schroeder via samba <samba at lists.samba.org> wrote:

> On 11/28/2017 9:02 AM, Rowland Penny wrote:
>
>> On Tue, 28 Nov 2017 08:37:22 -0600
>> Dale Schroeder via samba <samba at lists.samba.org> wrote:
>>
>>
>>> On 11/28/2017 2:38 AM, Rowland Penny via samba wrote:
>>>
>>>> On Mon, 27 Nov 2017 14:53:32 -0600
>>>> Dale Schroeder via samba <samba at lists.samba.org> wrote:
>>>>
>>>>> Last week, Debian testing (Buster) added apparmor to the list of
>>>>> dependencies for its latest kernel release, apparently because
>>>>> systemd needs it.  Recently, I noticed my first casualty - bind9 -
>>>>> due to apparmor failures with bind_dlz.
>>>>>
>>>>> Knowing next to nothing about apparmor, what is needed to fix this,
>>>>> and what further info do you need from me?
>>>>>
>>>>> Thanks,
>>>>> Dale
>>>>>
>>>> I cannot seem to find a debian kernel that has a dependency on
>>>> apparmor, can you provide a link ?
>>>>
>>>> Even if debian is making the kernel depend on apparmor (by the way,
>>>> does Linus know about this  ?), this isn't a Samba problem, it is an
>>>> apparmor one.
>>>>
>>>> Rowland
>>>>
>>> Rowland,
>>>
>>> Thanks for responding.
>>>
>>> From
>>> http://metadata.ftp-master.debian.org/changelogs/main/l/linux/linux_4.13.13-1_changelog
>>>
>>> [ Ben Hutchings ]
>>>     * linux-image: Recommend apparmor, as systemd units with an
>>> AppArmor profile will fail without it (Closes: #880441)
>>>
>>> So, although the word "recommend" implies that one has a choice, in
>>> reality, the kernel upgrade would not proceed without installing
>>> apparmor.
>>>
>> Then it is a bug, depend means it will be installed, recommend means
>> what it says, it is recommended to install it, but you do not need to.
>>
>>
>>> I suppose it would be possible to disable, but assuming the systemd
>>> warning is a harbinger of things to come, it seemed best to me to
>>> figure it out now.  I know systemd is not your thing, and I am
>>> inclined to agree; however, Debian sees it otherwise, leaving me to
>>> deal with it.
>>>
>> Easier way out of this, stop using debian and use Devuan instead.
>>
>>> I asked here because there is a wiki section devoted to the topic -
>>> https://wiki.samba.org/index.php/BIND9_DLZ_AppArmor_and_SELinux_Integration
>>>
>>> Thus far, SELinux has not been forced by Debian.  Regardless, since
>>> the apparmor install, I have not been able to get Bind9 to start if
>>> bind_dlz is enabled.
>>>
>> As I said, apparmor has nothing to do with Samba, the same goes for
>> selinux and, in my opinion, they should figure out how to work with
>> Samba, not the other way round. The page on the wiki is supplied as a
>> service, but Samba has no real way to know if the settings are correct,
>> it relies on feedback from users.
>>
>> Rowland
>>
> Likewise, I had hoped some of the Ubuntu or Red Hat-derived OS users would
> chime in.  I had previously tried several different incantations with no
> luck.  Just now, I found this, taken from
> https://2stech.ca/index.php/linux/linuxtutotials/tutorials/234-samba-active-directory-with-bind-dns-backend-on-ubuntu-1404
>
>   /var/lib/samba/private/krb5.conf r,
>   /var/lib/samba/private/dns.keytab r,
>   /var/lib/samba/private/named.conf r,
>   /var/lib/samba/private/dns/** rwk,
>   /usr/lib/x86_64-linux-gnu/samba/** m,
>   /usr/lib/x86_64-linux-gnu/ldb/modules/ldb/** m,
>
> This dated recipe works for me where newer ones did not.  BIND 9.10.6 is
> happy again.  YMMV
>
> Dale
>



-- 

Thank you.

Bob Wooden

615.885.2846    www.donelsontrophy.com
"Everyone deserves an award!!"
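The thread ends with two positions: remove AppArmor, or carry the six profile rules Dale quoted so that named can keep confinement and still reach the Samba DLZ files. The script below is an added example, not code from the thread or from the Samba or Debian projects. It checks whether a named profile already contains those six rules, normalising comments and whitespace first, so a missing rule can be found before bind9 refuses to start. The profile file locations and both sample profile bodies are constructed for the example; the rule text is exactly what the quoted recipe gives, and the library paths in it may differ on other releases or architectures.

```shell
#!/bin/sh
# Added example (not from the thread): verify that a BIND9 AppArmor profile
# carries the Samba bind_dlz access rules quoted from the 2stech recipe.
# Sample profiles and their paths below are constructed for this example.

# The six rules from the quoted recipe, one per line.
REQUIRED_RULES='/var/lib/samba/private/krb5.conf r,
/var/lib/samba/private/dns.keytab r,
/var/lib/samba/private/named.conf r,
/var/lib/samba/private/dns/** rwk,
/usr/lib/x86_64-linux-gnu/samba/** m,
/usr/lib/x86_64-linux-gnu/ldb/modules/ldb/** m,'

# missing_rules PROFILE_FILE
# Prints every required rule that PROFILE_FILE does not contain.
# Comments are dropped and whitespace normalised before comparing, so
# indentation or extra spaces between path and permissions do not matter.
missing_rules() {
    normalised=$(sed -e 's/#.*$//' \
                     -e 's/^[[:space:]]*//' \
                     -e 's/[[:space:]]*$//' \
                     -e 's/[[:space:]]\{1,\}/ /g' "$1")
    printf '%s\n' "$REQUIRED_RULES" | while IFS= read -r rule; do
        [ -n "$rule" ] || continue
        printf '%s\n' "$normalised" | grep -Fxq -- "$rule" || printf '%s\n' "$rule"
    done
}

# profile_ok PROFILE_FILE: succeeds only when no required rule is missing.
profile_ok() {
    [ -z "$(missing_rules "$1")" ]
}

# count_missing PROFILE_FILE: number of missing rules, for scripting.
count_missing() {
    missing_rules "$1" | wc -l | tr -d ' '
}

demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

# Constructed sample: a stock named profile before the recipe is applied.
cat > "$demo_dir/usr.sbin.named.before" <<'EOF'
#include <tunables/global>
/usr/sbin/named {
  #include <abstractions/base>
  /etc/bind/** r,
  /var/cache/bind/** lrw,
  /var/lib/samba/private/dns.keytab r,
}
EOF

# Constructed sample: the same profile with the quoted rules added
# (note the irregular spacing on the dns/** line, which still matches).
cat > "$demo_dir/usr.sbin.named.after" <<'EOF'
#include <tunables/global>
/usr/sbin/named {
  #include <abstractions/base>
  /etc/bind/** r,
  /var/cache/bind/** lrw,
  # Samba bind_dlz access, from the quoted recipe
  /var/lib/samba/private/krb5.conf r,
  /var/lib/samba/private/dns.keytab r,
  /var/lib/samba/private/named.conf r,
  /var/lib/samba/private/dns/**   rwk,
  /usr/lib/x86_64-linux-gnu/samba/** m,
  /usr/lib/x86_64-linux-gnu/ldb/modules/ldb/** m,
}
EOF

for f in "$demo_dir/usr.sbin.named.before" "$demo_dir/usr.sbin.named.after"; do
    if profile_ok "$f"; then
        echo "$f: all bind_dlz rules present"
    else
        echo "$f: missing rules:"
        missing_rules "$f" | sed 's/^/    /'
    fi
done
```

On a real host, point `missing_rules` at the active named profile instead of the constructed samples. Where the distribution's profile includes a local override file, the rules belong there rather than in the shipped profile, so a package upgrade does not drop them again; after editing, reload the profile with `apparmor_parser -r` and watch the kernel log for `apparmor="DENIED"` entries naming `named`, which is the symptom Dale hit.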