[Samba] Debian Buster, bind_dlz, and apparmor
L.P.H. van Belle
belle at bazuin.nl
Tue Nov 28 18:07:57 UTC 2017
Hai,
Normaly i kick in sooner but im in bed fit by flu. :-(
You have to add the bind paths to the apparmor profile, or disable apparmor in total, just dont remove it, should work also.
debian wiki or ubuntu wiki shows how.
But why are you using buster, imo really not safe, if you wany a 4.7 for stretch use my apt.
When im better i can have a look into your problem more closely.
greetz
Louis..
(mobile)
Op 28 nov. 2017 om 18:26 heeft Dale Schroeder via samba <samba at lists.samba.org> het volgende geschreven:
On 11/28/2017 11:11 AM, Robert Wooden wrote:
Dale,
Been using Ubuntu server for years in my AD. Discovered a long time
ago that apparmor is not needed for a server. (Someone is probably
going to argue the other that is should be but . . .)
Do not quote me but, I have read that AppArmor is intended more for a
desktop environment. I have always disabled and then removed AppArmor
and have never had any issues. Of course I am behind a hardware
firewall so, hopefully, no exposure to any unwanted attacks.
All my servers work fine without AppArmor.
As an Ubuntu user, my 2 cents . . .
On Tue, Nov 28, 2017 at 10:55 AM, Dale Schroeder via samba
<samba at lists.samba.org <mailto:samba at lists.samba.org>> wrote:
On 11/28/2017 9:02 AM, Rowland Penny wrote:
On Tue, 28 Nov 2017 08:37:22 -0600
Dale Schroeder via samba <samba at lists.samba.org
<mailto:samba at lists.samba.org>> wrote:
On 11/28/2017 2:38 AM, Rowland Penny via samba wrote:
On Mon, 27 Nov 2017 14:53:32 -0600
Dale Schroeder via samba <samba at lists.samba.org
<mailto:samba at lists.samba.org>> wrote:
Last week, Debian testing (Buster) added apparmor
to the list of
dependencies for its latest kernel release,
apparently because
systemd needs it. Recently, I noticed my first
casualty - bind9 -
due to apparmor failures with bind_dlz.
Knowing next to nothing about apparmor, what is
needed to fix this,
and what further info do you need from me?
Thanks,
Dale
I cannot seem to find a debian kernel that has a
dependency on
apparmor, can you provide a link ?
Even if debian is making the kernel depend on apparmor
(by the way,
does Linus know about this ?), this isn't a Samba
problem, it is an
apparmor one.
Rowland
Rowland,
Thanks for responding.
From
http://metadata.ftp-master.debian.org/changelogs/main/l/linux/linux_4.13.13-1_changelog
<http://metadata.ftp-master.debian.org/changelogs/main/l/linux/linux_4.13.13-1_changelog>
[ Ben Hutchings ]
* linux-image: Recommend apparmor, as systemd units
with an
AppArmor profile will fail without it (Closes: #880441)
So, although the word "recommend" implies that one has a
choice, in
reality, the kernel upgrade would not proceed without
installing
apparmor.
Then it is a bug, depend means it will be installed, recommend
means
what it says, it is recommended to install it, but you do not
need to.
I suppose it would be possible to disable, but assuming
the systemd
warning is a harbinger of things to come, it seemed best
to me to
figure it out now. I know systemd is not your thing, and I am
inclined to agree; however, Debian sees it otherwise,
leaving me to
deal with it.
Easier way out of this, stop using debian and use Devuan instead.
I asked here because there is a wiki section devoted to
the topic -
https://wiki.samba.org/index.php/BIND9_DLZ_AppArmor_and_SELinux_Integration
<https://wiki.samba.org/index.php/BIND9_DLZ_AppArmor_and_SELinux_Integration>
Thus far, SELinux has not been forced by Debian.
Regardless, since
the apparmor install, I have not been able to get Bind9 to
start if
bind_dlz is enabled.
As I said, apparmor has nothing to do with Samba, the same
goes for
selinux and, in my opinion, they should figure out how to work
with
Samba, not the other way round. The page on the wiki is
supplied as a
service, but Samba has no real way to know if the settings are
correct,
it relies on feedback from users.
Rowland
Likewise, I had hoped some of the Ubuntu or Red Hat-derived OS
users would chime in. I had previously tried several different
incantations with no luck. Just now, I found this, taken from
https://2stech.ca/index.php/linux/linuxtutotials/tutorials/234-samba-active-directory-with-bind-dns-backend-on-ubuntu-1404
<https://2stech.ca/index.php/linux/linuxtutotials/tutorials/234-samba-active-directory-with-bind-dns-backend-on-ubuntu-1404>
/var/lib/samba/private/krb5.co <http://krb5.co>nf r,
/var/lib/samba/private/dns.keytab r,
/var/lib/samba/private/named.conf r,
/var/lib/samba/private/dns/** rwk,
/usr/lib/x86_64-linux-gnu/samba/** m,
/usr/lib/x86_64-linux-gnu/ldb/modules/ldb/** m,
This dated recipe works for me where newer ones did not. BIND
9.10.6 is happy again. YMMV
Dale
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
<https://lists.samba.org/mailman/options/samba>
--
Thank you. Bob Wooden
615.885.2846www.donelsontrophy.com <http://www.donelsontrophy.com>
"Everyone deserves an award!!"
Bob,
I agree with everything you say and would rather not have it, but if
Debian's kernel maintainers are correct in that more systemd service
files will require apparmor, what other choice do I have but to learn
it? I am not sure why Debian has decided to follow the systemd/apparmor
path, but I guess I get to go along for the ride. If it becomes to
onerous, I may have to do as you did and remove it. BTW, the apparmor
file for ntp worked out of the box, no modifications on my part required.
Thanks,
Dale
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
More information about the samba
mailing list