[Samba] Debian Buster, bind_dlz, and apparmor

L.P.H. van Belle belle at bazuin.nl
Tue Nov 28 18:07:57 UTC 2017


Hi,
Normally I kick in sooner, but I'm in bed, hit by the flu. :-(


You have to add the bind paths to the apparmor profile, or disable apparmor in total (just don't remove it); that should work also.
The Debian wiki or Ubuntu wiki shows how.


But why are you using Buster? IMO really not safe; if you want a 4.7 for Stretch, use my apt.


When I'm better I can have a look into your problem more closely.


greetz


Louis..
(mobile)



On 28 Nov 2017 at 18:26, Dale Schroeder via samba <samba at lists.samba.org> wrote:


On 11/28/2017 11:11 AM, Robert Wooden wrote:
Dale,

Been using Ubuntu server for years in my AD. Discovered a long time 
ago that apparmor is not needed for a server. (Someone is probably 
going to argue the other way, that it should be, but . . .)

Do not quote me but, I have read that AppArmor is intended more for a 
desktop environment. I have always disabled and then removed AppArmor 
and have never had any issues. Of course I am behind a hardware 
firewall so, hopefully, no exposure to any unwanted attacks.

All my servers work fine without AppArmor.

As an Ubuntu user, my 2 cents . . .

On Tue, Nov 28, 2017 at 10:55 AM, Dale Schroeder via samba 
<samba at lists.samba.org> wrote:

   On 11/28/2017 9:02 AM, Rowland Penny wrote:

        On Tue, 28 Nov 2017 08:37:22 -0600
        Dale Schroeder via samba <samba at lists.samba.org> wrote:


           On 11/28/2017 2:38 AM, Rowland Penny via samba wrote:

                On Mon, 27 Nov 2017 14:53:32 -0600
                Dale Schroeder via samba <samba at lists.samba.org> wrote:

                   Last week, Debian testing (Buster) added apparmor
                   to the list of
                   dependencies for its latest kernel release,
                   apparently because
                   systemd needs it.  Recently, I noticed my first
                   casualty - bind9 -
                   due to apparmor failures with bind_dlz.

                   Knowing next to nothing about apparmor, what is
                   needed to fix this,
                   and what further info do you need from me?

                   Thanks,
                   Dale

               I cannot seem to find a debian kernel that has a
               dependency on
               apparmor, can you provide a link ?

                Even if debian is making the kernel depend on apparmor
                (by the way, does Linus know about this?), this isn't a
                Samba problem, it is an apparmor one.

               Rowland

           Rowland,

           Thanks for responding.

            From
            http://metadata.ftp-master.debian.org/changelogs/main/l/linux/linux_4.13.13-1_changelog

           [ Ben Hutchings ]
               * linux-image: Recommend apparmor, as systemd units
           with an
           AppArmor profile will fail without it (Closes: #880441)

           So, although the word "recommend" implies that one has a
           choice, in
           reality, the kernel upgrade would not proceed without
           installing
           apparmor.

        Then it is a bug: "depend" means it will be installed; "recommend"
        means what it says, it is recommended to install it, but you do not
        need to.

           I suppose it would be possible to disable, but assuming
           the systemd
           warning is a harbinger of things to come, it seemed best
           to me to
           figure it out now.  I know systemd is not your thing, and I am
           inclined to agree; however, Debian sees it otherwise,
           leaving me to
           deal with it.

       Easier way out of this, stop using debian and use Devuan instead.

            I asked here because there is a wiki section devoted to
            the topic -
            https://wiki.samba.org/index.php/BIND9_DLZ_AppArmor_and_SELinux_Integration

           Thus far, SELinux has not been forced by Debian.
           Regardless, since
           the apparmor install, I have not been able to get Bind9 to
           start if
           bind_dlz is enabled.

       As I said, apparmor has nothing to do with Samba, the same
       goes for
       selinux and, in my opinion, they should figure out how to work
       with
       Samba, not the other way round. The page on the wiki is
       supplied as a
       service, but Samba has no real way to know if the settings are
       correct,
       it relies on feedback from users.

       Rowland

    Likewise, I had hoped some of the Ubuntu or Red Hat-derived OS
    users would chime in.  I had previously tried several different
    incantations with no luck.  Just now, I found this, taken from
    https://2stech.ca/index.php/linux/linuxtutotials/tutorials/234-samba-active-directory-with-bind-dns-backend-on-ubuntu-1404

      /var/lib/samba/private/krb5.conf r,
      /var/lib/samba/private/dns.keytab r,
      /var/lib/samba/private/named.conf r,
      /var/lib/samba/private/dns/** rwk,
      /usr/lib/x86_64-linux-gnu/samba/** m,
      /usr/lib/x86_64-linux-gnu/ldb/modules/ldb/** m,

   This dated recipe works for me where newer ones did not. BIND
   9.10.6 is happy again.  YMMV

   Dale

   -- 
    To unsubscribe from this list go to the following URL and read the
    instructions: https://lists.samba.org/mailman/options/samba




-- 
Thank you. Bob Wooden

615.885.2846 www.donelsontrophy.com

"Everyone deserves an award!!"

Bob,

I agree with everything you say and would rather not have it, but if 
Debian's kernel maintainers are correct in that more systemd service 
files will require apparmor, what other choice do I have but to learn 
it?  I am not sure why Debian has decided to follow the systemd/apparmor 
path, but I guess I get to go along for the ride. If it becomes too 
onerous, I may have to do as you did and remove it.  BTW, the apparmor 
file for ntp worked out of the box, no modifications on my part required.

Thanks,
Dale
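Added example, not code from the thread, from Samba or from Debian: a small POSIX shell helper that turns the rules Dale quotes above into the local AppArmor override Louis suggests, with the checks a practitioner wants before blaming Samba: that the main named profile actually pulls the override in, that the reload happened, and what the kernel logged as DENIED if named still will not start. The default paths (/var/lib/samba/private, /usr/lib/x86_64-linux-gnu/samba, the ldb module directory, /etc/apparmor.d/usr.sbin.named and its local/ override) are assumptions taken from the thread and a Debian amd64 layout; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the thread): build the AppArmor local override that
# lets BIND9 load Samba's bind_dlz back end. Rules are the ones quoted in the
# thread; every path below is an assumption for a Debian amd64 box, override
# via the environment if your layout differs.
SAMBA_PRIVATE="${SAMBA_PRIVATE:-/var/lib/samba/private}"
SAMBA_LIBDIR="${SAMBA_LIBDIR:-/usr/lib/x86_64-linux-gnu/samba}"
LDB_MODDIR="${LDB_MODDIR:-/usr/lib/x86_64-linux-gnu/ldb/modules/ldb}"
NAMED_PROFILE="${NAMED_PROFILE:-/etc/apparmor.d/usr.sbin.named}"
LOCAL_OVERRIDE="${LOCAL_OVERRIDE:-/etc/apparmor.d/local/usr.sbin.named}"

# Print the profile rules named needs for bind_dlz: read the Kerberos config,
# keytab and generated named.conf, read/write/lock the DLZ database directory,
# and mmap (m) the Samba and ldb shared objects the module pulls in.
dlz_rules() {
    cat <<EOF
# Samba AD DC: BIND9 DLZ back end (local override)
  $SAMBA_PRIVATE/krb5.conf r,
  $SAMBA_PRIVATE/dns.keytab r,
  $SAMBA_PRIVATE/named.conf r,
  $SAMBA_PRIVATE/dns/** rwk,
  $SAMBA_LIBDIR/** m,
  $LDB_MODDIR/** m,
EOF
}

# Append the rules to the override file (argument 1, default LOCAL_OVERRIDE)
# unless they are already there, so re-running the script is safe.
install_dlz_rules() {
    target="${1:-$LOCAL_OVERRIDE}"
    mkdir -p "$(dirname "$target")"
    touch "$target"
    if grep -qF "$SAMBA_PRIVATE/dns.keytab r," "$target"; then
        return 0
    fi
    dlz_rules >> "$target"
}

# The override only takes effect if the main profile includes it. Debian's
# usr.sbin.named ends with '#include <local/usr.sbin.named>' (newer AppArmor
# writes it without the '#'); if that line is missing the file is never read.
override_is_included() {
    profile="${1:-$NAMED_PROFILE}"
    grep -qE '^[[:space:]]*#?include[[:space:]]+<local/usr.sbin.named>' "$profile"
}

# Load the updated profile into the kernel and restart named. Needs root.
reload_named_profile() {
    apparmor_parser -r "$NAMED_PROFILE" && systemctl restart bind9
}

# First place to look if named still fails: AppArmor logs every refusal as
# apparmor="DENIED" with the profile and the path it was denied.
show_named_denials() {
    dmesg | grep -E 'apparmor="DENIED".*profile="/usr/sbin/named"' \
        || echo "no denials logged for /usr/sbin/named"
}

# Only act when explicitly asked; sourcing or running without 'apply' is a no-op.
if [ "${1:-}" = "apply" ]; then
    install_dlz_rules
    override_is_included \
        || echo "warning: $NAMED_PROFILE does not include local/usr.sbin.named" >&2
    reload_named_profile
    show_named_denials
fi
```

Run it as root with the single argument `apply`. While you are still collecting missing paths, `aa-complain /usr/sbin/named` (apparmor-utils) makes the profile log instead of block, and the DENIED lines tell you exactly which rule to add; switch back with `aa-enforce` once named starts cleanly. Newer Samba releases keep the BIND-related files under /var/lib/samba/bind-dns rather than under private/dns, so check where your provision or samba_upgradedns actually wrote them before copying these paths verbatim.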



