[Samba] Debian Buster, bind_dlz, and apparmor

Dale Schroeder dale at BriannasSaladDressing.com
Tue Nov 28 18:09:59 UTC 2017


On 11/28/2017 11:56 AM, Rowland Penny via samba wrote:
> On Tue, 28 Nov 2017 11:24:58 -0600
> Dale Schroeder <dale at BriannasSaladDressing.com> wrote:
>
>> On 11/28/2017 11:11 AM, Robert Wooden wrote:
>>> Dale,
>>>
>>> Been using Ubuntu server for years in my AD. Discovered a long time
>>> ago that apparmor is not needed for a server. (Someone is probably
>>> going to argue the other that is should be but . . .)
>>>
>>> Do not quote me but, I have read that AppArmor is intended more for
>>> a desktop environment. I have always disabled and then removed
>>> AppArmor and have never had any issues. Of course I am behind a
>>> hardware firewall so, hopefully, no exposure to any unwanted
>>> attacks.
>>>
>>> All my servers work fine without AppArmor.
>>>
>>> As an Ubuntu user, my 2 cents . . .
>>>
>>> On Tue, Nov 28, 2017 at 10:55 AM, Dale Schroeder via samba
>>> <samba at lists.samba.org> wrote:
>>>
>>>      On 11/28/2017 9:02 AM, Rowland Penny wrote:
>>>
>>>          On Tue, 28 Nov 2017 08:37:22 -0600
>>>          Dale Schroeder via samba <samba at lists.samba.org> wrote:
>>>
>>>
>>>              On 11/28/2017 2:38 AM, Rowland Penny via samba wrote:
>>>
>>>                  On Mon, 27 Nov 2017 14:53:32 -0600
>>>                  Dale Schroeder via samba <samba at lists.samba.org> wrote:
>>>
>>>                      Last week, Debian testing (Buster) added apparmor
>>>                      to the list of dependencies for its latest kernel
>>>                      release, apparently because systemd needs it.
>>>                      Recently, I noticed my first casualty - bind9 - due
>>>                      to apparmor failures with bind_dlz.
>>>
>>>                      Knowing next to nothing about apparmor, what is
>>>                      needed to fix this, and what further info do you
>>>                      need from me?
>>>
>>>                      Thanks,
>>>                      Dale
>>>
>>>                  I cannot seem to find a debian kernel that has a
>>>                  dependency on apparmor, can you provide a link ?
>>>
>>>                  Even if debian is making the kernel depend on apparmor
>>>                  (by the way, does Linus know about this ?), this isn't
>>>                  a Samba problem, it is an apparmor one.
>>>
>>>                  Rowland
>>>
>>>              Rowland,
>>>
>>>              Thanks for responding.
>>>
>>>              From
>>>              http://metadata.ftp-master.debian.org/changelogs/main/l/linux/linux_4.13.13-1_changelog
>>>
>>>              [ Ben Hutchings ]
>>>                  * linux-image: Recommend apparmor, as systemd units
>>>                    with an AppArmor profile will fail without it
>>>                    (Closes: #880441)
>>>
>>>              So, although the word "recommend" implies that one has a
>>>              choice, in reality, the kernel upgrade would not proceed
>>>              without installing apparmor.
>>>
>>>          Then it is a bug, depend means it will be installed, recommend
>>>          means what it says, it is recommended to install it, but you do
>>>          not need to.
>>>
>>>              I suppose it would be possible to disable, but assuming the
>>>              systemd warning is a harbinger of things to come, it seemed
>>>              best to me to figure it out now.  I know systemd is not
>>>              your thing, and I am inclined to agree; however, Debian
>>>              sees it otherwise, leaving me to deal with it.
>>>
>>>          Easier way out of this, stop using debian and use Devuan
>>>          instead.
>>>
>>>              I asked here because there is a wiki section devoted to the
>>>              topic -
>>>              https://wiki.samba.org/index.php/BIND9_DLZ_AppArmor_and_SELinux_Integration
>>>
>>>              Thus far, SELinux has not been forced by Debian.
>>>              Regardless, since the apparmor install, I have not been
>>>              able to get Bind9 to start if bind_dlz is enabled.
>>>
>>>          As I said, apparmor has nothing to do with Samba, the same goes
>>>          for selinux and, in my opinion, they should figure out how to
>>>          work with Samba, not the other way round. The page on the wiki
>>>          is supplied as a service, but Samba has no real way to know if
>>>          the settings are correct, it relies on feedback from users.
>>>
>>>          Rowland
>>>
>>>      Likewise, I had hoped some of the Ubuntu or Red Hat-derived OS
>>>      users would chime in.  I had previously tried several different
>>>      incantations with no luck.  Just now, I found this, taken from
>>>      https://2stech.ca/index.php/linux/linuxtutotials/tutorials/234-samba-active-directory-with-bind-dns-backend-on-ubuntu-1404
>>>
>>>        /var/lib/samba/private/krb5.conf r,
>>>        /var/lib/samba/private/dns.keytab r,
>>>        /var/lib/samba/private/named.conf r,
>>>        /var/lib/samba/private/dns/** rwk,
>>>        /usr/lib/x86_64-linux-gnu/samba/** m,
>>>        /usr/lib/x86_64-linux-gnu/ldb/modules/ldb/** m,
>>>
>>>      This dated recipe works for me where newer ones did not. BIND
>>>      9.10.6 is happy again.  YMMV
>>>
>>>      Dale
>>>
>>> -- 
>>> Thank you. Bob Wooden
>>>
>>> 615.885.2846 www.donelsontrophy.com
>>>
>>> "Everyone deserves an award!!"
>> Bob,
>>
>> I agree with everything you say and would rather not have it, but if
>> Debian's kernel maintainers are correct in that more systemd service
>> files will require apparmor, what other choice do I have but to learn
>> it?  I am not sure why Debian has decided to follow the
>> systemd/apparmor path, but I guess I get to go along for the ride. If
>> it becomes too onerous, I may have to do as you did and remove it.
>> BTW, the apparmor file for ntp worked out of the box, no
>> modifications on my part required.
>>
>> Thanks,
>> Dale
> The problem is that debian has fixed only half of the problem, yes
> recommend apparmor by all means, but they also need to fix systemd
> units to NOT fail if apparmor isn't installed, after all, apparmor is a
> 'recommend' and not a 'dependency'. If some systemd units fail if
> apparmor isn't installed, then this is, undoubtedly, a bug.
>
> Mind you, all of this is irrelevant to me, I do not use systemd ;-)
>
> Rowland
>
You're a lucky guy, Rowland. ;-) I've been burned several different times
with different aspects of systemd, even prior to apparmor.

You are absolutely correct in that the released systemd units should all 
work from the beginning.  I hope that it gets more reliable; time will tell.

Dale
