[Samba] Debian Buster, bind_dlz, and apparmor

Dale Schroeder dale at BriannasSaladDressing.com
Tue Nov 28 19:08:25 UTC 2017


On 11/28/2017 12:07 PM, L.P.H. van Belle via samba wrote:
> Hai,
> Normally I kick in sooner, but I'm in bed, hit by flu. :-(
>
>
> You have to add the bind paths to the apparmor profile, or disable apparmor in total; just don't remove it, that should work also.
> The Debian wiki or Ubuntu wiki shows how.
>
>
> But why are you using buster? IMO it is really not safe; if you want 4.7 for stretch, use my apt.
>
>
> When I'm better I can have a look into your problem more closely.
>
>
> greetz
>
>
> Louis..
> (mobile)
Hi Louis,

Sorry to hear you're not feeling well.  I hope it resolves soon.

I finally got a working apparmor config for bind_dlz and Samba; it's 
toward the bottom of this thread.

As far as using Buster is concerned, I've found that most things work OK 
using Debian testing.  So, what I do is use it at home and on other 
nonessential systems.  This allows me to learn the things that break 
from an upgrade (like this one) one at a time, rather than having to 
figure all of them out during a full upgrade.  I am forewarned and 
forearmed.  In this case, I took an NT domain through the classic 
upgrade process and worked out those problems, only to be derailed by 
apparmor.  (Unrelated to Samba, but the MySQL to MariaDB upgrade has not 
gone well at all, but I digress......)

Dale


>
>
>
> On 28 Nov 2017 at 18:26, Dale Schroeder via samba <samba at lists.samba.org> wrote:
>
>
> On 11/28/2017 11:11 AM, Robert Wooden wrote:
> Dale,
>
> Been using Ubuntu server for years in my AD. Discovered a long time
> ago that apparmor is not needed for a server. (Someone is probably
> going to argue the other way, that it should be, but . . .)
>
> Do not quote me but, I have read that AppArmor is intended more for a
> desktop environment. I have always disabled and then removed AppArmor
> and have never had any issues. Of course I am behind a hardware
> firewall so, hopefully, no exposure to any unwanted attacks.
>
> All my servers work fine without AppArmor.
>
> As an Ubuntu user, my 2 cents . . .
>
> On Tue, Nov 28, 2017 at 10:55 AM, Dale Schroeder via samba
> <samba at lists.samba.org> wrote:
>
>     On 11/28/2017 9:02 AM, Rowland Penny wrote:
>
>         On Tue, 28 Nov 2017 08:37:22 -0600
>         Dale Schroeder via samba <samba at lists.samba.org> wrote:
>
>
>             On 11/28/2017 2:38 AM, Rowland Penny via samba wrote:
>
>                 On Mon, 27 Nov 2017 14:53:32 -0600
>                 Dale Schroeder via samba <samba at lists.samba.org> wrote:
>
>                     Last week, Debian testing (Buster) added apparmor
>                     to the list of dependencies for its latest kernel
>                     release, apparently because systemd needs it.
>                     Recently, I noticed my first casualty - bind9 -
>                     due to apparmor failures with bind_dlz.
>
>                     Knowing next to nothing about apparmor, what is
>                     needed to fix this, and what further info do you
>                     need from me?
>
>                     Thanks,
>                     Dale
>
>                 I cannot seem to find a debian kernel that has a
>                 dependency on apparmor, can you provide a link ?
>
>                 Even if debian is making the kernel depend on apparmor
>                 (by the way, does Linus know about this ?), this isn't
>                 a Samba problem, it is an apparmor one.
>
>                 Rowland
>
>             Rowland,
>
>             Thanks for responding.
>
>             From
>             http://metadata.ftp-master.debian.org/changelogs/main/l/linux/linux_4.13.13-1_changelog
>
>             [ Ben Hutchings ]
>               * linux-image: Recommend apparmor, as systemd units with an
>                 AppArmor profile will fail without it (Closes: #880441)
>
>             So, although the word "recommend" implies that one has a
>             choice, in reality, the kernel upgrade would not proceed
>             without installing apparmor.
>
>         Then it is a bug, depend means it will be installed, recommend
>         means what it says, it is recommended to install it, but you
>         do not need to.
>
>             I suppose it would be possible to disable, but assuming
>             the systemd warning is a harbinger of things to come, it
>             seemed best to me to figure it out now.  I know systemd is
>             not your thing, and I am inclined to agree; however, Debian
>             sees it otherwise, leaving me to deal with it.
>
>         Easier way out of this, stop using debian and use Devuan instead.
>
>             I asked here because there is a wiki section devoted to
>             the topic -
>             https://wiki.samba.org/index.php/BIND9_DLZ_AppArmor_and_SELinux_Integration
>
>             Thus far, SELinux has not been forced by Debian.
>             Regardless, since the apparmor install, I have not been
>             able to get Bind9 to start if bind_dlz is enabled.
>
>         As I said, apparmor has nothing to do with Samba, the same
>         goes for selinux and, in my opinion, they should figure out
>         how to work with Samba, not the other way round. The page on
>         the wiki is supplied as a service, but Samba has no real way
>         to know if the settings are correct, it relies on feedback
>         from users.
>
>         Rowland
>
>     Likewise, I had hoped some of the Ubuntu or Red Hat-derived OS
>     users would chime in.  I had previously tried several different
>     incantations with no luck.  Just now, I found this, taken from
>     https://2stech.ca/index.php/linux/linuxtutotials/tutorials/234-samba-active-directory-with-bind-dns-backend-on-ubuntu-1404
>
>       /var/lib/samba/private/krb5.conf r,
>       /var/lib/samba/private/dns.keytab r,
>       /var/lib/samba/private/named.conf r,
>       /var/lib/samba/private/dns/** rwk,
>       /usr/lib/x86_64-linux-gnu/samba/** m,
>       /usr/lib/x86_64-linux-gnu/ldb/modules/ldb/** m,
>
>     This dated recipe works for me where newer ones did not. BIND
>     9.10.6 is happy again.  YMMV
>
>     Dale
>
>     --
>     To unsubscribe from this list go to the following URL and read the
>     instructions: https://lists.samba.org/mailman/options/samba
>     <https://lists.samba.org/mailman/options/samba>
>
>
>
>

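Louis's advice (add the bind paths to the named AppArmor profile) and the rule list Dale found both start from the same diagnostic step: reading the AppArmor "DENIED" audit records for the named profile. The script below is an added example, not code from this thread; it turns such records into candidate profile rules. Its log lines are constructed, and the dlz module path and the "/usr/sbin/named" profile name are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: turn AppArmor "DENIED" audit lines for the
# named profile into candidate rules for a local override such as
# /etc/apparmor.d/local/usr.sbin.named. Log lines below are constructed; the
# dlz module path and the "/usr/sbin/named" profile name are assumptions.

# Constructed audit records in the kernel's AppArmor format (what `dmesg` or
# `journalctl -k` show when named is blocked). The third record is repeated on
# purpose to show that repeated denials collapse to one rule.
SAMPLE_LOG='audit: type=1400 audit(1511896000.001:101): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/var/lib/samba/private/dns.keytab" pid=1234 comm="named" requested_mask="r" denied_mask="r" fsuid=106 ouid=0
audit: type=1400 audit(1511896000.002:102): apparmor="DENIED" operation="file_mmap" profile="/usr/sbin/named" name="/usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so" pid=1234 comm="named" requested_mask="m" denied_mask="m" fsuid=106 ouid=0
audit: type=1400 audit(1511896000.003:103): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/var/lib/samba/private/dns/sam.ldb" pid=1234 comm="named" requested_mask="rwk" denied_mask="w" fsuid=106 ouid=0
audit: type=1400 audit(1511896000.003:103): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/var/lib/samba/private/dns/sam.ldb" pid=1234 comm="named" requested_mask="rwk" denied_mask="w" fsuid=106 ouid=0
audit: type=1400 audit(1511896000.004:104): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/sbin/named" pid=999 comm="apparmor_parser"'

# denied_rules PROFILE: read audit text on stdin and print one "path mask,"
# rule per distinct DENIED record for PROFILE. Non-DENIED records (profile
# loads, STATUS lines) and denials for other profiles are ignored.
denied_rules() {
    profile="$1"
    grep 'apparmor="DENIED"' \
    | grep "profile=\"$profile\"" \
    | sed -n 's/.* name="\([^"]*\)".* requested_mask="\([^"]*\)".*/\1 \2,/p' \
    | LC_ALL=C sort -u
}

# Run the parser over the constructed sample; the rule lines are its output.
sample_rules() {
    printf '%s\n' "$SAMPLE_LOG" | denied_rules /usr/sbin/named
}

# Review each emitted line before appending it to the local profile and
# reloading with `apparmor_parser -r /etc/apparmor.d/usr.sbin.named`.
sample_rules
```

On a real host, replace the constructed sample with `journalctl -k | denied_rules /usr/sbin/named` and compare the output against the rule list quoted above before widening any path.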