[Samba] split horizon and authoritative answers..?

Joachim Lindenberg samba at lindenberg.one
Tue Jul 30 09:30:42 UTC 2019

>> What I am struggling with though is inappropriate 
>> out-of-the-box apparmor configuration. I resorted to 
>> aa-complain /usr/sbin/named... 

>Samba version? 
root at boa:/etc/apparmor.d# samba -V
Version 4.10.6-Ubuntu
root at boa:/etc/apparmor.d# named -V
BIND 9.11.3-1ubuntu1.8-Ubuntu (Extended Support Version) <id:a375815>

>And what did you change exactly. 
Obviously some configuration in /etc/bind.

I added an apparmor configuration I found somewhere:
root at boa:/etc/apparmor.d# cat local/usr.sbin.named
# /var/lib/samba/private/named.conf
# Samba4 DLZ and Active Directory Zones (default source installation)
/var/lib/samba/lib/** rm,
/var/lib/samba/private/dns.keytab r,
/var/lib/samba/bind-dns/named.conf r,
/var/lib/samba/private/named.conf r,
/var/lib/samba/private/dns/** rwk,

(I added the bind-dns line).
But that is obviously incomplete.

root at boa:/etc/apparmor.d# aa-logprof
Reading log entries from /var/log/syslog.
Updating AppArmor profiles in /etc/apparmor.d.
Complain-mode changes:

Profile:  /usr/sbin/named
Path:     /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so
Old Mode: r
New Mode: mr
Severity: unknown

 [1 - #include <abstractions/lxc/container-base>]
  2 - #include <abstractions/lxc/start-container>
  3 - #include <abstractions/ubuntu-browsers.d/plugins-common>
  4 - /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_*.so mr,
  5 - /{usr/,}lib{,32,64}/** mr,
  6 - /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so mr,

>> any chance that this is going to be improved?
>If i know what,i then i can tell. 
I like your attitude!

Thanks, Joachim

More information about the samba mailing list