[Samba] split horizon and authoritative answers..?

L.P.H. van Belle belle at bazuin.nl
Tue Jul 30 10:10:24 UTC 2019


Hai, 

Hm, well, I can't add that to my packages because we need to report it as a bug for bind9. 
Since these settings are done in usr.sbin.named.

But I can tell you, I have this for it (a bit modified from what you showed below). 
Add this part in: local/usr.sbin.named 

  # Samba DLZ
  /{usr/,}lib/@{multiarch}/samba/bind9/*.so rm,
  /{usr/,}lib/@{multiarch}/samba/gensec/*.so rm,
  /{usr/,}lib/@{multiarch}/samba/ldb/*.so rm,
  /{usr/,}lib/@{multiarch}/ldb/modules/ldb/*.so rm,
  # before samba 4.9
  /var/lib/samba/private/dns.keytab rk,
  /var/lib/samba/private/named.conf r,
  /var/lib/samba/private/dns/dlz_bind9_*.so rm,
  # as of samba 4.9+
  /var/lib/samba/bind-dns/dns.keytab rk,
  /var/lib/samba/bind-dns/named.conf r,
  /var/lib/samba/bind-dns/dns/dlz_bind9_*.so rm,
  /etc/samba/smb.conf r,
  /dev/urandom rwmk,
  owner /var/tmp/krb5_* rwk,

I just must say, I'm (still) not into apparmor, as in... 
the above works for me; try it, test it, improve it, report it.  ;-) 
But the above should/could be improved with better settings. 

Also, looking at: >  [1 - #include <abstractions/lxc/container-base>] 
You're using lxc containers, so you might need a bit of other settings also, but that I really can't tell. 
I don't use containers here, but I know other list members do, 
so maybe if we are lucky one replies and gives the rest of the info we need. ;-) 

So far, 

Greetz, 

Louis
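As an added illustration (not part of Louis's or Joachim's mails), the following script checks whether a local/usr.sbin.named override actually covers a path and access mode that AppArmor logged as DENIED. It expands AppArmor path globs (`*`, `**`, `{a,b}`) and the Ubuntu `@{multiarch}` tunable, and the audit log line it parses is constructed, not taken from the thread.

```python
import re

# @{multiarch} is expanded the way Ubuntu's tunables do (assumption of this example).
MULTIARCH = "*-linux-gnu*"

# Constructed audit line in the usual AppArmor format: named tried to mmap the DLZ plugin.
SAMPLE_LOG = ('type=AVC msg=audit(1564483200.123:45): apparmor="DENIED" operation="file_mmap" '
              'profile="/usr/sbin/named" name="/usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so" '
              'pid=1234 comm="named" requested_mask="m" denied_mask="m" fsuid=107 ouid=0')

# Two override fragments: the multiarch rule from the thread, and an incomplete one that
# only whitelists /var/lib/samba (so the plugin under /usr/lib is still denied).
RULES_THREAD = "/{usr/,}lib/@{multiarch}/samba/bind9/*.so rm,\n/var/lib/samba/bind-dns/dns.keytab rk,"
RULES_INCOMPLETE = "/var/lib/samba/lib/** rm,\n/var/lib/samba/private/dns.keytab r,"

def glob_to_regex(pattern):
    """Translate an AppArmor path glob: ** matches anything, * stops at '/', {a,b} alternates."""
    pattern = pattern.replace("@{multiarch}", MULTIARCH)
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out += ".*"; i += 2
        elif pattern[i] == "*":
            out += "[^/]*"; i += 1
        elif pattern[i] == "{":
            j = pattern.index("}", i)
            out += "(?:" + "|".join(re.escape(a) for a in pattern[i + 1:j].split(",")) + ")"
            i = j + 1
        else:
            out += re.escape(pattern[i]); i += 1
    return "^" + out + "$"

def parse_rules(text):
    """Parse 'path mode,' lines into (glob, set_of_modes); comments and 'owner' are tolerated."""
    rules = []
    for line in text.splitlines():
        line = line.strip().rstrip(",")
        if not line or line.startswith("#"):
            continue
        if line.startswith("owner "):
            line = line[len("owner "):]
        path, mode = line.rsplit(None, 1)
        rules.append((path, set(mode)))
    return rules

DENIED = re.compile(r'apparmor="DENIED" operation="\w+" profile="[^"]+" '
                    r'name="([^"]+)" .*requested_mask="([^"]+)"')

def parse_denial(line):
    """Return (path, requested modes) from a DENIED audit line, or None if it is not one."""
    m = DENIED.search(line)
    return None if not m else (m.group(1), set(m.group(2)))

def covered(rules, path, mask):
    """True if some rule's glob matches the path and its mode grants every requested bit."""
    return any(re.match(glob_to_regex(p), path) and mask <= mode for p, mode in rules)
```

Feed it `SAMPLE_LOG` with each fragment: the thread's rule grants `m` on the plugin, the incomplete one does not, which is exactly the "Old Mode: r / New Mode: mr" change aa-logprof proposed.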



> -----Original message-----
> From: Joachim Lindenberg [mailto:samba at lindenberg.one] 
> Sent: Tuesday 30 July 2019 11:31
> To: 'L.P.H. van Belle'; samba at lists.samba.org
> Subject: AW: [Samba] split horizon and authoritative answers..?
> 
> >> What I am struggling with though is inappropriate 
> >> out-of-the-box apparmor configuration. I resorted to 
> >> aa-complain /usr/sbin/named... 
> 
> >Samba version? 
> root at boa:/etc/apparmor.d# samba -V
> Version 4.10.6-Ubuntu
> root at boa:/etc/apparmor.d# named -V
> BIND 9.11.3-1ubuntu1.8-Ubuntu (Extended Support Version) <id:a375815>
> 
> >And what did you change exactly. 
> Obviously some configuration in /etc/bind.
> 
> I added an apparmor configuration I found somewhere:
> root at boa:/etc/apparmor.d# cat local/usr.sbin.named
> # /var/lib/samba/private/named.conf
> # Samba4 DLZ and Active Directory Zones (default source installation)
> /var/lib/samba/lib/** rm,
> /var/lib/samba/private/dns.keytab r,
> /var/lib/samba/bind-dns/named.conf r,
> /var/lib/samba/private/named.conf r,
> /var/lib/samba/private/dns/** rwk,
> 
> (I added the bind-dns line).
> But that is obviously incomplete.
> 
> root at boa:/etc/apparmor.d# aa-logprof
> Reading log entries from /var/log/syslog.
> Updating AppArmor profiles in /etc/apparmor.d.
> Complain-mode changes:
> 
> Profile:  /usr/sbin/named
> Path:     /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so
> Old Mode: r
> New Mode: mr
> Severity: unknown
> 
>  [1 - #include <abstractions/lxc/container-base>]
>   2 - #include <abstractions/lxc/start-container>
>   3 - #include <abstractions/ubuntu-browsers.d/plugins-common>
>   4 - /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_*.so mr,
>   5 - /{usr/,}lib{,32,64}/** mr,
>   6 - /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so mr,
> 
> 
> >> any chance that this is going to be improved?
> >If I know what, then I can tell. 
> I like your attitude!
> 
> Thanks, Joachim
> 
> 