[Samba] Workstations cannot update DNS

Rowland penny rpenny at samba.org
Tue May 14 20:50:01 UTC 2019


On 14/05/2019 21:36, Durwin via samba wrote:
> I am trying to get DDNS working, so workstations can update their IP.
>
> The domain is msi.mycompany.com
>
> The DC server works, as well as group policies.
>
> I set rights to these files
>> chgrp bind /var/lib/samba/private/
>> chmod 750 /var/lib/samba/private/
>> chgrp bind /var/lib/samba/private/dns.keytab
>> chmod 640 /var/lib/samba/private/dns.keytab
> journalctl shows this.
> May 14 14:22:32 audit[2117]: AVC apparmor="DENIED" operation="file_lock"
> profile="/usr/sbin/named" name="/var/lib/samba/private/dns.keytab"
> pid=2117 comm="isc-worker0000" requested_mask="k" denied_mask="k"
> fsuid=111 ouid=0
> May 14 14:22:32 kernel: audit: type=1400 audit(1557865352.085:35):
> apparmor="DENIED" operation="file_lock" profile="/usr/sbin/named"
> name="/var/lib/samba/private/dns.keytab" pid=2117 comm="isc-worker0000"
> requested_mask="k" denied_mask="k" fsuid=111 ouid=0

It looks like you need to fix AppArmor (at least); try reading this:

https://wiki.samba.org/index.php/BIND9_DLZ_AppArmor_and_SELinux_Integration

Rowland
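
An added example, not part of the original post or of Samba's own code: a small Python parser for the AppArmor AVC records quoted above, which collapses the duplicate audit/kernel entries and reports which file permission each profile was denied on each path. The sample log is constructed from the quoted journalctl output with the mail wrapping undone; the function names are hypothetical.

```python
import re

# Constructed sample: the two journalctl records quoted in the post,
# with the mail line wrapping undone (one record per line).
SAMPLE_LOG = """\
May 14 14:22:32 audit[2117]: AVC apparmor="DENIED" operation="file_lock" profile="/usr/sbin/named" name="/var/lib/samba/private/dns.keytab" pid=2117 comm="isc-worker0000" requested_mask="k" denied_mask="k" fsuid=111 ouid=0
May 14 14:22:32 kernel: audit: type=1400 audit(1557865352.085:35): apparmor="DENIED" operation="file_lock" profile="/usr/sbin/named" name="/var/lib/samba/private/dns.keytab" pid=2117 comm="isc-worker0000" requested_mask="k" denied_mask="k" fsuid=111 ouid=0
"""

# AppArmor file-rule permission letters; anything else is reported as-is.
PERMS = {"r": "read", "w": "write", "a": "append", "x": "execute",
         "m": "mmap exec", "k": "lock", "l": "link"}

# key=value pairs, where the value is either quoted or a bare token.
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_denials(text):
    """Return {(profile, path): set of denied permission letters}."""
    denials = {}
    for line in text.splitlines():
        fields = {k: v.strip('"') for k, v in KV.findall(line)}
        if fields.get("apparmor") != "DENIED":
            continue
        if "profile" not in fields or "name" not in fields:
            continue  # not a file-access denial
        key = (fields["profile"], fields["name"])
        # The same event is logged by both auditd and the kernel ring
        # buffer, so merge masks per (profile, path) instead of counting.
        denials.setdefault(key, set()).update(fields.get("denied_mask", ""))
    return denials


def report(denials):
    """One human-readable line per (profile, path) pair."""
    lines = []
    for (profile, path), mask in sorted(denials.items()):
        letters = "".join(sorted(mask))
        names = ", ".join(PERMS.get(p, p) for p in sorted(mask))
        lines.append(f"{profile}: {path} lacks {letters} ({names})")
    return lines


if __name__ == "__main__":
    print("\n".join(report(parse_denials(SAMPLE_LOG))))
```

Here the only denied permission is `k` (file lock) for the `/usr/sbin/named` profile on `dns.keytab`, which is what the profile's rule for that path has to allow.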
