smb config
[global]
workgroup = company
realm = COMPANY.LOCAL
netbios name = zentyal
server string = Zentyal Server
server role = dc
server role check:inhibit = yes
server services = -dns
server signing = auto
dsdb:schema update allowed = yes
ldap server require strong auth = no
drs:max object sync = 1200
idmap_ldb:use rfc2307 = yes
winbind enum users = yes
winbind enum groups = yes
template shell = /bin/bash
template homedir = /home/%U
rpc server dynamic port range = 49152-65535
interfaces = lo,eth0,eth1
bind interfaces only = yes
map to guest = Bad User
log level = 3
log file = /var/log/samba/samba.log
max log size = 100000
include = /etc/samba/shares.conf
[netlogon]
path = /var/lib/samba/sysvol/company.local/scripts
browseable = no
read only = yes
[sysvol]
path = /var/lib/samba/sysvol
read only = no
---------- Forwarded message ---------
Från: Birger Birger <[email protected]>
Date: tors 5 sep. 2019 kl 10:01
Subject: Fwd: [apparmor] apparmor & clamav
To: <[email protected]>
Hope this helps the troubleshooting. What do you think?
syslog
Sep 5 09:07:02 zentyal kernel: [77608.395063] audit: type=1400
audit(1567667222.149:32): apparmor="DENIED" operation="connect"
profile="/usr/bin/freshclam" name="/run/samba/winbindd/pipe" pid=13656
comm="freshclam" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
kern log
Sep 5 09:07:02 zentyal kernel: [77608.395063] audit: type=1400
audit(1567667222.149:32): apparmor="DENIED" operation="connect"
profile="/usr/bin/freshclam" name="/run/samba/winbindd/pipe" pid=13656
comm="freshclam" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
samba log
[2019/09/05 07:02:00.093952, 3]
../lib/ldb-samba/ldb_wrap.c:326(ldb_wrap_connect)
ldb_wrap open of secrets.ldb
[2019/09/05 07:02:00.101494, 3]
../source4/dsdb/samdb/ldb_modules/schema_load.c:226(dsdb_schema_refresh)
Schema refresh needed 2004 != 2018
[2019/09/05 07:02:00.301221, 3]
../source4/smbd/service_stream.c:65(stream_terminate_connection)
Terminating connection - 'ldapsrv_call_wait_done: call->wait_recv() -
NT_STATUS_LOCAL_DISCONNECT'
[2019/09/05 07:02:00.301309, 2]
../source4/smbd/process_standard.c:473(standard_terminate)
standard_terminate: reason[ldapsrv_call_wait_done: call->wait_recv() -
NT_STATUS_LOCAL_DISCONNECT]
[2019/09/05 07:02:00.306703, 2]
../source4/smbd/process_standard.c:157(standard_child_pipe_handler)
Child 7164 () exited with status 0
[2019/09/05 07:02:10.104443, 3]
../lib/ldb-samba/ldb_wrap.c:326(ldb_wrap_connect)
ldb_wrap open of secrets.ldb
[2019/09/05 07:02:10.112086, 3]
../source4/dsdb/samdb/ldb_modules/schema_load.c:226(dsdb_schema_refresh)
Schema refresh needed 2004 != 2018
[2019/09/05 07:02:10.303645, 3]
../source4/smbd/service_stream.c:65(stream_terminate_connection)
Terminating connection - 'ldapsrv_call_wait_done: call->wait_recv() -
NT_STATUS_LOCAL_DISCONNECT'
[2019/09/05 07:02:10.303735, 2]
../source4/smbd/process_standard.c:473(standard_terminate)
standard_terminate: reason[ldapsrv_call_wait_done: call->wait_recv() -
NT_STATUS_LOCAL_DISCONNECT]
[2019/09/05 07:02:10.309144, 2]
../source4/smbd/process_standard.c:157(standard_child_pipe_handler)
Child 7169 () exited with status 0
[2019/09/05 07:02:20.115943, 3]
../lib/ldb-samba/ldb_wrap.c:326(ldb_wrap_connect)
ldb_wrap open of secrets.ldb
[2019/09/05 07:02:20.123510, 3]
../source4/dsdb/samdb/ldb_modules/schema_load.c:226(dsdb_schema_refresh)
Schema refresh needed 2004 != 2018
[2019/09/05 07:02:20.306510, 3]
../source4/smbd/service_stream.c:65(stream_terminate_connection)
Terminating connection - 'ldapsrv_call_wait_done: call->wait_recv() -
NT_STATUS_LOCAL_DISCONNECT'
[2019/09/05 07:02:20.306599, 2]
../source4/smbd/process_standard.c:473(standard_terminate)
standard_terminate: reason[ldapsrv_call_wait_done: call->wait_recv() -
NT_STATUS_LOCAL_DISCONNECT]
[2019/09/05 07:02:20.311951, 2]
../source4/smbd/process_standard.c:157(standard_child_pipe_handler)
Child 7174 () exited with status 0
[2019/09/05 07:02:29.978362, 2]
../source4/dsdb/kcc/kcc_periodic.c:710(kccsrv_samba_kcc)
Calling samba_kcc script
[2019/09/05 07:02:30.034350, 3]
../lib/ldb-samba/ldb_wrap.c:326(ldb_wrap_connect)
ldb_wrap open of secrets.ldb
[2019/09/05 07:02:30.042180, 3]
../source4/dsdb/samdb/ldb_modules/schema_load.c:226(dsdb_schema_refresh)
Schema refresh needed 2004 != 2018
[2019/09/05 07:02:30.180387, 0]
../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
/usr/sbin/samba_kcc: ldb_wrap open of secrets.ldb
[2019/09/05 07:02:30.195742, 3]
../source4/smbd/service_stream.c:65(stream_terminate_connection)
Terminating connection - 'ldapsrv_call_wait_done: call->wait_recv() -
NT_STATUS_LOCAL_DISCONNECT'
[2019/09/05 07:02:30.195833, 2]
../source4/smbd/process_standard.c:473(standard_terminate)
standard_terminate: reason[ldapsrv_call_wait_done: call->wait_recv() -
NT_STATUS_LOCAL_DISCONNECT]
[2019/09/05 07:02:30.201464, 2]
../source4/smbd/process_standard.c:157(standard_child_pipe_handler)
Child 7183 () exited with status 0
[2019/09/05 07:02:30.314889, 3]
../lib/util/util_runcmd.c:291(samba_runcmd_io_handler)
samba_runcmd_io_handler: Child /usr/sbin/samba_kcc exited 0
[2019/09/05 07:02:30.314929, 3]
../source4/dsdb/kcc/kcc_periodic.c:695(samba_kcc_done)
Completed samba_kcc OK
[2019/09/05 07:02:40.070125, 3]
../lib/ldb-samba/ldb_wrap.c:326(ldb_wrap_connect)
ldb_wrap open of secrets.ldb
[2019/09/05 07:02:40.077497, 3]
../source4/dsdb/samdb/ldb_modules/schema_load.c:226(dsdb_schema_refresh)
Schema refresh needed 2004 != 2018
[2019/09/05 07:02:40.295079, 3]
../source4/smbd/service_stream.c:65(stream_terminate_connection)
Terminating connection - 'ldapsrv_call_wait_done: call->wait_recv() -
NT_STATUS_LOCAL_DISCONNECT'
[2019/09/05 07:02:40.295164, 2]
../source4/smbd/process_standard.c:473(standard_terminate)
standard_terminate: reason[ldapsrv_call_wait_done: call->wait_recv() -
NT_STATUS_LOCAL_DISCONNECT]
[2019/09/05 07:02:40.300523, 2]
../source4/smbd/process_standard.c:157(standard_child_pipe_handler)
Child 7189 () exited with status 0
[2019/09/05 07:02:50.083237, 3]
../lib/ldb-samba/ldb_wrap.c:326(ldb_wrap_connect)
ldb_wrap open of secrets.ldb
[2019/09/05 07:02:50.090899, 3]
../source4/dsdb/samdb/ldb_modules/schema_load.c:226(dsdb_schema_refresh)
Schema refresh needed 2004 != 2018
[2019/09/05 07:02:50.299324, 3]
../source4/smbd/service_stream.c:65(stream_terminate_connection)
Terminating connection - 'ldapsrv_call_wait_done: call->wait_recv() -
NT_STATUS_LOCAL_DISCONNECT'
[2019/09/05 07:02:50.299422, 2]
../source4/smbd/process_standard.c:473(standard_terminate)
standard_terminate: reason[ldapsrv_call_wait_done: call->wait_recv() -
NT_STATUS_LOCAL_DISCONNECT]
[2019/09/05 07:02:50.304819, 2]
../source4/smbd/process_standard.c:157(standard_child_pipe_handler)
Child 7194 () exited with status 0
---------- Forwarded message ---------
Från: Christian Ehrhardt <[email protected]>
Date: tors 5 sep. 2019 kl 08:10
Subject: Re: [apparmor] apparmor & clamav
To: Seth Arnold <[email protected]>
Cc: <[email protected]>
On Thu, Sep 5, 2019 at 1:11 AM Seth Arnold <[email protected]>
wrote:
>
> On Wed, Sep 04, 2019 at 08:02:56PM +0200, Birger Birger wrote:
> > This looks promising to troubleshoot. Any ideas?
>
> Do you know what winbindd does with this pipe? Are there any local
> configuration changes that would have put this pipe in this directory?
>
> It feels a lot like a new name for the pipes listed in
> <abstractions/winbind>:
>
> /tmp/.winbindd/pipe rw,
> /var/{lib,run}/samba/winbindd_privileged/pipe rw,
>
> Does this sound right? Or is this pipe something different from these?
I think I have seen this deny come up in other cases and never spotted
exactly where it came from.
But I wanted to use this chance and find the base config for it.
It turns out that it is even in the base samba config, and thereby I
agree with Seth that this might be another entry for the abstraction.
Here smb.conf (5)
winbindd socket directory (G)
This setting controls the location of the winbind daemon's socket.
Except within automated test scripts, this should not be
altered, as the client tools (nss_winbind etc) do not honour this
parameter. Client tools must then be advised of the
altered path with the WINBINDD_SOCKET_DIR environment varaible.
Default: winbindd socket directory = /var/run/samba/winbindd
And since /var/run => /run we see the reported deny.
cu
Christian
> Thanks
>
> > > On Sep 4, 2019, at 03:01, Birger Birger via clamav-users <
> > [email protected]> wrote:
> > >
> >
> > From Ubuntu syslog:
> > > Sep 4 08:40:01 zentyal kernel: [345190.998397] audit: type=1400
> > audit(1567579201.044:83): apparmor="DENIED" operation="connect"
> > profile="/usr/bin/freshclam" name="/run/samba/winbindd/pipe" pid=1269
> > comm="freshclam" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
>
> --
> AppArmor mailing list
> [email protected]
> Modify settings or unsubscribe at:
https://lists.ubuntu.com/mailman/listinfo/apparmor
--
AppArmor mailing list
[email protected]
Modify settings or unsubscribe at:
https://lists.ubuntu.com/mailman/listinfo/apparmor
--
AppArmor mailing list
[email protected]
Modify settings or unsubscribe at:
https://lists.ubuntu.com/mailman/listinfo/apparmor
