14.02.2016, 09:14, Filip Pytloun kirjoitti:
> Hello,
> 
> we are using Ubuntu 14.04 on FreeIPA clients and Ubuntu 16.04 on FreeIPA
> server for 2 months with no critical issues.
> 
> Using newer freeipa-client was not needed, only sssd update from here,
> because trusty version is buggy:
> https://launchpad.net/~sssd/+archive/ubuntu/updates?field.series_filter=trusty
> 
> On server side, it was only needed to fix apparmor policy for bind to
> fix FreeIPA DNS zones:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=814314

/var/lib/sss* bits belong to the apparmor profile shipped by sssd..
mind removing them from the bind profile and testing this to
/etc/apparmor.d/usr.sbin.sssd instead?

@@ -33,6 +33,7 @@

   /var/lib/sss/* rw,
   /var/lib/sss/db/* rwk,
+  /var/lib/sss/mc/initgroups r,
   /var/lib/sss/pipes/* rw,
   /var/lib/sss/pipes/private/* rw,
   /var/lib/sss/pubconf/* rw,
@@ -42,6 +43,7 @@
   /{,var/}run/sssd.pid rw,

   profile /usr/lib/@{multiarch}/sssd/* {
+    /var/lib/sss/pubconf/krb5.include.d/** rw,
     /var/lib/sss/pubconf/krb5.include.d/ rw,
   }



-- 
t

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to