The latest version of bind9 (1:9.11.5.P4+dfsg-4) still has a problem with its
apparmor profile with respect to the samba BIND9_DLZ use-case. I have submitted
a new bug to address it specifically: https://bugs.debian.org/928398
-S.M.
Steven Monai writes:
>My testing continues with the 'usr.sbin.named' profile in 'complain' mode. I
>will continue to report back here with my findings.
Since my last report, my two test servers, still in "complain" mode, have not
"complained" any further, so I'm fairly confident that the
Steven Monai writes:
>Okay. I have installed the latest bind9 from unstable (1:9.11.5.P4+dfsg-3),
>and have purged my local changes to the 'local/usr.sbin.named' apparmor file.
I neglected to mention that I made the same changes to both of my test domain
controllers, which are named "dc1" and
Bernhard Schmidt writes:
>I have just uploaded 1:9.11.5.P4+dfsg-3 that should incorporate all your
>local changes and also allowed /dev/urandom. I have upgraded my local
>Samba AD DC to Buster with this configuration and it appears to work
>fine, but this is only my personal server.
>
>The
On 02.04.19 at 18:25, Steven Monai wrote:
Hi Steven,
>
> So far, my buster Samba AD controller appears to be working correctly
> with the 'usr.sbin.named' profile in 'complain' mode. I will monitor the
> logs for a while to see if any further apparmor-related issues appear
> during my testing.
Bernhard Schmidt writes:
>Any more warnings you experienced?
I'm glad you asked. Since my last message, I have been getting the following
three logs every two or three days:
Apr 11 00:49:41 dc1 kernel: [489173.713080] audit: type=1400
audit(1554968981.353:17): apparmor="ALLOWED"
On 04.04.19 at 18:16, Steven Monai wrote:
> *Steven Monai writes:*
> So far, my buster Samba AD controller appears to be working correctly
> with the 'usr.sbin.named' profile in 'complain' mode. I will monitor the
> logs for a while to see if any further apparmor-related issues appear
> during my
Steven Monai writes:
>So far, my buster Samba AD controller appears to be working correctly with the
>'usr.sbin.named' profile in 'complain' mode. I will monitor the logs for a
>while to see if any further apparmor-related issues appear during my testing.
Some new apparmor "complaint" logs
Hello Bernhard. Thank you for your time.
Bernhard Schmidt writes:
>Have you configured /var/lib/samba/bind-dns/named.conf manually by any
>chance? On my stretch system this file is in /var/lib/samba/private,
>which is whitelisted based on the reports in this bug in the apparmor
Control: reopen -1
On 01.04.19 at 23:52, Steven Monai wrote:
Hi Steve,
> As of now, this bug still affects Buster.
Thanks for reporting. I don't have samba AD with bind9 running on
Buster, your feedback is appreciated.
> When the apparmor profile 'usr.sbin.named' is set to 'enforce' mode
>
Greetings.
As of now, this bug still affects Buster.
I have installed samba (2:4.9.4+dfsg-4), bind9 (1:9.11.5.P4+dfsg-1), and
apparmor (2.13.2-9).
In my testing environment, Samba is configured as an Active Directory
controller, and it is using the BIND_DLZ backend for DNS.
When the apparmor
Hi,
> > /usr/lib/x86_64-linux-gnu/samba/** rm,
> > /usr/lib/x86_64-linux-gnu/ldb/modules/ldb/** rm,
> > /var/lib/samba/private/dns.keytab r,
> > /var/lib/samba/private/named.conf r,
> > /var/lib/samba/private/dns/** rwk,
> > /etc/smb.conf r,
>
> > ...but obviously
Package: apparmor
Version: 2.11.0-3+deb9u2
Severity: normal
Dear Maintainer,
A piece of replacement kit went in requiring a newer kernel from backports,
which brought in apparmor as a recommend. However in its currently shipping
form this broke the bind DLZ that's used with samba (to host