[Touch-packages] [Bug 1377239] Re: cups-pdf 2.6.1-9 not able to lookup domain user because apparmor profile
[Expired for cups (Ubuntu) because there has been no activity for 60 days.] ** Changed in: cups (Ubuntu) Status: Incomplete = Expired -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to cups in Ubuntu. https://bugs.launchpad.net/bugs/1377239 Title: cups-pdf 2.6.1-9 not able to lookup domain user because apparmor profile Status in cups package in Ubuntu: Expired Bug description: I use cups-pdf for years now. But now it's no longer able to lookup users from domain. lookup user by getent passwd works fine. lookup user by wbinfo works fine. Login with domain user works fine. kinit username works, too. But cups-pdf with log level 7 tells: unknown user (admin) It's regardless of wether I use UserPrefix MYDOMAIN\ or leave it blank. Just the output of the log file differs to: unknown user (MYDOMAIN\admin) After long time of searching around in all log files I tried to set apparmor profile use.sbin.cupsd to complain mode. That fixes my problem. But what I have to change in apparmor profile to switch back to enforce mode? I don't get any logging by complain, enforce or audit mode in /var/log/syslog. It looks like getpwnam or another method used in cups-pdf.c is restricted by apparmor in Ubuntu 14.04.1 LTS. I use the default cups-pdf.conf and default usr.sbin.cupsd apparmor profile. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/cups/+bug/1377239/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1377239] Re: cups-pdf 2.6.1-9 not able to lookup domain user because apparmor profile
Okay, step by step: cups-pdf policy has: #include abstractions/nameservice yes /etc/apparmor.d/abstractions/nameservice has: #include abstractions/winbind yes /etc/apparmor.d/abstractions/winbind has: /var/{lib,run}/samba/winbindd_privileged/pipe rw, yes I am using ubuntu defaults. All apparmor files are unchanged, but it only works when I add following to cups-pdf policy: /run/samba/winbindd/pipe rw, Eventually it's because /var/run/samba/winbindd_privileged/pipe is not available, but /var/lib/samba/winbindd_privileged/pipe is. The permissions on both pipes are the same: 0 srwxrwxrwx 1 root root 0 Okt 3 15:13 /var/lib/samba/winbindd_privileged/pipe 0 srwxrwxrwx 1 root root 0 Okt 3 15:13 /run/samba/winbindd/pipe -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to cups in Ubuntu. https://bugs.launchpad.net/bugs/1377239 Title: cups-pdf 2.6.1-9 not able to lookup domain user because apparmor profile Status in “cups” package in Ubuntu: Incomplete Bug description: I use cups-pdf for years now. But now it's no longer able to lookup users from domain. lookup user by getent passwd works fine. lookup user by wbinfo works fine. Login with domain user works fine. kinit username works, too. But cups-pdf with log level 7 tells: unknown user (admin) It's regardless of wether I use UserPrefix MYDOMAIN\ or leave it blank. Just the output of the log file differs to: unknown user (MYDOMAIN\admin) After long time of searching around in all log files I tried to set apparmor profile use.sbin.cupsd to complain mode. That fixes my problem. But what I have to change in apparmor profile to switch back to enforce mode? I don't get any logging by complain, enforce or audit mode in /var/log/syslog. It looks like getpwnam or another method used in cups-pdf.c is restricted by apparmor in Ubuntu 14.04.1 LTS. I use the default cups-pdf.conf and default usr.sbin.cupsd apparmor profile. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/cups/+bug/1377239/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1377239] Re: cups-pdf 2.6.1-9 not able to lookup domain user because apparmor profile
Christian, yes, add this to your profile (in the cups-pdf section): /run/samba/winbindd/pipe rw, then do this: $ sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.cupsd -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to cups in Ubuntu. https://bugs.launchpad.net/bugs/1377239 Title: cups-pdf 2.6.1-9 not able to lookup domain user because apparmor profile Status in “cups” package in Ubuntu: Incomplete Bug description: I use cups-pdf for years now. But now it's no longer able to lookup users from domain. lookup user by getent passwd works fine. lookup user by wbinfo works fine. Login with domain user works fine. kinit username works, too. But cups-pdf with log level 7 tells: unknown user (admin) It's regardless of wether I use UserPrefix MYDOMAIN\ or leave it blank. Just the output of the log file differs to: unknown user (MYDOMAIN\admin) After long time of searching around in all log files I tried to set apparmor profile use.sbin.cupsd to complain mode. That fixes my problem. But what I have to change in apparmor profile to switch back to enforce mode? I don't get any logging by complain, enforce or audit mode in /var/log/syslog. It looks like getpwnam or another method used in cups-pdf.c is restricted by apparmor in Ubuntu 14.04.1 LTS. I use the default cups-pdf.conf and default usr.sbin.cupsd apparmor profile. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/cups/+bug/1377239/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1377239] Re: cups-pdf 2.6.1-9 not able to lookup domain user because apparmor profile
Can you perform the above and confirm if it fixes it for you? Also, the cups-pdf policy has: #include abstractions/nameservice and /etc/apparmor.d/abstractions/nameservice has: #include abstractions/winbind and /etc/apparmor.d/abstractions/winbind has: /var/{lib,run}/samba/winbindd_privileged/pipe rw, did you set the path for to /run/samba/winbindd/pipe or are you using Ubuntu defaults? -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to cups in Ubuntu. https://bugs.launchpad.net/bugs/1377239 Title: cups-pdf 2.6.1-9 not able to lookup domain user because apparmor profile Status in “cups” package in Ubuntu: Incomplete Bug description: I use cups-pdf for years now. But now it's no longer able to lookup users from domain. lookup user by getent passwd works fine. lookup user by wbinfo works fine. Login with domain user works fine. kinit username works, too. But cups-pdf with log level 7 tells: unknown user (admin) It's regardless of wether I use UserPrefix MYDOMAIN\ or leave it blank. Just the output of the log file differs to: unknown user (MYDOMAIN\admin) After long time of searching around in all log files I tried to set apparmor profile use.sbin.cupsd to complain mode. That fixes my problem. But what I have to change in apparmor profile to switch back to enforce mode? I don't get any logging by complain, enforce or audit mode in /var/log/syslog. It looks like getpwnam or another method used in cups-pdf.c is restricted by apparmor in Ubuntu 14.04.1 LTS. I use the default cups-pdf.conf and default usr.sbin.cupsd apparmor profile. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/cups/+bug/1377239/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1377239] Re: cups-pdf 2.6.1-9 not able to lookup domain user because apparmor profile
@Jamie: To get output from grep DEN /var/log/syslog I set to enforce mode: 3x Oct 4 11:41:31 fs kernel: [135831.687728] type=1400 audit(1412415691.115:6372889): apparmor=DENIED operation=connect profile=/usr/lib/cups/backend/cups-pdf name=/run/samba/winbindd/pipe pid=19253 comm=cups-pdf requested_mask=rw denied_mask=rw fsuid=0 ouid=0 Attached log-output with complain mode is from: tail -f /var/log/syslog /var/log/cups/*_log I solved it adding following line to cups-pdf section: /run/samba/winbindd/pipe rw, Is this correct? ** Attachment added: log_complainMode.txt https://bugs.launchpad.net/ubuntu/+source/cups/+bug/1377239/+attachment/4224433/+files/log_complainMode.txt -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to cups in Ubuntu. https://bugs.launchpad.net/bugs/1377239 Title: cups-pdf 2.6.1-9 not able to lookup domain user because apparmor profile Status in “cups” package in Ubuntu: Incomplete Bug description: I use cups-pdf for years now. But now it's no longer able to lookup users from domain. lookup user by getent passwd works fine. lookup user by wbinfo works fine. Login with domain user works fine. kinit username works, too. But cups-pdf with log level 7 tells: unknown user (admin) It's regardless of wether I use UserPrefix MYDOMAIN\ or leave it blank. Just the output of the log file differs to: unknown user (MYDOMAIN\admin) After long time of searching around in all log files I tried to set apparmor profile use.sbin.cupsd to complain mode. That fixes my problem. But what I have to change in apparmor profile to switch back to enforce mode? I don't get any logging by complain, enforce or audit mode in /var/log/syslog. It looks like getpwnam or another method used in cups-pdf.c is restricted by apparmor in Ubuntu 14.04.1 LTS. I use the default cups-pdf.conf and default usr.sbin.cupsd apparmor profile. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/cups/+bug/1377239/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1377239] Re: cups-pdf 2.6.1-9 not able to lookup domain user because apparmor profile
Can you paste the output of: $ grep DEN /var/log/syslog at the time of the denial? ** Package changed: cups-pdf (Ubuntu) = cups (Ubuntu) ** Changed in: cups (Ubuntu) Status: New = Incomplete -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to cups in Ubuntu. https://bugs.launchpad.net/bugs/1377239 Title: cups-pdf 2.6.1-9 not able to lookup domain user because apparmor profile Status in “cups” package in Ubuntu: Incomplete Bug description: I use cups-pdf for years now. But now it's no longer able to lookup users from domain. lookup user by getent passwd works fine. lookup user by wbinfo works fine. Login with domain user works fine. kinit username works, too. But cups-pdf with log level 7 tells: unknown user (admin) It's regardless of wether I use UserPrefix MYDOMAIN\ or leave it blank. Just the output of the log file differs to: unknown user (MYDOMAIN\admin) After long time of searching around in all log files I tried to set apparmor profile use.sbin.cupsd to complain mode. That fixes my problem. But what I have to change in apparmor profile to switch back to enforce mode? I don't get any logging by complain, enforce or audit mode in /var/log/syslog. It looks like getpwnam or another method used in cups-pdf.c is restricted by apparmor in Ubuntu 14.04.1 LTS. I use the default cups-pdf.conf and default usr.sbin.cupsd apparmor profile. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/cups/+bug/1377239/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1377239] Re: cups-pdf 2.6.1-9 not able to lookup domain user because apparmor profile
Since you put this into complain mode, there may be more entries needed that might have been logged with ALLOWED -- can you grep for those, too, please? -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to cups in Ubuntu. https://bugs.launchpad.net/bugs/1377239 Title: cups-pdf 2.6.1-9 not able to lookup domain user because apparmor profile Status in “cups” package in Ubuntu: Incomplete Bug description: I use cups-pdf for years now. But now it's no longer able to lookup users from domain. lookup user by getent passwd works fine. lookup user by wbinfo works fine. Login with domain user works fine. kinit username works, too. But cups-pdf with log level 7 tells: unknown user (admin) It's regardless of wether I use UserPrefix MYDOMAIN\ or leave it blank. Just the output of the log file differs to: unknown user (MYDOMAIN\admin) After long time of searching around in all log files I tried to set apparmor profile use.sbin.cupsd to complain mode. That fixes my problem. But what I have to change in apparmor profile to switch back to enforce mode? I don't get any logging by complain, enforce or audit mode in /var/log/syslog. It looks like getpwnam or another method used in cups-pdf.c is restricted by apparmor in Ubuntu 14.04.1 LTS. I use the default cups-pdf.conf and default usr.sbin.cupsd apparmor profile. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/cups/+bug/1377239/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp