[Bug 1472639] Re: apparmor profile denied for kerberos: /run/.heim_org.h5l.kcm-socket
Hi Lucas, I'm not running that version of slapd or Ubuntu anymore. I've long since added the local customization to /etc/apparmor.d/local/usr.sbin.slapd which made the problem go away. It's possible that this workaround isn't needed anymore, I haven't tested that. I just thought I'd share the idea that came to mind in case it might be of interest to anyone who worked on this issue or who might otherwise be interested. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1472639 Title: apparmor profile denied for kerberos: /run/.heim_org.h5l.kcm-socket To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1472639/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1472639] Re: apparmor profile denied for kerberos: /run/.heim_org.h5l.kcm-socket
While working on something else recently, I got a hunch for what might have been happening here. I had configured syncrepl on this server to use GSSAPI (saslmech=GSSAPI) to authenticate to its provider server. In this role, slapd ignores the keytab file and behaves like an ordinary GSSAPI client. It just calls whatever GSSAPI functions are provided by the available library. I'm guessing that library consulted /run/.heim_org.h5l.kcm-socket as one of the places to check for cached credentials.
[Bug 827151] Re: Annoying log message "DIGEST-MD5 common mech free"
I don't think that changing the logcheck regexp will help here. The logcheck program doesn't actually prevent messages from being logged to syslog. All it does is scan the existing logs and optionally alert on certain types of messages. The /etc/logcheck/ignore.d.server/libsasl-modules file will prevent logcheck from alerting on certain messages, but the messages are still there in syslog. See the logcheck man page for more info:

http://manpages.ubuntu.com/manpages/focal/man8/logcheck.8.html
[Bug 827151] Re: Annoying log message "DIGEST-MD5 common mech free"
This happens on 20.04 as well:

    # lsb_release -d
    Description:Ubuntu 20.04 LTS
    # repeat 10 ldapsearch -x -b cn=config > /dev/null
    # journalctl -n 10
    -- Logs begin at Thu 2020-04-23 13:12:44 EDT, end at Wed 2020-07-01 12:20:49 EDT. --
    Jul 01 12:20:48 hostname ldapsearch[727817]: DIGEST-MD5 common mech free
    Jul 01 12:20:48 hostname ldapsearch[727818]: DIGEST-MD5 common mech free
    Jul 01 12:20:48 hostname ldapsearch[727819]: DIGEST-MD5 common mech free
    Jul 01 12:20:48 hostname ldapsearch[727820]: DIGEST-MD5 common mech free
    Jul 01 12:20:48 hostname ldapsearch[727821]: DIGEST-MD5 common mech free
    Jul 01 12:20:49 hostname ldapsearch[727822]: DIGEST-MD5 common mech free
    Jul 01 12:20:49 hostname ldapsearch[727823]: DIGEST-MD5 common mech free
    Jul 01 12:20:49 hostname ldapsearch[727824]: DIGEST-MD5 common mech free
    Jul 01 12:20:49 hostname ldapsearch[727825]: DIGEST-MD5 common mech free
    Jul 01 12:20:49 hostname ldapsearch[727826]: DIGEST-MD5 common mech free
[Bug 885525]
I recently discovered this problem and wanted to share a workaround that preserves key parts of my preferred use model:

(1) I can press the Delete key on the keyboard, or the delete button in the GUI, to remove mail from my Inbox (or other folders), while preserving them in a folder (All Mail) where messages are not automatically deleted after 30 days.
(2) I can periodically purge old messages at a timeframe of my choosing, in a simple way.

I'm achieving (1) as follows:

In Thunderbird: Account Settings->Server Settings->When I delete a message: "Remove it immediately"

"Remove it immediately", in the context of Gmail, doesn't have the same outcome as it might on other conventional IMAP servers. It does set the IMAP "Deleted" flag on the message, but in Gmail, all that effectively does is only remove it from the current folder. The message remains accessible in Gmail's "All Mail" folder.

In Gmail: Settings->When I mark a message in IMAP as deleted: "Auto-Expunge on"

This just simplifies things for my use case by ensuring that Gmail's actions are immediately synced up with Thunderbird's actions.

References:
https://support.google.com/mail/answer/77657
https://support.google.com/mail/answer/78755
https://support.google.com/mail/answer/78892

I'm achieving (2) with the following Google Apps Script:
https://script.google.com/d/1xWTKAwhyul0SVGYrhWdHSMX1wylsfemcjmrsUX6NwxE1Jzj9_M53uJEG/edit?usp=sharing

This script automatically moves messages in "All Mail" older than 3 years into Gmail's Trash folder, where they will be then subject to Gmail's autodeletion policy. It excludes unread messages, Inbox messages, and messages that are in any of my user folders. With Resources->Current project's triggers, I have set this to automatically run every month.

https://bugs.launchpad.net/bugs/885525
Title: Deleting a Gmail Message Always Sends Item to [Gmail]/Trash
[Bug 1770489] Re: str/byte mismatches
I resolved this issue last year by upgrading to the 2018.3 package on repo.saltstack.com after it became available:

https://github.com/saltstack/salt/issues/47434
https://repo.saltstack.com/py3/ubuntu/18.04/amd64/2018.3/

This issue can be closed.

** Bug watch added: github.com/saltstack/salt/issues #47434
   https://github.com/saltstack/salt/issues/47434
[Bug 1783183] Re: apparmor profile denied for kerberos client keytab and credential cache files
Cool, thanks Andreas!
[Bug 1783183] Re: apparmor profile denied for kerberos client keytab and credential cache files
Just to provide some more background, the specific scenarios in my case are syncrepl and a chain overlay. I have lines like this in slapd.conf:

    syncrepl rid=1 provider=ldap://providerhost starttls=yes bindmethod=sasl saslmech=GSSAPI

and this:

    overlay chain
    chain-uri ldap://providerhost
    chain-tls start
    chain-idassert-bind mode=none starttls=yes bindmethod=sasl saslmech=GSSAPI
[Bug 1783183] Re: apparmor profile denied for kerberos client keytab and credential cache files
The client.keytab path is standard functionality provided by libkrb5.so in Ubuntu 18.04. Here is the relevant documentation:

http://manpages.ubuntu.com/manpages/bionic/man5/krb5.conf.5.html

    default_client_keytab_name
        This relation specifies the name of the default keytab for obtaining client credentials. The default is FILE:/etc/krb5/user/%{euid}/client.keytab. This relation is subject to parameter expansion (see below). New in release 1.11.

It gets invoked by slapd when GSSAPI is specified as the sasl mechanism (e.g. with syncrepl). This was added as a feature to libkrb5 to streamline the process of automated authentication, so that people don't have to set up cron jobs to periodically run kinit.

Regarding /tmp/krb5cc_*, that is the standard location for the credential cache file created by the kinit process. In this case, the equivalent of "kinit -k /etc/krb5/user/389/client.keytab" is done by slapd, leading to /tmp/krb5cc_389 being created.
[Bug 1783183] [NEW] apparmor profile denied for kerberos client keytab and credential cache files
Public bug reported:

Can we get /etc/krb5/** and /tmp/krb5cc_* added with the appropriate permissions to the slapd apparmor profile? I'm getting the following kinds of errors:

    apparmor="DENIED" operation="open" profile="/usr/sbin/slapd" name="/etc/krb5/user/389/client.keytab" pid=19080 comm="slapd" requested_mask="r" denied_mask="r" fsuid=389 ouid=389
    apparmor="DENIED" operation="file_lock" profile="/usr/sbin/slapd" name="/tmp/krb5cc_389" pid=19080 comm="slapd" requested_mask="k" denied_mask="k" fsuid=389 ouid=389

** Affects: openldap (Ubuntu)
   Importance: Undecided
   Status: New

** Tags: apparmor kerberos keytab
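The denials quoted in this report, and the kcm-socket denial from bug 1472639 further down this page, each name a path and a denied permission mask, which is what a rule in /etc/apparmor.d/local/usr.sbin.slapd has to grant. The Python sketch below is an added example, not part of the original report and not the rule the reporter or Ubuntu used: it turns such audit lines into candidate least-privilege rules, and goes slightly beyond the quoted lines by also handling unquoted and hex-encoded name= values. The function names and the SAMPLE_LOG constant are hypothetical.

```python
import re
from collections import defaultdict

# Sample input assembled for this example from the denial lines quoted on this page.
SAMPLE_LOG = """\
apparmor="DENIED" operation="open" profile="/usr/sbin/slapd" name="/etc/krb5/user/389/client.keytab" pid=19080 comm="slapd" requested_mask="r" denied_mask="r" fsuid=389 ouid=389
apparmor="DENIED" operation="file_lock" profile="/usr/sbin/slapd" name="/tmp/krb5cc_389" pid=19080 comm="slapd" requested_mask="k" denied_mask="k" fsuid=389 ouid=389
apparmor=DENIED operation=connect profile=/usr/sbin/slapd name=/run/.heim_org.h5l.kcm-socket pid=61289 comm=slapd requested_mask=wr denied_mask=wr fsuid=389 ouid=0
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')       # key="quoted value" or key=bare
HEX_RE = re.compile(r'(?:[0-9A-Fa-f]{2})+')      # audit hex-encodes awkward names
# Letters seen in denied_mask -> letters used in a profile file rule.
# "c" (create) and "d" (delete) are both covered by "w" in a rule.
LOG_TO_RULE = {"r": "r", "w": "w", "a": "a", "k": "k", "l": "l", "m": "m",
               "c": "w", "d": "w"}
PERM_ORDER = "rwaklm"
# Paths containing these would be read as globs or need quoting: review by hand.
NEEDS_REVIEW_CHARS = set('*?[]{}^" \t')


def parse_audit_fields(line):
    """Return the key=value pairs of one AppArmor audit line as a dict."""
    fields = {}
    for key, raw in KV_RE.findall(line):
        quoted = len(raw) >= 2 and raw[0] == raw[-1] == '"'
        value = raw[1:-1] if quoted else raw
        if key == "name" and not quoted and HEX_RE.fullmatch(value):
            value = bytes.fromhex(value).decode("utf-8", "replace")
        fields[key] = value
    return fields


def suggest_rules(log_text, profile="/usr/sbin/slapd"):
    """Return (candidate_rules, paths_needing_manual_review) for one profile."""
    perms = defaultdict(set)   # path -> rule permission letters
    owner_only = {}            # path -> True while every denial had fsuid == ouid
    review = set()
    for line in log_text.splitlines():
        f = parse_audit_fields(line)
        # Skip complain-mode (ALLOWED) entries and other profiles.
        if f.get("apparmor") != "DENIED" or f.get("profile") != profile:
            continue
        path = f.get("name", "")
        if not path.startswith("/"):
            continue
        if NEEDS_REVIEW_CHARS & set(path):
            review.add(path)
            continue
        for letter in f.get("denied_mask", ""):
            if letter == "x":
                review.add(path)   # exec needs a transition mode (ix, Px, ...)
            elif letter in LOG_TO_RULE:
                perms[path].add(LOG_TO_RULE[letter])
        same_owner = "fsuid" in f and f["fsuid"] == f.get("ouid")
        owner_only[path] = owner_only.get(path, True) and same_owner
    rules = []
    for path in sorted(perms):
        letters = perms[path]
        if "w" in letters:
            letters.discard("a")   # "a" and "w" cannot appear in the same rule
        mode = "".join(c for c in PERM_ORDER if c in letters)
        # "owner" limits the rule to files owned by the process's fsuid.
        prefix = "owner " if owner_only[path] else ""
        rules.append(f"{prefix}{path} {mode},")
    return rules, sorted(review)


if __name__ == "__main__":
    candidate_rules, manual = suggest_rules(SAMPLE_LOG)
    for rule in candidate_rules:
        print("  " + rule)
    for path in manual:
        print("  # review by hand: " + path)
```

Review each printed line before appending it to the local override and reloading the profile with apparmor_parser -r /etc/apparmor.d/usr.sbin.slapd. Widening an exact path to a glob such as the /tmp/krb5cc_* requested above is a deliberate choice the script leaves to the reviewer.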
[Bug 1773237] Re: 18.04 build?
Thanks for the pointer Hans. I read through the thread and can appreciate the reasoning for removing this package.

** Changed in: libcrypt-gpg-perl (Ubuntu)
   Status: New => Invalid
[Bug 1773238] Re: 18.04 build?
Thanks for the information Hans. I took a closer look and it turns out that this package is no longer a dependency for my use case, which is consistent with the above :-)

** Changed in: openslp-dfsg (Ubuntu)
   Status: New => Invalid
[Bug 1773238] [NEW] 18.04 build?
Public bug reported:

This package doesn't seem to be available on 18.04. Any chance of getting it built? (Or is there a particular reason why it wasn't built?)

** Affects: openslp-dfsg (Ubuntu)
   Importance: Undecided
   Status: New
[Bug 1773237] [NEW] 18.04 build?
Public bug reported:

This package doesn't seem to be available on 18.04. Any chance of getting it built? (Or is there a particular reason why it wasn't built?)

** Affects: libcrypt-gpg-perl (Ubuntu)
   Importance: Undecided
   Status: New
[Bug 1772995] [NEW] /etc/logrotate.d/zabbix-agent uses invoke-rc.d command, not in cron path
Public bug reported:

/etc/logrotate.d/zabbix-agent has the following postrotate line:

    [ -e /var/run/zabbix/zabbix_agentd.pid ] && invoke-rc.d zabbix-agent force-reload >/dev/null

There are a couple of issues with this:

1) When logrotate is invoked from cron, this doesn't work since invoke-rc.d (located in /usr/sbin) isn't in the default CRON path (/usr/bin:/bin).
2) invoke-rc.d uses the old-style init.d commands instead of systemd

I'd suggest the following fix:

    [ -e /var/run/zabbix/zabbix_agentd.pid ] && systemctl restart zabbix-agent

systemctl is in /bin, which is in cron's path. Also, the command doesn't seem to generate any output so the output redirection can be removed.

** Affects: zabbix (Ubuntu)
   Importance: Undecided
   Status: New

** Tags: cron logrotate systemd
[Bug 1770489] [NEW] str/byte mismatches
Public bug reported:

I'm running into python3-related str/byte mismatch errors with 2017.7.4+dfsg1-1, like this:

    Jinja error: a bytes-like object is required, not 'str'

Reading the 2018.3.0 release notes, it looks like a number of these errors are fixed in that release:

https://docs.saltstack.com/en/latest/topics/releases/2018.3.0.html

Would it be possible to get a 2018.3.0 package built for Ubuntu 18.04?

** Affects: salt (Ubuntu)
   Importance: Undecided
   Status: New
[Bug 1472639] Re: apparmor profile denied for kerberos: /run/.heim_org.h5l.kcm-socket
No worries Christian. As far as issues caused by unpredictable complex interactions go, this one is fairly benign :-) I'm fine with the workaround -- it's just one more line that gets programmatically added to a config file that has to be customized anyway. And who knows, it may well have been resolved by now in newer versions of openldap and kerberos. In any case, I appreciate your empathy -- if only I could channel it to the maintainers of other software where I've reported bugs that are far more painful to deal with :-)
[Bug 1654416] Re: Requesting 2.4.44 build which includes fix for ITS#8185
Thanks!
[Bug 1654416] Re: Requesting 2.4.44 build which includes fix for ITS#8185
Understood, thanks for the responses Ryan and Hans.
[Bug 1654416] [NEW] Requesting 2.4.44 build which includes fix for ITS#8185
Public bug reported:

I reported ITS#8185 to OpenLDAP which was fixed in the 2.4.43 release. There have been no OpenLDAP releases since 2.4.44 in February 2016, so it looks like things have been stable for a while. I'd like to request a refreshed slapd package for 2.4.44 (the most recent slapd package available on Ubuntu is 2.4.42 which dates back to August 2015). This would help me remove a manual workaround for the ITS#8185 issue, and users would also benefit from the number of fixes in 2.4.43 and 2.4.44.

http://www.openldap.org/software/release/changes.html

purging stale pwdFailureTime attributes:
http://www.openldap.org/its/index.cgi/Software%20Enhancements?id=8185;selectid=8185

** Affects: openldap (Ubuntu)
   Importance: Undecided
   Status: New
[Bug 1472639] Re: apparmor profile denied for kerberos: /run/.heim_org.h5l.kcm-socket
Not really -- in this case, all of the packages are pretty much installed at the same time with automated processes. In #1 above, Ryan Tandy mentions seeing these error messages too -- so I assumed this was a fairly common sort of occurrence. I've been working around this issue by adding a line to /etc/apparmor.d/local/usr.sbin.slapd, and I'm okay with this workaround. I guess I was assuming that the fix would be a simple patch to /etc/apparmor.d/usr.sbin/slapd to permit the socket (i.e. assuming that Kerberos is fairly standard and it seems reasonable to allow a process like slapd to access the socket if it has permissions to do so). Given the amount of complexity that now seems to be involved, I'm reluctant to (even implicitly) ask you guys to spend more time on this. Feel free to pursue this as you want, but definitely don't feel any pressure on my account.
[Bug 1472639] Re: apparmor profile denied for kerberos: /run/.heim_org.h5l.kcm-socket
Hi Ryan,

Thanks for looking into this. Unfortunately I don't have much to add to my earlier response in this thread. Here are the only kerberos-related types of lines that I have in slapd.conf:

    authz-regexp uid=([^,]*),cn=([^,]*),cn=gssapi,cn=auth ldap:///dc=example,dc=com??sub?(exampleKrb5PrincipalName=$1@$2)
    sasl-realm EXAMPLE.COM
    sasl-secprops minssf=0

As I mentioned before, I do have an /etc/krb5.keytab. ldapwhoami -Y GSSAPI works fine. I don't know precisely how slapd ends up using kcm. slapd is linked with libheimbase.so.1, so presumably it ends up calling some heimdal library function that ends up accessing that socket.
[Bug 1472639] Re: apparmor profile denied for kerberos: /run/.heim_org.h5l.kcm-socket
I'm not sure if/how exactly I'm using kcm with slapd. I have an /etc/krb5.keytab and in slapd.conf, I have a sasl-realm parameter defined. Kerberos authentication actually seems to work okay -- for example, ldapwhoami -Y GSSAPI works properly. I don't know what else may or may not be working, but I figured that the error message wasn't a good thing to see. Sorry I can't be of more help in isolating why this error is showing up.
[Bug 1472639] [NEW] apparmor profile denied for kerberos: /run/.heim_org.h5l.kcm-socket
Public bug reported:

The slapd apparmor profile doesn't allow access to /run/.heim_org.h5l.kcm-socket which is used by kerberos:

    apparmor=DENIED operation=connect profile=/usr/sbin/slapd name=/run/.heim_org.h5l.kcm-socket pid=61289 comm=slapd requested_mask=wr denied_mask=wr fsuid=389 ouid=0

This is as of 2.4.40+dfsg-1ubuntu1.

** Affects: openldap (Ubuntu)
   Importance: Undecided
   Status: New
[Bug 1461276] Re: off-by-one in LDIF length
This bug can be closed out now in favor of just building a new package for 2.4.41, since that release is now available and includes the fix:

http://www.openldap.org/software/release/changes.html
[Bug 1471831] [NEW] Requesting a package for 2.4.41
Public bug reported:

OpenLDAP version 2.4.41 is now available, and includes the bugfix for the issue I reported in bug #1461276, as well as many other bugfixes. Requesting an Ubuntu package for this release.

** Affects: openldap (Ubuntu)
   Importance: Undecided
   Status: New
[Bug 1461276] Re: off-by-one in LDIF length
Any response on this?
[Bug 1461276] Re: off-by-one in LDIF length
I have run both 2.4.31 and 2.4.40 for a few days, and have only experienced this type of slapd crash with 2.4.40. That by itself isn't conclusive though, since memory corruption errors can be sensitive in how they manifest.

Looking at the code briefly, I see that the same off-by-one error in include/ldif.h is present in the 2.4.31 code (as well as 2.4.28), so the potential for the bug to be expressed is likely there in the earlier versions as well. I hedge with likely because it seems that there have been many changes made to this part of the code recently, and I've seen that just reading it briefly can be misleading when drawing firm conclusions.

The most conservative approach would be just to patch 2.4.40 for now, unless/until people report this bug in earlier versions. A more aggressive approach would be to patch 2.4.31 and 2.4.28 and wait for people to report other things breaking in the earlier versions.

As an aside -- I'm actually building/running the 2.4.40 package on 14.04, not on Wily -- and I have verified that adding the patch to the package build fixes the bug.
[Bug 1292400] Re: task systemd-udevd:1906 blocked for more than 120 seconds.
Does anyone know the current status of this -- is a revised patch still in the works?
[Bug 1461276] [NEW] Requesting ITS#8003 inclusion in 2.4.40 package
Public bug reported:

Would it be possible to include the patch for ITS#8003 in the next build of the 2.4.40 package?

http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=patch;h=c8353f7acdec4a42f537b0d475aaae005ba72363

It fixes a bug that causes slapd to crash when the audit log is enabled and a large base64-encoded attribute is printed.

** Affects: openldap (Ubuntu)
Importance: Undecided
Status: New

** Tags: crash slapd