[Bug 1472639] Re: apparmor profile denied for kerberos: /run/.heim_org.h5l.kcm-socket

2020-10-03 Thread Launchpad Bug Tracker
[Expired for openldap (Ubuntu) because there has been no activity for 60 days.] ** Changed in: openldap (Ubuntu) Status: Incomplete => Expired -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.

[Bug 1472639] Re: apparmor profile denied for kerberos: /run/.heim_org.h5l.kcm-socket

2020-08-04 Thread Kartik Subbarao
Hi Lucas, I'm not running that version of slapd or Ubuntu anymore. I've long since added the local customization to /etc/apparmor.d/local/usr.sbin.slapd which made the problem go away. It's possible that this workaround isn't needed anymore, I haven't tested that. I just thought I'd share the

[Bug 1472639] Re: apparmor profile denied for kerberos: /run/.heim_org.h5l.kcm-socket

2020-08-04 Thread Lucas Kanashiro
Hi Kartik, Are you still facing this issue? Which Ubuntu release are you using? Do you have the steps to reproduce the failure now? TIA! ** Changed in: openldap (Ubuntu) Assignee: Ryan Harper (raharper) => (unassigned) -- You received this bug notification because you are a member of

[Bug 1472639] Re: apparmor profile denied for kerberos: /run/.heim_org.h5l.kcm-socket

2020-08-03 Thread Kartik Subbarao
While working on something else recently, I got a hunch for what might have been happening here. I had configured syncrepl on this server to use GSSAPI (saslmech=GSSAPI) to authenticate to its provider server. In this role, slapd ignores the keytab file and behaves like an ordinary GSSAPI client.

[Bug 1472639] Re: apparmor profile denied for kerberos: /run/.heim_org.h5l.kcm-socket

2017-06-08 Thread Kartik Subbarao
No worries Christian. As far as issues caused by unpredictable complex interactions go, this one is fairly benign :-) I'm fine with the workaround -- it's just one more line that gets programmatically added to a config file that has to be customized anyway. And who knows, it may well have been

[Bug 1472639] Re: apparmor profile denied for kerberos: /run/.heim_org.h5l.kcm-socket

2017-06-08 Thread ChristianEhrhardt
Hi, this bug was dormant for a long time. We have to face it that due to the complexity, the lack of an (easy) recreation and the fact that there is a workaround via modifying the apparmor profiles likely nothing gets changed - unless somebody in the community steps up and does so. Yet as I

[Bug 1472639] Re: apparmor profile denied for kerberos: /run/.heim_org.h5l.kcm-socket

2016-07-20 Thread Kartik Subbarao
Not really -- in this case, all of the packages are pretty much installed at the same time with automated processes. In #1 above, Ryan Tandy mentions seeing these error messages too -- so I assumed this was a fairly common sort of occurrence. I've been working around this issue by adding a line

Re: [Bug 1472639] Re: apparmor profile denied for kerberos: /run/.heim_org.h5l.kcm-socket

2016-07-20 Thread Ryan Harper
Do you have a specific guide or sequence you followed? 1. apt-get install slapd krb5* heimdal-kdc .. etc? And then the various config changes applied? I'll keep digging. On Wed, Jul 20, 2016 at 11:31 AM, Kartik Subbarao wrote: > Hi Ryan, > > Thanks for looking into

[Bug 1472639] Re: apparmor profile denied for kerberos: /run/.heim_org.h5l.kcm-socket

2016-07-20 Thread Kartik Subbarao
Hi Ryan, Thanks for looking into this. Unfortunately I don't have much to add to my earlier response in this thread. Here are the only kerberos-related types of lines that I have in slapd.conf: authz-regexp uid=([^,]*),cn=([^,]*),cn=gssapi,cn=auth

[Bug 1472639] Re: apparmor profile denied for kerberos: /run/.heim_org.h5l.kcm-socket

2016-07-19 Thread Ryan Harper
Hi, From what I can tell, looking at the existing slapd apparmor profile, it does not include access to the kcm socket in /run as you say. However, I've yet to discover how to have slapd attempt to access this particular socket. I've examined a number of Kerberos + OpenLDAP setups and there's

[Bug 1472639] Re: apparmor profile denied for kerberos: /run/.heim_org.h5l.kcm-socket

2016-06-07 Thread Robie Basak
** Changed in: openldap (Ubuntu) Assignee: (unassigned) => Ryan Harper (raharper) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1472639 Title: apparmor profile denied for kerberos:

[Bug 1472639] Re: apparmor profile denied for kerberos: /run/.heim_org.h5l.kcm-socket

2015-07-27 Thread Kartik Subbarao
I'm not sure if/how exactly I'm using kcm with slapd. I have an /etc/krb5.keytab and in slapd.conf, I have a sasl-realm parameter defined. Kerberos authentication actually seems to work okay -- for example, ldapwhoami -Y GSSAPI works properly. I don't know what else may or may not be working, but

[Bug 1472639] Re: apparmor profile denied for kerberos: /run/.heim_org.h5l.kcm-socket

2015-07-24 Thread Ryan Tandy
Hi Kartik, To help me reproduce and verify this, can you describe your setup where slapd stores its credentials in the KCM? I'm asking because I do see these denials, but they don't appear to affect operation with a keytab, and I haven't been able to get slapd to work without a keytab. I'm

[Bug 1472639] Re: apparmor profile denied for kerberos: /run/.heim_org.h5l.kcm-socket

2015-07-10 Thread Robie Basak
** Tags added: apparmor ** Changed in: openldap (Ubuntu) Importance: Undecided => High -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1472639 Title: apparmor profile denied for kerberos:

[Bug 1472639] Re: apparmor profile denied for kerberos: /run/.heim_org.h5l.kcm-socket

2015-07-10 Thread Robie Basak
** Tags added: apparmor ** Changed in: openldap (Ubuntu) Importance: Undecided => High -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to openldap in Ubuntu. https://bugs.launchpad.net/bugs/1472639 Title: apparmor profile denied for