Hi,

From what I can tell, looking at the existing slapd apparmor profile, it
does not include access to the kcm socket in /run as you say.  However,
I've yet to discover how to have slapd attempt to access this particular
socket.

I've examined a number of Kerberos + OpenLDAP setups and there's no easy
answer on how to set up and configure this combination and certainly no
indication which one of those would trigger such an access.

Is there any additional information you can provide to help narrow down
what possible configuration is needed and which command or action would
trigger?

I'll start reading the LDAP server code to see if I can understand a bit
more what the KDC socket is doing but in the meantime, I'd like as much
detail as possible.

Note, the version mentioned 2.4.40 appeared between vivid and wily
releases;  Trusty has 2.4.31 and Xenial/Yakkety are at 2.4.42.

If possible, it would be useful to know if this can be reproduced on
Xenial or Yakkety; or if it's only on the older releases (Trusty and
Precise would be affected).

** Changed in: openldap (Ubuntu)
       Status: New => Incomplete

https://bugs.launchpad.net/bugs/1472639

Title:
  apparmor profile denied for kerberos:  /run/.heim_org.h5l.kcm-socket

Status in openldap package in Ubuntu:
  Incomplete

Bug description:
  The slapd apparmor profile doesn't allow access to
  /run/.heim_org.h5l.kcm-socket which is used by kerberos:

  apparmor="DENIED" operation="connect" profile="/usr/sbin/slapd"
  name="/run/.heim_org.h5l.kcm-socket" pid=61289 comm="slapd"
  requested_mask="wr" denied_mask="wr" fsuid=389 ouid=0

  This is as of 2.4.40+dfsg-1ubuntu1.
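
An added example, not part of the bug report or of the slapd package: a small parser that turns a file denial like the one quoted above into a candidate profile rule for review, refusing records from another profile, paths with glob or separator characters, and masks (such as exec) that need a human decision. The function names and the joined sample line are constructed here.

```python
import re

# Constructed input: the denial from the bug description, joined onto one line.
SAMPLE = ('apparmor="DENIED" operation="connect" profile="/usr/sbin/slapd" '
          'name="/run/.heim_org.h5l.kcm-socket" pid=61289 comm="slapd" '
          'requested_mask="wr" denied_mask="wr" fsuid=389 ouid=0')

FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')
# Log mask letters -> profile permissions; c (create) and d (delete) fall under w.
MASK_TO_PERM = {"r": "r", "w": "w", "a": "a", "c": "w", "d": "w",
                "m": "m", "k": "k", "l": "l"}
# Characters that would change the meaning of a rule if copied in verbatim.
GLOB_CHARS = set('*?[]{}^," \t')


def parse_denial(line):
    """Return the key=value fields of one AppArmor audit line as a dict."""
    fields = {}
    for key, raw, quoted in FIELD.findall(line):
        if raw.startswith('"'):
            fields[key] = quoted
        elif key == "name" and re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", raw):
            # Names with unsafe characters are logged hex-encoded and unquoted.
            fields[key] = bytes.fromhex(raw).decode("utf-8", "replace")
        else:
            fields[key] = raw
    return fields


def candidate_rule(line, expected_profile):
    """Turn a file denial into a reviewable rule line, or raise ValueError."""
    f = parse_denial(line)
    if f.get("apparmor") != "DENIED":
        raise ValueError("not a denial record")
    if f.get("profile") != expected_profile:
        raise ValueError("denial belongs to another profile")
    path = f.get("name", "")
    if not path.startswith("/") or GLOB_CHARS & set(path):
        raise ValueError("path needs manual review before it goes in a profile")
    mask = f.get("denied_mask", "")
    if not mask or any(ch not in MASK_TO_PERM for ch in mask):
        raise ValueError("mask %r needs manual review" % mask)
    perms = {MASK_TO_PERM[ch] for ch in mask}
    if "w" in perms:
        perms.discard("a")  # w already covers append; a profile rejects both
    return "%s %s," % (path, "".join(p for p in "rwamkl" if p in perms))


if __name__ == "__main__":
    print(candidate_rule(SAMPLE, "/usr/sbin/slapd"))
```
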
