Public bug reported:
https://autopkgtest.ubuntu.com/packages/o/openldap/lunar/amd64
autopkgtest [16:06:32]: test smbk5pwd: [-----------------------
adding new entry "cn=samba,cn=schema,cn=config"
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=hdb,cn=schema,cn=config"
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=module{0},cn=config"
adding new entry "olcOverlay=smbk5pwd,olcDatabase={1}mdb,cn=config"
ldap_add: Other (e.g., implementation specific) error (80)
additional info: <olcSmbK5PwdEnable> handler exited with 1
autopkgtest [16:06:33]: test smbk5pwd: -----------------------]
autopkgtest [16:06:33]: test smbk5pwd: - - - - - - - - - - results - - - - - -
- - - -
smbk5pwd FAIL non-zero exit status 80
I reproduced this in a container, and the failure is two-fold:
a) /var/lib/heimdal-kdc/ is root:root 0700, and the slapd server needs
FS read access to the key
b) Then the slapd apparmor profile blocks it:
[qui fev 2 09:54:02 2023] audit: type=1400 audit(1675342444.436:3242):
apparmor="DENIED" operation="open" class="file"
namespace="root//lxd-l-dep8_<var-snap-lxd-common-lxd>"
profile="/usr/sbin/slapd" name="/var/lib/heimdal-kdc/m-key" pid=1161656
comm="slapd" requested_mask="r" denied_mask="r" fsuid=1000110 ouid=1000000
** Affects: openldap (Ubuntu)
Importance: Undecided
Status: New
** Tags: update-excuse
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/2004560
Title:
smbk5pwd test fails due to perms (FS and AppArmor)
Status in openldap package in Ubuntu:
New
Bug description:
https://autopkgtest.ubuntu.com/packages/o/openldap/lunar/amd64
autopkgtest [16:06:32]: test smbk5pwd: [-----------------------
adding new entry "cn=samba,cn=schema,cn=config"
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=hdb,cn=schema,cn=config"
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=module{0},cn=config"
adding new entry "olcOverlay=smbk5pwd,olcDatabase={1}mdb,cn=config"
ldap_add: Other (e.g., implementation specific) error (80)
additional info: <olcSmbK5PwdEnable> handler exited with 1
autopkgtest [16:06:33]: test smbk5pwd: -----------------------]
autopkgtest [16:06:33]: test smbk5pwd: - - - - - - - - - - results - - - - -
- - - - -
smbk5pwd FAIL non-zero exit status 80
I reproduced this in a container, and the failure is two-fold:
a) /var/lib/heimdal-kdc/ is root:root 0700, and the slapd server needs
FS read access to the key
b) Then the slapd apparmor profile blocks it:
[qui fev 2 09:54:02 2023] audit: type=1400 audit(1675342444.436:3242):
apparmor="DENIED" operation="open" class="file"
namespace="root//lxd-l-dep8_<var-snap-lxd-common-lxd>"
profile="/usr/sbin/slapd" name="/var/lib/heimdal-kdc/m-key" pid=1161656
comm="slapd" requested_mask="r" denied_mask="r" fsuid=1000110 ouid=1000000
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/2004560/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
