trusty verification

reproducing the bug:
slapd:
  Installed: 2.4.31-1+nmu2ubuntu8.4
  Candidate: 2.4.31-1+nmu2ubuntu8.4
  Version table:
 *** 2.4.31-1+nmu2ubuntu8.4 0
        500 http://archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages

As soon as the consumer is set up, the provider logs the attempted replication:
Nov 16 18:24:12 trusty-provider slapd[3414]: conn=1004 fd=19 ACCEPT from IP=10.0.100.46:58678 (IP=0.0.0.0:389)
Nov 16 18:24:12 trusty-provider slapd[3414]: conn=1004 op=0 UNBIND
Nov 16 18:24:12 trusty-provider slapd[3414]: conn=1004 fd=19 closed

Consumer logs that it was a failure:
Nov 16 18:24:12 trusty-consumer slapd[3408]: slap_client_connect: URI=ldap://trusty-provider.lxd ldap_sasl_interactive_bind_s failed (-2)
Nov 16 18:24:12 trusty-consumer slapd[3408]: do_syncrepl: rid=001 rc -1 retrying

Host logs apparmor denied message:
[sex nov 16 16:24:11 2018] audit: type=1400 audit(1542392652.079:1015): apparmor="DENIED" operation="open" namespace="root//lxd-trusty-consumer_<var-lib-lxd>" profile="/usr/sbin/slapd" name="/etc/krb5/user/106/client.keytab" pid=22261 comm="slapd" requested_mask="r" denied_mask="r" fsuid=165642 ouid=165536

Updating the openldap packages on the consumer:
root@trusty-consumer:~# apt-cache policy slapd
slapd:
  Installed: 2.4.31-1+nmu2ubuntu8.5
  Candidate: 2.4.31-1+nmu2ubuntu8.5
  Version table:
 *** 2.4.31-1+nmu2ubuntu8.5 0
        500 http://archive.ubuntu.com/ubuntu/ trusty-proposed/main amd64 Packages


Provider logs the replication:
Nov 16 18:26:15 trusty-provider slapd[3414]: conn=1007 op=2 BIND authcid="consumer" authzid="consumer"
Nov 16 18:26:15 trusty-provider slapd[3414]: conn=1007 op=2 BIND dn="uid=consumer,cn=gssapi,cn=auth" mech=GSSAPI sasl_ssf=56 ssf=56
Nov 16 18:26:15 trusty-provider slapd[3414]: conn=1007 op=2 RESULT tag=97 err=0 text=
Nov 16 18:26:15 trusty-provider slapd[3414]: conn=1007 op=3 SRCH base="dc=lxd" scope=2 deref=0 filter="(objectClass=*)"
Nov 16 18:26:15 trusty-provider slapd[3414]: conn=1007 op=3 SRCH attr=* +

Consumer has kerberos ticket:
-rw-------  1 openldap openldap 1903 Nov 16 18:26 krb5cc_106


Trusty verification succeeded.

** Tags removed: verification-needed-trusty
** Tags added: verification-done-trusty

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1783183

Title:
  apparmor profile denied for kerberos client keytab and credential
  cache files

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1783183/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
