Bionic verification
Reproducing the bug with:
root@bionic-consumer:~# apt-cache policy slapd
slapd:
  Installed: 2.4.45+dfsg-1ubuntu1
  Candidate: 2.4.45+dfsg-1ubuntu1
  Version table:
 *** 2.4.45+dfsg-1ubuntu1 500
        500 http://br.archive.ubuntu.com/ubuntu bionic/main amd64 Packages
Provider logs as soon as the consumer finished setup, showing a replication attempt that didn't complete:
Nov 16 16:40:30 bionic-provider slapd[1710]: conn=1004 fd=12 ACCEPT from IP=10.0.100.14:34322 (IP=0.0.0.0:389)
Nov 16 16:40:30 bionic-provider slapd[1710]: conn=1004 op=0 UNBIND
Nov 16 16:40:30 bionic-provider slapd[1710]: conn=1004 fd=12 closed
Host logs showing apparmor denied messages:
[sex nov 16 14:40:29 2018] audit: type=1400 audit(1542386430.603:919): apparmor="DENIED" operation="open" namespace="root//lxd-bionic-consumer_<var-lib-lxd>" profile="/usr/sbin/slapd" name="/etc/krb5/user/111/client.keytab" pid=17456 comm="slapd" requested_mask="r" denied_mask="r" fsuid=165647 ouid=165536
Updating the consumer's packages:
root@bionic-consumer:~# apt-cache policy slapd
slapd:
  Installed: 2.4.45+dfsg-1ubuntu1.1
  Candidate: 2.4.45+dfsg-1ubuntu1.1
  Version table:
 *** 2.4.45+dfsg-1ubuntu1.1 500
        500 http://br.archive.ubuntu.com/ubuntu bionic-proposed/main amd64 Packages
Replication attempt succeeded (provider's logs):
Nov 16 16:42:42 bionic-provider slapd[1710]: conn=1007 op=2 BIND dn="" method=163
Nov 16 16:42:42 bionic-provider slapd[1710]: conn=1007 op=2 BIND authcid="consumer" authzid="consumer"
Nov 16 16:42:42 bionic-provider slapd[1710]: conn=1007 op=2 BIND dn="uid=consumer,cn=gssapi,cn=auth" mech=GSSAPI sasl_ssf=56 ssf=56
Nov 16 16:42:42 bionic-provider slapd[1710]: conn=1007 op=2 RESULT tag=97 err=0 text=
Nov 16 16:42:42 bionic-provider slapd[1710]: conn=1007 op=3 SRCH base="dc=lxd" scope=2 deref=0 filter="(objectClass=*)"
Nov 16 16:42:42 bionic-provider slapd[1710]: conn=1007 op=3 SRCH attr=* +
Consumer has kerberos ticket in /tmp:
-rw------- 1 openldap openldap 1903 Nov 16 16:42 krb5cc_111
Bionic verification succeeded.
** Tags removed: verification-needed-bionic
** Tags added: verification-done-bionic
https://bugs.launchpad.net/bugs/1783183
Title:
apparmor profile denied for kerberos client keytab and credential
cache files