Public bug reported:

Release Description: Ubuntu precise (development branch)
Release: 12.04
Package: bind9
Version: 1:9.8.1.dfsg.P1-2

The AppArmor profile for named prevents bind9 from reading zone and keytab files generated by samba4.

When samba4 is provisioned, it generates several template files. These files include configuration and zone information. Keytab files for DNS update signing are also generated. Generally, a user will configure bind9 to include these files from within their existing bind configuration in /etc/bind/. However, the AppArmor profile for named prevents this.

Adding the lines below to /etc/apparmor.d/usr.sbin.named should resolve this problem.

  /var/lib/samba/private/dns/* rw,
  /var/lib/samba/private/named.conf r,
  /var/lib/samba/private/named.conf.update r,
  /var/lib/samba/private/dns.keytab rk,
  /var/tmp/* rw,

The first line allows bind9 to read the zone files generated by samba4. The write flag is specified because bind9 may need to update the zone upon a client DNS update request.

The second and third lines allow bind9 to read the configuration and update information for domains generated by samba4.

The fourth line allows bind9 to read and lock the samba4 DNS keytab file. This file allows bind9 to authenticate against the samba4 domain for signed DNS update requests.

The last line allows bind9 to write some temporary files needed to track DNS updates.

** Affects: bind9 (Ubuntu)
     Importance: Undecided
         Status: New

-- 
https://bugs.launchpad.net/bugs/930280

Title:
  AppArmor profile for named prevents reading of samba4 zone and keytab

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
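
An added example, not part of the original report: a Python check that collects AppArmor denials for the named profile from audit log lines and reports which ones the five rules proposed above would still leave uncovered. The log lines are constructed samples, the function names are hypothetical, and the glob matching is a simplification that handles only a single `*` (which does not cross a `/`).

```python
import re
from collections import defaultdict

# Rules proposed in the bug report (path glob -> permission letters).
PROPOSED_RULES = {
    "/var/lib/samba/private/dns/*": "rw",
    "/var/lib/samba/private/named.conf": "r",
    "/var/lib/samba/private/named.conf.update": "r",
    "/var/lib/samba/private/dns.keytab": "rk",
    "/var/tmp/*": "rw",
}
# Audit masks "c" (create) and "d" (delete) are granted by "w" in a profile.
AUDIT_TO_RULE = {"c": "w", "d": "w"}

# Constructed sample audit lines (paths, pids and timestamps are made up).
SAMPLE_LOG = """\
audit(1329000001.101:21): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/var/lib/samba/private/named.conf" pid=2101 comm="named" requested_mask="r" denied_mask="r" fsuid=105 ouid=0
audit(1329000001.140:22): apparmor="DENIED" operation="file_lock" profile="/usr/sbin/named" name="/var/lib/samba/private/dns.keytab" pid=2101 comm="named" requested_mask="k" denied_mask="k" fsuid=105 ouid=0
audit(1329000002.007:23): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/var/lib/samba/private/dns/example.test.zone" pid=2101 comm="named" requested_mask="w" denied_mask="w" fsuid=105 ouid=0
audit(1329000002.310:24): apparmor="DENIED" operation="mknod" profile="/usr/sbin/named" name="/var/tmp/DNS_2101" pid=2101 comm="named" requested_mask="wc" denied_mask="wc" fsuid=105 ouid=105
audit(1329000003.512:25): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/var/lib/samba/private/dns/sub/example.test.zone.jnl" pid=2101 comm="named" requested_mask="w" denied_mask="w" fsuid=105 ouid=0
audit(1329000004.000:26): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/var/tmp/x" pid=900 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

DENIAL = re.compile(r'apparmor="DENIED".*?profile="(?P<profile>[^"]+)"'
                    r'.*?name="(?P<name>[^"]+)".*?denied_mask="(?P<mask>[^"]+)"')

def glob_to_regex(glob):
    # Simplified AppArmor globbing: "*" stays within one path component.
    return re.compile("[^/]*".join(re.escape(p) for p in glob.split("*")))

def collect_denials(log, profile="/usr/sbin/named"):
    """Map each denied path to the set of rule permissions it needs."""
    denied = defaultdict(set)
    for m in DENIAL.finditer(log):
        if m["profile"] == profile:
            denied[m["name"]].update(AUDIT_TO_RULE.get(c, c) for c in m["mask"])
    return denied

def uncovered(denied, rules):
    """Return {path: missing permission letters} not granted by any rule."""
    missing = {}
    for path, needed in denied.items():
        granted = {p for g, perms in rules.items()
                   if glob_to_regex(g).fullmatch(path) for p in perms}
        if needed - granted:
            missing[path] = "".join(sorted(needed - granted))
    return missing

if __name__ == "__main__":
    print(uncovered(collect_denials(SAMPLE_LOG), PROPOSED_RULES))
```

The one path left over is a file in a subdirectory of dns/, which a single `*` does not reach; the denial logged under the ntpd profile is ignored because it belongs to a different profile.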