On 11/28/2017 2:38 AM, Rowland Penny via samba wrote:
> On Mon, 27 Nov 2017 14:53:32 -0600
> Dale Schroeder via samba <samba at lists.samba.org> wrote:
>
>> Last week, Debian testing (Buster) added apparmor to the list of
>> dependencies for its latest kernel release, apparently because
>> systemd needs it. Recently, I noticed my first casualty - bind9 -
>> due to apparmor failures with bind_dlz.
>>
>> Knowing next to nothing about apparmor, what is needed to fix this,
>> and what further info do you need from me?
>>
>> Thanks,
>> Dale
> I cannot seem to find a debian kernel that has a dependency on
> apparmor, can you provide a link ?
>
> Even if debian is making the kernel depend on apparmor (by the way,
> does Linus know about this ?), this isn't a Samba problem, it is an
> apparmor one.
>
> Rowland

Rowland,

Thanks for responding.

From
http://metadata.ftp-master.debian.org/changelogs/main/l/linux/linux_4.13.13-1_changelog

   [ Ben Hutchings ]
   * linux-image: Recommend apparmor, as systemd units with an
     AppArmor profile will fail without it (Closes: #880441)

So, although the word "recommend" implies that one has a choice, in
reality, the kernel upgrade would not proceed without installing
apparmor.

I suppose it would be possible to disable, but assuming the systemd
warning is a harbinger of things to come, it seemed best to me to
figure it out now. I know systemd is not your thing, and I am
inclined to agree; however, Debian sees it otherwise, leaving me to
deal with it.

I asked here because there is a wiki section devoted to the topic -
https://wiki.samba.org/index.php/BIND9_DLZ_AppArmor_and_SELinux_Integration

Thus far, SELinux has not been forced by Debian. Regardless, since
the apparmor install, I have not been able to get Bind9 to start if
bind_dlz is enabled.

Thanks again,
Dale

On Tue, 28 Nov 2017 08:37:22 -0600
Dale Schroeder via samba <samba at lists.samba.org> wrote:

> On 11/28/2017 2:38 AM, Rowland Penny via samba wrote:
> > On Mon, 27 Nov 2017 14:53:32 -0600
> > Dale Schroeder via samba <samba at lists.samba.org> wrote:
> >
> >> Last week, Debian testing (Buster) added apparmor to the list of
> >> dependencies for its latest kernel release, apparently because
> >> systemd needs it. Recently, I noticed my first casualty - bind9 -
> >> due to apparmor failures with bind_dlz.
> >>
> >> Knowing next to nothing about apparmor, what is needed to fix this,
> >> and what further info do you need from me?
> >>
> >> Thanks,
> >> Dale
> > I cannot seem to find a debian kernel that has a dependency on
> > apparmor, can you provide a link ?
> >
> > Even if debian is making the kernel depend on apparmor (by the way,
> > does Linus know about this ?), this isn't a Samba problem, it is an
> > apparmor one.
> >
> > Rowland
> Rowland,
>
> Thanks for responding.
>
> From
> http://metadata.ftp-master.debian.org/changelogs/main/l/linux/linux_4.13.13-1_changelog
>
>    [ Ben Hutchings ]
>    * linux-image: Recommend apparmor, as systemd units with an
>      AppArmor profile will fail without it (Closes: #880441)
>
> So, although the word "recommend" implies that one has a choice, in
> reality, the kernel upgrade would not proceed without installing
> apparmor.

Then it is a bug, depend means it will be installed, recommend means
what it says, it is recommended to install it, but you do not need to.

>
> I suppose it would be possible to disable, but assuming the systemd
> warning is a harbinger of things to come, it seemed best to me to
> figure it out now. I know systemd is not your thing, and I am
> inclined to agree; however, Debian sees it otherwise, leaving me to
> deal with it.

Easier way out of this, stop using debian and use Devuan instead.

>
> I asked here because there is a wiki section devoted to the topic -
> https://wiki.samba.org/index.php/BIND9_DLZ_AppArmor_and_SELinux_Integration
>
> Thus far, SELinux has not been forced by Debian. Regardless, since
> the apparmor install, I have not been able to get Bind9 to start if
> bind_dlz is enabled.
>

As I said, apparmor has nothing to do with Samba, the same goes for
selinux and, in my opinion, they should figure out how to work with
Samba, not the other way round. The page on the wiki is supplied as a
service, but Samba has no real way to know if the settings are correct,
it relies on feedback from users.

Rowland

On 11/28/2017 9:02 AM, Rowland Penny wrote:
> On Tue, 28 Nov 2017 08:37:22 -0600
> Dale Schroeder via samba <samba at lists.samba.org> wrote:
>
>>
>> On 11/28/2017 2:38 AM, Rowland Penny via samba wrote:
>>> On Mon, 27 Nov 2017 14:53:32 -0600
>>> Dale Schroeder via samba <samba at lists.samba.org> wrote:
>>>
>>>> Last week, Debian testing (Buster) added apparmor to the list of
>>>> dependencies for its latest kernel release, apparently because
>>>> systemd needs it. Recently, I noticed my first casualty - bind9 -
>>>> due to apparmor failures with bind_dlz.
>>>>
>>>> Knowing next to nothing about apparmor, what is needed to fix this,
>>>> and what further info do you need from me?
>>>>
>>>> Thanks,
>>>> Dale
>>> I cannot seem to find a debian kernel that has a dependency on
>>> apparmor, can you provide a link ?
>>>
>>> Even if debian is making the kernel depend on apparmor (by the way,
>>> does Linus know about this ?), this isn't a Samba problem, it is an
>>> apparmor one.
>>>
>>> Rowland
>> Rowland,
>>
>> Thanks for responding.
>>
>> From
>> http://metadata.ftp-master.debian.org/changelogs/main/l/linux/linux_4.13.13-1_changelog
>>
>>    [ Ben Hutchings ]
>>    * linux-image: Recommend apparmor, as systemd units with an
>>      AppArmor profile will fail without it (Closes: #880441)
>>
>> So, although the word "recommend" implies that one has a choice, in
>> reality, the kernel upgrade would not proceed without installing
>> apparmor.
> Then it is a bug, depend means it will be installed, recommend means
> what it says, it is recommended to install it, but you do not need to.
>
>> I suppose it would be possible to disable, but assuming the systemd
>> warning is a harbinger of things to come, it seemed best to me to
>> figure it out now. I know systemd is not your thing, and I am
>> inclined to agree; however, Debian sees it otherwise, leaving me to
>> deal with it.
> Easier way out of this, stop using debian and use Devuan instead.
>
>> I asked here because there is a wiki section devoted to the topic -
>> https://wiki.samba.org/index.php/BIND9_DLZ_AppArmor_and_SELinux_Integration
>>
>> Thus far, SELinux has not been forced by Debian. Regardless, since
>> the apparmor install, I have not been able to get Bind9 to start if
>> bind_dlz is enabled.
>>
> As I said, apparmor has nothing to do with Samba, the same goes for
> selinux and, in my opinion, they should figure out how to work with
> Samba, not the other way round. The page on the wiki is supplied as a
> service, but Samba has no real way to know if the settings are correct,
> it relies on feedback from users.
>
> Rowland

Likewise, I had hoped some of the Ubuntu or Red Hat-derived OS users
would chime in.

I had previously tried several different incantations with no luck.
Just now, I found this, taken from
https://2stech.ca/index.php/linux/linuxtutotials/tutorials/234-samba-active-directory-with-bind-dns-backend-on-ubuntu-1404

   /var/lib/samba/private/krb5.conf r,
   /var/lib/samba/private/dns.keytab r,
   /var/lib/samba/private/named.conf r,
   /var/lib/samba/private/dns/** rwk,
   /usr/lib/x86_64-linux-gnu/samba/** m,
   /usr/lib/x86_64-linux-gnu/ldb/modules/ldb/** m,

This dated recipe works for me where newer ones did not. BIND 9.10.6 is
happy again. YMMV

Dale
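
Added example, not part of the original thread: a Python check that reads AppArmor DENIED audit lines for named and reports which denied accesses the six rules quoted in the last message would still not permit. The log lines are constructed, the profile name /usr/sbin/named and all function names are assumptions, and the glob matching is a simplified subset of AppArmor's.

```python
import re

# The six rules quoted in the post above, as (path glob, permissions).
RULES = [
    ("/var/lib/samba/private/krb5.conf", "r"),
    ("/var/lib/samba/private/dns.keytab", "r"),
    ("/var/lib/samba/private/named.conf", "r"),
    ("/var/lib/samba/private/dns/**", "rwk"),
    ("/usr/lib/x86_64-linux-gnu/samba/**", "m"),
    ("/usr/lib/x86_64-linux-gnu/ldb/modules/ldb/**", "m"),
]

# Constructed audit lines for illustration, not taken from the thread.
# The profile name "/usr/sbin/named" is an assumption about the local setup.
SAMPLE_LOG = """\
audit: type=1400 audit(1511879842.101:41): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/var/lib/samba/private/dns.keytab" pid=812 comm="named" requested_mask="r" denied_mask="r" fsuid=109 ouid=0
audit: type=1400 audit(1511879842.105:42): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/var/lib/samba/private/dns/sam.ldb" pid=812 comm="named" requested_mask="wrc" denied_mask="wrc" fsuid=109 ouid=0
audit: type=1400 audit(1511879842.109:43): apparmor="DENIED" operation="file_mmap" profile="/usr/sbin/named" name="/usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so" pid=812 comm="named" requested_mask="m" denied_mask="m" fsuid=109 ouid=0
audit: type=1400 audit(1511879842.113:44): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/var/lib/samba/private/sam.ldb" pid=812 comm="named" requested_mask="rk" denied_mask="rk" fsuid=109 ouid=0
audit: type=1400 audit(1511879842.117:45): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/etc/ntp.conf" pid=900 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

FIELD = re.compile(r'(\w+)="([^"]*)"')

def glob_to_regex(glob):
    """Simplified AppArmor glob: '**' crosses '/', '*' does not; both need >= 1 char."""
    pattern = re.escape(glob).replace(r"\*\*", ".+").replace(r"\*", "[^/]+")
    return re.compile(pattern + r"\Z")

def granted(path):
    """Union of the permissions from every rule whose glob matches path."""
    return {p for glob, mode in RULES if glob_to_regex(glob).match(path) for p in mode}

def uncovered(log, profile="/usr/sbin/named"):
    """Return (path, missing perms) for DENIED events the rules would not allow."""
    gaps = []
    for line in log.splitlines():
        f = dict(FIELD.findall(line))
        if f.get("apparmor") != "DENIED" or f.get("profile") != profile or "name" not in f:
            continue
        # Log masks a/c/d (append/create/delete) are satisfied by a 'w' rule.
        wanted = {"w" if ch in "acd" else ch for ch in f.get("denied_mask", "")}
        missing = wanted - granted(f["name"])
        if missing:
            gaps.append((f["name"], "".join(sorted(missing))))
    return gaps

if __name__ == "__main__":
    for path, perms in uncovered(SAMPLE_LOG):
        print(f"no rule grants '{perms}' on {path}")
```

Run against real kernel or audit log text, an empty result means every denial logged for that profile is already covered by the listed rules.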