Hi

Current wiki suggestion
(https://wiki.samba.org/index.php/Configure_BIND_as_backend_for_Samba_AD#Interaction_with_AppArmor_or_SELinux)
is to add the following to /etc/apparmor.d/local/usr.sbin.named

# Samba4 DLZ and Active Directory Zones (default source installation)
/usr/local/samba/lib/** rm,
/usr/local/samba/private/dns.keytab r,
/usr/local/samba/private/named.conf r,
/usr/local/samba/private/dns/** rwk,

# Ubuntu
/var/tmp/** rwmk,

I found I needed to add an extra line for bind to start.

/usr/local/samba/etc/smb.conf r,

Regards

Fred.

On 03/09/15 03:04, Fred Smith wrote:
> Hi
>
> Current wiki suggestion
> (https://wiki.samba.org/index.php/Configure_BIND_as_backend_for_Samba_AD#Interaction_with_AppArmor_or_SELinux)
> is to add the following to /etc/apparmor.d/local/usr.sbin.named
>
> # Samba4 DLZ and Active Directory Zones (default source installation)
> /usr/local/samba/lib/** rm,
> /usr/local/samba/private/dns.keytab r,
> /usr/local/samba/private/named.conf r,
> /usr/local/samba/private/dns/** rwk,
>
> # Ubuntu
> /var/tmp/** rwmk,
>
> I found I needed to add an extra line for bind to start.
>
> /usr/local/samba/etc/smb.conf r,
>
>
> Regards
>
> Fred.
>

OK, Thanks for posting this, but what distro and version? Once you post this, I will update the wiki

Rowland

Jim Seymour
2015-Sep-03 13:12 UTC
[Samba] AppArmor Rules for Samba AD DC on Ubuntu 14.04 LTS (was: Re: BIND 9.9 apparmor rules with Samba)
Hi All,

Through interpreting what the current Wiki article says, plus some
trial and error: The following AppArmor rules *appear* to work for a
Samba AD DC using the stuff from the distro for Ubuntu 14.04 LTS:

$ cat /etc/apparmor.d/local/usr.sbin.named
# Site-specific additions and overrides for usr.sbin.named.
# For more details, please see /etc/apparmor.d/local/README.
/dev/urandom w,
/usr/lib/i386-linux-gnu/ldb/modules/ldb/** rm,
/usr/lib/i386-linux-gnu/samba/** rm,
/var/lib/samba/private/dns.keytab r,
/var/lib/samba/private/named.conf r,
/var/lib/samba/private/dns/** rwk,

But, mind you: I'm a Samba AD DC and AppArmor n00b, and I don't
actually have Samba actually *running*, yet, so caveat emptor :)

Regards,
Jim
--
Note: My mail server employs *very* aggressive anti-spam
filtering. If you reply to this email and your email is
rejected, please accept my apologies and let me know via my
web form at <http://jimsun.LinxNet.com/contact/scform.php>.

Rowland Penny
2015-Sep-03 14:15 UTC
[Samba] AppArmor Rules for Samba AD DC on Ubuntu 14.04 LTS
On 03/09/15 14:12, Jim Seymour wrote:
> Hi All,
>
> Through interpreting what the current Wiki article says, plus some
> trial and error: The following AppArmor rules *appear* to work for a
> Samba AD DC using the stuff from the distro for Ubuntu 14.04 LTS:
>
> $ cat /etc/apparmor.d/local/usr.sbin.named
> # Site-specific additions and overrides for usr.sbin.named.
> # For more details, please see /etc/apparmor.d/local/README.
> /dev/urandom w,
> /usr/lib/i386-linux-gnu/ldb/modules/ldb/** rm,
> /usr/lib/i386-linux-gnu/samba/** rm,
> /var/lib/samba/private/dns.keytab r,
> /var/lib/samba/private/named.conf r,
> /var/lib/samba/private/dns/** rwk,
>
> But, mind you: I'm a Samba AD DC and AppArmor n00b, and I don't
> actually have Samba actually *running*, yet, so caveat emptor :)
>
> Regards,
> Jim

If you are still setting up a Samba AD DC, I would recommend turning off apparmor until everything else is working, then turn it back on, you will then only have one thing to debug if there are problems.

Rowland
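
An added example, not written by anyone in this thread and not Samba or AppArmor project code: a Python script that reads AppArmor DENIED audit lines for the named profile and reports the paths that no existing local rule grants, which is how a gap like the smb.conf line from the first message shows up. The log lines are constructed, the function names are hypothetical, and the glob matching handles only `*` and `**`.

```python
import re
from collections import defaultdict

# Rules the thread quotes from the wiki (default source installation).
WIKI_RULES = """\
/usr/local/samba/lib/** rm,
/usr/local/samba/private/dns.keytab r,
/usr/local/samba/private/named.conf r,
/usr/local/samba/private/dns/** rwk,
/var/tmp/** rwmk,
"""
# Constructed sample kernel log lines (not from the thread); a real log also
# holds old denials that current rules already cover, and other profiles.
SAMPLE_LOG = """\
Sep  3 03:01:12 dc1 kernel: audit: type=1400 audit(1441249272.101:31): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/usr/local/samba/etc/smb.conf" pid=2211 comm="named" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Sep  3 03:01:12 dc1 kernel: audit: type=1400 audit(1441249272.140:32): apparmor="DENIED" operation="mknod" profile="/usr/sbin/named" name="/usr/local/samba/private/dns/sam.ldb.tmp" pid=2211 comm="named" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
Sep  3 03:01:13 dc1 kernel: audit: type=1400 audit(1441249273.007:33): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/etc/ntp.keys" pid=900 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key="quoted" or key=bare
LOG_ONLY = {"c": "w", "d": "w"}  # create/delete in logs are granted by w

def parse_rules(text):
    """Return [(compiled path regex, set of permission letters)]."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().rstrip(",")
        if line:
            path, perms = line.rsplit(None, 1)
            # '**' crosses directories, '*' stays inside one path component
            rx = re.escape(path).replace(r"\*\*", ".*").replace(r"\*", "[^/]*")
            rules.append((re.compile(rx + r"\Z"), set(perms)))
    return rules

def uncovered_denials(log_text, rules_text, profile="/usr/sbin/named"):
    """Return {path: mask} for denials under `profile` that no rule grants."""
    rules = parse_rules(rules_text)
    missing = defaultdict(set)
    for line in log_text.splitlines():
        f = {k: q or u for k, q, u in KV.findall(line)}
        if f.get("apparmor") != "DENIED" or f.get("profile") != profile:
            continue
        path = f.get("name", "")
        for letter in f.get("denied_mask", ""):
            letter = LOG_ONLY.get(letter, letter)
            if not any(rx.match(path) and letter in p for rx, p in rules):
                missing[path].add(letter)
    return {p: "".join(sorted(m)) for p, m in missing.items()}

if __name__ == "__main__":
    for path, mask in uncovered_denials(SAMPLE_LOG, WIKI_RULES).items():
        print(f"{path} {mask},")   # candidate line for local/usr.sbin.named
```

Each printed line is a candidate rule to review before adding it to the local profile, not one to paste in blindly.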