Hello Bernhard. Thank you for your time.

Bernhard Schmidt <be...@debian.org> writes:

> >Have you configured /var/lib/samba/bind-dns/named.conf manually by any
> >chance? On my stretch system this file is in /var/lib/samba/private,
> >which is whitelisted based on the reports in this bug in the apparmor
> >policy.

I did not choose the paths or file names for the BIND9_DLZ config files in my buster test. The configs were created automatically by the Samba AD provisioning command, and I did not move them. The default location for the BIND9_DLZ configs in buster is indeed different from their location in stretch. I don't know why this was changed in the newer version of Samba (from '/var/lib/samba/private/' to '/var/lib/samba/bind-dns'), but someone must have had their reasons.

> >
> >Try adding this into /etc/apparmor.d/local/usr.sbin.named
> >
> >/{usr/,}lib/@{multiarch}/samba/bind9/*.so rm,
> >/{usr/,}lib/@{multiarch}/samba/gensec/*.so rm,
> >/{usr/,}lib/@{multiarch}/ldb/modules/ldb/*.so rm,
> >
> >and reload apparmor. Does this help?

Yes. I also had to add the following line to completely silence all the apparmor="ALLOWED" logs (still running in 'complain' mode) when restarting the 'bind9' service:

/{usr/,}lib/@{multiarch}/samba/ldb/*.so rm,

In addition, I also appended a few additional lines to 'local/usr.sbin.named', to add the access permissions to buster that correspondingly existed under stretch (adapted from the "Samba DLZ" section of the 'usr.sbin.named' profile).

In summary: I appended the following lines to '/etc/apparmor.d/local/usr.sbin.named':

/{usr/,}lib/@{multiarch}/samba/bind9/*.so rm,
/{usr/,}lib/@{multiarch}/samba/gensec/*.so rm,
/{usr/,}lib/@{multiarch}/samba/ldb/*.so rm,
/{usr/,}lib/@{multiarch}/ldb/modules/ldb/*.so rm,
/var/lib/samba/bind-dns/dns.keytab r,
/var/lib/samba/bind-dns/named.conf r,
/var/lib/samba/bind-dns/dns/** rwk,
/etc/samba/smb.conf r,

So far, my buster Samba AD controller appears to be working correctly with the 'usr.sbin.named' profile in 'complain' mode. I will monitor the logs for a while to see if any further apparmor-related issues appear during my testing.

Thanks again,
-S.M.
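As an added illustration (not part of this email or of the Debian apparmor package), the shell snippet below shows how the apparmor="ALLOWED" audit lines that complain mode emits for /usr/sbin/named can be reduced to candidate rules for the local profile, which is what aa-logprof does in full. The log lines are constructed samples in the standard AppArmor audit format; the snippet only handles the r/w/c/m/k masks and prints literal paths, so the @{multiarch} and {usr/,} generalisations used in the rules above still have to be applied by hand.

```shell
#!/bin/sh
# Constructed sample of AppArmor audit events (not real logs) as seen in
# kern.log / journalctl while usr.sbin.named runs in complain mode.
# The STATUS line is what a profile reload logs and must be ignored.
SAMPLE_LOG='type=AVC msg=audit(1579000000.100:101): apparmor="ALLOWED" operation="open" profile="/usr/sbin/named" name="/var/lib/samba/bind-dns/named.conf" pid=1234 comm="named" requested_mask="r" denied_mask="r" fsuid=108 ouid=0
type=AVC msg=audit(1579000000.200:102): apparmor="ALLOWED" operation="open" profile="/usr/sbin/named" name="/usr/lib/x86_64-linux-gnu/samba/ldb/libldb.so" pid=1234 comm="named" requested_mask="r" denied_mask="r" fsuid=108 ouid=0
type=AVC msg=audit(1579000000.201:103): apparmor="ALLOWED" operation="file_mmap" profile="/usr/sbin/named" name="/usr/lib/x86_64-linux-gnu/samba/ldb/libldb.so" pid=1234 comm="named" requested_mask="m" denied_mask="m" fsuid=108 ouid=0
type=AVC msg=audit(1579000000.300:104): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/named" pid=999 comm="apparmor_parser"'

# suggest_rules PROFILE < logfile
# Prints one candidate rule "path mask," per path for the ALLOWED events of
# PROFILE, merging the masks of separate events on the same path
# (an open with "r" plus a file_mmap with "m" becomes "rm", as in the
# *.so rules above). "c" (create) is reported by the kernel but a profile
# grants it with "w".
suggest_rules() {
    grep 'apparmor="ALLOWED"' \
    | grep "profile=\"$1\"" \
    | sed -n 's/.*name="\([^"]*\)".*requested_mask="\([^"]*\)".*/\1 \2/p' \
    | awk '{ masks[$1] = masks[$1] $2 }
           END {
               for (p in masks) {
                   m = masks[p]; out = ""
                   if (index(m, "r")) out = out "r"
                   if (index(m, "w") || index(m, "c")) out = out "w"
                   if (index(m, "m")) out = out "m"
                   if (index(m, "k")) out = out "k"
                   print p " " out ","
               }
           }' \
    | sort
}

# Stand-alone run: print the candidate rules for the sample events.
printf '%s\n' "$SAMPLE_LOG" | suggest_rules /usr/sbin/named
```

Review the output before pasting any of it into /etc/apparmor.d/local/usr.sbin.named: complain mode records everything the process touched, so a rule is only wanted where the access is part of the service's intended behaviour.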