Control: tags -1 + moreinfo
On 29.04.19 at 11:18, Louis van Belle wrote:
Hi,
> Hello, after a few messages on the samba list we discovered a wrong path in
> the apparmor profiles of ntp.
>
> File : /etc/apparmor.d/usr.sbin.ntpd
> Wrong:
> # samba4 ntp signing socket
> /{,var/}run/samba/ntp_signd/socket rw,
>
> Correct:
> # To sign replies to MS-SNTP clients by the smbd daemon in /var/lib/samba
> /var/lib/samba/ntp_signd r,
> /var/lib/samba/ntp_signd/{,*} rw,
>
> # samba4 winbindd pipe
> /{,var/}run/samba/winbindd r,
> /{,var/}run/samba/winbindd/pipe r,
>
> # samba4 winbindd_privileged pipe ? Needed, not sure here.
> /var/lib/samba/winbindd_privileged r,
> /var/lib/samba/winbindd/pipe r,
>
> Please verify the last one, I'm not a coder, sorry.
> Now, above changes are important to have before the buster release,
> because it could stop the timesync of domain joined PCs.
Thanks for the report.
Could you give us some more details about that testcase? I can see that
the path in the AppArmor profile is wrong, but still I followed
https://wiki.samba.org/index.php/Time_Synchronisation on my personal
Samba AD DC. There is only one Win7 PC joined to it. I could see it
syncing with NTP to the DC. The NTP response had some keying stuff in
it. And I did not see an error on the client in the event log. All that
with an unadjusted AppArmor profile, which means it should have logged a
DENY on the ntp_signd socket.
Bernhard
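
The check discussed in this message, as an added example that is not part of the original mail or of the ntp or Samba packaging: it pulls AppArmor DENIED entries for the ntpd profile out of kernel audit lines and tests whether the old and the proposed path rules cover the denied path. Assumptions: the profile is logged as `/usr/sbin/ntpd`, the socket is `/var/lib/samba/ntp_signd/socket`, the log lines are constructed samples, and only a subset of AppArmor globbing (`{a,b}`, `*`, `**`, `?`) is handled.

```python
import re

# Subset of AppArmor path globbing: {a,b} alternation, ** crosses '/',
# * and ? do not cross '/'.
TOKEN = re.compile(r"\*\*|\*|\?|\{|\}|,|[^*?{},]+")
SIMPLE = {"**": ".*", "*": "[^/]*", "?": "[^/]"}

def aa_glob_to_regex(glob):
    out, depth = [], 0
    for tok in TOKEN.findall(glob):
        if tok in SIMPLE:
            out.append(SIMPLE[tok])
        elif tok == "{":
            depth += 1
            out.append("(?:")
        elif tok == "}" and depth:
            depth -= 1
            out.append(")")
        elif tok == "," and depth:
            out.append("|")
        else:
            out.append(re.escape(tok))
    return re.compile("".join(out) + r"\Z")

def covers(rules, path):
    """True if any path glob in `rules` matches `path`."""
    return any(aa_glob_to_regex(r).match(path) for r in rules)

DENIED = re.compile(r'apparmor="DENIED".*?profile="([^"]+)".*?name="([^"]+)"')

def denied_paths(log_lines, profile):
    """Paths denied to `profile` according to kernel audit lines."""
    matches = (DENIED.search(line) for line in log_lines)
    return [m.group(2) for m in matches if m and m.group(1) == profile]

# Path globs copied from the report quoted above (permissions omitted).
OLD_RULES = ["/{,var/}run/samba/ntp_signd/socket"]
NEW_RULES = ["/var/lib/samba/ntp_signd", "/var/lib/samba/ntp_signd/{,*}"]

# Constructed sample log lines, not taken from the bug report.
SAMPLE_LOG = [
    'audit: type=1400 audit(1556529480.101:42): apparmor="DENIED" operation="connect" profile="/usr/sbin/ntpd" name="/var/lib/samba/ntp_signd/socket" pid=1234 comm="ntpd" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0',
    'audit: type=1400 audit(1556529481.007:43): apparmor="ALLOWED" operation="open" profile="/usr/sbin/cupsd" name="/etc/cups/cupsd.conf" pid=999 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
]
```

On a real system the input would be the kernel log or audit log rather than `SAMPLE_LOG`; an empty result from `denied_paths` while the old rule is in place is the situation the message above describes.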