My change was already applied in bind9 (1:9.10.3.dfsg.P2-4) experimental; urgency=medium
I don't know if it could be shipped by sssd package as the policy is for usr.bin.named binary. On 2016/02/22 07:11, Timo Aaltonen wrote: > 14.02.2016, 09:14, Filip Pytloun kirjoitti: > > Hello, > > > > we are using Ubuntu 14.04 on FreeIPA clients and Ubuntu 16.04 on FreeIPA > > server for 2 months with no critical issues. > > > > Using newer freeipa-client was not needed, only sssd update from here, > > because trusty version is buggy: > > https://launchpad.net/~sssd/+archive/ubuntu/updates?field.series_filter=trusty > > > > On server side, it was only needed to fix apparmor policy for bind to > > fix FreeIPA DNS zones: > > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=814314 > > /var/lib/sss* bits belong to the apparmor profile shipped by sssd.. > mind removing them from the bind profile and testing this to > /etc/apparmor.d/usr.sbin.sssd instead? > > @@ -33,6 +33,7 @@ > > /var/lib/sss/* rw, > /var/lib/sss/db/* rwk, > + /var/lib/sss/mc/initgroups r, > /var/lib/sss/pipes/* rw, > /var/lib/sss/pipes/private/* rw, > /var/lib/sss/pubconf/* rw, > @@ -42,6 +43,7 @@ > /{,var/}run/sssd.pid rw, > > profile /usr/lib/@{multiarch}/sssd/* { > + /var/lib/sss/pubconf/krb5.include.d/** rw, > /var/lib/sss/pubconf/krb5.include.d/ rw, > } > > > > -- > t
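Review bot: In the first hunk (@@ -33,6 +33,7 @@), the added `/var/lib/sss/mc/initgroups r,` rule grants read only, while the neighbouring sssd-owned paths in the same block get `rw` or `rwk`. If the process confined by this profile is the one that creates or updates the memory cache file, `r` will still produce denials. It is also worth confirming that this is the right profile for the rule at all: a rule in /etc/apparmor.d/usr.sbin.sssd confines sssd, so it does nothing for a denial logged against named. Check which profile name the audit log reports for the denied access before moving the rule, and document in the profile why this one file under mc/ is listed by name rather than through a glob like the lines around it.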
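Review bot: In the second hunk (@@ -42,6 +43,7 @@), the added `/var/lib/sss/pubconf/krb5.include.d/** rw,` is broader than the surrounding rules: `**` matches every file and subdirectory at any depth, with write access, for everything running under the `/usr/lib/@{multiarch}/sssd/*` child profile. If the helpers only create files directly inside krb5.include.d, `/var/lib/sss/pubconf/krb5.include.d/* rw,` next to the existing directory rule is the narrower grant. Keep `**` only if the denials actually show nested paths, and add a comment saying so.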
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
