Public bug reported: The sssd nss module tries to read cached data from /var/lib/sss/mc/{group,passwd} as described in #1056391. In addition to this, it seems that if cached data is not found, the module tries to connect to the sssd daemon via socket at /var/lib/sss/pipes/nss.
My system is configured to get user and group data from Active Directory through sssd. When CUPS is configured to use an AD group, it won't start because it can't resolve the group, due to the enforced AppArmor profile. For example:

# grep SystemGroup /etc/cups/cups-files.conf
SystemGroup "Domain Users"

# cupsd -t
"/etc/cups/cups-files.conf" contains errors.

# strace cupsd -t |& grep sss
open("/lib/x86_64-linux-gnu/libnss_sss.so.2", O_RDONLY|O_CLOEXEC) = 5
open("/var/lib/sss/mc/group", O_RDONLY|O_CLOEXEC) = 5
connect(6, {sa_family=AF_LOCAL, sun_path="/var/lib/sss/pipes/nss"}, 110) = -1 EACCES (Permission denied)

# dmesg
[...]
apparmor="DENIED" operation="connect" parent=25848 profile="/usr/sbin/cupsd" name="/var/lib/sss/pipes/nss" pid=25852 comm="cupsd" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0

# ls -l /var/lib/sss/pipes/
total 4
srw-rw-rw- 1 root root    0 Dec 27 15:51 nss
srw-rw-rw- 1 root root    0 Dec 27 15:51 pam
drwxr-xr-x 2 root root 4096 Dec 27 15:51 private

My problem can be fixed by allowing read/write access to the nss socket (perhaps pam should be allowed too for some other applications):

===
/etc/apparmor.d/abstractions# diff -u nameservice.orig nameservice
--- nameservice.orig	2013-12-27 18:51:05.167782858 +0200
+++ nameservice	2013-12-27 18:58:18.335803822 +0200
@@ -24,6 +24,7 @@
 # When using sssd, the passwd and group files are stored in an alternate path
 /var/lib/sss/mc/group r,
 /var/lib/sss/mc/passwd r,
+ /var/lib/sss/pipes/nss rw,
 /etc/resolv.conf r,
 # on systems using resolvconf, /etc/resolv.conf is a symlink to
===

(Actually, I don't see why this kind of data is not provided by the sssd package itself.)

# service apparmor reload
[...]

# cupsd -t
"/etc/cups/cups-files.conf" is OK.
"/etc/cups/cupsd.conf" is OK.

# strace cupsd -t |& grep sss
open("/lib/x86_64-linux-gnu/libnss_sss.so.2", O_RDONLY|O_CLOEXEC) = 5
open("/var/lib/sss/mc/group", O_RDONLY|O_CLOEXEC) = 5
connect(6, {sa_family=AF_LOCAL, sun_path="/var/lib/sss/pipes/nss"}, 110) = 0

Tested on Ubuntu 13.10:
apparmor 2.8.0-0ubuntu31.1
cups 1.7.0~rc1-0ubuntu5.1
sssd 1.11.1-0ubuntu1

** Affects: apparmor (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1264548

Title:
  nameservice abstraction denies access to sssd

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1264548/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
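Review bot: the new rule `+ /var/lib/sss/pipes/nss rw,` is placed directly under the comment "the passwd and group files are stored in an alternate path", which describes the two mmap-cache files and not a socket, so the reason for granting rw on a socket path is left undocumented; add a one-line comment above the rule saying it is the sssd nss responder socket that the module connects to when the cache in /var/lib/sss/mc does not answer the lookup (the strace output in the report shows exactly that sequence). The mask "rw" matches the denied_mask in the dmesg line, so the rule is the minimum that clears this denial; the report's own remark that /var/lib/sss/pipes/pam may be needed by other applications is not covered by this hunk and should be decided separately rather than folded into nameservice without a matching denial.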
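The triage the report walks through (read the apparmor="DENIED" line, derive the profile rule that clears it, check whether the abstraction already grants it) as an added example that is not part of the bug report or of the apparmor tools. The denial line and the abstraction excerpt are constructed from the report's output; the function names and the exact-path matching (no glob handling) are assumptions of this example.

```python
import re

# Constructed sample: the dmesg line quoted in the bug report.
SAMPLE_DENIAL = ('apparmor="DENIED" operation="connect" parent=25848 profile="/usr/sbin/cupsd" '
                 'name="/var/lib/sss/pipes/nss" pid=25852 comm="cupsd" requested_mask="rw" '
                 'denied_mask="rw" fsuid=0 ouid=0')

# Constructed excerpt of the nameservice abstraction, before and after the reporter's patch.
ABSTRACTION_BEFORE = """
  # When using sssd, the passwd and group files are stored in an alternate path
  /var/lib/sss/mc/group r,
  /var/lib/sss/mc/passwd r,
  /etc/resolv.conf r,
"""
ABSTRACTION_AFTER = ABSTRACTION_BEFORE + "  /var/lib/sss/pipes/nss rw,\n"

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Operations whose denial is expressed as a path plus an access mask (unix socket
# connect/bind on a path socket are reported this way by AppArmor 2.8).
PATH_OPS = {"open", "connect", "bind", "file_perm", "exec", "mknod", "truncate", "unlink"}

def parse_denial(line):
    """Split one AppArmor audit line into its fields; None unless it is a DENIED event."""
    fields = {}
    for key, raw in _KV.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields if fields.get("apparmor") == "DENIED" else None

def needed_mask(fields):
    """The permissions that were refused (denied_mask is the authoritative one)."""
    return set(fields.get("denied_mask") or fields.get("requested_mask", ""))

def suggest_rule(fields):
    """Candidate profile rule that would satisfy the denial, e.g. '/var/lib/sss/pipes/nss rw,'."""
    if fields.get("operation") not in PATH_OPS or "name" not in fields:
        return None
    return f"{fields['name']} {''.join(sorted(needed_mask(fields)))},"

def parse_rules(text):
    """Map each literal path in a file-rule block to the set of permissions it grants."""
    rules = {}
    for ln in text.splitlines():
        ln = ln.strip()
        if not ln or ln.startswith("#") or not ln.endswith(","):
            continue  # comments, blank lines, directives without a trailing comma
        path, _, perms = ln[:-1].rpartition(" ")
        rules.setdefault(path, set()).update(perms)
    return rules

def rule_covered(rules, fields):
    """True if a rule for the exact path already grants every refused permission."""
    return needed_mask(fields) <= rules.get(fields["name"], set())
```

Applied to the report's line it yields the rule the reporter added; `rule_covered` is false against the original abstraction and true once the rule is present, which is the check to run before reloading the profile.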