I didn't know about default_client_keytab_name. That's definitely handy,
so no more k5start needed!
Thanks for your explanation, it makes sense. I'll give it a whirl,
because I'll need to add testing instructions to the change that will be
proposed.
** Changed in: openldap (Ubuntu)
Status: Incomplete => Triaged
** Changed in: openldap (Ubuntu)
Importance: Undecided => Medium
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/1783183
Title:
apparmor profile denied for kerberos client keytab and credential
cache files
Status in openldap package in Ubuntu:
Triaged
Bug description:
Can we get /etc/krb5/** and /tmp/krb5cc_* added with the appropriate
permissions to the slapd apparmor profile? I'm getting the following
kinds of errors:
apparmor="DENIED" operation="open" profile="/usr/sbin/slapd"
name="/etc/krb5/user/389/client.keytab" pid=19080 comm="slapd"
requested_mask="r" denied_mask="r" fsuid=389 ouid=389
apparmor="DENIED" operation="file_lock" profile="/usr/sbin/slapd"
name="/tmp/krb5cc_389" pid=19080 comm="slapd" requested_mask="k"
denied_mask="k" fsuid=389 ouid=389
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1783183/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
