Debian Buster, bind_dlz, and apparmor

Samba - General mailing list
Last week, Debian testing (Buster) added apparmor to the list of
dependencies for its latest kernel release, apparently because systemd
needs it.  Recently, I noticed my first casualty - bind9 - due to
apparmor failures with bind_dlz.

Here are the initial journalctl results:

Nov 23 10:12:12 debpdc named[16080]: starting BIND 9.10.6-Debian
<id:9d1ea0b> -f -u bind
Nov 23 10:12:12 debpdc named[16080]: built with '--prefix=/usr'
'--mandir=/usr/share/man' '--libdir=/usr/lib/x86_64-linux-gnu'
'--infodir=/usr/share/info' '--sysconfdir=/etc/bind'
'--with-python=python3' '--localstatedir=/' '--enable-threads'
'--enable-largefile' '--with-libtool' '--enable-shared'
'--enable-static' '--with-gost=no' '--with-openssl=/usr'
'--with-gssapi=/usr' '--with-libjson=/usr' '--with-gnu-ld'
'--with-geoip=/usr' '--with-atf=no' '--enable-ipv6' '--enable-rrl'
'--enable-filter-aaaa' '--enable-native-pkcs11'
'--with-pkcs11=/usr/lib/softhsm/libsofthsm2.so'
'--with-randomdev=/dev/urandom' 'CFLAGS=-g -O2
-fdebug-prefix-map=/build/bind9-ISaUWy/bind9-9.10.6+dfsg=.
-fstack-protector-strong -Wformat -Werror=format-security
-fno-strict-aliasing -fno-delete-null-pointer-checks -DNO_VERSION_DATE
-DDIG_SIGCHASE' 'LDFLAGS=-Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time
-D_FORTIFY_SOURCE=2'
Nov 23 10:12:12 debpdc named[16080]: loading configuration from
'/etc/bind/named.conf'
Nov 23 10:12:12 debpdc named[16080]: reading built-in trusted keys from
file '/etc/bind/bind.keys'
Nov 23 10:12:12 debpdc audit[16080]: AVC apparmor="DENIED"
operation="file_mmap" profile="/usr/sbin/named"
name="/usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so" pid=16080
comm="named" requested_mask="m" denied_mask="m" fsuid=109 ouid=0
Nov 23 10:12:12 debpdc named[16080]: dlz_dlopen failed to open library
'/usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so' -
/usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so: failed to map
segment from shared object
Nov 23 10:12:12 debpdc kernel: audit: type=1400
audit(1511453532.759:44): apparmor="DENIED" operation="file_mmap"
profile="/usr/sbin/named"
name="/usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so" pid=16080
comm="named" requested_mask="m" denied_mask="m" fsuid=109 ouid=0
Nov 23 10:12:12 debpdc systemd[1]: bind9.service: Main process exited,
code=exited, status=1/FAILURE
Nov 23 10:12:12 debpdc systemd[1]: bind9.service: Failed with result
'exit-code'.


After reading the Samba Wiki and adding the entries to apparmor's bind
file (converting to Debian's paths), the errors have changed to:

Nov 23 11:40:36 debpdc named[20235]: starting BIND 9.10.6-Debian
<id:9d1ea0b> -f -u bind
Nov 23 11:40:36 debpdc named[20235]: built with '--prefix=/usr'
'--mandir=/usr/share/man' '--libdir=/usr/lib/x86_64-linux-gnu'
'--infodir=/usr/share/info' '--sysconfdir=/etc/bind'
'--with-python=python3' '--localstatedir=/' '--enable-threads'
'--enable-largefile' '--with-libtool' '--enable-shared'
'--enable-static' '--with-gost=no' '--with-openssl=/usr'
'--with-gssapi=/usr' '--with-libjson=/usr' '--with-gnu-ld'
'--with-geoip=/usr' '--with-atf=no' '--enable-ipv6' '--enable-rrl'
'--enable-filter-aaaa' '--enable-native-pkcs11'
'--with-pkcs11=/usr/lib/softhsm/libsofthsm2.so'
'--with-randomdev=/dev/urandom' 'CFLAGS=-g -O2
-fdebug-prefix-map=/build/bind9-ISaUWy/bind9-9.10.6+dfsg=.
-fstack-protector-strong -Wformat -Werror=format-security
-fno-strict-aliasing -fno-delete-null-pointer-checks -DNO_VERSION_DATE
-DDIG_SIGCHASE' 'LDFLAGS=-Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time
-D_FORTIFY_SOURCE=2'
Nov 23 11:40:36 debpdc named[20235]: loading configuration from
'/etc/bind/named.conf'
Nov 23 11:40:36 debpdc named[20235]: reading built-in trusted keys from
file '/etc/bind/bind.keys'
Nov 23 11:40:36 debpdc audit[20235]: AVC apparmor="DENIED"
operation="file_mmap" profile="/usr/sbin/named"
name="/usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so" pid=20235
comm="named" requested_mask="m" denied_mask="m" fsuid=109 ouid=0
Nov 23 11:40:36 debpdc named[20235]: dlz_dlopen failed to open library
'/usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so' -
/usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so: failed to map
segment from shared object
Nov 23 11:40:36 debpdc kernel: audit: type=1400
audit(1511458836.920:67): apparmor="DENIED" operation="file_mmap"
profile="/usr/sbin/named"
name="/usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so" pid=20235
comm="named" requested_mask="m" denied_mask="m" fsuid=109 ouid=0
Nov 23 11:40:36 debpdc systemd[1]: bind9.service: Main process exited,
code=exited, status=1/FAILURE
Nov 23 11:40:36 debpdc systemd[1]: bind9.service: Failed with result
'exit-code'.

The one entry where I wasn't totally sure I converted the path
correctly is this one:

/usr/local/samba/lib/** rm,

I used /var/lib/samba/** as the path.

Knowing next to nothing about apparmor, what is needed to fix this, and
what further info do you need from me?

Thanks,
Dale



--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
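The AVC records in the post above already name the exact object the profile is missing: `profile="/usr/sbin/named"` was denied `denied_mask="m"` (mmap with PROT_EXEC) on `/usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so`. That path also answers the conversion question: on Debian, Samba's shared objects live under `/usr/lib/<multiarch>/samba/`, so the wiki's `/usr/local/samba/lib/**` maps there, while `/var/lib/samba/` holds only state (ldb databases, keytabs, generated config). The script below is an added example, not code from the thread, from Samba or from BIND: it parses AppArmor `DENIED` records in both the journald (`AVC ...`) and kernel (`audit: type=1400 ...`) forms, merges repeats, maps the audit mask letters to file-rule permissions, and prints candidate rules grouped by profile. `aa-logprof(8)` from `apparmor-utils` does this interactively; this is the minimal offline version so the mapping from one log line to one rule is visible. The two Samba-related sample lines are copied from the post; the other two sample records and the `sam.ldb` path are constructed for the example.

```python
"""Turn AppArmor DENIED audit records into candidate profile rules.

Added example for the thread above; not code from the original posts or from
Samba/BIND.  aa-logprof(8) does the same job interactively; this is the minimal
offline version so the mapping from one AVC line to one profile rule is visible.
"""
import re
import sys
from collections import defaultdict

# key="value" pairs in an AppArmor audit record (journald "AVC ..." and
# kernel "audit: type=1400 ..." forms both carry the same fields).
_FIELD = re.compile(r'(\w+)="([^"]*)"')

# Audit mask letters -> AppArmor file-rule permission letters.  create/delete
# are granted by 'w' in a profile rule; anything unknown is dropped, not guessed.
_MASK_MAP = {"r": "r", "w": "w", "a": "a", "m": "m", "k": "k", "l": "l",
             "c": "w", "d": "w"}
_PERM_ORDER = "rwamkl"

SAMPLE_LINES = [
    # journald form, copied from the first post in the thread
    'Nov 23 10:12:12 debpdc audit[16080]: AVC apparmor="DENIED" operation="file_mmap" '
    'profile="/usr/sbin/named" name="/usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so" '
    'pid=16080 comm="named" requested_mask="m" denied_mask="m" fsuid=109 ouid=0',
    # kernel audit form of the same denial, also copied from the post
    'Nov 23 10:12:12 debpdc kernel: audit: type=1400 audit(1511453532.759:44): apparmor="DENIED" '
    'operation="file_mmap" profile="/usr/sbin/named" '
    'name="/usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so" pid=16080 comm="named" '
    'requested_mask="m" denied_mask="m" fsuid=109 ouid=0',
    # constructed: a write+create denial on a Samba DNS database file
    'Nov 23 10:12:13 debpdc audit[16080]: AVC apparmor="DENIED" operation="open" '
    'profile="/usr/sbin/named" name="/var/lib/samba/private/dns/sam.ldb" pid=16080 comm="named" '
    'requested_mask="wc" denied_mask="wc" fsuid=109 ouid=109',
    # constructed: a capability denial, which needs a "capability" rule, not a path rule
    'Nov 23 10:12:13 debpdc audit[16080]: AVC apparmor="DENIED" operation="capable" '
    'profile="/usr/sbin/named" pid=16080 comm="named" capability=24 capname="sys_resource"',
]


def parse_denials(lines):
    """Yield (profile, path, perms) for each DENIED record that names a path."""
    for line in lines:
        if 'apparmor="DENIED"' not in line:
            continue
        fields = dict(_FIELD.findall(line))
        if "name" not in fields or "denied_mask" not in fields:
            continue  # capability/network/signal denials need other rule types
        perms = {_MASK_MAP[c] for c in fields["denied_mask"] if c in _MASK_MAP}
        if perms:
            yield fields["profile"], fields["name"], perms


def suggest_rules(lines):
    """Merge repeated denials; return {profile: [rule, ...]} with rules sorted by path."""
    wanted = defaultdict(lambda: defaultdict(set))
    for profile, path, perms in parse_denials(lines):
        wanted[profile][path] |= perms
    rules = {}
    for profile, paths in wanted.items():
        out = []
        for path in sorted(paths):
            perms = paths[path]
            if "w" in perms:
                perms.discard("a")  # 'w' already covers append in a file rule
            perm = "".join(c for c in _PERM_ORDER if c in perms)
            out.append(f"  {path} {perm},")
        rules[profile] = out
    return rules


def render(lines):
    """Text ready to paste under the matching profile (e.g. local/usr.sbin.named on Debian)."""
    blocks = []
    for profile, out in sorted(suggest_rules(lines).items()):
        blocks.append(f"# rules needed by profile {profile}\n" + "\n".join(out))
    return "\n\n".join(blocks) + ("\n" if blocks else "")


if __name__ == "__main__":
    # Typical use:  journalctl -k | python3 suggest_rules.py
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LINES
    sys.stdout.write(render(source))
```

Run it against `journalctl -k` (or `journalctl _TRANSPORT=audit`) after a failed `named` start, review each suggested line rather than pasting blindly (a denial on a file is not proof the daemon should have it), and add the accepted rules to the site-local override for the profile named in the header.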

Re: Debian Buster, bind_dlz, and apparmor

Samba - General mailing list
On Mon, 27 Nov 2017 14:53:32 -0600
Dale Schroeder via samba <[hidden email]> wrote:

> Last week, Debian testing (Buster) added apparmor to the list of
> dependencies for its latest kernel release, apparently because
> systemd needs it.  Recently, I noticed my first casualty - bind9 -
> due to apparmor failures with bind_dlz.
>
> Knowing next to nothing about apparmor, what is needed to fix this,
> and what further info do you need from me?
>
> Thanks,
> Dale

I cannot seem to find a debian kernel that has a dependency on
apparmor, can you provide a link ?

Even if debian is making the kernel depend on apparmor (by the way,
does Linus know about this?), this isn't a Samba problem, it is an
apparmor one.

Rowland




Re: Debian Buster, bind_dlz, and apparmor

Samba - General mailing list


On 11/28/2017 2:38 AM, Rowland Penny via samba wrote:

> On Mon, 27 Nov 2017 14:53:32 -0600
> Dale Schroeder via samba <[hidden email]> wrote:
>
>> Last week, Debian testing (Buster) added apparmor to the list of
>> dependencies for its latest kernel release, apparently because
>> systemd needs it.  Recently, I noticed my first casualty - bind9 -
>> due to apparmor failures with bind_dlz.
>>
>> Knowing next to nothing about apparmor, what is needed to fix this,
>> and what further info do you need from me?
>>
>> Thanks,
>> Dale
> I cannot seem to find a debian kernel that has a dependency on
> apparmor, can you provide a link ?
>
> Even if debian is making the kernel depend on apparmor (by the way,
> does Linus know about this  ?), this isn't a Samba problem, it is an
> apparmor one.
>
> Rowland
Rowland,

Thanks for responding.

From
http://metadata.ftp-master.debian.org/changelogs/main/l/linux/linux_4.13.13-1_changelog

[ Ben Hutchings ]
   * linux-image: Recommend apparmor, as systemd units with an AppArmor
     profile will fail without it (Closes: #880441)

So, although the word "recommend" implies that one has a choice, in
reality, the kernel upgrade would not proceed without installing apparmor.

I suppose it would be possible to disable, but assuming the systemd
warning is a harbinger of things to come, it seemed best to me to figure
it out now.  I know systemd is not your thing, and I am inclined to
agree; however, Debian sees it otherwise, leaving me to deal with it.

I asked here because there is a wiki section devoted to the topic -
https://wiki.samba.org/index.php/BIND9_DLZ_AppArmor_and_SELinux_Integration

Thus far, SELinux has not been forced by Debian.  Regardless, since the
apparmor install, I have not been able to get Bind9 to start if bind_dlz
is enabled.

Thanks again,
Dale



Re: Debian Buster, bind_dlz, and apparmor

Samba - General mailing list
On Tue, 28 Nov 2017 08:37:22 -0600
Dale Schroeder via samba <[hidden email]> wrote:

>
>
> On 11/28/2017 2:38 AM, Rowland Penny via samba wrote:
> > On Mon, 27 Nov 2017 14:53:32 -0600
> > Dale Schroeder via samba <[hidden email]> wrote:
> >
> >> Last week, Debian testing (Buster) added apparmor to the list of
> >> dependencies for its latest kernel release, apparently because
> >> systemd needs it.  Recently, I noticed my first casualty - bind9 -
> >> due to apparmor failures with bind_dlz.
> >>
> >> Knowing next to nothing about apparmor, what is needed to fix this,
> >> and what further info do you need from me?
> >>
> >> Thanks,
> >> Dale
> > I cannot seem to find a debian kernel that has a dependency on
> > apparmor, can you provide a link ?
> >
> > Even if debian is making the kernel depend on apparmor (by the way,
> > does Linus know about this  ?), this isn't a Samba problem, it is an
> > apparmor one.
> >
> > Rowland
> Rowland,
>
> Thanks for responding.
>
> From
> http://metadata.ftp-master.debian.org/changelogs/main/l/linux/linux_4.13.13-1_changelog
>
> [ Ben Hutchings ]
>    * linux-image: Recommend apparmor, as systemd units with an
> AppArmor profile will fail without it (Closes: #880441)
>
> So, although the word "recommend" implies that one has a choice, in
> reality, the kernel upgrade would not proceed without installing
> apparmor.

Then it is a bug: depend means it will be installed; recommend means
what it says, it is recommended to install it, but you do not need to.
 
>
> I suppose it would be possible to disable, but assuming the systemd
> warning is a harbinger of things to come, it seemed best to me to
> figure it out now.  I know systemd is not your thing, and I am
> inclined to agree; however, Debian sees it otherwise, leaving me to
> deal with it.

Easier way out of this, stop using debian and use Devuan instead.

>
> I asked here because there is a wiki section devoted to the topic -
> https://wiki.samba.org/index.php/BIND9_DLZ_AppArmor_and_SELinux_Integration
>
> Thus far, SELinux has not been forced by Debian.  Regardless, since
> the apparmor install, I have not been able to get Bind9 to start if
> bind_dlz is enabled.
>

As I said, apparmor has nothing to do with Samba, the same goes for
selinux and, in my opinion, they should figure out how to work with
Samba, not the other way round. The page on the wiki is supplied as a
service, but Samba has no real way to know if the settings are correct,
it relies on feedback from users.

Rowland


Re: Debian Buster, bind_dlz, and apparmor

Samba - General mailing list
On 11/28/2017 9:02 AM, Rowland Penny wrote:

> As I said, apparmor has nothing to do with Samba, the same goes for
> selinux and, in my opinion, they should figure out how to work with
> Samba, not the other way round. The page on the wiki is supplied as a
> service, but Samba has no real way to know if the settings are correct,
> it relies on feedback from users.
>
> Rowland
Likewise, I had hoped some of the Ubuntu or Red Hat-derived OS users
would chime in.  I had previously tried several different incantations
with no luck.  Just now, I found this, taken from
https://2stech.ca/index.php/linux/linuxtutotials/tutorials/234-samba-active-directory-with-bind-dns-backend-on-ubuntu-1404

   /var/lib/samba/private/krb5.conf r,
   /var/lib/samba/private/dns.keytab r,
   /var/lib/samba/private/named.conf r,
   /var/lib/samba/private/dns/** rwk,
   /usr/lib/x86_64-linux-gnu/samba/** m,
   /usr/lib/x86_64-linux-gnu/ldb/modules/ldb/** m,

This dated recipe works for me where newer ones did not.  BIND 9.10.6 is
happy again.  YMMV

Dale

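For readers on Debian who want the recipe above in a form that survives package upgrades, here is an added example of a site-local override assembled from the paths posted in this thread; it is not a file shipped by Samba, BIND or Debian. It assumes Debian's stock `/etc/apparmor.d/usr.sbin.named` ends with `#include <local/usr.sbin.named>` (verify with `grep local /etc/apparmor.d/usr.sbin.named` before relying on it). The first rule is the narrowest fix for the denial in the first post; `mr` rather than `m` alone is the conservative choice the wiki entry (`/usr/local/samba/lib/** rm,`) also makes, since dlopen reads the ELF header before mapping it. The `**` globs that follow are the ones that worked for Dale; they are broad, so the comments say what each grants.

```apparmor
# /etc/apparmor.d/local/usr.sbin.named -- site-local additions for the named profile.
# Added example assembled from the paths in this thread; not a Samba-, BIND- or
# Debian-supplied file.  Assumes the stock usr.sbin.named profile contains
# "#include <local/usr.sbin.named>" (check: grep local /etc/apparmor.d/usr.sbin.named).

# The object the AVC denial named (denied_mask="m").  'r' lets dlopen read the ELF
# header, 'm' lets it map the text segment executable.  Narrowest fix for the error.
/usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so mr,

# The DLZ module then loads Samba's own libraries and the ldb backend modules.
# These globs are broad (every Samba library becomes mappable by named) but match
# the package layout; tighten to the individual .so files once ldd shows which ones load.
/usr/lib/x86_64-linux-gnu/samba/** mr,
/usr/lib/x86_64-linux-gnu/ldb/modules/ldb/** mr,

# Samba-generated BIND configuration and Kerberos material: read only.
/var/lib/samba/private/krb5.conf r,
/var/lib/samba/private/dns.keytab r,
/var/lib/samba/private/named.conf r,

# DNS partition databases: named updates them in place and takes ldb locks ('k').
/var/lib/samba/private/dns/** rwk,

# Reload and verify (as root):
#   apparmor_parser -r /etc/apparmor.d/usr.sbin.named
#   aa-status | grep named
#   systemctl restart bind9 && journalctl -k | grep 'apparmor="DENIED"'
# To test without blocking named, put only this profile in complain mode:
#   aa-complain /usr/sbin/named     (aa-enforce /usr/sbin/named when the log stays clean)
```

Complain mode logs what enforce mode would deny without stopping `named`, which is the safe way to iterate on a profile for a domain controller; removing AppArmor altogether, as suggested later in the thread, also removes confinement for every other profiled daemon on the host.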

Re: Debian Buster, bind_dlz, and apparmor

Samba - General mailing list
Dale,

Been using Ubuntu server for years in my AD. Discovered a long time ago
that apparmor is not needed for a server. (Someone is probably going to
argue the other way, that it should be, but . . .)

Do not quote me, but I have read that AppArmor is intended more for a
desktop environment. I have always disabled and then removed AppArmor and
have never had any issues. Of course I am behind a hardware firewall so,
hopefully, no exposure to any unwanted attacks.

All my servers work fine without AppArmor.

As an Ubuntu user, my 2 cents . . .

--

Thank you.

Bob Wooden

615.885.2846    www.donelsontrophy.com
"Everyone deserves an award!!"

Re: Debian Buster, bind_dlz, and apparmor

Samba - General mailing list
On 11/28/2017 11:11 AM, Robert Wooden wrote:

> Dale,
>
> Been using Ubuntu server for years in my AD. Discovered a long time
> ago that apparmor is not needed for a server. (Someone is probably
> going to argue the other way, that it should be, but . . .)
>
> Do not quote me, but I have read that AppArmor is intended more for a
> desktop environment. I have always disabled and then removed AppArmor
> and have never had any issues. Of course I am behind a hardware
> firewall so, hopefully, no exposure to any unwanted attacks.
>
> All my servers work fine without AppArmor.
>
> As an Ubuntu user, my 2 cents . . .
>
Bob,

I agree with everything you say and would rather not have it, but if
Debian's kernel maintainers are correct in that more systemd service
files will require apparmor, what other choice do I have but to learn
it?  I am not sure why Debian has decided to follow the systemd/apparmor
path, but I guess I get to go along for the ride. If it becomes too
onerous, I may have to do as you did and remove it.  BTW, the apparmor
file for ntp worked out of the box, no modifications on my part required.

Thanks,
Dale

Re: Debian Buster, bind_dlz, and apparmor

Samba - General mailing list
On Tue, 28 Nov 2017 11:24:58 -0600
Dale Schroeder <[hidden email]> wrote:

> Bob,
>
> I agree with everything you say and would rather not have it, but if
> Debian's kernel maintainers are correct in that more systemd service
> files will require apparmor, what other choice do I have but to learn
> it?  I am not sure why Debian has decided to follow the
> systemd/apparmor path, but I guess I get to go along for the ride. If
> it becomes too onerous, I may have to do as you did and remove it.
> BTW, the apparmor file for ntp worked out of the box, no
> modifications on my part required.
>
> Thanks,
> Dale

The problem is that debian has fixed only half of the problem, yes
recommend apparmor by all means, but they also need to fix systemd
units to NOT fail if apparmor isn't installed, after all, apparmor is a
'recommend' and not a 'dependency'. If some systemd units fail if
apparmor isn't installed, then this is, undoubtedly, a bug.

Mind you, all of this is irrelevant to me, I do not use systemd ;-)
 
Rowland
 

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: Debian Buster, bind_dlz, and apparmor

Samba - General mailing list
Hai, 
Normally I kick in sooner, but I'm in bed, hit by the flu. :-(


You have to add the bind paths to the apparmor profile, or disable apparmor in total; just don't remove it, that should work also.
The debian wiki or ubuntu wiki shows how.


But why are you using buster? IMO it's really not safe. If you want a 4.7 for stretch, use my apt.


When I'm better I can have a look into your problem more closely.


greetz


Louis..
(mobile)



On 28 Nov 2017, at 18:26, Dale Schroeder via samba <[hidden email]> wrote:


On 11/28/2017 11:11 AM, Robert Wooden wrote:
Dale,

Been using Ubuntu server for years in my AD. Discovered a long time
ago that apparmor is not needed for a server. (Someone is probably
going to argue the other way, that it should be, but . . .)

Do not quote me but, I have read that AppArmor is intended more for a
desktop environment. I have always disabled and then removed AppArmor
and have never had any issues. Of course I am behind a hardware
firewall so, hopefully, no exposure to any unwanted attacks.

All my servers work fine without AppArmor.

As an Ubuntu user, my 2 cents . . .

On Tue, Nov 28, 2017 at 10:55 AM, Dale Schroeder via samba
<[hidden email] <mailto:[hidden email]>> wrote:

   On 11/28/2017 9:02 AM, Rowland Penny wrote:

       On Tue, 28 Nov 2017 08:37:22 -0600
       Dale Schroeder via samba <[hidden email]
       <mailto:[hidden email]>> wrote:


           On 11/28/2017 2:38 AM, Rowland Penny via samba wrote:

               On Mon, 27 Nov 2017 14:53:32 -0600
               Dale Schroeder via samba <[hidden email]
               <mailto:[hidden email]>> wrote:

                   Last week, Debian testing (Buster) added apparmor
                   to the list of
                   dependencies for its latest kernel release,
                   apparently because
                   systemd needs it.  Recently, I noticed my first
                   casualty - bind9 -
                   due to apparmor failures with bind_dlz.

                   Knowing next to nothing about apparmor, what is
                   needed to fix this,
                   and what further info do you need from me?

                   Thanks,
                   Dale

               I cannot seem to find a debian kernel that has a
               dependency on
               apparmor, can you provide a link ?

               Even if debian is making the kernel depend on apparmor
               (by the way,
               does Linus know about this  ?), this isn't a Samba
               problem, it is an
               apparmor one.

               Rowland

           Rowland,

           Thanks for responding.

           From
           http://metadata.ftp-master.debian.org/changelogs/main/l/linux/linux_4.13.13-1_changelog

           [ Ben Hutchings ]
               * linux-image: Recommend apparmor, as systemd units
           with an
           AppArmor profile will fail without it (Closes: #880441)

           So, although the word "recommend" implies that one has a
           choice, in
           reality, the kernel upgrade would not proceed without
           installing
           apparmor.

       Then it is a bug, depend means it will be installed, recommend
       means
       what it says, it is recommended to install it, but you do not
       need to.

           I suppose it would be possible to disable, but assuming
           the systemd
           warning is a harbinger of things to come, it seemed best
           to me to
           figure it out now.  I know systemd is not your thing, and I am
           inclined to agree; however, Debian sees it otherwise,
           leaving me to
           deal with it.

       Easier way out of this, stop using debian and use Devuan instead.

           I asked here because there is a wiki section devoted to
           the topic -
           https://wiki.samba.org/index.php/BIND9_DLZ_AppArmor_and_SELinux_Integration

           Thus far, SELinux has not been forced by Debian.
           Regardless, since
           the apparmor install, I have not been able to get Bind9 to
           start if
           bind_dlz is enabled.

       As I said, apparmor has nothing to do with Samba, the same
       goes for
       selinux and, in my opinion, they should figure out how to work
       with
       Samba, not the other way round. The page on the wiki is
       supplied as a
       service, but Samba has no real way to know if the settings are
       correct,
       it relies on feedback from users.

       Rowland

   Likewise, I had hoped some of the Ubuntu or Red Hat-derived OS
   users would chime in.  I had previously tried several different
   incantations with no luck.  Just now, I found this, taken from
   https://2stech.ca/index.php/linux/linuxtutotials/tutorials/234-samba-active-directory-with-bind-dns-backend-on-ubuntu-1404

     /var/lib/samba/private/krb5.conf r,
     /var/lib/samba/private/dns.keytab r,
     /var/lib/samba/private/named.conf r,
     /var/lib/samba/private/dns/** rwk,
     /usr/lib/x86_64-linux-gnu/samba/** m,
     /usr/lib/x86_64-linux-gnu/ldb/modules/ldb/** m,

   This dated recipe works for me where newer ones did not. BIND
   9.10.6 is happy again.  YMMV

   Dale

   --
   To unsubscribe from this list go to the following URL and read the
   instructions: https://lists.samba.org/mailman/options/samba




--
Thank you. Bob Wooden

615.885.2846  www.donelsontrophy.com

"Everyone deserves an award!!"
Bob,

I agree with everything you say and would rather not have it, but if
Debian's kernel maintainers are correct in that more systemd service
files will require apparmor, what other choice do I have but to learn
it?  I am not sure why Debian has decided to follow the systemd/apparmor
path, but I guess I get to go along for the ride. If it becomes too
onerous, I may have to do as you did and remove it.  BTW, the apparmor
file for ntp worked out of the box, no modifications on my part required.

Thanks,
Dale


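Louis's advice is to add the bind paths to the named AppArmor profile, and Dale's recipe further down the thread lists them. The script below is an added example, not code from the thread, Samba or Debian: it turns AppArmor DENIED audit lines into candidate profile rules (the first sample line is the denial that opened the thread; the other two lines and the sample profile are constructed) and checks a profile file for the recipe's entries. The Debian local override path /etc/apparmor.d/local/usr.sbin.named mentioned in the comments is an assumption.

```shell
#!/bin/sh
# Added example for this thread (not code from the thread, Samba or Debian).
# Two defender-side checks for the problem discussed here:
#   1. avc_to_rules: turn AppArmor AVC "DENIED" audit lines for the named
#      profile into candidate profile rules, so the fix is derived from what
#      was actually denied rather than guessed.
#   2. missing_rules: check a named profile file for the entries in Dale's
#      recipe and list the ones that are absent.
# The audit lines and the profile below are constructed sample input.

# Line 1 is the denial from the start of the thread; lines 2 and 3 are
# constructed to show read and create masks (the path in line 3 is made up).
SAMPLE_AVC='Nov 23 10:12:12 debpdc audit[16080]: AVC apparmor="DENIED" operation="file_mmap" profile="/usr/sbin/named" name="/usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so" pid=16080 comm="named" requested_mask="m" denied_mask="m" fsuid=109 ouid=0
Nov 23 10:12:13 debpdc audit[16080]: AVC apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/var/lib/samba/private/dns.keytab" pid=16080 comm="named" requested_mask="r" denied_mask="r" fsuid=109 ouid=0
Nov 23 10:12:13 debpdc audit[16080]: AVC apparmor="DENIED" operation="mknod" profile="/usr/sbin/named" name="/var/lib/samba/private/dns/example.ldb" pid=16080 comm="named" requested_mask="c" denied_mask="c" fsuid=109 ouid=0'

# Dale's recipe, as it would be appended to the local override file for the
# named profile (assumed to be /etc/apparmor.d/local/usr.sbin.named on Debian).
REQUIRED_RULES='/var/lib/samba/private/krb5.conf r,
/var/lib/samba/private/dns.keytab r,
/var/lib/samba/private/named.conf r,
/var/lib/samba/private/dns/** rwk,
/usr/lib/x86_64-linux-gnu/samba/** m,
/usr/lib/x86_64-linux-gnu/ldb/modules/ldb/** m,'

# Constructed local profile that has the file rules but not the mmap rules,
# i.e. the state that still produces the dlz_dlopen failure.
SAMPLE_LOCAL_PROFILE='# Site-specific additions for usr.sbin.named (constructed)
  /var/lib/samba/private/krb5.conf r,
  /var/lib/samba/private/dns.keytab r,
  /var/lib/samba/private/named.conf r,
  /var/lib/samba/private/dns/** rwk,'

# avc_to_rules PROFILE   (audit lines on stdin)
# Prints one "  path mask," rule per DENIED line that belongs to PROFILE.
avc_to_rules() {
    grep -F 'apparmor="DENIED"' | grep -F "profile=\"$1\"" |
    sed -n 's/.*name="\([^"]*\)".*denied_mask="\([^"]*\)".*/\1 \2/p' |
    while read -r path mask; do
        # audit masks spell create/delete as c/d; the profile language uses w for both
        mask=$(printf '%s' "$mask" | sed 's/[cd]/w/g' | fold -w1 | sort -u | tr -d '\n')
        printf '  %s %s,\n' "$path" "$mask"
    done | sort -u
}

# missing_rules PROFILE_FILE
# Prints each rule from REQUIRED_RULES that PROFILE_FILE lacks, ignoring
# comments, indentation and trailing commas. Always exits 0.
missing_rules() {
    have=$(sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/,[[:space:]]*$//' -e '/^$/d' "$1")
    printf '%s\n' "$REQUIRED_RULES" | sed 's/,$//' | while read -r rule; do
        printf '%s\n' "$have" | grep -Fqx -- "$rule" || printf '%s,\n' "$rule"
    done
}

# Demo on the constructed samples.
echo "Rules suggested by the denials:"
printf '%s\n' "$SAMPLE_AVC" | avc_to_rules /usr/sbin/named
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_LOCAL_PROFILE" > "$tmp"
echo "Recipe entries missing from the sample profile:"
missing_rules "$tmp"
rm -f "$tmp"
```

On a live system the same derivation is what aa-logprof from apparmor-utils does interactively against the audit log; after editing the profile, reload it with apparmor_parser -r and restart bind9 so the DLZ module is loaded under the new rules.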

Re: Debian Buster, bind_dlz, and apparmor

Samba - General mailing list
On 11/28/2017 11:56 AM, Rowland Penny via samba wrote:

> On Tue, 28 Nov 2017 11:24:58 -0600
> Dale Schroeder <[hidden email]> wrote:
>
>> On 11/28/2017 11:11 AM, Robert Wooden wrote:
>>> Dale,
>>>
>>> Been using Ubuntu server for years in my AD. Discovered a long time
>>> ago that apparmor is not needed for a server. (Someone is probably
>>> going to argue the other way, that it should be, but . . .)
>>>
>>> Do not quote me but, I have read that AppArmor is intended more for
>>> a desktop environment. I have always disabled and then removed
>>> AppArmor and have never had any issues. Of course I am behind a
>>> hardware firewall so, hopefully, no exposure to any unwanted
>>> attacks.
>>>
>>> All my servers work fine without AppArmor.
>>>
>>> As an Ubuntu user, my 2 cents . . .
>>>
>>> On Tue, Nov 28, 2017 at 10:55 AM, Dale Schroeder via samba
>>> <[hidden email] <mailto:[hidden email]>> wrote:
>>>
>>>      On 11/28/2017 9:02 AM, Rowland Penny wrote:
>>>
>>>          On Tue, 28 Nov 2017 08:37:22 -0600
>>>          Dale Schroeder via samba <[hidden email]
>>>          <mailto:[hidden email]>> wrote:
>>>
>>>
>>>              On 11/28/2017 2:38 AM, Rowland Penny via samba wrote:
>>>
>>>                  On Mon, 27 Nov 2017 14:53:32 -0600
>>>                  Dale Schroeder via samba <[hidden email]
>>>                  <mailto:[hidden email]>> wrote:
>>>
>>>                      Last week, Debian testing (Buster) added
>>> apparmor to the list of
>>>                      dependencies for its latest kernel release,
>>>                      apparently because
>>>                      systemd needs it.  Recently, I noticed my first
>>>                      casualty - bind9 -
>>>                      due to apparmor failures with bind_dlz.
>>>
>>>                      Knowing next to nothing about apparmor, what is
>>>                      needed to fix this,
>>>                      and what further info do you need from me?
>>>
>>>                      Thanks,
>>>                      Dale
>>>
>>>                  I cannot seem to find a debian kernel that has a
>>>                  dependency on
>>>                  apparmor, can you provide a link ?
>>>
>>>                  Even if debian is making the kernel depend on
>>> apparmor (by the way,
>>>                  does Linus know about this  ?), this isn't a Samba
>>>                  problem, it is an
>>>                  apparmor one.
>>>
>>>                  Rowland
>>>
>>>              Rowland,
>>>
>>>              Thanks for responding.
>>>
>>>              From
>>>              http://metadata.ftp-master.debian.org/changelogs/main/l/linux/linux_4.13.13-1_changelog
>>>
>>>              [ Ben Hutchings ]
>>>                  * linux-image: Recommend apparmor, as systemd units
>>>              with an
>>>              AppArmor profile will fail without it (Closes: #880441)
>>>
>>>              So, although the word "recommend" implies that one has a
>>>              choice, in
>>>              reality, the kernel upgrade would not proceed without
>>>              installing
>>>              apparmor.
>>>
>>>          Then it is a bug, depend means it will be installed,
>>> recommend means
>>>          what it says, it is recommended to install it, but you do
>>> not need to.
>>>
>>>              I suppose it would be possible to disable, but assuming
>>>              the systemd
>>>              warning is a harbinger of things to come, it seemed best
>>>              to me to
>>>              figure it out now.  I know systemd is not your thing,
>>> and I am inclined to agree; however, Debian sees it otherwise,
>>>              leaving me to
>>>              deal with it.
>>>
>>>          Easier way out of this, stop using debian and use Devuan
>>> instead.
>>>
>>>              I asked here because there is a wiki section devoted to
>>>              the topic -
>>>              https://wiki.samba.org/index.php/BIND9_DLZ_AppArmor_and_SELinux_Integration
>>>
>>>              Thus far, SELinux has not been forced by Debian.
>>>              Regardless, since
>>>              the apparmor install, I have not been able to get Bind9
>>> to start if
>>>              bind_dlz is enabled.
>>>
>>>          As I said, apparmor has nothing to do with Samba, the same
>>>          goes for
>>>          selinux and, in my opinion, they should figure out how to
>>> work with
>>>          Samba, not the other way round. The page on the wiki is
>>>          supplied as a
>>>          service, but Samba has no real way to know if the settings
>>> are correct,
>>>          it relies on feedback from users.
>>>
>>>          Rowland
>>>
>>>      Likewise, I had hoped some of the Ubuntu or Red Hat-derived OS
>>>      users would chime in.  I had previously tried several different
>>>      incantations with no luck.  Just now, I found this, taken from
>>>      https://2stech.ca/index.php/linux/linuxtutotials/tutorials/234-samba-active-directory-with-bind-dns-backend-on-ubuntu-1404
>>>
>>>        /var/lib/samba/private/krb5.conf r,
>>>        /var/lib/samba/private/dns.keytab r,
>>>        /var/lib/samba/private/named.conf r,
>>>        /var/lib/samba/private/dns/** rwk,
>>>        /usr/lib/x86_64-linux-gnu/samba/** m,
>>>        /usr/lib/x86_64-linux-gnu/ldb/modules/ldb/** m,
>>>
>>>      This dated recipe works for me where newer ones did not. BIND
>>>      9.10.6 is happy again.  YMMV
>>>
>>>      Dale
>>>
>>>      --
>>>      To unsubscribe from this list go to the following URL and read
>>> the instructions: https://lists.samba.org/mailman/options/samba
>>>
>>>
>>>
>>>
>>> --
>>> Thank you. Bob Wooden
>>>
>>> 615.885.2846  www.donelsontrophy.com
>>>
>>> "Everyone deserves an award!!"
>> Bob,
>>
>> I agree with everything you say and would rather not have it, but if
>> Debian's kernel maintainers are correct in that more systemd service
>> files will require apparmor, what other choice do I have but to learn
>> it?  I am not sure why Debian has decided to follow the
>> systemd/apparmor path, but I guess I get to go along for the ride. If
>> it becomes too onerous, I may have to do as you did and remove it.
>> BTW, the apparmor file for ntp worked out of the box, no
>> modifications on my part required.
>>
>> Thanks,
>> Dale
> The problem is that debian has fixed only half of the problem, yes
> recommend apparmor by all means, but they also need to fix systemd
> units to NOT fail if apparmor isn't installed, after all, apparmor is a
> 'recommend' and not a 'dependency'. If some systemd units fail if
> apparmor isn't installed, then this is, undoubtedly, a bug.
>
> Mind you, all of this is irrelevant to me, I do not use systemd ;-)
>  
> Rowland
>  
>
You're a lucky guy, Rowland. ;-) I've been burned several different times
with different aspects of systemd, even prior to apparmor.

You are absolutely correct in that the released systemd units should all
work from the beginning.  I hope that it gets more reliable; time will tell.

Dale



Re: Debian Buster, bind_dlz, and apparmor

Samba - General mailing list
On Tue, 28 Nov 2017 19:07:57 +0100
"L.P.H. van Belle via samba" <[hidden email]> wrote:

> Hai, 
> Normally I kick in sooner, but I'm in bed, hit by the flu. :-(

Sorry to hear that, hope you get well soon.

>
>
> You have to add the bind paths to the apparmor profile, or disable
> apparmor in total; just don't remove it, that should work also. The debian
> wiki or ubuntu wiki shows how.

It should work if apparmor is installed, disabled, or even if it is
removed, demanding that apparmor must be installed is a bug.

>
>
> But why are you using buster? IMO it's really not safe. If you want a 4.7
> for stretch, use my apt.

I think he was just testing things, at least I hope so, using something
called 'testing' in production is bound to end in tears.

Rowland


Re: Debian Buster, bind_dlz, and apparmor

Samba - General mailing list
On 11/28/2017 12:07 PM, L.P.H. van Belle via samba wrote:

> Hai,
> Normally I kick in sooner, but I'm in bed, hit by the flu. :-(
>
>
> You have to add the bind paths to the apparmor profile, or disable apparmor in total; just don't remove it, that should work also.
> The debian wiki or ubuntu wiki shows how.
>
>
> But why are you using buster? IMO it's really not safe. If you want a 4.7 for stretch, use my apt.
>
>
> When I'm better I can have a look into your problem more closely.
>
>
> greetz
>
>
> Louis..
> (mobile)
Hi Louis,

Sorry to hear you're not feeling well.  I hope it resolves soon.

I finally got a working apparmor config for bind_dlz and Samba; it's
toward the bottom of this thread.

As far as using Buster is concerned, I've found that most things work OK
using Debian testing.  So, what I do is use it at home and on other
nonessential systems.  This allows me to learn the things that break
from an upgrade (like this one) one at a time, rather than having to
figure all of them out during a full upgrade.  I am forewarned and
forearmed.  In this case, I took an NT domain through the classic
upgrade process and worked out those problems, only to be derailed by
apparmor.  (Unrelated to Samba, but the MySQL to MariaDB upgrade has not
gone well at all, but I digress......)

Dale


>
>
>
> On 28 Nov 2017, at 18:26, Dale Schroeder via samba <[hidden email]> wrote:
>
>
> On 11/28/2017 11:11 AM, Robert Wooden wrote:
> Dale,
>
> Been using Ubuntu server for years in my AD. Discovered a long time
> ago that apparmor is not needed for a server. (Someone is probably
> going to argue the other way, that it should be, but . . .)
>
> Do not quote me but, I have read that AppArmor is intended more for a
> desktop environment. I have always disabled and then removed AppArmor
> and have never had any issues. Of course I am behind a hardware
> firewall so, hopefully, no exposure to any unwanted attacks.
>
> All my servers work fine without AppArmor.
>
> As an Ubuntu user, my 2 cents . . .
>
> On Tue, Nov 28, 2017 at 10:55 AM, Dale Schroeder via samba
> <[hidden email] <mailto:[hidden email]>> wrote:
>
>     On 11/28/2017 9:02 AM, Rowland Penny wrote:
>
>         On Tue, 28 Nov 2017 08:37:22 -0600
>         Dale Schroeder via samba <[hidden email]
>         <mailto:[hidden email]>> wrote:
>
>
>             On 11/28/2017 2:38 AM, Rowland Penny via samba wrote:
>
>                 On Mon, 27 Nov 2017 14:53:32 -0600
>                 Dale Schroeder via samba <[hidden email]
>                 <mailto:[hidden email]>> wrote:
>
>                     Last week, Debian testing (Buster) added apparmor
>                     to the list of
>                     dependencies for its latest kernel release,
>                     apparently because
>                     systemd needs it.  Recently, I noticed my first
>                     casualty - bind9 -
>                     due to apparmor failures with bind_dlz.
>
>                     Knowing next to nothing about apparmor, what is
>                     needed to fix this,
>                     and what further info do you need from me?
>
>                     Thanks,
>                     Dale
>
>                 I cannot seem to find a debian kernel that has a
>                 dependency on
>                 apparmor, can you provide a link ?
>
>                 Even if debian is making the kernel depend on apparmor
>                 (by the way,
>                 does Linus know about this  ?), this isn't a Samba
>                 problem, it is an
>                 apparmor one.
>
>                 Rowland
>
>             Rowland,
>
>             Thanks for responding.
>
>             From
>             http://metadata.ftp-master.debian.org/changelogs/main/l/linux/linux_4.13.13-1_changelog
>
>             [ Ben Hutchings ]
>                 * linux-image: Recommend apparmor, as systemd units
>             with an
>             AppArmor profile will fail without it (Closes: #880441)
>
>             So, although the word "recommend" implies that one has a
>             choice, in
>             reality, the kernel upgrade would not proceed without
>             installing
>             apparmor.
>
>         Then it is a bug, depend means it will be installed, recommend
>         means
>         what it says, it is recommended to install it, but you do not
>         need to.
>
>             I suppose it would be possible to disable, but assuming
>             the systemd
>             warning is a harbinger of things to come, it seemed best
>             to me to
>             figure it out now.  I know systemd is not your thing, and I am
>             inclined to agree; however, Debian sees it otherwise,
>             leaving me to
>             deal with it.
>
>         Easier way out of this, stop using debian and use Devuan instead.
>
>             I asked here because there is a wiki section devoted to
>             the topic -
>             https://wiki.samba.org/index.php/BIND9_DLZ_AppArmor_and_SELinux_Integration
>
>             Thus far, SELinux has not been forced by Debian.
>             Regardless, since
>             the apparmor install, I have not been able to get Bind9 to
>             start if
>             bind_dlz is enabled.
>
>         As I said, apparmor has nothing to do with Samba, the same
>         goes for
>         selinux and, in my opinion, they should figure out how to work
>         with
>         Samba, not the other way round. The page on the wiki is
>         supplied as a
>         service, but Samba has no real way to know if the settings are
>         correct,
>         it relies on feedback from users.
>
>         Rowland
>
>     Likewise, I had hoped some of the Ubuntu or Red Hat-derived OS
>     users would chime in.  I had previously tried several different
>     incantations with no luck.  Just now, I found this, taken from
>     https://2stech.ca/index.php/linux/linuxtutotials/tutorials/234-samba-active-directory-with-bind-dns-backend-on-ubuntu-1404
>
>       /var/lib/samba/private/krb5.conf r,
>       /var/lib/samba/private/dns.keytab r,
>       /var/lib/samba/private/named.conf r,
>       /var/lib/samba/private/dns/** rwk,
>       /usr/lib/x86_64-linux-gnu/samba/** m,
>       /usr/lib/x86_64-linux-gnu/ldb/modules/ldb/** m,
>
>     This dated recipe works for me where newer ones did not. BIND
>     9.10.6 is happy again.  YMMV
>
>     Dale
>
>     --
>     To unsubscribe from this list go to the following URL and read the
>     instructions: https://lists.samba.org/mailman/options/samba
>
>
>
>


