Having problems getting Samba4 and Bind9 working together because of apparmor


This is what I've done (after some trial and error):

$ cat /etc/apparmor.d/local/usr.sbin.named
# Site-specific additions and overrides for usr.sbin.named.
# For more details, please see /etc/apparmor.d/local/README.
  /var/lib/samba/private/named.conf r,
  /var/lib/samba/private/dns.keytab kwr,
  /usr/lib/samba/** m,
  /var/lib/samba/private/dns/** krw,
  /var/tmp/** krw,
  /dev/urandom rw,

$ service apparmor reload

$ service bind9 start

It should work fine then.
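The rules above were found by trial and error. As an added example, not part of the original answer, here is a small POSIX shell helper that reads the kernel audit lines AppArmor writes and prints the rule each denial is actually asking for, plus the local override file it belongs in. The sample input is the denial quoted in the question, re-joined onto one line; the function names and the profile-to-local-file naming (/usr/sbin/named to /etc/apparmor.d/local/usr.sbin.named, as in the answer) are my own conventions, not part of the AppArmor tooling.

```shell
#!/bin/sh
# Added example, not from the original post: translate AppArmor "DENIED" audit
# lines into the rule each one asks for, so the local override is written from
# evidence instead of guesswork. Constructed sample input: the denial quoted in
# the question, re-joined onto one line.

SAMPLE_DENIAL='Oct 18 20:25:00 xxxx kernel: [  251.397899] type=1400 audit(1350588300.188:16): apparmor="DENIED" operation="open" parent=1807 profile="/usr/sbin/named" name="/var/lib/samba/private/named.conf" pid=1810 comm="named" requested_mask="r" denied_mask="r" fsuid=105 ouid=0'

# aa_field KEY LINE: value of KEY="..." in an audit line (empty if absent).
aa_field() {
    printf '%s\n' "$2" | sed -n "s/.*[[:space:]]$1=\"\([^\"]*\)\".*/\1/p"
}

# aa_suggest_rule LINE: for a DENIED line print the narrowest rule that would
# satisfy it ("<path> <denied_mask>,"); print nothing for any other line
# (complain-mode "ALLOWED" lines and unrelated kernel messages are skipped).
aa_suggest_rule() {
    case $1 in
        *'apparmor="DENIED"'*) ;;
        *) return 0 ;;
    esac
    path=$(aa_field name "$1")
    mask=$(aa_field denied_mask "$1")
    [ -n "$path" ] && [ -n "$mask" ] || return 1
    printf '  %s %s,\n' "$path" "$mask"
}

# aa_profile_local_file LINE: the /etc/apparmor.d/local/ file the rule belongs
# in, derived from profile="/usr/sbin/named" -> usr.sbin.named (a convention
# assumed here, mirroring the file path used in the answer).
aa_profile_local_file() {
    prof=$(aa_field profile "$1")
    [ -n "$prof" ] || return 1
    printf '/etc/apparmor.d/local/%s\n' "$(printf '%s' "$prof" | sed 's|^/||; s|/|.|g')"
}

# aa_report_stream: read audit lines on stdin, print one suggestion per denial.
aa_report_stream() {
    while IFS= read -r line; do
        rule=$(aa_suggest_rule "$line") || continue
        [ -n "$rule" ] || continue
        printf '# add to %s\n%s\n' "$(aa_profile_local_file "$line")" "$rule"
    done
}

# aa_report [FILE...]: feed the given kernel logs (e.g. /var/log/kern.log) to
# aa_report_stream; with no arguments, process the constructed sample line.
aa_report() {
    if [ $# -gt 0 ]; then
        cat -- "$@" | aa_report_stream
    else
        printf '%s\n' "$SAMPLE_DENIAL" | aa_report_stream
    fi
}

aa_report "$@"
```

Run it against the kernel log (for example `sh aa_suggest.sh /var/log/kern.log`) after each `service apparmor reload` and `service bind9 start`; each pass surfaces the next denial, which is exactly how the keytab, dns directory and library rules in the answer accumulate. The helper emits only the mask that was denied (here `r`), so it nudges you toward rules as narrow as `named.conf r,` rather than the blanket `rw` the question tried, and toward the local override file rather than editing the packaged profile.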

Updated on September 18, 2022

Comments

  • Dan, over 1 year ago:

    So I've been following the Samba4 HOWTO, which has gone reasonably well. The issue I'm having is I can't get BIND9 to restart when the samba configuration is included in /etc/bind/named.conf.local:

    include "/var/lib/samba/private/named.conf";
    

    But when I try to restart BIND9 with sudo /etc/init.d/bind9 restart, I get this error in my logs:

    Oct 18 20:25:00 xxxx kernel: [  251.397899] type=1400 audit(1350588300.188:16): apparmor="DENIED" operation="open" parent=1807 profile="/usr/sbin/named" name="/var/lib/samba/private/named.conf" pid=1810 comm="named" requested_mask="r" denied_mask="r" fsuid=105 ouid=0
    

    I've got the following rules in /etc/apparmor.d/usr.sbin.named (which I thought were a bit OTT, but I've been debugging for hours now):

        /var/lib/samba/ rw,
        /var/lib/samba/* rw,
        /var/lib/samba/private/ rw,
        /var/lib/samba/private/* rw,
        /var/lib/samba/private/dns/ rw,
        /var/lib/samba/private/dns/* rw,
    

    For completeness, the perms on the offending file are:

        -rw-r--r-- 1 root root  384 Oct 17 11:39 named.conf
    

    I tried putting apparmor into complain mode, disabling the named profile, and bind9 starts perfectly and Samba works. But as soon as I restart the box, it's broken again, and I'd prefer to understand what's going on rather than taking bits of the server's security out to make stuff work.

        ~ sudo aa-complain /usr/sbin/named
        Setting /usr/sbin/named to complain mode.
        ~ sudo /etc/init.d/bind9 restart
        * Stopping domain name service... bind9
    
        rndc: connect failed: 127.0.0.1#953: connection refused
        ...done.
         * Starting domain name service... bind9
           ...done.
    

    Any help appreciated.