Having problems getting Samba4 and Bind9 working together because of apparmor
This is what I've done (after some trial and error):
$ cat /etc/apparmor.d/local/usr.sbin.named
# Site-specific additions and overrides for usr.sbin.named.
# For more details, please see /etc/apparmor.d/local/README.
/var/lib/samba/private/named.conf r,
/var/lib/samba/private/dns.keytab kwr,
/usr/lib/samba/** m,
/var/lib/samba/private/dns/** krw,
/var/tmp/** krw,
/dev/urandom rw,
$ service apparmor reload
$ service bind9 start
It should work fine then.
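As an added example, not part of Dan's answer or question: a small Python checker that parses AppArmor "DENIED" audit lines like the one in the question, tests each request against a list of profile rules written in the same `path perms,` form used above, and emits rule suggestions for whatever is still uncovered. Only the first log line is taken from the question; the other log lines and every path containing EXAMPLE are constructed. It implements the `*` (one path component) and `**` (across components) globbing and plain permission-letter containment, nothing more; it cannot tell whether a profile has actually been loaded into the kernel, which is what `aa-status` is for.

```python
"""Check AppArmor DENIED log lines against a rule set and suggest rules.

Added example; not code from the original post. Glob semantics follow the
documented AppArmor behaviour: '*' matches within one path component,
'**' matches across components. Only file-access permission letters are
compared, so it says nothing about a profile that was never reloaded.
"""
import re

# Audit fields look like key="value" or key=value.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
# A file rule: a path glob, whitespace, permission letters, a trailing comma.
RULE_RE = re.compile(r'^\s*(\S+)\s+([a-zA-Z]+)\s*,\s*$')


def parse_denial(line):
    """Return profile/path/mask for an apparmor="DENIED" line, else None."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else raw
    if fields.get("apparmor") != "DENIED":
        return None
    return {
        "profile": fields.get("profile"),
        "path": fields.get("name"),
        # denied_mask is what is missing; fall back to requested_mask
        "mask": fields.get("denied_mask") or fields.get("requested_mask", ""),
        "operation": fields.get("operation"),
    }


def parse_rule(text):
    """Turn '/some/path/* rw,' into ('/some/path/*', {'r', 'w'})."""
    m = RULE_RE.match(text)
    if not m:
        raise ValueError("not a file rule: %r" % text)
    return m.group(1), set(m.group(2))


def glob_to_regex(pattern):
    """Compile an AppArmor path glob into an anchored regular expression."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out += ".*"          # '**' crosses directory boundaries
            i += 2
        elif pattern[i] == "*":
            out += "[^/]*"       # '*' stays inside one component
            i += 1
        else:
            out += re.escape(pattern[i])
            i += 1
    return re.compile("^" + out + "$")


def rule_allows(rule, path, mask):
    """True if the rule's glob matches the path and grants every letter in mask."""
    pattern, perms = rule
    return glob_to_regex(pattern).match(path) is not None and set(mask) <= perms


def uncovered_denials(log_lines, rule_texts):
    """Return parsed denials that none of the given rules would allow."""
    rules = [parse_rule(t) for t in rule_texts]
    found = []
    for line in log_lines:
        d = parse_denial(line)
        if d is None or not d["path"]:
            continue
        if not any(rule_allows(r, d["path"], d["mask"]) for r in rules):
            found.append(d)
    return found


def suggest_rules(denials):
    """Merge uncovered denials by path into 'path mask,' rule lines."""
    merged = {}
    for d in denials:
        merged.setdefault(d["path"], set()).update(d["mask"])
    return ["%s %s," % (p, "".join(sorted(m))) for p, m in sorted(merged.items())]


# First line is the one from the question; the rest are constructed.
SAMPLE_LOG = [
    'Oct 18 20:25:00 xxxx kernel: [  251.397899] type=1400 audit(1350588300.188:16): '
    'apparmor="DENIED" operation="open" parent=1807 profile="/usr/sbin/named" '
    'name="/var/lib/samba/private/named.conf" pid=1810 comm="named" '
    'requested_mask="r" denied_mask="r" fsuid=105 ouid=0',
    # constructed: a profile-reload status line, which must be ignored
    'type=1400 audit(1.0:1): apparmor="STATUS" operation="profile_replace" '
    'name="/usr/sbin/named" pid=1 comm="apparmor_parser"',
    # constructed: library mmap under /usr/lib/samba (EXAMPLE path)
    'type=1400 audit(1.0:2): apparmor="DENIED" operation="file_mmap" '
    'profile="/usr/sbin/named" name="/usr/lib/samba/EXAMPLE/libfoo.so" '
    'pid=2 comm="named" requested_mask="m" denied_mask="m" fsuid=105 ouid=0',
    # constructed: read of another file in the private dir (EXAMPLE path)
    'type=1400 audit(1.0:3): apparmor="DENIED" operation="open" '
    'profile="/usr/sbin/named" name="/var/lib/samba/private/EXAMPLE.ldb" '
    'pid=3 comm="named" requested_mask="r" denied_mask="r" fsuid=105 ouid=0',
]

# The rules as written in the question and in the answer above.
QUESTION_RULES = ["/var/lib/samba/ rw,", "/var/lib/samba/* rw,",
                  "/var/lib/samba/private/ rw,", "/var/lib/samba/private/* rw,",
                  "/var/lib/samba/private/dns/ rw,", "/var/lib/samba/private/dns/* rw,"]
ANSWER_RULES = ["/var/lib/samba/private/named.conf r,",
                "/var/lib/samba/private/dns.keytab kwr,", "/usr/lib/samba/** m,",
                "/var/lib/samba/private/dns/** krw,", "/var/tmp/** krw,",
                "/dev/urandom rw,"]

if __name__ == "__main__":
    for label, rules in (("question", QUESTION_RULES), ("answer", ANSWER_RULES)):
        print("still denied with the %s rules:" % label)
        for r in suggest_rules(uncovered_denials(SAMPLE_LOG, rules)):
            print("  " + r)
```

Run against the two rule sets, the checker shows that the question's `/var/lib/samba/private/*` rules do cover the `named.conf` read that was logged, so a denial that persists with those rules loaded points at the profile not being the one in effect rather than at the rule text; the answer's explicit per-file rules cover the logged read but not other files in that directory, which is the trade-off of listing files instead of globbing.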
Dan
Updated on September 18, 2022
Dan (over 1 year ago)
So I've been following the Samba4 HOWTO, which has gone reasonably well. The issue I'm having is I can't get BIND9 to restart when the samba configuration is included in
/etc/bind/named.conf.local
:include "/var/lib/samba/private/named.conf";
But when I try and restart Bind9 with
sudo /etc/init.d/bind9 restart
I get the error in my logs:
Oct 18 20:25:00 xxxx kernel: [  251.397899] type=1400 audit(1350588300.188:16): apparmor="DENIED" operation="open" parent=1807 profile="/usr/sbin/named" name="/var/lib/samba/private/named.conf" pid=1810 comm="named" requested_mask="r" denied_mask="r" fsuid=105 ouid=0
I've got the following rules in
/etc/apparmor.d/usr.sbin.named
(which I thought were a bit OTT but I've been debugging for hours now):
/var/lib/samba/ rw,
/var/lib/samba/* rw,
/var/lib/samba/private/ rw,
/var/lib/samba/private/* rw,
/var/lib/samba/private/dns/ rw,
/var/lib/samba/private/dns/* rw,
For completeness, the perms on the offending file are:
-rw-r--r-- 1 root root 384 Oct 17 11:39 named.conf
I tried putting apparmor into complain mode, disabling the named profile, and bind9 starts perfectly and Samba works. But as soon as I restart the box, it's broken again, and I'd prefer to understand what's going on than to take bits of the server's security out to make stuff work.
~ sudo aa-complain /usr/sbin/named
Setting /usr/sbin/named to complain mode.
~ sudo /etc/init.d/bind9 restart
 * Stopping domain name service... bind9 rndc: connect failed: 127.0.0.1#953: connection refused
   ...done.
 * Starting domain name service... bind9
   ...done.
Any help appreciated.