
[Samba] BIND 9.9 apparmor rules with Samba


Fred Smith

Sep 2, 2015, 10:10:03 PM
Hi

Current wiki suggestion
(https://wiki.samba.org/index.php/Configure_BIND_as_backend_for_Samba_AD#Interaction_with_AppArmor_or_SELinux)
is to add the following to /etc/apparmor.d/local/usr.sbin.named

# Samba4 DLZ and Active Directory Zones (default source installation)
/usr/local/samba/lib/** rm,
/usr/local/samba/private/dns.keytab r,
/usr/local/samba/private/named.conf r,
/usr/local/samba/private/dns/** rwk,

# Ubuntu
/var/tmp/** rwmk,

I found I needed to add an extra line for bind to start.

/usr/local/samba/etc/smb.conf r,


Regards

Fred.

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Rowland Penny

Sep 3, 2015, 4:30:03 AM
On 03/09/15 03:04, Fred Smith wrote:
> Hi
>
> Current wiki suggestion
> (https://wiki.samba.org/index.php/Configure_BIND_as_backend_for_Samba_AD#Interaction_with_AppArmor_or_SELinux)
> is to add the following to /etc/apparmor.d/local/usr.sbin.named
>
> # Samba4 DLZ and Active Directory Zones (default source installation)
> /usr/local/samba/lib/** rm,
> /usr/local/samba/private/dns.keytab r,
> /usr/local/samba/private/named.conf r,
> /usr/local/samba/private/dns/** rwk,
>
> # Ubuntu
> /var/tmp/** rwmk,
>
> I found I needed to add an extra line for bind to start.
>
> /usr/local/samba/etc/smb.conf r,
>
>
> Regards
>
> Fred.
>

OK, thanks for posting this, but what distro and version?

Once you post this, I will update the wiki.

Rowland

Jim Seymour

Sep 3, 2015, 9:20:03 AM
Hi All,

Through interpreting what the current Wiki article says, plus some
trial and error: The following AppArmor rules *appear* to work for a
Samba AD DC using the stuff from the distro for Ubuntu 14.04 LTS:

$ cat /etc/apparmor.d/local/usr.sbin.named
# Site-specific additions and overrides for usr.sbin.named.
# For more details, please see /etc/apparmor.d/local/README.
/dev/urandom w,
/usr/lib/i386-linux-gnu/ldb/modules/ldb/** rm,
/usr/lib/i386-linux-gnu/samba/** rm,
/var/lib/samba/private/dns.keytab r,
/var/lib/samba/private/named.conf r,
/var/lib/samba/private/dns/** rwk,

But, mind you: I'm a Samba AD DC and AppArmor n00b, and I don't
actually have Samba actually *running*, yet, so caveat emptor :)

Regards,
Jim
--
Note: My mail server employs *very* aggressive anti-spam
filtering. If you reply to this email and your email is
rejected, please accept my apologies and let me know via my
web form at <http://jimsun.LinxNet.com/contact/scform.php>.
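The trial and error Jim describes can be shortened by reading the denials AppArmor itself logs: with the named profile in complain mode (aa-complain usr.sbin.named) or after a failed start in enforce mode, each missing path shows up as an apparmor="DENIED" audit record naming the profile, the file and the denied mask. The script below is an added illustration, not code from this thread or from the Samba wiki; it parses constructed audit lines of that format and turns them into candidate lines for /etc/apparmor.d/local/usr.sbin.named. The sample paths, PIDs and the dlz_bind9_9.so filename are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample denials (not taken from the thread). The shape follows the
# kernel audit records AppArmor writes to /var/log/audit/audit.log or kern.log.
SAMPLE_LOG = """\
type=AVC msg=audit(1441234567.101:201): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/usr/local/samba/etc/smb.conf" pid=2201 comm="named" requested_mask="r" denied_mask="r" fsuid=107 ouid=0
type=AVC msg=audit(1441234567.102:202): apparmor="DENIED" operation="file_mmap" profile="/usr/sbin/named" name="/usr/local/samba/lib/bind9/dlz_bind9_9.so" pid=2201 comm="named" requested_mask="rm" denied_mask="rm" fsuid=107 ouid=0
type=AVC msg=audit(1441234567.103:203): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/usr/local/samba/private/dns/sam.ldb" pid=2201 comm="named" requested_mask="wr" denied_mask="wr" fsuid=107 ouid=0
type=AVC msg=audit(1441234567.104:204): apparmor="DENIED" operation="file_lock" profile="/usr/sbin/named" name="/usr/local/samba/private/dns/sam.ldb" pid=2201 comm="named" requested_mask="k" denied_mask="k" fsuid=107 ouid=0
type=AVC msg=audit(1441234567.105:205): apparmor="DENIED" operation="open" profile="/usr/sbin/smbd" name="/var/log/samba/log.smbd" pid=2300 comm="smbd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')
# AppArmor logs create/append/delete as separate mask letters; in a file rule
# all of them are granted by "w".
MASK_TO_RULE = {"r": "r", "w": "w", "a": "w", "c": "w", "d": "w",
                "m": "m", "k": "k", "l": "l"}
RULE_ORDER = "rwmkl"


def parse_denials(log_text, profile="/usr/sbin/named"):
    """Map each denied path to the set of rule letters the profile lacks."""
    denied = defaultdict(set)
    for line in log_text.splitlines():
        fields = dict(KV_RE.findall(line))
        if fields.get("apparmor") != "DENIED" or fields.get("profile") != profile:
            continue  # other outcomes, or another daemon's profile
        path = fields.get("name")
        if not path:
            continue  # capability/network denials carry no file name
        for letter in fields.get("denied_mask", ""):
            if letter in MASK_TO_RULE:
                denied[path].add(MASK_TO_RULE[letter])
    return dict(denied)


def suggest_rules(log_text, profile="/usr/sbin/named"):
    """Render one candidate file rule per denied path, sorted for review."""
    rules = []
    for path, letters in sorted(parse_denials(log_text, profile).items()):
        mode = "".join(c for c in RULE_ORDER if c in letters)
        rules.append(f"{path} {mode},")
    return rules


if __name__ == "__main__":
    print("# candidate additions for /etc/apparmor.d/local/usr.sbin.named")
    for rule in suggest_rules(SAMPLE_LOG):
        print(rule)
```

Each emitted line is one literal path; review them before pasting, and collapse related files into a glob (as the wiki does with /usr/local/samba/private/dns/** rwk,) rather than granting more than named needs.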

Rowland Penny

Sep 3, 2015, 10:20:05 AM
On 03/09/15 14:12, Jim Seymour wrote:
> Hi All,
>
> Through interpreting what the current Wiki article says, plus some
> trial and error: The following AppArmor rules *appear* to work for a
> Samba AD DC using the stuff from the distro for Ubuntu 14.04 LTS:
>
> $ cat /etc/apparmor.d/local/usr.sbin.named
> # Site-specific additions and overrides for usr.sbin.named.
> # For more details, please see /etc/apparmor.d/local/README.
> /dev/urandom w,
> /usr/lib/i386-linux-gnu/ldb/modules/ldb/** rm,
> /usr/lib/i386-linux-gnu/samba/** rm,
> /var/lib/samba/private/dns.keytab r,
> /var/lib/samba/private/named.conf r,
> /var/lib/samba/private/dns/** rwk,
>
> But, mind you: I'm a Samba AD DC and AppArmor n00b, and I don't
> actually have Samba actually *running*, yet, so caveat emptor :)
>
> Regards,
> Jim

If you are still setting up a Samba AD DC, I would recommend turning off
apparmor until everything else is working, then turn it back on; you
will then only have one thing to debug if there are problems.

Rowland