Apparmor prevents locking of /var/tmp/krb5* file for slapd

Bug #1934390 reported by Sami hulkko
This bug affects 1 person
Affects: apparmor (Ubuntu)
Status: New
Importance: Undecided
Assigned to: Unassigned

Bug Description

Kerberos 5 with LDAP backend and GSSAPI connectivity fails due to the AppArmor profile for slapd, which doesn't include the possibility to give read and lock rights to the slapd process.

Error on kern.log:

Jul 1 20:20:12 auth kernel: [ 875.743303] audit: type=1400 audit(1625160012.372:1191): apparmor="DENIED" operation="file_lock" profile="/usr/sbin/slapd" name="/var/tmp/krb5_130.rcache2" pid=1559 comm="slapd" requested_mask="k" denied_mask="k" fsuid=130 ouid=130

This Kerberos profile is most likely needed for connectivity to the OpenLDAP server due to the fact that GSSAPI is used.

A quick fix is to add:
/var/tmp/krb5* rk,

into:
/etc/apparmor.d/local/usr.sbin.slapd
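
An added example, not part of the bug report: a small Python parser that reads AppArmor DENIED audit records like the one quoted above, merges the denied permissions per profile and file, and prints exact-path candidate rules for review before anything goes into a local profile override. The function names are illustrative; the first sample line is the denial from the report, and the second and third sample lines are constructed.

```python
import re
from collections import defaultdict

# Line 1 is the denial quoted in the report. Lines 2 and 3 are constructed
# for illustration (a read denial on the same file, and an unrelated message).
SAMPLE_LOG = '''\
Jul 1 20:20:12 auth kernel: [ 875.743303] audit: type=1400 audit(1625160012.372:1191): apparmor="DENIED" operation="file_lock" profile="/usr/sbin/slapd" name="/var/tmp/krb5_130.rcache2" pid=1559 comm="slapd" requested_mask="k" denied_mask="k" fsuid=130 ouid=130
Jul 1 20:20:13 auth kernel: [ 876.100000] audit: type=1400 audit(1625160013.100:1192): apparmor="DENIED" operation="open" profile="/usr/sbin/slapd" name="/var/tmp/krb5_130.rcache2" pid=1559 comm="slapd" requested_mask="r" denied_mask="r" fsuid=130 ouid=130
Jul 1 20:20:14 auth kernel: [ 877.000000] usb 1-1: new high-speed USB device
'''

# key=value pairs; values are either double-quoted or a bare token.
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
PERM_ORDER = "rwaklmx"  # display order for permission letters only


def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED record, else None."""
    if 'apparmor="DENIED"' not in line:
        return None
    return {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}


def summarize_denials(log_text):
    """Map (profile, path) -> set of denied permission letters."""
    denied = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_denial(line)
        if rec and {"profile", "name", "denied_mask"} <= rec.keys():
            denied[(rec["profile"], rec["name"])].update(rec["denied_mask"])
    return dict(denied)


def candidate_rules(log_text):
    """Render one exact-path rule per denied file, for human review."""
    rules = []
    for (profile, path), perms in sorted(summarize_denials(log_text).items()):
        mask = "".join(sorted(perms, key=PERM_ORDER.find))
        rules.append((profile, f"{path} {mask},"))
    return rules


if __name__ == "__main__":
    for profile, rule in candidate_rules(SAMPLE_LOG):
        print(f"# profile {profile}\n{rule}")
```

The output lists only paths and permissions that were actually denied, so any glob added to the profile can be checked against what the process really requested.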
