cups-pdf 2.6.1-9 not able to lookup domain user because apparmor profile

Bug #1377239 reported by Christian
This bug affects 1 person
Affects: cups (Ubuntu)

Bug Description

I have used cups-pdf for years now. But now it's no longer able to look up users from the domain.

Looking up a user with getent passwd works fine.
Looking up a user with wbinfo works fine.
Login with domain user works fine.
kinit username works, too.

But cups-pdf with log level 7 says: unknown user (admin)
This is regardless of whether I use UserPrefix MYDOMAIN\ or leave it blank.
Just the output in the log file differs: unknown user (MYDOMAIN\admin)

After a long time of searching through all the log files, I tried setting the apparmor profile usr.sbin.cupsd to complain mode.

That fixes my problem.
But what do I have to change in the apparmor profile to switch back to enforce mode?

I don't get any logging by complain, enforce or audit mode in /var/log/syslog.
It looks like getpwnam or another method used in cups-pdf.c is restricted by apparmor in Ubuntu 14.04.1 LTS.

I use the default cups-pdf.conf and default usr.sbin.cupsd apparmor profile.

Jamie Strandboge (jdstrand) wrote :

Can you paste the output of:
$ grep DEN /var/log/syslog

at the time of the denial?

affects: cups-pdf (Ubuntu) → cups (Ubuntu)
Changed in cups (Ubuntu):
status: New → Incomplete
Seth Arnold (seth-arnold) wrote :

Since you put this into complain mode, there may be more entries needed that might have been logged with ALLOWED -- can you grep for those, too, please?

Christian (c-vielhauer) wrote :

@Jamie: To get output from "grep DEN /var/log/syslog" I set it to enforce mode:

Oct 4 11:41:31 fs kernel: [135831.687728] type=1400 audit(1412415691.115:6372889): apparmor="DENIED" operation="connect" profile="/usr/lib/cups/backend/cups-pdf" name="/run/samba/winbindd/pipe" pid=19253 comm="cups-pdf" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0

Attached log-output with complain mode is from: tail -f /var/log/syslog /var/log/cups/*_log

I solved it by adding the following line to the cups-pdf section:
/run/samba/winbindd/pipe rw,

Is this correct?

Jamie Strandboge (jdstrand) wrote :

Christian, yes, add this to your profile (in the cups-pdf section):
/run/samba/winbindd/pipe rw,

then do this:
$ sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.cupsd

Jamie Strandboge (jdstrand) wrote :

Can you perform the above and confirm if it fixes it for you? Also, the cups-pdf policy has:
  #include <abstractions/nameservice>

and /etc/apparmor.d/abstractions/nameservice has:
  #include <abstractions/winbind>

and /etc/apparmor.d/abstractions/winbind has:
  /var/{lib,run}/samba/winbindd_privileged/pipe rw,

Did you set the path to /run/samba/winbindd/pipe or are you using Ubuntu defaults?

Christian (c-vielhauer) wrote :

Okay, step by step:

cups-pdf policy has: #include <abstractions/nameservice> yes

/etc/apparmor.d/abstractions/nameservice has: #include <abstractions/winbind> yes

/etc/apparmor.d/abstractions/winbind has: /var/{lib,run}/samba/winbindd_privileged/pipe rw, yes

I am using Ubuntu defaults. All apparmor files are unchanged, but it only works when I add the following to the cups-pdf policy:
           /run/samba/winbindd/pipe rw,

Eventually it's because /var/run/samba/winbindd_privileged/pipe is not available, but /var/lib/samba/winbindd_privileged/pipe is.

The permissions on both pipes are the same:
0 srwxrwxrwx 1 root root 0 Okt 3 15:13 /var/lib/samba/winbindd_privileged/pipe
0 srwxrwxrwx 1 root root 0 Okt 3 15:13 /run/samba/winbindd/pipe
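Added example (not part of the thread, and not code from cups or AppArmor): the DENIED record quoted above, parsed and checked against the abstractions/winbind rule to show why that rule does not cover the socket cups-pdf tried to reach. The helper names are hypothetical, and the matcher is a simplification that assumes plain "path perms," file rules with only `{}`, `*`, `**` and `?`.

```python
import re

# Log line and abstraction rule copied from the thread above.
SAMPLE = ('Oct 4 11:41:31 fs kernel: [135831.687728] type=1400 '
          'audit(1412415691.115:6372889): apparmor="DENIED" operation="connect" '
          'profile="/usr/lib/cups/backend/cups-pdf" name="/run/samba/winbindd/pipe" '
          'pid=19253 comm="cups-pdf" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0')
WINBIND_RULE = "/var/{lib,run}/samba/winbindd_privileged/pipe rw,"

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
GLOB = {"**": ".*", "*": "[^/]*", "?": "[^/]"}  # simplified AppArmor globbing

def parse_denial(line):
    """Return the key=value fields of an AppArmor audit record, else None."""
    fields = {k: q or u for k, q, u in KV.findall(line)}
    return fields if fields.get("apparmor") in ("DENIED", "ALLOWED") else None

def expand_braces(glob):
    """Expand {a,b} alternations into the list of concrete globs."""
    m = re.search(r"\{([^{}]*)\}", glob)
    if not m:
        return [glob]
    return [g for alt in m.group(1).split(",")
            for g in expand_braces(glob[:m.start()] + alt + glob[m.end():])]

def rule_covers(rule, path, mask):
    """True if a plain 'path perms,' file rule grants `mask` on `path`."""
    glob, perms = rule.rstrip(",").split()
    for g in expand_braces(glob):
        regex = "".join(GLOB.get(p, re.escape(p)) for p in re.split(r"(\*\*|\*|\?)", g))
        if re.fullmatch(regex, path) and set(mask) <= set(perms):
            return True
    return False

def suggest_rule(denial):
    """Narrowest rule for this record: exact path, only the denied permissions."""
    return f'{denial["name"]} {denial["denied_mask"]},'

if __name__ == "__main__":
    d = parse_denial(SAMPLE)
    print("profile:", d["profile"], "operation:", d["operation"])
    print("covered by abstractions/winbind:",
          rule_covers(WINBIND_RULE, d["name"], d["denied_mask"]))
    print("rule to add:", suggest_rule(d))
```

The parser also accepts ALLOWED records, so the same check can be run over what complain mode logs before switching the profile back to enforce mode.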

Launchpad Janitor (janitor) wrote :

[Expired for cups (Ubuntu) because there has been no activity for 60 days.]

Changed in cups (Ubuntu):
status: Incomplete → Expired