apparmor profile denied for kerberos: /run/.heim_org.h5l.kcm-socket
Bug #1472639 reported by
Kartik Subbarao
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
openldap (Ubuntu) |
Expired
|
High
|
Unassigned |
Bug Description
The slapd apparmor profile doesn't allow access to /run/.heim_
apparmor="DENIED" operation="connect" profile=
This is as of 2.4.40+
tags: | added: apparmor |
Changed in openldap (Ubuntu): | |
importance: | Undecided → High |
Changed in openldap (Ubuntu): | |
assignee: | nobody → Ryan Harper (raharper) |
To post a comment you must log in.
Hi Kartik,
To help me reproduce and verify this, can you describe your setup where slapd stores its credentials in the KCM?
I'm asking because I do see these denials, but they don't appear to affect operation with a keytab, and I haven't been able to get slapd to work without a keytab. I'm guessing I might be missing an option to kinit (thereby caching insufficient credentials), or something.
(I can cache my own credentials in the KCM, and auth with those, just fine.)
Or from a different angle: does your setup work properly if you aa-complain slapd?