Please integrate Samba 4 with bind9 package

Bug #975973 reported by Leo Richard Comerford
This bug affects 3 people
Affects          Status     Importance  Assigned to  Milestone
bind9 (Debian)   Confirmed  Unknown
bind9 (Ubuntu)   Triaged    Wishlist    Unassigned
samba4 (Debian)  Confirmed  Unknown
samba4 (Ubuntu)  Triaged    Medium      Unassigned

Bug Description

I am attempting to install Samba 4 using version 4.0.0~alpha18.dfsg1-4 of samba4 on Ubuntu 12.04 beta 2 for x86-64. Installing the samba4 package, or running /usr/share/samba/setup/provision at any other time, does not configure DNS for samba4, but it does generate an example BIND configuration file at /var/lib/samba/private/named.conf (by default). The official Samba 4 HOWTO http://wiki.samba.org/index.php/Samba4/HOWTO suggests activating this configuration by adding the line

include "/var/lib/samba/private/named.conf";

to /etc/bind/named.conf.local. (Actually it gives a different path, but this seems to be the correct one for samba4 alpha18 on Ubuntu 12.04.) However (as anticipated in the HOWTO) this causes AppArmor problems on Ubuntu - bind will refuse to restart, and an AppArmor refusal report for /usr/sbin/named will show up in /var/log/syslog.

sudo aa-complain /usr/sbin/named

allowed bind to restart and run, leaving the following apparmor reports to appear in my /var/log/syslog over the first few seconds after bind's restart:

apparmor="ALLOWED" operation="file_mmap" parent=10564 profile="/usr/sbin/named" name="/usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9.so" pid=10567 comm="named" requested_mask="m" denied_mask="m" fsuid=103 ouid=0
apparmor="ALLOWED" operation="file_mmap" parent=10564 profile="/usr/sbin/named" name="/usr/lib/x86_64-linux-gnu/samba/gensec/krb5.so" pid=10567 comm="named" requested_mask="m" denied_mask="m" fsuid=103 ouid=0
apparmor="ALLOWED" operation="file_mmap" parent=10564 profile="/usr/sbin/named" name="/usr/lib/x86_64-linux-gnu/ldb/modules/ldb/asq.so" pid=10567 comm="named" requested_mask="m" denied_mask="m" fsuid=103 ouid=0
apparmor="ALLOWED" operation="file_mmap" parent=10564 profile="/usr/sbin/named" name="/usr/lib/x86_64-linux-gnu/ldb/modules/ldb/ldap.so" pid=10567 comm="named" requested_mask="m" denied_mask="m" fsuid=103 ouid=0
apparmor="ALLOWED" operation="file_mmap" parent=10564 profile="/usr/sbin/named" name="/usr/lib/x86_64-linux-gnu/ldb/modules/ldb/paged_results.so" pid=10567 comm="named" requested_mask="m" denied_mask="m" fsuid=103 ouid=0
apparmor="ALLOWED" operation="file_mmap" parent=10564 profile="/usr/sbin/named" name="/usr/lib/x86_64-linux-gnu/ldb/modules/ldb/paged_searches.so" pid=10567 comm="named" requested_mask="m" denied_mask="m" fsuid=103 ouid=0
apparmor="ALLOWED" operation="file_mmap" parent=10564 profile="/usr/sbin/named" name="/usr/lib/x86_64-linux-gnu/ldb/modules/ldb/rdn_name.so" pid=10567 comm="named" requested_mask="m" denied_mask="m" fsuid=103 ouid=0
apparmor="ALLOWED" operation="file_mmap" parent=10564 profile="/usr/sbin/named" name="/usr/lib/x86_64-linux-gnu/samba/ldb/acl.so" pid=10567 comm="named" requested_mask="m" denied_mask="m" fsuid=103 ouid=0
apparmor="ALLOWED" operation="file_mmap" parent=10564 profile="/usr/sbin/named" name="/usr/lib/x86_64-linux-gnu/samba/ldb/aclread.so" pid=10567 comm="named" requested_mask="m" denied_mask="m" fsuid=103 ouid=0

all appeared once, while these two messages

apparmor="ALLOWED" operation="file_lock" parent=1 profile="/usr/sbin/named" name="/var/lib/samba/private/dns/sam.ldb" pid=10566 comm="named" requested_mask="k" denied_mask="k" fsuid=103 ouid=0
apparmor="ALLOWED" operation="file_lock" parent=1 profile="/usr/sbin/named" name="/var/lib/samba/private/dns/sam.ldb.d/CN=SCHEMA,CN=CONFIGURATION,DC=IRISHTOWN,DC=LOCALONLY,DC=RVCOMERFORD,DC=IE.ldb" pid=10566 comm="named" requested_mask="k" denied_mask="k" fsuid=103 ouid=0

appeared several times.

As a workaround, adding the following to /etc/apparmor.d/usr.sbin.named (inside the /usr/sbin/named { ... } curly brackets, of course) seems to work, allowing named to run while in Apparmor refusal mode:

  # samba4
  /var/lib/samba/** rwmk,
  /usr/lib/x86_64-linux-gnu/samba/** rwmk,
  /usr/lib/x86_64-linux-gnu/ldb/** rwmk,

No doubt the proper Apparmor permissions change would be a lot narrower than this. I'm also not certain if these changes are sufficient to allow named to run without Apparmor problems once Windows clients start causing dynamic DNS updates.

Leo Richard Comerford (lrc1) wrote :

Just to add: one thing I have confirmed is that the test DNS requests suggested by the Samba 4 HOWTO,

host -t SRV _ldap._tcp.samdom.example.com.
host -t SRV _kerberos._udp.samdom.example.com.
host -t A samba.samdom.example.com.

do succeed without /var/log/syslog warnings once the /etc/apparmor.d/usr.sbin.named changes are in place (and AppArmor has then been reloaded with

sudo /etc/init.d/apparmor reload

).

Jelmer Vernooij (jelmer)
summary: - bind9 config changes for samba4 cause apparmor profile conflicts
+ integrate with bind package
Changed in samba4 (Ubuntu):
status: New → Triaged
importance: Undecided → Medium
Jelmer Vernooij (jelmer) wrote : Re: integrate with bind package

Ideally we should have provision generate /etc/samba/named.conf.samba or something along those lines instead; this would make it unnecessary to provide custom apparmor rules for the configuration file. It would be nice if bind provided some sort of mechanism that allowed external applications to install custom configuration files.

Also marking as affecting bind, as there is AFAIK not yet any support in bind to allow other packages to extend its configuration, and since the usr.sbin.named apparmor profile lives in the bind9 package.

James Page (james-page)
Changed in bind9 (Ubuntu):
status: New → Triaged
importance: Undecided → Wishlist
Thomas Hood (jdthood)
summary: - integrate with bind package
+ samba4: integrate with bind package
Jelmer Vernooij (jelmer) wrote :

Hi Thomas, why the prefix? This is already associated with the samba4 package.

summary: - samba4: integrate with bind package
+ integrate with bind package
Changed in bind9 (Debian):
status: Unknown → Confirmed
Changed in samba4 (Debian):
status: Unknown → Confirmed
Thomas Hood (jdthood) wrote :

> Hi Thomas, why the prefix

Because if I am looking at the list of bind9 bugs it isn't obvious from the title what bind is supposed to be integrated with. :)

summary: - integrate with bind package
+ Please integrate Samba 4 with bind9 package
Patrick Hibbs (codebase7) wrote :

As this seems the best place to put it, samba version 4.3.11+dfsg-0ubuntu0.16.04.1 adds a new file /var/lib/samba/private/named.conf.update to bind's config when using the BIND9_FLATFILE config.

According to the sample named.conf generated by samba's domain provisioning command, it's an empty file that's populated at runtime by samba for defining what domain controllers can issue a DNS record update to bind, and what records they are permitted to update.

By default, bind's access to this file is also blocked by apparmor.

When using the BIND9_DLZ config, apparmor still blocks access to the /var/lib/samba/private/named.conf file, in addition to the /var/lib/samba/private/dns/sam.ldb file. Fixing apparmor allows bind and samba to work as intended.

According to https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller

the BIND9_FLATFILE config option is unsupported and will be removed in a future release of samba, which means only BIND9_DLZ will work at that point. The reason I bring it up is that bug#127184 wants to put bind into a chroot, which will currently break BIND9_DLZ as it requires access to samba's libraries and database files. (As per: https://wiki.samba.org/index.php/BIND9_DLZ_DNS_Back_End ) As such, this bug would currently be in opposition to bug#127184 unless both samba and bind were placed in the same chroot.

Patrick Hibbs (codebase7) wrote :

Apparmor is also blocking read access from named to /var/lib/samba/private/dns.keytab.

[40953.694755] audit: type=1400 audit(1482362368.332:17): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/var/lib/samba/private/dns.keytab" pid=5334 comm="named" requested_mask="r" denied_mask="r" fsuid=123 ouid=0
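The reporter notes that the `/var/lib/samba/** rwmk,` workaround is far broader than named actually needs. The following added example (not part of this bug report or of the bind9/samba packages) shows how to derive per-file rules from the AppArmor lines quoted in the description and in the dns.keytab comment above: it parses both the syslog complain-mode "ALLOWED" shape and the kernel audit "DENIED" shape, unions the masks per path, and renders rules suitable for a local override such as /etc/apparmor.d/local/usr.sbin.named (assumed to be included by the packaged profile). The sample log is constructed from the shapes on this page; the "open" event on sam.ldb and the sshd line are invented to exercise mask merging and profile filtering.

```python
import re
from collections import defaultdict

# Constructed sample: syslog "ALLOWED" lines (complain mode) and a kernel audit
# "DENIED" line in the shapes quoted in the bug; the sam.ldb "open" event and
# the sshd line are constructed to exercise merging and filtering.
SAMPLE_LOG = """\
apparmor="ALLOWED" operation="file_mmap" parent=10564 profile="/usr/sbin/named" name="/usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9.so" pid=10567 comm="named" requested_mask="m" denied_mask="m" fsuid=103 ouid=0
apparmor="ALLOWED" operation="file_lock" parent=1 profile="/usr/sbin/named" name="/var/lib/samba/private/dns/sam.ldb" pid=10566 comm="named" requested_mask="k" denied_mask="k" fsuid=103 ouid=0
apparmor="ALLOWED" operation="open" parent=1 profile="/usr/sbin/named" name="/var/lib/samba/private/dns/sam.ldb" pid=10566 comm="named" requested_mask="rw" denied_mask="rw" fsuid=103 ouid=0
apparmor="ALLOWED" operation="file_lock" parent=1 profile="/usr/sbin/named" name="/var/lib/samba/private/dns/sam.ldb.d/CN=SCHEMA,CN=CONFIGURATION,DC=IRISHTOWN,DC=LOCALONLY,DC=RVCOMERFORD,DC=IE.ldb" pid=10566 comm="named" requested_mask="k" denied_mask="k" fsuid=103 ouid=0
[40953.694755] audit: type=1400 audit(1482362368.332:17): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/var/lib/samba/private/dns.keytab" pid=5334 comm="named" requested_mask="r" denied_mask="r" fsuid=123 ouid=0
apparmor="DENIED" operation="open" profile="/usr/sbin/sshd" name="/etc/shadow" pid=1 comm="sshd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
MASK_ORDER = "rwalkm"  # canonical order for the file permission letters seen here

def parse_events(log_text, profile="/usr/sbin/named"):
    """Yield (path, mask) for file events of one profile. ALLOWED lines from
    complain mode count too: they would be DENIED once the profile enforces."""
    for line in log_text.splitlines():
        fields = dict(FIELD_RE.findall(line))
        if fields.get("profile") != profile or "name" not in fields:
            continue
        mask = fields.get("denied_mask") or fields.get("requested_mask", "")
        if mask:
            yield fields["name"], mask

def merge_rules(events):
    """Union the masks per path so each file gets exactly one rule."""
    masks = defaultdict(set)
    for path, mask in events:
        masks[path].update(mask)
    return {p: "".join(c for c in MASK_ORDER if c in s) for p, s in masks.items()}

def quote_path(path):
    """Quote paths containing whitespace or commas: a bare comma would end the
    rule early, and Samba's partition file names above contain several."""
    return f'"{path}"' if re.search(r"[\s,]", path) else path

def render_profile(rules):
    """Render per-file rules in apparmor.d(5) syntax for a local override."""
    lines = ["# samba4: rules derived from observed AppArmor events"]
    for path in sorted(rules):
        lines.append(f"  {quote_path(path)} {rules[path]},")
    return "\n".join(lines)

if __name__ == "__main__":
    print(render_profile(merge_rules(parse_events(SAMPLE_LOG))))
```

Feed it the real syslog or `journalctl -k` output after a complain-mode run and review the result before installing it; in particular, dynamic updates from Windows clients may touch further files that only show up under load.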
