Comment 9 for bug 1719354

The net_admin denial is probably caused by a bug in systemd, see https://bugzilla.opensuse.org/show_bug.cgi?id=991901 and https://github.com/systemd/systemd/pull/10085
I'd recommend not to allow that capability in the nmbd profile, and instead apply the patch to systemd.

Write permissions to /run/systemd/notify look like a valid issue, I just opened
https://gitlab.com/apparmor/apparmor/merge_requests/236 for that.