Hello,

Samba 4.2 needs some more permissions for nmbd and winbindd.
To avoid overcomplicated profiles, change abstractions/samba to allow
/var/lib/samba/** rwk, (instead of **.tdb rwk) - this change already
fixes the nmbd profile.

winbindd additionally needs some more write permissions in /etc/samba/
(and also in /var/lib/samba/, which is covered by the abstractions/samba
change).

References:
https://bugzilla.opensuse.org/show_bug.cgi?id=921098
https://bugzilla.opensuse.org/show_bug.cgi?id=923201

I propose this patch for trunk and 2.9. However, I'd like to keep the
/var/lib/samba/ lines in the winbindd profile in 2.9.x to avoid problems
if for some reason abstractions/samba isn't updated (*.rpmnew etc.).

[ profiles-samba-4.2.diff ]

=== modified file 'profiles/apparmor.d/abstractions/samba'
--- profiles/apparmor.d/abstractions/samba 2014-07-04 10:09:58 +0000
+++ profiles/apparmor.d/abstractions/samba 2015-05-18 19:42:58 +0000
@@ -13,7 +13,7 @@
 /usr/share/samba/*.dat r,
 /usr/share/samba/codepages/{lowcase,upcase,valid}.dat r,
 /var/cache/samba/ w,
- /var/lib/samba/**.tdb rwk,
+ /var/lib/samba/** rwk,
 /var/log/samba/cores/ rw,
 /var/log/samba/cores/** rw,
 /var/log/samba/log.* w,

=== modified file 'profiles/apparmor.d/usr.sbin.winbindd'
--- profiles/apparmor.d/usr.sbin.winbindd 2014-04-21 20:10:51 +0000
+++ profiles/apparmor.d/usr.sbin.winbindd 2015-05-18 19:45:45 +0000
@@ -10,8 +10,12 @@
 capability ipc_lock,
 capability setuid,
+ /etc/samba/netlogon_creds_cli.tdb rwk,
 /etc/samba/passdb.tdb{,.tmp} rwk,
 /etc/samba/secrets.tdb rwk,
+ /etc/samba/smbd.tmp/ rw,
+ /etc/samba/smbd.tmp/msg/ rw,
+ /etc/samba/smbd.tmp/msg/* rw,
 @{PROC}/sys/kernel/core_pattern r,
 /tmp/.winbindd/ w,
 /tmp/krb5cc_* rwk,
@@ -21,9 +25,6 @@
 /usr/sbin/winbindd mr,
 /var/cache/krb5rcache/* rw,
 /var/cache/samba/*.tdb rwk,
- /var/lib/samba/smb_krb5/krb5.conf.* rw,
- /var/lib/samba/smb_tmp_krb5.* rw,
- /var/lib/samba/winbindd_cache.tdb* rwk,
 /var/log/samba/log.winbindd rw,
 /{var/,}run/samba/winbindd.pid rwk,
 /{var/,}run/samba/winbindd/ rw,

Regards,

Christian Boltz
-- 
Too good not to be used as a sig ;-) [Rainer Behrendt in dag°]

-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
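Review bot: replacing `/var/lib/samba/**.tdb rwk,` with `/var/lib/samba/** rwk,` in the abstractions/samba hunk widens the write grant for every profile that includes the abstraction, not only nmbd and winbindd: every file and subdirectory below /var/lib/samba/ becomes writable and lockable, including anything the old `**.tdb` rule deliberately left out. If the aim is to keep the profiles simple, consider listing the paths nmbd actually trips over instead (the winbindd profile already names `/var/lib/samba/smb_krb5/krb5.conf.* rw,`, `/var/lib/samba/smb_tmp_krb5.* rw,` and `/var/lib/samba/winbindd_cache.tdb* rwk,`), or at least put a comment in the abstraction saying why the .tdb restriction was dropped, so the next maintainer does not tighten it back without knowing what will break.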
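Review bot: the three `/etc/samba/smbd.tmp/` rules in the first winbindd hunk are specific to a build that keeps Samba's private files under /etc/samba, as the neighbouring `/etc/samba/passdb.tdb{,.tmp} rwk,` and `/etc/samba/secrets.tdb rwk,` lines show; on a distribution with a different private directory they will never match, so a short comment next to `+ /etc/samba/smbd.tmp/ rw,` noting which Samba directory setting these paths come from would help maintainers elsewhere. Also, `/etc/samba/smbd.tmp/msg/* rw,` matches one directory level only and carries no `k`, while the surrounding tdb rules all do; worth confirming with aa-logprof that winbindd needs neither locks nor a deeper tree under msg/ before this lands.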
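Review bot: the second winbindd hunk removes `/var/lib/samba/smb_krb5/krb5.conf.* rw,`, `/var/lib/samba/smb_tmp_krb5.* rw,` and `/var/lib/samba/winbindd_cache.tdb* rwk,`, which contradicts the cover note's stated intention to keep these lines in 2.9.x: applied as posted to 2.9, the profile would depend on abstractions/samba having been updated in lockstep, exactly the *.rpmnew scenario the note wants to avoid. Either post a separate 2.9 patch without this hunk, or keep the three lines in both branches with a comment that they are now redundant with the abstraction; a duplicate rule costs nothing, while a missing one stops winbindd.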