Hi,

We got reports on the samba list of this.
See:  https://www.spinics.net/lists/samba/msg156739.html

And I verified the user's problem and also noticed the wrong path,
and reported it as a fix with the change.

You said you did follow the wiki, which part? 
Is Windows in your test case syncing time over AD? Or the NTP protocol?

Do note, tested on Ubuntu 18.04 and I verified the paths also on Debian 9.
These tests are done against Samba 4.10.2 Ubuntu/Debian packages from my
repo.

The PCs always get the time from AD, so that that works is correct,
but if the time is offset and it needs to correct it, then you should see the
deny message of AppArmor.

I personally don't use AppArmor, just don't like it, it is annoying.
Now you might think, oh, Ubuntu, that's not Debian; well, I use Debian as the base
for all my packaging and testing.

Best regards, 

Louis




> -----Original message-----
> From: Bernhard Schmidt [mailto:be...@debian.org]
> Sent: Tuesday 30 April 2019 10:05
> To: Louis van Belle; 928...@bugs.debian.org
> Subject: Re: Bug#928168: ntp: Wrong path in apparmor profile for samba
> 
> Control: tags -1 + moreinfo
> 
> On 29.04.19 at 11:18, Louis van Belle wrote:
> 
> Hi,
> 
> > Hello, after a few messages on the samba list we discovered a wrong path in the apparmor profiles of ntp.
> > 
> > File : /etc/apparmor.d/usr.sbin.ntpd
> > Wrong: 
> >   # samba4 ntp signing socket
> >   /{,var/}run/samba/ntp_signd/socket rw,
> > 
> > Correct: 
> >   # To sign replies to MS-SNTP clients by the smbd daemon in /var/lib/samba
> >   /var/lib/samba/ntp_signd r,
> >   /var/lib/samba/ntp_signd/{,*} rw,
> > 
> >   # samba4 winbindd pipe 
> >   /{,var/}run/samba/winbindd r,
> >   /{,var/}run/samba/winbindd/pipe r,
> > 
> >   # samba4 winbindd_privileged pipe ? Needed, not sure here. 
> >   /var/lib/samba/winbindd_privileged r,
> >   /var/lib/samba/winbindd/pipe r,
> > 
> > Please verify the last one, I'm not a coder, sorry.
> > Now, above changes are important to have before the buster release,
> > because it could stop the timesync of domain joined PCs.
> 
> Thanks for the report.
> 
> Could you give us some more details about that testcase? I can see that
> the path in the AppArmor profile is wrong, but still I followed
> https://wiki.samba.org/index.php/Time_Synchronisation on my personal
> Samba AD DC. There is only one Win7 PC joined to it. I could see it
> syncing with NTP to the DC. The NTP response had some keying stuff in
> it. And I did not see an error on the client in the event log. All that
> with an unadjusted AppArmor profile, which means it should have logged a
> DENY on the ntp_signd socket.
> 
> Bernhard
> 
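
The path mismatch discussed in this thread can be checked offline. The following is an added example, not code from either participant or from the ntp or Samba packages: it tests whether a set of AppArmor file rules grants write access to the signing socket under `/var/lib/samba/ntp_signd`. The function names are hypothetical, the socket file name `socket` is assumed from the shipped rule, and only a simplified subset of AppArmor globbing (`{a,b}`, `*`, `**`, `?`) is handled.

```python
import re

# Rules quoted in the report: the shipped rule and the proposed replacement.
SHIPPED = """
  # samba4 ntp signing socket
  /{,var/}run/samba/ntp_signd/socket rw,
"""
PROPOSED = """
  /var/lib/samba/ntp_signd r,
  /var/lib/samba/ntp_signd/{,*} rw,
"""
# Assumption: the socket file is named "socket", as in the shipped rule.
SOCKET = "/var/lib/samba/ntp_signd/socket"

def aa_glob_to_regex(glob):
    """Translate a simplified subset of AppArmor path globs into a regex."""
    out, i, depth = [], 0, 0
    while i < len(glob):
        c = glob[i]
        if glob.startswith("**", i):      # ** crosses directory separators
            out.append(".*"); i += 2; continue
        if c == "*":                      # * stays within one path component
            out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        elif c == "{":                    # {a,b} alternation
            out.append("(?:"); depth += 1
        elif c == "}" and depth:
            out.append(")"); depth -= 1
        elif c == "," and depth:
            out.append("|")
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("".join(out) + r"\Z")

def parse_rules(profile_text):
    """Yield (path_glob, permissions) for simple file rules; skip comments."""
    for line in profile_text.splitlines():
        parts = line.split("#", 1)[0].strip().rstrip(",").split()
        if len(parts) == 2 and parts[0].startswith("/"):
            yield parts[0], parts[1]

def allows(profile_text, path, perm):
    """True if any rule grants `perm` (e.g. "w") on `path`."""
    return any(perm in perms and aa_glob_to_regex(glob).match(path)
               for glob, perms in parse_rules(profile_text))

if __name__ == "__main__":
    for name, rules in (("shipped", SHIPPED), ("proposed", PROPOSED)):
        print(name, "allows write to", SOCKET, "->", allows(rules, SOCKET, "w"))
```
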
