Not really -- in this case, all of the packages are pretty much installed at the same time with automated processes.
In #1 above, Ryan Tandy mentions seeing these error messages too -- so I assumed this was a fairly common sort of occurrence. I've been working around this issue by adding a line to /etc/apparmor.d/local/usr.sbin.slapd, and I'm okay with this workaround. I guess I was assuming that the fix would be a simple patch to /etc/apparmor.d/usr.sbin/slapd to permit the socket (i.e. assuming that Kerberos is fairly standard and it seems reasonable to allow a process like slapd to access the socket if it has permissions to do so). Given the amount of complexity that now seems to be involved, I'm reluctant to (even implicitly) ask you guys to spend more time on this. Feel free to pursue this as you want, but definitely don't feel any pressure on my account. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu. https://bugs.launchpad.net/bugs/1472639 Title: apparmor profile denied for kerberos: /run/.heim_org.h5l.kcm-socket Status in openldap package in Ubuntu: Incomplete Bug description: The slapd apparmor profile doesn't allow access to /run/.heim_org.h5l .kcm-socket which is used by kerberos: apparmor="DENIED" operation="connect" profile="/usr/sbin/slapd" name="/run/.heim_org.h5l.kcm-socket" pid=61289 comm="slapd" requested_mask="wr" denied_mask="wr" fsuid=389 ouid=0 This is as of 2.4.40+dfsg-1ubuntu1. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1472639/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp