This bug was fixed in the package openldap - 2.6.3+dfsg-1~exp1ubuntu2 --------------- openldap (2.6.3+dfsg-1~exp1ubuntu2) lunar; urgency=medium
* Build the passwd/sha2 contrib module with -fno-strict-aliasing to avoid computing an incorrect SHA256 hash with some versions of the compiler (LP: #2000817): - d/t/{control,sha2-contrib}: test to verify the SHA256 hash produced by passwd/sha2 - d/rules: set -fno-strict-aliasing only when building the passwd/sha2 contrib module * d/t/smbk5pwd: Allow the openldap user to read the Heimdal master key in the smbk5pwd DEP8 test (LP: #2004560) -- Andreas Hasenack <andr...@canonical.com> Fri, 03 Feb 2023 09:33:14 -0300 ** Changed in: openldap (Ubuntu) Status: In Progress => Fix Released -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openldap in Ubuntu. https://bugs.launchpad.net/bugs/2004560 Title: smbk5pwd test fails due to perms (FS and AppArmor) Status in openldap package in Ubuntu: Fix Released Bug description: https://autopkgtest.ubuntu.com/packages/o/openldap/lunar/amd64 autopkgtest [16:06:32]: test smbk5pwd: [----------------------- adding new entry "cn=samba,cn=schema,cn=config" SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 adding new entry "cn=hdb,cn=schema,cn=config" SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 modifying entry "cn=module{0},cn=config" adding new entry "olcOverlay=smbk5pwd,olcDatabase={1}mdb,cn=config" ldap_add: Other (e.g., implementation specific) error (80) additional info: <olcSmbK5PwdEnable> handler exited with 1 autopkgtest [16:06:33]: test smbk5pwd: -----------------------] autopkgtest [16:06:33]: test smbk5pwd: - - - - - - - - - - results - - - - - - - - - - smbk5pwd FAIL non-zero exit status 80 I reproduced this in a container, and the failure is two-fold: a) /var/lib/heimdal-kdc/ is root:root 0700, and the slapd server needs FS read access to the key b) Then the slapd apparmor profile blocks it: [qui fev 2 09:54:02 2023] audit: type=1400 audit(1675342444.436:3242): apparmor="DENIED" operation="open" class="file" namespace="root//lxd-l-dep8_<var-snap-lxd-common-lxd>" profile="/usr/sbin/slapd" name="/var/lib/heimdal-kdc/m-key" pid=1161656 comm="slapd" requested_mask="r" denied_mask="r" fsuid=1000110 ouid=1000000 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/2004560/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp