← Back to team overview

touch-packages team mailing list archive

  1. touch-packages team
  2. Mailing list archive
  3. Message #24098

[Bug 1377239] Re: cups-pdf 2.6.1-9 not able to lookup domain user because apparmor profile

  Thread PreviousDate PreviousThread Next 
Okay, step by step:


cups-pdf policy has: #include <abstractions/nameservice>             yes

/etc/apparmor.d/abstractions/nameservice has: #include
<abstractions/winbind>       yes

/etc/apparmor.d/abstractions/winbind has:
/var/{lib,run}/samba/winbindd_privileged/pipe rw,       yes


I am using ubuntu defaults. All apparmor files are unchanged, but it only works when I add following to cups-pdf policy:
           /run/samba/winbindd/pipe rw,




Eventually it's because   /var/run/samba/winbindd_privileged/pipe is not available, but   /var/lib/samba/winbindd_privileged/pipe is.

The permissions on both pipes are the same:
0 srwxrwxrwx 1 root root 0 Okt  3 15:13 /var/lib/samba/winbindd_privileged/pipe
0 srwxrwxrwx 1 root root 0 Okt  3 15:13 /run/samba/winbindd/pipe

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to cups in Ubuntu.
https://bugs.launchpad.net/bugs/1377239

Title:
  cups-pdf 2.6.1-9 not able to lookup domain user because apparmor
  profile

Status in “cups” package in Ubuntu:
  Incomplete

Bug description:
  I use cups-pdf for years now. But now it's no longer able to lookup
  users from domain.

  lookup user by getent passwd works fine.
  lookup user by wbinfo works fine.
  Login with domain user works fine.
  kinit username works, too.

  But cups-pdf with log level 7 tells: unknown user (admin)
  It's regardless of wether I use UserPrefix MYDOMAIN\ or leave it blank.
  Just the output of the log file differs to: unknown user (MYDOMAIN\admin)

  
  After long time of searching around in all log files I tried to set apparmor profile use.sbin.cupsd to complain mode.

  That fixes my problem.
  But what I have to change in apparmor profile to switch back to enforce mode?

  I don't get any logging by complain, enforce or audit mode in /var/log/syslog.
  It looks like getpwnam or another method used in cups-pdf.c is restricted by apparmor in Ubuntu 14.04.1 LTS.

  
  I use the default cups-pdf.conf and default usr.sbin.cupsd apparmor profile.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cups/+bug/1377239/+subscriptions
  Thread PreviousDate PreviousThread Next