touch-packages team mailing list archive
Message #92165
[Bug 1472639] Re: apparmor profile denied for kerberos: /run/.heim_org.h5l.kcm-socket
Hi Kartik,
To help me reproduce and verify this, can you describe your setup where
slapd stores its credentials in the KCM?
I'm asking because I do see these denials, but they don't appear to
affect operation with a keytab, and I haven't been able to get slapd to
work without a keytab. I'm guessing I might be missing an option to
kinit (thereby caching insufficient credentials), or something.
(I can cache my own credentials in the KCM, and auth with those, just
fine.)
Or from a different angle: does your setup work properly if you
aa-complain slapd?
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/1472639
Title:
apparmor profile denied for kerberos: /run/.heim_org.h5l.kcm-socket
Status in openldap package in Ubuntu:
New
Bug description:
The slapd apparmor profile doesn't allow access to
/run/.heim_org.h5l.kcm-socket which is used by kerberos:
apparmor="DENIED" operation="connect" profile="/usr/sbin/slapd"
name="/run/.heim_org.h5l.kcm-socket" pid=61289 comm="slapd"
requested_mask="wr" denied_mask="wr" fsuid=389 ouid=0
This is as of 2.4.40+dfsg-1ubuntu1.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1472639/+subscriptions
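
For triaging denials like the one quoted in the bug description, the following added example (not part of the original message or of the openldap packaging) parses AppArmor `DENIED` records and groups them into candidate file rules per profile. The function names are hypothetical, and the output is only a candidate for review: whether slapd actually needs this access is the open question in the thread.

```python
import shlex
from collections import defaultdict

# The denial quoted in the bug description, rejoined onto one line.
SAMPLE_LOG = (
    'apparmor="DENIED" operation="connect" profile="/usr/sbin/slapd" '
    'name="/run/.heim_org.h5l.kcm-socket" pid=61289 comm="slapd" '
    'requested_mask="wr" denied_mask="wr" fsuid=389 ouid=0\n'
)

# Audit masks report create (c) and delete (d); profile rules express both as w.
AUDIT_TO_RULE = {"c": "w", "d": "w"}
# Exec bits are skipped: an x rule needs a transition mode chosen by a human.
PERM_ORDER = "rwamlk"


def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED record, else None."""
    start = line.find('apparmor="DENIED"')
    if start < 0:
        return None
    fields = {}
    # shlex keeps quoted values together and strips the quotes.
    for token in shlex.split(line[start:]):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def candidate_rules(log_text):
    """Group denials by (profile, path) and merge the denied permission bits."""
    masks = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_denial(line)
        if not rec or not {"profile", "name", "denied_mask"} <= rec.keys():
            continue
        bits = {AUDIT_TO_RULE.get(b, b) for b in rec["denied_mask"]}
        masks[(rec["profile"], rec["name"])] |= bits
    rules = defaultdict(list)
    for (profile, path), bits in sorted(masks.items()):
        perms = "".join(p for p in PERM_ORDER if p in bits)
        if perms:
            rules[profile].append(f"{path} {perms},")
    return dict(rules)


if __name__ == "__main__":
    for profile, lines in candidate_rules(SAMPLE_LOG).items():
        print(f"# candidate additions for profile {profile}")
        print("\n".join("  " + rule for rule in lines))
```
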