touch-packages team mailing list archive

Thread
Date

[Bug 1472639] Re: apparmor profile denied for kerberos: /run/.heim_org.h5l.kcm-socket

To: touch-packages@xxxxxxxxxxxxxxxxxxx
From: Kartik Subbarao <subbarao@xxxxxxxxxxxx>
Date: Mon, 27 Jul 2015 17:01:24 -0000
Reply-to: Bug 1472639 <1472639@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

I'm not sure if/how exactly I'm using kcm with slapd. I have an
/etc/krb5.keytab and in slapd.conf, I have a sasl-realm parameter
defined. Kerberos authentication actually seems to work okay -- for
example, ldapwhoami -Y GSSAPI works properly. I don't know what else may
or may not be working, but I figured that the error message wasn't a
good thing to see.

Sorry I can't be of more help in isolating why this error is showing up.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/1472639

Title:
  apparmor profile denied for kerberos:  /run/.heim_org.h5l.kcm-socket

Status in openldap package in Ubuntu:
  New

Bug description:
  The slapd apparmor profile doesn't allow access to /run/.heim_org.h5l
  .kcm-socket which is used by kerberos:

  apparmor="DENIED" operation="connect" profile="/usr/sbin/slapd"
  name="/run/.heim_org.h5l.kcm-socket" pid=61289 comm="slapd"
  requested_mask="wr" denied_mask="wr" fsuid=389 ouid=0

  This is as of 2.4.40+dfsg-1ubuntu1.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1472639/+subscriptions

References

[Bug 1472639] [NEW] apparmor profile denied for kerberos: /run/.heim_org.h5l.kcm-socket
From: Kartik Subbarao, 2015-07-08