I have been using Linux for more than two years. I started using Arch about 8 months ago. Likewise, I fell in love with it. I have learned so much from the Arch Wiki and Forums. But I am still unable to solve one problem.
I'm using a Samba share for sharing between my PC and Android mobile, and I love it. It has a problem with AppArmor. My Samba version is 4.16.4. I need to tear down AppArmor in order to use Samba. How can I solve it?
My testparm result:
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Weak crypto is allowed
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions
# Global parameters
[global]
dns proxy = No
log file = /var/log/samba/log.%m
max log size = 50
server role = standalone server
server string = Samba Server
workgroup = MYGROUP
idmap config * : backend = tdb
[homes]
comment = Home Directories
read only = No
[printers]
browseable = No
comment = All Printers
path = /usr/spool/samba
printable = Yes
Apparmor status:
apparmor module is loaded.
60 profiles are loaded.
60 profiles are in enforce mode.
/usr/lib/apache2/mpm-prefork/apache2
/usr/lib/apache2/mpm-prefork/apache2//DEFAULT_URI
/usr/lib/apache2/mpm-prefork/apache2//HANDLING_UNTRUSTED_INPUT
/usr/lib/apache2/mpm-prefork/apache2//phpsysinfo
apache2
apache2//DEFAULT_URI
apache2//HANDLING_UNTRUSTED_INPUT
apache2//phpsysinfo
avahi-daemon
dnsmasq
dnsmasq//libvirt_leaseshelper
dovecot
dovecot-anvil
dovecot-auth
dovecot-config
dovecot-deliver
dovecot-dict
dovecot-director
dovecot-doveadm-server
dovecot-dovecot-auth
dovecot-dovecot-lda
dovecot-dovecot-lda//sendmail
dovecot-imap
dovecot-imap-login
dovecot-lmtp
dovecot-log
dovecot-managesieve
dovecot-managesieve-login
dovecot-pop3
dovecot-pop3-login
dovecot-replicator
dovecot-script-login
dovecot-ssl-params
dovecot-stats
identd
klogd
lsb_release
mdnsd
nmbd
nscd
ntpd
nvidia_modprobe
nvidia_modprobe//kmod
php-fpm
ping
samba-bgqd
samba-dcerpcd
samba-rpcd
samba-rpcd-classic
samba-rpcd-spoolss
smbd
smbldap-useradd
smbldap-useradd///etc/init.d/nscd
syslog-ng
syslogd
traceroute
winbindd
zgrep
zgrep//helper
zgrep//sed
0 profiles are in complain mode.
0 profiles are in kill mode.
0 profiles are in unconfined mode.
5 processes have profiles defined.
5 processes are in enforce mode.
/usr/bin/avahi-daemon (537) avahi-daemon
/usr/bin/avahi-daemon (545) avahi-daemon
/usr/bin/smbd (1293) smbd
/usr/bin/smbd (1296) smbd
/usr/bin/smbd (1297) smbd
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
0 processes are in mixed mode.
0 processes are in kill mode.
Audit log:
type=AVC msg=audit(1662175595.240:251): apparmor="DENIED" operation="open" profile="samba-dcerpcd" name="/var/cache/samba/names.tdb" pid=13491 comm="samba-dcerpcd" requested_mask="wrc" denied_mask="wrc" fsuid=0 ouid=0 FSUID="root" OUID="root"
SAMBA client result when Apparmor is in enforce mode:
smbclient -L localhost
Password for [MYGROUP\suman]:
Sharename Type Comment
--------- ---- -------
SMB1 disabled -- no workgroup available
SAMBA client result after Apparmor teardown:
smbclient -L localhost
Password for [MYGROUP\suman]:
Sharename Type Comment
--------- ---- -------
homes Disk Home Directories
IPC$ IPC IPC Service (Samba Server)
suman Disk Home Directories
SMB1 disabled -- no workgroup available
Last edited by SumanM (2022-09-03 14:30:35)
Offline
Ever since Samba 4.16 got released, it doesn't play nicely with AppArmor under Arch. Haven't found a proper fix, but setting samba to complain mode instead of enforce works as a temporary workaround. This way, you don't have to completely disable AppArmor system-wide, but only for these specific components. Please note, I didn't dive deep into this, so use it at your own risk.
sudo aa-complain samba-dcerpcd
sudo aa-complain samba-rpcd
sudo aa-complain samba-rpcd-classic
Last edited by tolga9009 (2022-09-04 21:13:13)
Offline
Thanks for your reply.
Offline
I just ran into this same issue today. The apparmor profiles for Samba are indeed a bit off and no longer work with 4.16. If you don't want to completely disable protections for Samba, you can add exceptions for the things apparmor is complaining about. I've filed a bug here with some workarounds to get it working: https://bugs.archlinux.org/task/76992
Offline
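The last reply suggests adding exceptions for exactly what AppArmor is denying. As an added example (not part of any post in this thread, and not code from the Samba, AppArmor or Arch projects), this Python sketch parses `apparmor="DENIED"` audit lines like the one in the first post and produces the narrowest candidate file rule per profile and path. The function names and the second and third sample log lines are constructed for illustration; where the resulting rules go (for instance a local override file for the profile) is an assumption about your setup.

```python
import re
from collections import defaultdict

# Sample input: line 1 is the denial quoted in the first post;
# lines 2 and 3 are constructed for illustration (hypothetical events).
SAMPLE_LOG = '''\
type=AVC msg=audit(1662175595.240:251): apparmor="DENIED" operation="open" profile="samba-dcerpcd" name="/var/cache/samba/names.tdb" pid=13491 comm="samba-dcerpcd" requested_mask="wrc" denied_mask="wrc" fsuid=0 ouid=0FSUID="root" OUID="root"
type=AVC msg=audit(1662175601.100:260): apparmor="DENIED" operation="file_lock" profile="samba-dcerpcd" name="/var/cache/samba/names.tdb" pid=13491 comm="samba-dcerpcd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
type=AVC msg=audit(1662175602.300:261): apparmor="ALLOWED" operation="open" profile="samba-rpcd" name="/etc/samba/smb.conf" pid=13500 comm="rpcd_classic" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
'''

FIELD = re.compile(r'(\w+)="([^"]*)"')
# Audit masks report c (create) and d (delete); profile rules express both as w.
LOG_TO_RULE = {"r": "r", "w": "w", "a": "a", "c": "w", "d": "w", "k": "k", "l": "l", "m": "m"}
ORDER = "rwaklm"

def parse_denials(log_text):
    """Return {profile: {path: set(rule permissions)}} for DENIED file events."""
    denials = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        # Only enforce-mode denials on absolute paths; capability, network
        # and complain-mode ("ALLOWED") events are left for manual review.
        if fields.get("apparmor") != "DENIED" or not fields.get("name", "").startswith("/"):
            continue
        for ch in fields.get("denied_mask", ""):
            # x (exec) is skipped on purpose: its transition mode needs a human decision.
            if ch in LOG_TO_RULE:
                denials[fields["profile"]][fields["name"]].add(LOG_TO_RULE[ch])
    return denials

def candidate_rules(log_text):
    """Return {profile: [rule lines]}, one exact-path rule per denied file."""
    out = {}
    for profile, paths in parse_denials(log_text).items():
        out[profile] = [
            f"{path} {''.join(p for p in ORDER if p in perms)},"
            for path, perms in sorted(paths.items())
        ]
    return out

if __name__ == "__main__":
    for profile, rules in candidate_rules(SAMPLE_LOG).items():
        print(f"# candidate rules for profile {profile}: review before use")
        print("\n".join(rules))
```

Each generated rule names one exact path with only the permissions that were denied, so review it and widen it to a glob only when the log shows the need.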