You are not logged in.
I've got an Arch build with a samba share. I access the share from a Windows 10 VM, android and apple phones and my other linux machines.
Currently using:
samba 4.16.0-6
smbclient 4.16.0-6
I also use apparmor, and had no issue until the upgrade from 3.0.3-2 -> 3.0.4-1, which included a /etc/apparmor.d/usr.sbin.smbd.pacnew file with some subtle changes, i.e. add local share paths to /etc/apparmor.d/local, as well as now all the "include <abstractions/...> are uncommented.
I've followed the wiki for Permission issues on AppArmor
If I use the new apparmor with this, I can't access the share from any phone or linux machine, i.e
$ smbclient -L hostname -U%shows no shares, however I can still see it from the Windows VM. I can perform saves/deletes from Windows to the share and the changes persist.
If I put apparmor into complain mode for samba
# aa-complain /usr/bin/smbdI can access the shares from everywhere again.
The audit logs don't give much away.
audit[332302]: SYSCALL arch=c000003e syscall=59 success=no exit=-13 a0=3988ea790a0 a1=3988ea79840 a2=3988ea5c190 a3=8 items=0 ppid=332301 pid=332302 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="smbd" exe="/usr/bin/smbd" subj==smbd (enforce) key=(null)
audit[332302]: AVC apparmor="DENIED" operation="exec" profile="smbd" name="/usr/lib/samba/samba/samba-dcerpcd" pid=332302 comm="smbd" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
Also when I access it from Windows 10 VM, there doesn't appear to be any log whatsoever.
Have I missed something obvious?
Last edited by farmerdave (2022-05-02 09:29:47)
Offline
AppArmor profiles needs updating for samba 4.16. See https://gitlab.com/apparmor/apparmor/-/ … quests/871.
But even after pathing in https://gitlab.com/apparmor/apparmor/-/ … 2461f275e0, https://gitlab.com/apparmor/apparmor/-/ … 230cfbead0 and https://gitlab.com/apparmor/apparmor/-/ … 49d249a493, it will not work because the paths in the samba package differ from the ones in the profiles. It has e.g. /usr/lib/samba/samba/samba-dcerpcd instead of /usr/lib/samba/samba-dcerpcd.
/usr/lib/samba/samba/ doesn't look right to me and I'm guessing it's a packaging bug. If not, then the profiles need additional updating to support Arch package's paths.
I suggest opening a bug report against the apparmor and samba packages (a single bug report against both).
Last edited by nl6720 (2022-05-01 12:03:21)
Offline
AppArmor profiles needs updating for samba 4.16. See https://gitlab.com/apparmor/apparmor/-/ … quests/871.
Thanks, I did update to samba 4.16 at the same time, looks like the issue.
I suggest opening a bug report against the apparmor and samba packages (a single bug report against both).
Bug report now opened. Marking this thread as solved.
Offline
For reference: https://bugs.archlinux.org/task/74614.
Offline