Package: samba
Version: 2:4.9.5+dfsg-3
Severity: grave

Hi,

I upgraded a DC from stretch to buster, and DNS for AD (via bind9_dlz) started failing in strange ways. (In particular, when I changed the IP address of the DC, samba-tool dns query would return the correct addresses, but actual DNS lookups would return the old ones.)

It turns out that upstream, bind9_dlz data has moved from /var/lib/samba/private to /var/lib/samba/bind-dns; however, there's no notice about this anywhere, and the path does not exist in Debian. (Thus, the .conf file in use didn't even mention the BIND 9.11 .so file, much less load it.)

Furthermore, if you try to remedy this problem yourself by mkdir-ing the new directory and running samba_dnsupgrade, BIND will no longer start due to AppArmor policies being out of date:

  [84419.640664] audit: type=1400 audit(1555945763.230:88): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/var/lib/samba/bind-dns/named.conf" pid=9043 comm="isc-worker0000" requested_mask="r" denied_mask="r" fsuid=111 ouid=0
  [84486.581899] audit: type=1400 audit(1555945830.170:89): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/var/lib/samba/bind-dns/named.conf" pid=9171 comm="isc-worker0000" requested_mask="r" denied_mask="r" fsuid=111 ouid=0

Given that AppArmor now seems to be default on in buster, this breaks the functionality completely, even for new installations (not just for upgrades from stretch).

I would suppose that postinst needs to check whether BIND9_DLZ is in use, and if so, run samba_upgradedns --dns-backend=BIND9_DLZ and then finally pop up a message saying that the admin will have to change the .conf path in named.conf.local. And the AppArmor profile will need to be fixed.

Even after this, I had to run samba_dnsupdate once with --use-samba-tool, and then it would finally run without "dns_tkey_gssnegotiate: TKEY is unacceptable" the next time.
-- System Information:
Debian Release: buster/sid
  APT prefers testing-proposed-updates
  APT policy: (500, 'testing-proposed-updates'), (500, 'testing-debug'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.0.6 (SMP w/40 CPU cores)
Locale: LANG=en_DK.UTF-8, LC_CTYPE=en_DK.UTF-8 (charmap=UTF-8), LANGUAGE=en_NO:en_US:en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages samba depends on:
ii  adduser              3.118
ii  dpkg                 1.19.6
ii  init-system-helpers  1.56+nmu1
ii  libbsd0              0.9.1-2
ii  libc6                2.28-8
ii  libldb1              2:1.5.1+really1.4.6-3
ii  libpam-modules       1.3.1-5
ii  libpam-runtime       1.3.1-5
ii  libpopt0             1.16-12
ii  libpython2.7         2.7.16-2
ii  libtalloc2           2.1.14-2
ii  libtdb1              1.3.16-2+b1
ii  libtevent0           0.9.37-1
ii  libwbclient0         2:4.9.5+dfsg-3
ii  lsb-base             10.2019031300
ii  procps               2:3.3.15-2
ii  python               2.7.16-1
pn  python-dnspython     <none>
pn  python-samba         <none>
ii  python2.7            2.7.16-2
pn  samba-common         <none>
pn  samba-common-bin     <none>
ii  samba-libs           2:4.9.5+dfsg-3
pn  tdb-tools            <none>
ii  update-inetd         4.49

Versions of packages samba recommends:
ii  attr                 1:2.4.48-4
ii  logrotate            3.14.0-4
pn  samba-dsdb-modules   <none>
pn  samba-vfs-modules    <none>

Versions of packages samba suggests:
pn  bind9                <none>
pn  bind9utils           <none>
pn  ctdb                 <none>
pn  ldb-tools            <none>
ii  ntp                  1:4.2.8p12+dfsg-4
pn  smbldap-tools        <none>
pn  ufw                  <none>
pn  winbind              <none>
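An added triage helper, not part of the bug report or of the samba or bind9 packages: it parses AppArmor "DENIED" audit records like the two quoted above into their fields and derives, per profile, the minimal file rule the denial shows is missing. The sample input is a constructed copy of the quoted lines; the idea of placing such rules in a local override file (/etc/apparmor.d/local/usr.sbin.named) is an assumption about how an admin would apply them.

```python
import re
from collections import OrderedDict

# Constructed copy of the two denials quoted in the report.
SAMPLE_AUDIT = """\
[84419.640664] audit: type=1400 audit(1555945763.230:88): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/var/lib/samba/bind-dns/named.conf" pid=9043 comm="isc-worker0000" requested_mask="r" denied_mask="r" fsuid=111 ouid=0
[84486.581899] audit: type=1400 audit(1555945830.170:89): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/var/lib/samba/bind-dns/named.conf" pid=9171 comm="isc-worker0000" requested_mask="r" denied_mask="r" fsuid=111 ouid=0
"""

# Matches key="quoted value" as well as bare key=value fields (pid=9043).
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_apparmor_denials(text):
    """Return one {field: value} dict per line that is an AppArmor DENIED record."""
    denials = []
    for line in text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        fields = {}
        for m in FIELD_RE.finditer(line):
            key, quoted, bare = m.groups()
            fields[key] = quoted if quoted is not None else bare
        denials.append(fields)
    return denials


def suggest_local_rules(denials):
    """Group file-open denials by confining profile and return the per-path
    rule (path + denied access mode) each profile would need; duplicates
    from repeated start attempts collapse to one rule."""
    rules = OrderedDict()
    for d in denials:
        if d.get("operation") != "open" or "name" not in d:
            continue
        rule = "%s %s," % (d["name"], d["denied_mask"])
        profile_rules = rules.setdefault(d["profile"], [])
        if rule not in profile_rules:
            profile_rules.append(rule)
    return rules


if __name__ == "__main__":
    for profile, lines in suggest_local_rules(parse_apparmor_denials(SAMPLE_AUDIT)).items():
        print("# local override for profile %s" % profile)
        for rule in lines:
            print("  " + rule)
```

Because named stops at the first file it cannot read, the log only ever shows the first missing path; after allowing it, reloading the profile and restarting BIND will surface any further denials under /var/lib/samba/bind-dns, which the same parse-and-suggest loop handles.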