"/etc/krb5/user/389/client.keytab" feels like a local modification you
made, to store keytab files somewhere under /etc/krb5. I suggest you add
an apparmor exception in /etc/apparmor.d/local/usr.sbin.slapd.

Unless I'm wrong and that directory is being used as a standard location
by some package. Please let me know which is the case.

As to the /tmp/krb5cc_389 file, can you elaborate on the scenario that
led to this behavior? Why is slapd trying to read that ticket cache
file? Maybe because it failed to read the keytab file?


** Changed in: openldap (Ubuntu)
       Status: New => Incomplete

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/1783183

Title:
  apparmor profile denied for kerberos client keytab and credential
  cache files

Status in openldap package in Ubuntu:
  Incomplete

Bug description:
  Can we get /etc/krb5/** and /tmp/krb5cc_* added with the appropriate
  permissions to the slapd apparmor profile? I'm getting the following
  kinds of errors:

  apparmor="DENIED" operation="open" profile="/usr/sbin/slapd"
  name="/etc/krb5/user/389/client.keytab" pid=19080 comm="slapd"
  requested_mask="r" denied_mask="r" fsuid=389 ouid=389

  apparmor="DENIED" operation="file_lock" profile="/usr/sbin/slapd"
  name="/tmp/krb5cc_389" pid=19080 comm="slapd" requested_mask="k"
  denied_mask="k" fsuid=389 ouid=389

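The local override suggested above, written out as an added example that is not part of the original bug mail or of the openldap package. It grants exactly the two paths in the reporter's denial messages rather than the broad /etc/krb5/** and /tmp/krb5cc_* asked for in the description, and it assumes the shipped /etc/apparmor.d/usr.sbin.slapd profile includes /etc/apparmor.d/local/usr.sbin.slapd, which is what makes the local file take effect.

```apparmor
# /etc/apparmor.d/local/usr.sbin.slapd  (assumed override path; added example, not from the bug report)
#
# Keytab under the non-standard /etc/krb5 tree: slapd only needs to read it,
# so grant "r" and nothing more. The path is taken verbatim from the
# apparmor="DENIED" ... name="/etc/krb5/user/389/client.keytab" line.
/etc/krb5/user/389/client.keytab r,

# Credential cache: the logged denial is only for the lock (denied_mask="k"),
# but a ticket cache is also read and rewritten when tickets are refreshed, so
# "rwk" is granted here. That the cache needs more than "k" is an assumption,
# not something the log proves. "owner" restricts the rule to files owned by
# the same uid slapd runs as (fsuid=389 ouid=389 in the log), so a cache
# planted by another local user is still denied.
owner /tmp/krb5cc_389 rwk,
```

After editing the local file, reload the main profile (the local file is pulled in by the include) with `sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.slapd`, then retry the Kerberos bind and check that no further `profile="/usr/sbin/slapd"` denials appear in `journalctl -k` or /var/log/kern.log. If the keytab directory turns out to be a standard location of some package, the maintainer's question above still stands: in that case the rule belongs in the packaged profile, not in the local override.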