[apparmor] [patch] Samba profile updates for ActiveDirectory / Kerberos
Seth Arnold
seth.arnold at canonical.com
Tue Aug 29 01:38:53 UTC 2017
On Tue, Aug 22, 2017 at 11:14:59PM +0200, Christian Boltz wrote:
> > Is the sss/ms/initgroups change intentional?
>
> Yes, this is intentional - I did the profile updates (on an INVIS server)
> myself ;-)
>
> > Should that go into abstractions/nameservice instead?
>
> What about "maybe"? ;-) This was the first time I've seen access to
> sss/ms/initgroups. I don't really know what it does, so I prefered to
> only allow it in the smbd profile.
>
> If you think it makes sense for abstractions/nameservice, I can change
> the patch ;-)
This would be wonderful, thanks. The 'initgroups' interface exists to
support the getgrouplist(3) function as described by nsswitch.conf(5). So
if a site is using sss then probably more than just Samba will need this.
Acked-by: Seth Arnold <seth.arnold at canonical.com> for the 'old' patch
minus the initgroups, and the offered new patch of the initgroups in
abstractions/nameservice. :)
Thanks
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20170828/1581a950/attachment.pgp>
More information about the AppArmor
mailing list