[Bug 930280] [NEW] AppArmor profile for named prevents reading of samba4 zone and keytab

Brendan Powers brendan at resara.com
Fri Feb 10 17:22:26 UTC 2012

Public bug reported:

Release Description:	Ubuntu precise (development branch)
Release:	12.04
Package: bind9
Version: 1:9.8.1.dfsg.P1-2

The AppArmor profile for named prevents bind9 from reading zone and
keytab files generated by samba4. When samba4 is provisioned, it
generates several template files. These files include configuration and
zone information. Keytab files for DNS update signing are also
generated. Generally, a user will configure bind9 to include these files
from within their existing bind configuration in /etc/bind/. However,
the AppArmor profile for named prevents this. Adding the lines below to
/etc/apparmor.d/usr.sbin.named should resolve this problem.

  /var/lib/samba/private/dns/* rw,
  /var/lib/samba/private/named.conf r,
  /var/lib/samba/private/named.conf.update r,
  /var/lib/samba/private/dns.keytab rk,
  /var/tmp/* rw,

The first line allows bind9 to read the zone files generated by samba4.
The write flag is specified because bind9 may need to update the zone
upon a client DNS update request. The second and third lines allow bind9
to read the configuration and update information for domains generated
by samba4. The fourth line allows bind9 to read and lock the samba4 DNS
keytab file. This file allows bind9 to authenticate against the samba4
domain for signed DNS update requests. The last line allows bind9 to
write some temporary files needed to track DNS updates.

** Affects: bind9 (Ubuntu)
     Importance: Undecided
         Status: New

You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to bind9 in Ubuntu.

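Added example (not part of the bug report or of the bind9/samba4 packages): the rules above were written by hand, but the same information is in the kernel audit log, where every blocked access by the confined named shows up as an apparmor="DENIED" line naming the profile, the path and the denied permission letters. The script below turns such lines for one profile into AppArmor file rules, merging the masks seen for the same path (a zone file denied first for r and later for w becomes one "rw" rule). The audit lines, the SAMDOM.EXAMPLE.COM zone name and the PIDs are constructed for the example; the AppArmor log format and permission letters are real. apparmor-utils ships aa-logprof, which does this properly and interactively; this is a minimal stand-in to show what it is doing.

```shell
#!/bin/sh
# Added example (not from the bug report): turn AppArmor DENIED audit
# lines for one profile into file rules, merging the denied permission
# letters per path. Minimal illustration of what aa-logprof does.

# Constructed sample audit log (not captured from a real system). On
# Ubuntu these lines land in /var/log/kern.log or, with auditd running,
# in /var/log/audit/audit.log.
SAMPLE_DENIALS='type=AVC msg=audit(1328890946.123:45): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/named" name="/var/lib/samba/private/named.conf" pid=1234 comm="named" requested_mask="r" denied_mask="r" fsuid=105 ouid=0
type=AVC msg=audit(1328890946.124:46): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/named" name="/var/lib/samba/private/dns/SAMDOM.EXAMPLE.COM.zone" pid=1234 comm="named" requested_mask="r" denied_mask="r" fsuid=105 ouid=105
type=AVC msg=audit(1328890946.125:47): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/named" name="/var/lib/samba/private/dns/SAMDOM.EXAMPLE.COM.zone" pid=1234 comm="named" requested_mask="wc" denied_mask="wc" fsuid=105 ouid=105
type=AVC msg=audit(1328890946.126:48): apparmor="DENIED" operation="file_lock" parent=1 profile="/usr/sbin/named" name="/var/lib/samba/private/dns.keytab" pid=1234 comm="named" requested_mask="k" denied_mask="k" fsuid=105 ouid=0
type=AVC msg=audit(1328890946.127:49): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/other" name="/etc/shadow" pid=99 comm="other" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'

# denials_to_rules PROFILE
# Reads audit lines on stdin and prints one "  path perms," rule per
# denied path belonging to PROFILE, sorted. Permission letters from
# several lines for the same path are merged, then normalised:
# create (c), delete (d) and append (a) all need w in a file rule;
# exec (x) is dropped because an x rule needs a qualifier (ix, Px, ...)
# that a log line cannot tell you.
denials_to_rules() {
  profile="$1"
  grep 'apparmor="DENIED"' \
    | grep "profile=\"$profile\"" \
    | sed -n 's/.*name="\([^"]*\)".*denied_mask="\([^"]*\)".*/\1 \2/p' \
    | awk '
        { mask[$1] = mask[$1] $2 }
        END {
          for (path in mask) {
            m = mask[path]
            gsub(/[acd]/, "w", m)
            out = ""
            # emit letters once each, in the order AppArmor rules use
            if (index(m, "r")) out = out "r"
            if (index(m, "w")) out = out "w"
            if (index(m, "m")) out = out "m"
            if (index(m, "k")) out = out "k"
            if (index(m, "l")) out = out "l"
            if (out != "") printf "  %s %s,\n", path, out
          }
        }' \
    | LC_ALL=C sort
}

# Stand-alone run: rules for the named profile only; the /usr/sbin/other
# denial is ignored.
printf '%s\n' "$SAMPLE_DENIALS" | denials_to_rules /usr/sbin/named
```

On a real host, feed it the log instead of the sample (grep 'apparmor=' /var/log/kern.log | denials_to_rules /usr/sbin/named), put the resulting lines into /etc/apparmor.d/local/usr.sbin.named where the packaged profile includes that file, or into the profile itself otherwise, and reload with apparmor_parser -r /etc/apparmor.d/usr.sbin.named. If the profile has been put into complain mode with aa-complain, the same lines are logged as apparmor="ALLOWED" rather than DENIED, so adjust the first grep. The output is one rule per exact path; widening a path to a glob, or a mask to include w on a directory such as /var/tmp, is a deliberate grant and worth a look at what the daemon actually creates there before it goes into the profile.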