Arch Linux

Please read this before reporting a bug:

Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.

REPEAT: Do NOT report bugs for outdated packages!

FS#74614 - [apparmor] new profiles needed for samba-4.16

Attached to Project: Arch Linux
Opened by David Farmer (farmerdave) - Monday, 02 May 2022, 09:25 GMT
Last edited by Toolybird (Toolybird) - Thursday, 04 August 2022, 06:05 GMT
Task Type Bug Report
Category Packages: Extra
Status Closed
Assigned To David Runge (dvzrv)
Architecture x86_64
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 3
Private No


AppArmor profiles needs updating for samba 4.16. See

Whitelisting shares in /etc/apparmor.d/local/usr.sbin.smbd
no longer sufficient, still receive
"audit[332302]: AVC apparmor="DENIED" operation="exec" profile="smbd" name="/usr/lib/samba/samba/samba-dcerpcd" pid=332302 comm="smbd" requested_mask="x" denied_mask="x" fsuid=0 ouid=0"

Additional info:
apparmor 3.0.4-1
samba 4.16.0-6
"But even after pathing in, and, it will not work because the paths in the samba package ( differ from the ones in the profiles. It has e.g. /usr/lib/samba/samba/samba-dcerpcd instead of /usr/lib/samba/samba-dcerpcd."

Steps to reproduce:
Create a public samba share, whitelist in /etc/apparmor.d/local/usr.sbin.smbd and then attempt to lists public shares on server with
$ smbclient -L hostname -U%
No public shares are visible
This task depends upon

Closed by  Toolybird (Toolybird)
Thursday, 04 August 2022, 06:05 GMT
Reason for closing:  Fixed
Additional comments about closing:  @nl6720 says "Fixed in apparmor 3.0.6-1"
Comment by nl6720 (nl6720) - Tuesday, 03 May 2022, 13:02 GMT
Looks like the weird /usr/lib/samba/samba/ path is because of;a=commitdiff;h=4e174b5a0f42b042f363640d6b02ef6ba4e9883a. That could be adjusted by building samba with `--libexecdir=/usr/lib`.
Comment by Tolga Cakir (tolga9009) - Wednesday, 25 May 2022, 22:33 GMT
I can confirm the bug for a Windows 10 Pro 21H1 Client trying to access \\, which leads to a "Permission denied" error on the client-side and the mentioned audit logs in the bug report on the server-side. The client is still able to access shares directly via \\\Data. The same behavior can be observed under GNOME using gvfs-smb 1.50.1-1 and nautilus 42.1.1-1, where the client will repeatedly ask for the username / password, when trying to access smb://

Disabling apparmor e.g. via aa-teardown solves the issue for both clients. So, I can confirm this seems to be an AppArmor issue. //Edit: putting smbd into complain mode, without completely disabling AppArmor system-wide, also fixes the issues.

Besides the audit entry about samba-dcerpcd's path, I'm also getting another related entry:
Mai 26 00:15:36 ragnarok kernel: audit: type=1400 audit(1653516936.711:405): apparmor="DENIED" operation="rename_src" profile="smbd" name="/var/log/samba/log.smbd" pid=1617 comm="smbd" requested_mask="r" denied_mask="r" fsuid=724828160 ouid=724828160
Comment by nl6720 (nl6720) - Monday, 06 June 2022, 11:25 GMT
AppArmor merged to support the /usr/lib/samba/samba/ paths. Applying all the necessary patches on top of apparmor 3.0.4 is non-trivial, though.
Comment by nl6720 (nl6720) - Monday, 06 June 2022, 11:40 GMT Comment by nl6720 (nl6720) - Tuesday, 05 July 2022, 05:20 GMT
There's no new apparmor release in sight :(
Perhaps it would be best to patch 3.0.4.
Comment by nl6720 (nl6720) - Thursday, 04 August 2022, 05:48 GMT
This is fixed in apparmor 3.0.6-1.