Your submission was sent successfully! Close

Thank you for contacting us. A member of our team will be in touch shortly. Close

You have successfully unsubscribed! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates about Ubuntu and upcoming events where you can meet our team.Close

Samba AppArmor profile

Note:
This documentation has moved to a new home! Please update your bookmarks to the new URL for the up-to-date version of this page.

Ubuntu comes with the AppArmor security module, which provides mandatory access controls. The default AppArmor profile for Samba may need to be adapted to your configuration. More details on using AppArmor can be found in this guide.

There are default AppArmor profiles for /usr/sbin/smbd and /usr/sbin/nmbd, the Samba daemon binaries, as part of the apparmor-profiles package.

Install apparmor-profiles

To install the package, enter the following command from a terminal prompt:

sudo apt install apparmor-profiles apparmor-utils

Note:
This package contains profiles for several other binaries.

AppArmor profile modes

By default, the profiles for smbd and nmbd are set to ‘complain’ mode. In this mode, Samba can work without modifying the profile, and only logs errors or violations. There is no need to add exceptions for the shares, as the smbd service unit takes care of doing that automatically via a helper script.

This is what an ALLOWED message looks like. It means that, were the profile not in complain mode, this action would have been denied instead (formatted into multiple lines here for better visibility):

Jun 30 14:41:09 ubuntu kernel: [  621.478989] audit: 
type=1400 audit(1656600069.123:418):
apparmor="ALLOWED" operation="exec" profile="smbd"
name="/usr/lib/x86_64-linux-gnu/samba/samba-bgqd" pid=4122 comm="smbd"
requested_mask="x" denied_mask="x" fsuid=0 ouid=0
target="smbd//null-/usr/lib/x86_64-linux-gnu/samba/samba-bgqd" 

The alternative to ‘complain’ mode is ‘enforce’ mode, where any operations that violate policy are blocked. To place the profile into enforce mode and reload it, run:

sudo aa-enforce /usr/sbin/smbd
sudo apparmor_parser -r -W -T /etc/apparmor.d/usr.sbin.smbd

It’s advisable to monitor /var/log/syslog for audit entries that contain AppArmor DENIED messages, or /var/log/audit/audit.log if you are running the auditd daemon. Actions blocked by AppArmor may surface as odd or unrelated errors in the application.

Further reading:

  • For more information on how to use AppArmor, including details of the profile modes, the Debian AppArmor guide may be helpful.

This page was last modified 3 months ago. Help improve this document in the forum.