When starting smbd/ nmbd with AppArmor enabled, creation of directories and files is denied. The rules in default profile enable it for /{,var/}run/samba/** whereas current package tries to write in /{,var/}run/lock/samba/**. In addition /{,var/}run/lock/samba/names.tdb rwk is necessary, to write database. Current (default) profile doesn't allow the latter at all (not matched by any of the patterns). Reproducible: Always Steps to Reproduce: 1. emerge apparmor + samba 2. enable apparmor (default profile) 3. start samba Actual Results: Samba fails to start, nmbd and smbd are not allowed to write to lock-directories. Expected Results: Samba starts successfully Copying the last blocks regarding lock-directories and adding /lock as level is sufficient.
Created attachment 573824 [details] emerge --info
In my case also smbXsrv_version_global.tdb was blocked: AVC apparmor="DENIED" operation="mknod" profile="smbd" name="/run/lock/samba/smbXsrv_version_global.tdb" pid=314283 comm="smbd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0 Replacing the suggested /{,var/}run/lock/samba/names.tdb rwk with /{,var/}run/lock/samba/*.tdb rwk was sufficient here to launch smb.service. I am running net-fs/samba-4.11.6-r2 with use flags "acl ads client cups ldap pam python system-mitkrb5 systemd winbind".
*** This bug has been marked as a duplicate of bug 723316 ***