Ubuntu Version:
Ubuntu 25.04
Desktop Environment (if applicable):
Running xfce
Problem Description:
Users cannot download files via a browser running from flatpak (probably snap as well, yet to be tested).
System logs indicate an apparmor profile blocking fusermount3 from accessing winbind’s pipe;
it is probably trying to look up the current user’s identity.
Running aa-teardown in the session as a sudo user did not help, and created a new issue where “userns_create” fails.
Relevant System Information:
Users are authenticated from a Samba AD DC via pam-winbind, and their homes are mounted via NFS with the help of autofs.
Users are added to the system’s security groups via the following entries in /etc/security/groups.conf:
*;*;%domain admins;Al0000-2400;plugdev, cdrom, users, adm, dip, sudo
*;*;%domain users;Al0000-2400;plugdev, cdrom, users, dip
Error Messages:
An affected computer in the lab has produced the following errors:
linuxdesktop2 kernel: audit: type=1400 audit(1759758042.410:198): apparmor="DENIED" operation="connect" class="file" profile="fusermount3" name="/run/samba/winbindd/pipe" pid=5925 comm="fusermount3" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
linuxdesktop2 kernel: audit: type=1400 audit(1759758042.434:199): apparmor="DENIED" operation="connect" class="file" profile="fusermount3" name="/run/samba/winbindd/pipe" pid=5935 comm="fusermount3" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
linuxdesktop2 xdg-document-portal[5936]: fusermount3: could not determine username
What I’ve Tried:
Trying to use the “aa-teardown” command resulted in the following error message after trying to run the chromium browser:
linuxdesktop2 kernel: audit: type=1400 audit(1759760001.597:332): apparmor="DENIED" operation="userns_create" class="namespace" info="Userns create restricted - failed to find unprivileged_userns profile" error=-13 profile="unconfined" pid=1855 comm="bwrap" requested="userns_create" denied="userns_create" target="unprivileged_userns"
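A small triage script for the denials quoted in the post, as an added example that is not part of the original post: it parses AppArmor `DENIED` audit records and groups them by profile, command, operation, object and denied permission. The log lines are copied from the post; the function names are this example's own.

```python
import re
from collections import Counter

# Log lines copied from the post above; the third is a non-audit line.
SAMPLE_LOG = r'''
linuxdesktop2 kernel: audit: type=1400 audit(1759758042.410:198): apparmor="DENIED" operation="connect" class="file" profile="fusermount3" name="/run/samba/winbindd/pipe" pid=5925 comm="fusermount3" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
linuxdesktop2 kernel: audit: type=1400 audit(1759758042.434:199): apparmor="DENIED" operation="connect" class="file" profile="fusermount3" name="/run/samba/winbindd/pipe" pid=5935 comm="fusermount3" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
linuxdesktop2 xdg-document-portal[5936]: fusermount3: could not determine username
linuxdesktop2 kernel: audit: type=1400 audit(1759760001.597:332): apparmor="DENIED" operation="userns_create" class="namespace" info="Userns create restricted - failed to find unprivileged_userns profile" error=-13 profile="unconfined" pid=1855 comm="bwrap" requested="userns_create" denied="userns_create" target="unprivileged_userns"
'''

# key=value pairs; a value is either "quoted" (may contain spaces) or a bare token.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_denial(line):
    """Return the fields of one AppArmor DENIED audit record, or None."""
    if 'apparmor="DENIED"' not in line:
        return None
    fields = {}
    for key, raw, quoted in FIELD_RE.findall(line):
        fields[key] = quoted if raw.startswith('"') else raw
    return fields


def summarize(log_text):
    """Count denials per (profile, comm, operation, object, denied permission)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_denial(line)
        if rec is None:
            continue
        # class="file" records carry name/denied_mask;
        # class="namespace" records carry target/denied instead.
        obj = rec.get("name") or rec.get("target", "?")
        perm = rec.get("denied_mask") or rec.get("denied", "?")
        key = (rec.get("profile", "?"), rec.get("comm", "?"),
               rec.get("operation", "?"), obj, perm)
        counts[key] += 1
    return counts


if __name__ == "__main__":
    for (profile, comm, op, obj, perm), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n}x profile={profile} comm={comm} op={op} object={obj} denied={perm}")
```
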