Samba AD and Bind

[Amitay Isaacs]

Hi Andreas,

On Fri, Aug 4, 2017 at 7:42 PM, Andreas Schneider via samba-technical <
samba-technical at lists.samba.org> wrote:

> Hi Andrew,
>
> we have a bind_dlz module so that Bind can be used as a nameserver. The
> files
> needed by bind (beside the module) are the tsig and config file.
>
> Those are located in the Samba private directory!
>
> Distributions limit the access to the private directory to root and give it
> 0700 as the permissions.
>

> As the 'named' of bind needs to access to those files it wants access to
> the
> private directory but it is not allowed.
>
> I think if an external daemon wants to have access to some samba resources,
> the private directory is the wrong place.
>
> So instead of
>
> ${LOCALSTATEDIR}/lib/samba/private
>
> there should be probably
>
> ${LOCALSTATEDIR}/lib/samba/bind_dns
>
>
> and all the files required by bind should go there. Then we could give
> 'named'
> access to that directory!
>
> named:root with 0770 for the permissions ...
>

It's a good idea to separate the files required for bind.  However, it has
to be done carefully.

For dlz_bind module, provisioning creates a partial copy of samdb with base
and domain
partitions.  But the dns partitions are linked to the dns partitions from
the main samdb.

For named, to be able to access the dns partitions in private directory
(via a link in
the separate bind_dns directory), the private directory needs to have at
least execute
permission for others.  That will indicate that you can change the
permissions for
the private directory to 0751 (or 0701 if you must).

The other option could be to move sam.ldb* out of private/ directory into
it's own
directory.  That way private/ can be 0700.  We still need to manage the
permissions
for sam.ldb* files and the directory they are moved in, so named as the
required access.

Amitay.