Samba AD and Bind
Amitay Isaacs
amitay at gmail.com
Tue Aug 8 05:35:25 UTC 2017
On Tue, Aug 8, 2017 at 2:33 PM, Andrew Bartlett <abartlet at samba.org> wrote:
> On Tue, 2017-08-08 at 12:50 +1000, Amitay Isaacs via samba-technical
> wrote:
> > Hi Andreas,
> >
> > On Fri, Aug 4, 2017 at 7:42 PM, Andreas Schneider via samba-technical
> > <
> > samba-technical at lists.samba.org> wrote:
> >
> > > Hi Andrew,
> > >
> > > we have a bind_dlz module so that Bind can be used as a nameserver.
> > > The
> > > files
> > > needed by bind (beside the module) are the tsig and config file.
> > >
> > > Those are located in the Samba private directory!
> > >
> > > Distributions limit the access to the private directory to root and
> > > give it
> > > 0700 as the permissions.
> > >
> > > As the 'named' of bind needs to access to those files it wants
> > > access to
> > > the
> > > private directory but it is not allowed.
> > >
> > > I think if an external daemon wants to have access to some samba
> > > resources,
> > > the private directory is the wrong place.
> > >
> > > So instead of
> > >
> > > ${LOCALSTATEDIR}/lib/samba/private
> > >
> > > there should be probably
> > >
> > > ${LOCALSTATEDIR}/lib/samba/bind_dns
> > >
> > >
> > > and all the files required by bind should go there. Then we could
> > > give
> > > 'named'
> > > access to that directory!
> > >
> > > named:root with 0770 for the permissions ...
> > >
> >
> > It's a good idea to separate the files required for bind. However,
> > it has
> > to be done carefully.
> >
> > For dlz_bind module, provisioning creates a partial copy of samdb
> > with base
> > and domain
> > partitions. But the dns partitions are linked to the dns partitions
> > from
> > the main samdb.
> >
> > For named, to be able to access the dns partitions in private
> > directory
> > (via a link in
> > the separate bind_dns directory), the private directory needs to have
> > at
> > least execute
> > permission for others. That will indicate that you can change the
> > permissions for
> > the private directory to 0751 (or 0701 if you must).
>
> Is that correct? One of the tricks used here is the hard link, rather
> than a soft (symbolic) link, which should avoid that.
>
Yes, that's correct. I forgot about the hard links.
We can have private/ directory with 0700 permissions with root:root
ownership
and bind_dns/ directory with 0770 (or similar) with named:named ownership.
> > The other option could be to move sam.ldb* out of private/ directory
> > into
> > it's own
> > directory. That way private/ can be 0700. We still need to manage
> > the
> > permissions
> > for sam.ldb* files and the directory they are moved in, so named as
> > the
> > required access.
>
> I hope we can avoid that, but we should be clearer about what is
> private enough to be in there, and even what private means. 'private
> to samba scratch space' vs 'confidential data', as the two have been
> conflated on the AD DC.
>
Looks like the original idea will work, so we don't have to worry about
taking samdb out of private/ directory.
Amitay.
More information about the samba-technical
mailing list