Samba AD and Bind

Andrew Bartlett abartlet at
Tue Aug 8 10:01:32 UTC 2017

On Fri, 2017-08-04 at 11:42 +0200, Andreas Schneider wrote:
> Hi Andrew,
> we have a bind_dlz module so that Bind can be used as a nameserver. The files 
> needed by bind (beside the module) are the tsig and config file.
> Those are located in the Samba private directory!
> Distributions limit the access to the private directory to root and give it 
> 0700 as the permissions.

This is the key I think.  Upstream that hasn't had 0700 protection ever
(for reasons I never understood at the time).  If distributors think
that is a good idea we should get that upstream, otherwise things like
this will keep happening. 

One other note in this space is that I have an upcoming work item to
have 'samba' run as non-root after binding to the sockets.  This will
complicate things here a little, so I just wanted to mention that in

For that, I'll find out much, much more about the real challenges once
I start coding :-)

Andrew Bartlett

> As the 'named' of bind needs to access to those files it wants access to the 
> private directory but it is not allowed.
> I think if an external daemon wants to have access to some samba resources, 
> the private directory is the wrong place.
> So instead of
> ${LOCALSTATEDIR}/lib/samba/private
> there should be probably
> ${LOCALSTATEDIR}/lib/samba/bind_dns

That seems reasonable. 

Andrew Bartlett
Andrew Bartlett
Authentication Developer, Samba Team
Samba Developer, Catalyst IT
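The split Andreas proposes (Samba secrets stay in a root-only private directory, while the files named needs live in a separate, group-readable directory) can be modelled and checked with a few lines of shell. The script below is an added example, not code from the thread or from the Samba project: the `bind_dns` directory name comes from the message above, the file names `named.conf` and `dns.keytab` are placeholders, the 0750/0640 modes are an assumed policy, and `stat -c` assumes GNU coreutils on Linux.

```shell
#!/bin/sh
# Added example (not from the Samba thread): model the proposed layout
#   <base>/private/   0700  root-only Samba secrets stay here
#   <base>/bind_dns/  0750  separate directory that 'named' can enter
# and check that neither the private directory nor the bind files are
# readable by "other". Directory and file names are assumptions.

# Print the octal permission bits of a path (GNU stat).
mode_of() {
    stat -c '%a' "$1"
}

# Return 0 if the layout under $1 matches the intended policy,
# otherwise print the first violation and return 1.
check_layout() {
    base="$1"
    [ "$(mode_of "$base/private")" = "700" ] || {
        echo "private dir must be 0700, got $(mode_of "$base/private")"
        return 1
    }
    # Placeholder file names; the real ones are whatever bind_dlz ships.
    for f in bind_dns bind_dns/named.conf bind_dns/dns.keytab; do
        m=$(mode_of "$base/$f")
        # A non-zero "other" digit means anyone on the box can read it.
        case "$m" in
            *[1-7]) echo "$f is world-accessible ($m)"; return 1 ;;
        esac
    done
    return 0
}

# Build a throwaway layout in a temp dir for demonstration.
# $1 is the mode to give the private directory (700 = good, 755 = bad).
make_demo_layout() {
    base=$(mktemp -d)
    mkdir -m "$1" "$base/private"
    mkdir -m 750 "$base/bind_dns"
    # umask 027 gives the bind files 0640: owner rw, group r, other nothing.
    (umask 027; : > "$base/bind_dns/named.conf"; : > "$base/bind_dns/dns.keytab")
    echo "$base"
}

# Usage: check_layout "$(make_demo_layout 700)" && echo "layout OK"
```

In production the group owner of `bind_dns` would be the group named runs as, so named can read its TSIG key and config without the private directory ever being opened up past 0700.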
