Samba AD and Bind

[Andrew Bartlett]

On Fri, 2017-08-04 at 11:42 +0200, Andreas Schneider wrote:
> Hi Andrew,
> 
> we have a bind_dlz module so that Bind can be used as a nameserver. The files 
> needed by bind (beside the module) are the tsig and config file.
> 
> Those are located in the Samba private directory!
> 
> Distributions limit the access to the private directory to root and give it 
> 0700 as the permissions.

This is the key I think.  Upstream that hasn't had 0700 protection ever
(for reasons I never understood at the time).  If distributors think
that is a good idea we should get that upstream, otherwise things like
this will keep happening. 

One other note in this space is that I have an upcoming work item to
have 'samba' run as non-root after binding to the sockets.  This will
complicate things here a little, so I just wanted to mention that in
advance.

For that, I'll find out much, much more about the real challenges once
I start coding :-)

Andrew Bartlett

> As the 'named' of bind needs to access to those files it wants access to the 
> private directory but it is not allowed.
> 
> I think if an external daemon wants to have access to some samba resources, 
> the private directory is the wrong place.
> 
> So instead of
> 
> ${LOCALSTATEDIR}/lib/samba/private
> 
> there should be probably
> 
> ${LOCALSTATEDIR}/lib/samba/bind_dns

That seems reasonable. 

Andrew Bartlett
-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba