Samba AD and Bind
Andrew Bartlett
abartlet at samba.org
Tue Aug 8 10:01:32 UTC 2017
On Fri, 2017-08-04 at 11:42 +0200, Andreas Schneider wrote:
> Hi Andrew,
>
> we have a bind_dlz module so that Bind can be used as a nameserver. The files
> needed by bind (beside the module) are the tsig and config file.
>
> Those are located in the Samba private directory!
>
> Distributions limit the access to the private directory to root and give it
> 0700 as the permissions.
This is the key I think. Upstream that hasn't had 0700 protection ever
(for reasons I never understood at the time). If distributors think
that is a good idea we should get that upstream, otherwise things like
this will keep happening.

One other note in this space is that I have an upcoming work item to
have 'samba' run as non-root after binding to the sockets. This will
complicate things here a little, so I just wanted to mention that in
advance.

For that, I'll find out much, much more about the real challenges once
I start coding :-)

Andrew Bartlett

> As the 'named' of bind needs access to those files it wants access to the
> private directory but it is not allowed.
>
> I think if an external daemon wants to have access to some samba resources,
> the private directory is the wrong place.
>
> So instead of
>
> ${LOCALSTATEDIR}/lib/samba/private
>
> there should be probably
>
> ${LOCALSTATEDIR}/lib/samba/bind_dns

That seems reasonable.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
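The layout the thread converges on can be checked mechanically: the private directory stays owner-only (0700), while the files named needs live in a separate directory that the named group can read and search but that "other" cannot touch at all. The script below is an added example written for this page; it is not code from the thread, from Samba or from any distribution package. It builds two scratch trees and audits their modes only (group ownership, which the packager would set with chgrp, is not checked). The bind_dns path, the file names named.conf and dns.keytab and the use of a "named" group are assumptions.

```shell
#!/bin/sh
# Added example (not from the samba-technical thread or from Samba itself).
# Audits a Samba/Bind file layout: the Samba private directory must stay
# owner-only (0700); the files named needs (config fragment and TSIG/GSS key)
# live in a separate bind_dns directory that the named group can read but
# that is closed to everyone else. Paths and file names below are assumptions.

# split_mode PATH: sets MODE (ls-style, 10 chars), GROUP_BITS and OTHER_BITS
split_mode() {
    MODE=$(ls -ld "$1" | cut -c1-10)
    GROUP_BITS=$(printf '%s' "$MODE" | cut -c5-7)
    OTHER_BITS=$(printf '%s' "$MODE" | cut -c8-10)
}

# private_dir_issue DIR: prints a reason if DIR is not owner-only, else nothing
private_dir_issue() {
    split_mode "$1"
    case "$GROUP_BITS$OTHER_BITS" in
        ------) ;;
        *) echo "not owner-only ($MODE)" ;;
    esac
}

# bind_dir_issue DIR: named's group needs r-x to open files inside; others get nothing
bind_dir_issue() {
    split_mode "$1"
    if [ "$OTHER_BITS" != "---" ]; then
        echo "accessible to others ($MODE)"
    elif [ "$GROUP_BITS" != "r-x" ]; then
        echo "named group needs r-x, has $GROUP_BITS ($MODE)"
    fi
}

# bind_file_issue FILE: named's group needs read-only access; others get nothing
bind_file_issue() {
    split_mode "$1"
    if [ "$OTHER_BITS" != "---" ]; then
        echo "accessible to others ($MODE)"
    elif [ "$GROUP_BITS" != "r--" ]; then
        echo "named group needs r--, has $GROUP_BITS ($MODE)"
    fi
}

# report LABEL ISSUE: prints one line and bumps the global problem counter
report() {
    if [ -n "$2" ]; then
        echo "problem: $1: $2"
        problems=$((problems + 1))
    else
        echo "ok: $1"
    fi
}

# audit_layout PRIVATE_DIR BIND_DIR: return value is the number of problems found
# (0 means the layout matches the split proposed in the thread)
audit_layout() {
    problems=0
    report "$1" "$(private_dir_issue "$1")"
    report "$2" "$(bind_dir_issue "$2")"
    for f in "$2"/*; do
        [ -f "$f" ] || continue
        report "$f" "$(bind_file_issue "$f")"
    done
    return "$problems"
}

# make_layout ROOT BIND_DIR_MODE CONF_MODE KEY_MODE: constructed scratch tree with an
# owner-only private directory and a bind_dns directory at the requested modes
make_layout() {
    mkdir -p "$1/private" "$1/bind_dns"
    chmod 0700 "$1/private"
    : > "$1/private/secrets.ldb"        # stand-in for Samba's own private files
    chmod 0600 "$1/private/secrets.ldb"
    : > "$1/bind_dns/named.conf"        # config fragment named includes (assumed name)
    : > "$1/bind_dns/dns.keytab"        # key file named reads (assumed name)
    chmod "$2" "$1/bind_dns"
    chmod "$3" "$1/bind_dns/named.conf"
    chmod "$4" "$1/bind_dns/dns.keytab"
}

# demo: the proposed layout audits clean; a careless one (world-searchable directory,
# world-readable config, key file named cannot read) yields three problems
demo() {
    root=$(mktemp -d)
    make_layout "$root/good" 0750 0640 0640
    make_layout "$root/bad" 0755 0644 0600
    echo "== proposed layout =="
    audit_layout "$root/good/private" "$root/good/bind_dns"
    echo "== careless layout =="
    audit_layout "$root/bad/private" "$root/bad/bind_dns" || echo "$? problem(s)"
    rm -rf "$root"
}
demo
```

Run it as any user; it only touches a temporary directory. The mode string is parsed from ls -ld rather than stat so the script behaves the same on GNU and BSD userlands.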