Samba AD and Bind
Andreas Schneider
asn at samba.org
Tue Aug 8 10:22:10 UTC 2017
On Tuesday, 8 August 2017 12:01:32 CEST Andrew Bartlett via samba-technical wrote:
> On Fri, 2017-08-04 at 11:42 +0200, Andreas Schneider wrote:
> > Hi Andrew,
> >
> > we have a bind_dlz module so that Bind can be used as a nameserver. The
> > files needed by bind (beside the module) are the tsig and config file.
> >
> > Those are located in the Samba private directory!
> >
> > Distributions limit the access to the private directory to root and give
> > it 0700 as the permissions.
>
> This is the key I think. Upstream that hasn't had 0700 protection ever
> (for reasons I never understood at the time). If distributors think
> that is a good idea we should get that upstream, otherwise things like
> this will keep happening.
Yes, I would also like to change it to 0700.
>
> > As the 'named' of bind needs access to those files, it wants access to
> > the private directory but it is not allowed.
> >
> > I think if an external daemon wants to have access to some samba
> > resources, the private directory is the wrong place.
> >
> > So instead of
> >
> > ${LOCALSTATEDIR}/lib/samba/private
> >
> > there should be probably
> >
> > ${LOCALSTATEDIR}/lib/samba/bind_dns
>
> That seems reasonable.
Ok, I will implement it that way. We should have that fixed in 4.7.
Andreas
--
Andreas Schneider GPG-ID: CC014E3D
Samba Team asn at samba.org
www.samba.org
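The layout agreed on in the thread, a root-only 0700 private directory next to a separate directory holding only what named must read, is easy to get wrong again after an upgrade or a package change. The following script is an added example, not code from this thread or from the Samba project: it checks that the private directory is exactly 0700 and that nothing under the bind directory is accessible to "other", so the daemon gets in through group membership only. The directory names, the file names in the demo and the use of a dedicated group for named are assumptions; it needs GNU `stat -c '%a'`.

```shell
#!/bin/sh
# Added example (not from the thread or from Samba). Verifies the split the
# message proposes: the private directory stays 0700, and the files for
# named(8) live in a separate directory readable by the daemon's group but
# not by "other". Directory and file names below are assumptions.
# Requires GNU stat.

# Print the octal permission bits of a path, e.g. 700 or 640.
path_mode() {
    stat -c '%a' "$1"
}

# Succeed only if the "other" class has no bits at all (octal mode ends in 0).
no_other_access() {
    case "$(path_mode "$1")" in
        *0) return 0 ;;
        *)  return 1 ;;
    esac
}

# The private directory must be exactly 0700, the protection discussed above.
check_private_dir() {
    [ -d "$1" ] || { echo "missing: $1"; return 1; }
    case "$(path_mode "$1")" in
        700) return 0 ;;
        *)   echo "private dir $1 is $(path_mode "$1"), expected 700"; return 1 ;;
    esac
}

# The bind directory and every file in it may grant group access (that is
# how named reads the tsig key and config) but must grant nothing to "other".
check_bind_dir() {
    [ -d "$1" ] || { echo "missing: $1"; return 1; }
    no_other_access "$1" || { echo "dir $1 is accessible by other"; return 1; }
    bind_rc=0
    for bind_f in "$1"/*; do
        [ -e "$bind_f" ] || continue      # empty directory: the glob did not expand
        no_other_access "$bind_f" || { echo "world-readable: $bind_f"; bind_rc=1; }
    done
    return $bind_rc
}

# Demonstration on a constructed temporary tree. On a real host the arguments
# would be the actual paths, e.g. under ${LOCALSTATEDIR}/lib/samba.
demo() {
    demo_root=$(mktemp -d)
    mkdir -m 0700 "$demo_root/private"
    mkdir -m 0750 "$demo_root/bind_dns"
    : > "$demo_root/private/sample.ldb";      chmod 0600 "$demo_root/private/sample.ldb"
    : > "$demo_root/bind_dns/named.conf";     chmod 0640 "$demo_root/bind_dns/named.conf"
    : > "$demo_root/bind_dns/named.tsig.key"; chmod 0640 "$demo_root/bind_dns/named.tsig.key"

    check_private_dir "$demo_root/private" && echo "private dir OK"
    check_bind_dir "$demo_root/bind_dns"   && echo "bind_dns dir OK"

    # A config file that became world-readable is reported (constructed case).
    chmod 0644 "$demo_root/bind_dns/named.conf"
    check_bind_dir "$demo_root/bind_dns" || echo "bind_dns dir needs fixing"

    rm -rf "$demo_root"
}

demo
```

Ownership is deliberately not checked here, so the script can run as an unprivileged user; on a real system the private directory should additionally be owned by root and the bind directory by root with the daemon's group.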