[PATCH] Create a 'binddns dir' for files used by the bind_dlz module and named

Jeremy Allison jra at samba.org
Thu Aug 24 00:18:28 UTC 2017


On Thu, Aug 24, 2017 at 11:48:27AM +1200, Andrew Bartlett via samba-technical wrote:
> On Thu, 2017-08-24 at 11:29 +1200, Andrew Bartlett via samba-technical
> wrote:
> > On Thu, 2017-08-24 at 08:38 +1200, Andrew Bartlett via samba-
> > technical
> > wrote:
> > > On Wed, 2017-08-23 at 16:27 +0200, Andreas Schneider via samba-
> > > technical wrote:
> > > > Hi,
> > > > 
> > > > we have an issue that the files for bind are stored in the
> > > > private
> > > > directory. 
> > > > Distributions package the private directory normally with 0700
> > > > permissions. So 
> > > > 'named' of bind is not able to access the directory.
> > > > 
> > > > We should have a separate directory where bind is allowed to
> > > > enter
> > > > for 
> > > > security reasons!
> > > > 
> > > > The attached patchset adds a 'binddns dir' parameter which
> > > > normally
> > > > ends up 
> > > > with /var/lib/samba/bind-dns as the directory. The changes are
> > > > fully 
> > > > backwards-compatible and the installation can be upgraded using 
> > > > samba_upgradedns. Then the old files are removed!
> > > > 
> > > > 
> > > > We need this for Samba 4.7!
> > > 
> > > I like it.  Thanks for taking care not to break our upgrades.
> > > 
> > > I'll review more carefully and push when I get to work.
> > 
> > Reviewed-by: Andrew Bartlett <abartlet at samba.org>
> > 
> > Pushed!
> 
> This failed with:
> 
> [2(6)/2192 at 0s] samba.tests.docs
> UNEXPECTED(failure):
> samba.tests.docs.samba.tests.docs.SmbDotConfTests.test_default_s3(none)
> REASON: Exception: Exception: Traceback (most recent call last):
>   File
> "/memdisk/abartlet/a/b601740/samba/bin/python/samba/tests/docs.py",
> line 158, in test_default_s3
>     self._test_default(['bin/testparm'])
>   File
> "/memdisk/abartlet/a/b601740/samba/bin/python/samba/tests/docs.py",
> line 206, in _test_default
>     "Parameters that do not have matching defaults:"))
> AssertionError: Parameters that do not have matching defaults:
> 
>     binddns dir
>       Expected: /m/abartlet/a/b601740/prefix/samba/var/lib
>       Got:
> 
> Sorry,

Yeah, in patch #6 there also needs to be a:

$ git diff
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index d5b1c56e21e..42e579efcfd 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -550,6 +550,8 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
                         get_dyn_SMB_PASSWD_FILE());
        lpcfg_string_set(Globals.ctx, &Globals.private_dir,
                         get_dyn_PRIVATE_DIR());
+       lpcfg_string_set(Globals.ctx, &Globals.binddns_dir,
+                        get_dyn_BINDDNS_DIR());
 
        /* use the new 'hash2' method by default, with a prefix of 1 */
        lpcfg_string_set(Globals.ctx, &Globals.mangling_method, "hash2");
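
Review bot: the value returned by get_dyn_BINDDNS_DIR() in the two added lines of init_globals() should be confirmed against the documented default before this is folded into patch #6. The test_default_s3 failure quoted above shows an expected path ending in var/lib, while the cover letter names /var/lib/samba/bind-dns, and the test compares the documented default with what bin/testparm reports. A one-line comment above the new call, noting that this directory is kept apart from private_dir so that named can enter it while the private directory stays 0700, would also make the reason for the separate default clear to later readers.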

added I think...


