[Samba] Samba4-AD - named.conf

nc-codewete at netcologne.de nc-codewete at netcologne.de
Mon Feb 14 13:34:57 MST 2011

Hello Matthieu,

here my settings:

chown bind.bind /usr/local/samba/private/dns.keytab;
chown bind.bind /usr/local/samba/private/named.conf;
chmod 644 /usr/local/samba/private/dns.keytab;
chmod 644 /usr/local/samba/private/named.conf;

This was the only changes.

I have checked the logs and found no errors about permissions-problems 
and no other errors.

It's this really a security-problem?

Many thanks


Am 14.02.2011 12:25, schrieb Matthieu Patou:
> On 14/02/2011 12:49, nc-codewete at netcologne.de wrote:
>> Hello Matthieu,
>> I followed exactly the steps of this howto, but when I checked the 
>> named.conf by "using named -d9 -g -c /etc/bind9/named.conf", I got a 
>> the error "failed to acquire accept credentials for 
>> DNS/samba.example.net: GSSAPI error: Major = Unspecified GSS failure. 
>> Minor code may provide more information, Minor = Permission denied.".
>> I had set the owner to bind:bind before I set the permisson 644 and 
>> it wasn't working well.
>> Now it's working all fine and by the way: Samba4 is a great work :o)
>> Also I never used Kerberos before and I'm now happy about this. It's 
>> just great!
> But in the same time you put your security at risk, what is the owner 
> of the bind process (ie. ps axu | grep bind), you should really 
> limitate the right to the bind user (or what ever is it called, also 
> you should check if the bind user has rights to go through the upper 
> directories).
> Matthieu.

More information about the samba mailing list