[Samba] Samba 4 AD with Bind 9.9 dlz permission access to /var/lib/samba/private/

Rowland Penny rowlandpenny at googlemail.com
Thu Dec 26 09:46:02 MST 2013

On 26/12/13 15:43, Chan Min Wai wrote:
> Dear Steve,
> I think that is a bad idea, as /var/lib/samba/private was supposed to hold
> something private for samba.

Do you mean like the samba DNS zones and the keytab that is required to 
alter it?

> Like secret, security-related LDAP/AD information.
> Putting DNS information there doesn't seem like a good idea
> (unless the DNS information is part of LDAP or AD).

The samba dns zones are part of AD.

> And I do believe that it should be placed in /var/lib/samba/bind or some
> other place which is private for both of them.

Just where would you put private info like the samba DNS zones etc.?

If you have any problems with where stuff is stored, I suggest that you 
take it up with the Samba devs.


> On Wed, Dec 25, 2013 at 9:17 PM, steve <steve at steve-ss.com> wrote:
>> On Wed, 2013-12-25 at 03:43 +0800, Chan Min Wai wrote:
>>> Dear all,
>>> Would like to ask for input on the following.
>>> When using bind 9.9 with the dlz module, it seems that we have a
>>> permission issue where named would need access to
>>> /var/lib/samba/private/ for a few files.
>>> To be more precise, it would be:
>>> /var/lib/samba/private/dns (whole folder)
>>> /var/lib/samba/private/named.conf
>>> /var/lib/samba/private/named.conf.update
>>> /var/lib/samba/private/dns.keytab
>>> However, as far as I can see, private was 400...
>>> drwx------+  7 root root    4096 Dec 25 03:34 private
>> That seems very restrictive. We have a default source build
>> at /usr/local/samba with:
>> drwxr-xr-x  7 root root 4096 Dec 13 13:31 private
>> That lets everyone in; named then has further access, as you state.
>> HTH
>> Steve
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
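The thread contrasts a 0700 private/ directory (with a trailing + on the listing, ls's indicator that an extended ACL is also attached) against a 0755 source build that "lets everyone in". The script below is an added example, not code from this thread, from Samba or from BIND: it lays out the files the original post names so that the BIND group can reach exactly those paths, while secrets.ldb, sam.ldb and the other keytabs stay closed to it and nothing under private/ is world-accessible. It uses plain group bits (search-only on the directory, 0710) rather than ACLs so it works on any filesystem. It assumes Linux with GNU coreutils/findutils, that BIND runs in a group called "named" (passed as a parameter), and the file layout quoted above; the sample tree it builds for testing is constructed here and contains empty placeholder files.

```shell
#!/bin/sh
# Added example (not from the thread, Samba or BIND): least-privilege
# permissions for the files the dlz_bind9 module must reach under
# /var/lib/samba/private/. Assumes GNU stat/find and BIND running as a
# group whose name is passed in (e.g. "named"). chown only runs as root.
set -u

# Octal permission bits of a path (GNU stat).
mode_of() { stat -c '%a' "$1"; }

# Build a throwaway tree with the layout from the original post so the
# functions below can be exercised offline. Files are empty placeholders,
# started out permissive like the 0755 source build described in the thread.
# Prints the path of the constructed private/ directory.
make_sample_tree() {
  root="$1"
  mkdir -p "$root/private/dns/sam.ldb.d"
  for f in secrets.ldb sam.ldb secrets.keytab dns.keytab named.conf \
           named.conf.update dns/sam.ldb dns/sam.ldb.d/DC=DOMAINDNSZONES.ldb; do
    : > "$root/private/$f"
  done
  chmod -R u+rwX,go+rX "$root/private"
  echo "$root/private"
}

# Apply the least-privilege layout. $1 = private dir, $2 = BIND's group.
harden_dlz_perms() {
  priv="$1"; grp="$2"
  # Start with everything under private/ closed to group and world.
  chmod -R go-rwx "$priv"
  # Group gets search (x) but not read (r) on private/ itself: named can
  # traverse to paths it has been told about, but cannot list or open
  # secrets.ldb, sam.ldb, secrets.keytab or anything else in here.
  chmod 0710 "$priv"
  # Read-only inputs for named.
  chmod 0640 "$priv/dns.keytab" "$priv/named.conf" "$priv/named.conf.update"
  # The dlz module updates the DNS partitions, so the dns/ tree is
  # group read/write: directories 0770, files 0660.
  find "$priv/dns" -type d -exec chmod 0770 {} +
  find "$priv/dns" -type f -exec chmod 0660 {} +
  if [ "$(id -u)" = 0 ]; then
    chown root:"$grp" "$priv" "$priv/dns.keytab" "$priv/named.conf" \
                      "$priv/named.conf.update"
    chown -R root:"$grp" "$priv/dns"
  else
    echo "not root: skipping chown root:$grp (mode bits set, ownership unchanged)" >&2
  fi
}

# Fail (return 1) if anything under private/ has any world (other) bit set.
audit_private() {
  priv="$1"
  bad=$(find "$priv" -perm /007)
  if [ -n "$bad" ]; then
    echo "world-accessible paths under $priv:" >&2
    echo "$bad" >&2
    return 1
  fi
  return 0
}

# List every path under private/ that the group can read, write or search;
# after hardening this should be only the dlz-related paths.
group_reachable() { find "$1" -perm /070 | sort; }

# Usage on a real DC, as root, e.g. for the source build from the thread:
#   harden_dlz_perms /usr/local/samba/private named
#   audit_private /usr/local/samba/private && group_reachable /usr/local/samba/private
```

Run as root on the DC the two chown lines do the group assignment; run unprivileged, as in the test below, only the mode bits are set, which is enough to see what the group could and could not reach. After hardening, group_reachable should list only private/ itself, the three named.conf*/dns.keytab files and the dns/ subtree.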
