[Samba] Samba 4 AD with Bind 9.9 dlz permission access to /var/lib/samba/private/

Steve steve at steve-ss.com
Thu Dec 26 11:32:27 MST 2013


I think there is confusion because bind doesn't run as root. The OP has correctly identified the files and directories within private that bind needs access to. It now only remains to allow the bind user into private. As the OP has it, only root has access. My argument for 0755 on private is based upon a default source build and make install. I notice that the OP has a non-default location and so may need other security measures as well. The fact remains that if you are using bind, then the user running it must have access to private.
Sorry about the top post. Android limitations.
Steve


Rowland Penny <rowlandpenny at googlemail.com> wrote:

>On 26/12/13 15:43, Chan Min Wai wrote:
>> Dear Steve,
>>
>> I think that is a bad idea as /var/lib/samba/private was supposed to hold
>> something private for samba.
>
>Do you mean like the samba DNS zones and the keytab that is required to 
>alter it?
>
>> Like secret information security related LDAP/AD information
>>
>> Putting dns information doesn't seem to be a good idea.
>> (unless the dns information is part of LDAP or AD)
>
>The samba dns zones are part of AD.
>
>>
>> And I do believe that it should be placed in /var/lib/samba/bind or some
>> other place which is private for both of them.
>>
>
>Just where would you put private info like the samba DNS zones etc.?
>
>If you have any problems about where to store stuff, I suggest that you 
>take it up with the Samba devs.
>
>Rowland
>
>> On Wed, Dec 25, 2013 at 9:17 PM, steve <steve at steve-ss.com> wrote:
>>
>>> On Wed, 2013-12-25 at 03:43 +0800, Chan Min Wai wrote:
>>>> Dear all,
>>>>
>>>> Would like to ask for input on the following.
>>>> When using bind 9.9 with the dlz module.
>>>> It seems that we would have a permission issue where named would need to
>>>> have access to
>>>>
>>>> /var/lib/samba/private/ for a few files.
>>>> to be more precise it would be
>>>>
>>>> /var/lib/samba/private/dns (whole folder)
>>>> /var/lib/samba/private/named.conf
>>>> /var/lib/samba/private/named.conf.update
>>>> /var/lib/samba/private/dns.keytab
>>>>
>>>> However as I can see private was 400...
>>>> drwx------+  7 root root    4096 Dec 25 03:34 private
>>> That seems very restrictive. We have a default source build
>>> at /usr/local/samba with:
>>> drwxr-xr-x  7 root root 4096 Dec 13 13:31 private
>>>
>>> That lets everyone in, then named has further access as you state.
>>> HTH
>>> Steve
>>>
>>>
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>
>


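The two directory modes argued over in this thread, as an added example that is not part of the thread or of Samba. It rebuilds the /var/lib/samba/private layout the OP lists in a scratch directory (a constructed sample, not real Samba data) and counts how many of the four paths named needs could be reached by a user that is neither root nor in root's group, first with the OP's drwx------ (0700) and then with Steve's drwxr-xr-x (0755). The modes of the files inside the directory are assumptions for the demo; the thread does not show them.

```shell
#!/bin/sh
# Added example, not from the thread. Scratch copy of the private/ layout the
# OP lists, plus a mode-bit check for a user outside the owner and group.
set -eu

# Paths inside private that the OP says named needs.
NEEDED="dns named.conf named.conf.update dns.keytab"

# mode_of PATH: octal permission bits (GNU stat; BSD stat fallback).
mode_of() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# other_can_traverse DIR: succeeds when "other" has the execute bit on DIR,
# i.e. a user outside the owner and group can enter it at all.
other_can_traverse() {
  o=$(( $(mode_of "$1") % 10 ))   # last octal digit = "other" bits
  [ $(( o & 1 )) -eq 1 ]
}

# reachable_count PRIVDIR: how many NEEDED entries "other" can use (enter for
# the dns directory, read for the files). Nothing is reachable unless the
# private directory itself can be traversed, which is the OP's problem.
reachable_count() {
  dir=$1; n=0
  if other_can_traverse "$dir"; then
    for f in $NEEDED; do
      o=$(( $(mode_of "$dir/$f") % 10 ))
      if [ -d "$dir/$f" ]; then bit=1; else bit=4; fi   # x for dirs, r for files
      if [ $(( o & bit )) -ne 0 ]; then n=$(( n + 1 )); fi
    done
  fi
  echo "$n"
}

# make_private MODE: scratch copy of the layout with the private dir set to
# MODE. Inner modes are assumptions for the demo: dns/ and the named.conf
# files world-readable, dns.keytab owner-only (constructed, not from the OP).
make_private() {
  d=$(mktemp -d)
  mkdir "$d/dns"
  : > "$d/named.conf"
  : > "$d/named.conf.update"
  : > "$d/dns.keytab"
  chmod 755 "$d/dns"
  chmod 644 "$d/named.conf" "$d/named.conf.update"
  chmod 600 "$d/dns.keytab"
  chmod "$1" "$d"
  echo "$d"
}

# Stand-alone demo: the two directory modes from the thread side by side.
for mode in 700 755; do
  p=$(make_private "$mode")
  echo "private mode $mode: $(reachable_count "$p") of 4 needed paths reachable by others"
  rm -rf "$p"
done
```

With the OP's 0700 nothing inside is reachable no matter how the files are set, which is why named cannot start; with 0755 the directory lets every local account in and the per-file modes then decide, so a keytab kept owner-only stays out of reach of named too. The `+` at the end of the OP's listing indicates an ACL is already present on that directory, so granting only the bind user traversal via an ACL or a shared group, rather than opening the directory to others, is the narrower option to consider.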