[Samba] Samba 4 AD with Bind 9.9 dlz permission access to /var/lib/samba/private/

Chan Min Wai dcmwai at gmail.com
Thu Dec 26 11:48:32 MST 2013


Thanks for the info.

I think it would be a bigger problem
if bind is running in a chroot environment...

provided that bind would have no access to any of the files under
/var/lib/samba




On Fri, Dec 27, 2013 at 2:32 AM, Steve <steve at steve-ss.com> wrote:

> I think there is confusion because bind doesn't run as root. The op has
> correctly identified the files and directories within private that bind
> needs access to.  It now only remains to allow the bind user into private.
> As the op has it, only root has access. My argument as to 0755 on private
> are based upon a default source build and make install. I notice that the
> op has a non default location and so may need other security measures as
> well. The fact remains that if you are using bind, then the user running
> it must have access to private.
> Sorry about the top post. Android limitations.
> Steve
>
>
> Rowland Penny <rowlandpenny at googlemail.com> wrote:
>
> >On 26/12/13 15:43, Chan Min Wai wrote:
> >> Dear Steve,
> >>
> >> I think that is a bad idea as /var/lib/samba/private was supposed to hold
> >> something private for samba.
> >
> >Do you mean like the samba DNS zones and the keytab that is required to
> >alter it?
> >
> >> Like secret information security related LDAP/AD information
> >>
> >> Putting dns information there doesn't seem to be a good idea.
> >> (unless the dns information is part of LDAP or AD)
> >
> >The samba dns zones are part of AD.
> >
> >>
> >> And I do believe that it should be placed in /var/lib/samba/bind or some
> >> other place which is private for both of them.
> >>
> >
> >Just where would you put private info like the samba DNS zones etc.?
> >
> >If you have any problems about where to store stuff, I suggest that you
> >take it up with the Samba devs.
> >
> >Rowland
> >
> >> On Wed, Dec 25, 2013 at 9:17 PM, steve <steve at steve-ss.com> wrote:
> >>
> >>> On Wed, 2013-12-25 at 03:43 +0800, Chan Min Wai wrote:
> >>>> Dear all,
> >>>>
> >>>> Would like to ask for input on the following.
> >>>> When using with bind 9.9 with dlz module.
> >>>> It seems that we would have a permission issue where named would need
> >>>> to have access to
> >>>>
> >>>> /var/lib/samba/private/ for a few files.
> >>>> to be more precise it would be
> >>>>
> >>>> /var/lib/samba/private/dns (whole folder)
> >>>> /var/lib/samba/private/named.conf
> >>>> /var/lib/samba/private/named.conf.update
> >>>> /var/lib/samba/private/dns.keytab
> >>>>
> >>>> However as I can see private was 400...
> >>>> drwx------+  7 root root    4096 Dec 25 03:34 private
> >>> That seems very restrictive. We have a default source build
> >>> at /usr/local/samba with:
> >>> drwxr-xr-x  7 root root 4096 Dec 13 13:31 private
> >>>
> >>> That lets everyone in, then named has further access as you state.
> >>> HTH
> >>> Steve
> >>>
> >>>
> >
>

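The question the thread turns on is how to let the BIND user reach the four paths under private/ without opening the directory to everyone. The audit script below is an added example, not code from the thread or from Samba: it assumes the private directory is passed as its argument, checks only the paths the first post lists, and reports whether the directory is world-readable and whether each path carries an ACL entry (the `+` in the quoted `drwx------+` listing).

```shell
#!/bin/sh
# Added example (not from the thread or Samba): audit the Samba private
# directory before granting the BIND user access to it.
# Paths under private/ that BIND 9 with the Samba DLZ module needs to read
REQUIRED_PATHS="dns named.conf named.conf.update dns.keytab"
# mode_of PATH -> octal permission bits such as 700 (GNU stat, then BSD stat)
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}
# other_bits PATH -> last octal digit, i.e. the permissions for "other"
other_bits() {
    m=$(mode_of "$1")
    printf '%s' "${m#"${m%?}"}"
}
# world_readable PATH -> success when "other" has the read bit (digit >= 4)
world_readable() {
    [ "$(other_bits "$1")" -ge 4 ]
}
# has_acl PATH -> success when ls shows the '+' that marks an extended ACL,
# as in the "drwx------+" listing quoted in the thread
has_acl() {
    [ "$(ls -ld "$1" | cut -c11)" = "+" ]
}
# audit_private DIR -> 0 when DIR keeps "other" out and every required path
# exists, 1 otherwise; prints one line per finding
audit_private() {
    dir=$1; rc=0
    if world_readable "$dir"; then
        echo "WARN: $dir is world-readable (mode $(mode_of "$dir"))"
        rc=1
    fi
    if ! has_acl "$dir"; then
        echo "HINT: no ACL on $dir; prefer an ACL for the BIND user over a wider mode"
    fi
    for p in $REQUIRED_PATHS; do
        if [ ! -e "$dir/$p" ]; then
            echo "MISSING: $dir/$p"
            rc=1
        elif has_acl "$dir/$p"; then
            echo "OK: $dir/$p has an ACL entry"
        else
            echo "NOTE: $dir/$p relies on mode $(mode_of "$dir/$p") alone"
        fi
    done
    return $rc
}
```

Run it as `audit_private /var/lib/samba/private`; a non-zero exit means the directory is either world-readable or missing one of the paths named needs.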