[Samba] Samba 4 AD with Bind 9.9 dlz permission access to /var/lib/samba/private/

Steve steve at steve-ss.com
Thu Dec 26 12:12:24 MST 2013


I wouldn't know where to start in a chroot. That is the default on many distros so it will be interesting to see how they cope with Samba4 as a dc. Unless private goes to jail too maybe? Can you symlink outside a chroot? Better shut up now. Sounds scary.

Steve


Chan Min Wai <dcmwai at gmail.com> wrote:

>Thanks for the info.
>
>I think it would be a bigger problem...
>If bind is running in a chroot environment...
>
>Provided that bind would have no access to any of the files under
>/var/lib/samba
>
>
>
>
>On Fri, Dec 27, 2013 at 2:32 AM, Steve <steve at steve-ss.com> wrote:
>
>> I think there is confusion because bind doesn't run as root. The op has
>> correctly identified the files and directories within private that bind
>> needs access to.  It now only remains to allow the bind user into private.
>> As the op has it, only root has access. My argument as to 0755 on private
>> is based upon a default source build and make install. I notice that the
>> op has a non default location and so may need other security measures as
>> well. The fact remains that if you are using bind, then the user running
>> it must have access to private.
>> Sorry about the top post. Android limitations.
>> Steve
>>
>>
>> Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>
>> >On 26/12/13 15:43, Chan Min Wai wrote:
>> >> Dear Steve,
>> >>
>> >> I think that is a bad idea as /var/lib/samba/private was supposed to hold
>> >> something private for samba.
>> >
>> >Do you mean like the samba DNS zones and the keytab that is required to
>> >alter it?
>> >
>> >> Like secret information security related LDAP/AD information
>> >>
>> >> Putting dns information doesn't seem to be a good idea.
>> >> (unless the dns information are part of LDAP or AD)
>> >
>> >The samba dns zones are part of AD.
>> >
>> >>
>> >> And I do believe that it should be placed in /var/lib/samba/bind or some
>> >> other place which is private for both of them.
>> >>
>> >
>> >Just where would you put private info like the samba DNS zones etc.?
>> >
>> >If you have any problems about where to store stuff, I suggest that you
>> >take it up with the Samba devs.
>> >
>> >Rowland
>> >
>> >> On Wed, Dec 25, 2013 at 9:17 PM, steve <steve at steve-ss.com> wrote:
>> >>
>> >>> On Wed, 2013-12-25 at 03:43 +0800, Chan Min Wai wrote:
>> >>>> Dear all,
>> >>>>
>> >>>> Would like to ask for input on the following.
>> >>>> When using with bind 9.9 with dlz module.
>> >>>> It seems that we would have a permission issue where named would need to
>> >>>> have access to
>> >>>>
>> >>>> /var/lib/samba/private/ for a few files.
>> >>>> to be more precise it would be
>> >>>>
>> >>>> /var/lib/samba/private/dns (whole folder)
>> >>>> /var/lib/samba/private/named.conf
>> >>>> /var/lib/samba/private/named.conf.update
>> >>>> /var/lib/samba/private/dns.keytab
>> >>>>
>> >>>> However as I can see private was 400...
>> >>>> drwx------+  7 root root    4096 Dec 25 03:34 private
>> >>> That seems very restrictive. We have a default source build
>> >>> at /usr/local/samba with:
>> >>> drwxr-xr-x  7 root root 4096 Dec 13 13:31 private
>> >>>
>> >>> That lets everyone in, then named has further access as you state.
>> >>> HTH
>> >>> Steve
>> >>>
>> >>>
>> >
>>
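Added example, my own code rather than anything from the thread or from Samba: a model of the POSIX.1e ACL access check (owner, named-user entry, group entries capped by the mask, other) plus directory traversal, run over three constructed layouts of the paths the OP listed, so you can compare the OP's 0700 private/, the 0755 suggested in the thread, and an ACL that admits only the named user. The modes on dns.keytab and named.conf, and the `named` and `nobody` users, are assumptions; the thread only gives the mode of private/ itself.

```python
"""Which of the OP's files under private/ can a given user read?
POSIX.1e ACL access check (owner, u: entry, group entries capped by mask, other)
plus directory traversal, run over three constructed layouts. File modes below
private/ are assumptions, not taken from the thread."""
from functools import reduce
R, W, X = 4, 2, 1

def parse_mode(s):
    """'rwxr-x---' -> (owner, group, other) permission digits."""
    return tuple(sum(v for c, v in zip(s[i:i + 3], (R, W, X)) if c != '-')
                 for i in (0, 3, 6))

class Node:
    def __init__(self, mode, owner='root', group='root', acl=None):
        self.o, self.g, self.other = parse_mode(mode)
        self.owner, self.group = owner, group
        self.acl = acl or {}   # getfacl-style, e.g. {'u:named': X, 'mask': X}

def perms(node, user, groups):
    """First matching class wins; u:/g: ACL entries are capped by the mask."""
    mask = node.acl.get('mask', 7)
    if user == node.owner:
        return node.o
    if f'u:{user}' in node.acl:
        return node.acl[f'u:{user}'] & mask
    hits = [node.g & mask] if node.group in groups else []
    hits += [p & mask for k, p in node.acl.items() if k[:2] == 'g:' and k[2:] in groups]
    return reduce(lambda a, b: a | b, hits) if hits else node.other

def can_read(tree, path, user, groups=()):
    """True if user can search every parent directory and read the leaf."""
    parts = path.strip('/').split('/')
    for i in range(1, len(parts)):
        if not perms(tree['/' + '/'.join(parts[:i])], user, groups) & X:
            return False
    return bool(perms(tree[path], user, groups) & R)

PRIVATE = '/var/lib/samba/private'
def layout(private_mode, private_acl=None, keytab_acl=None):
    """Constructed tree; only private/ and the keytab differ between layouts."""
    return {'/var': Node('rwxr-xr-x'), '/var/lib': Node('rwxr-xr-x'),
            '/var/lib/samba': Node('rwxr-xr-x'), PRIVATE: Node(private_mode, acl=private_acl),
            PRIVATE + '/dns.keytab': Node('rw-------', acl=keytab_acl),  # assumed 0600
            PRIVATE + '/named.conf': Node('rw-r--r--')}                   # assumed 0644

def audit(tree, user, groups=()):
    """Map each file under private/ to whether `user` can read it."""
    return {k: can_read(tree, k, user, groups) for k in tree if k.startswith(PRIVATE + '/')}

OP = layout('rwx------')                  # the OP's drwx------ private
OPEN = layout('rwxr-xr-x')                # the 0755 suggested in the thread
ACL_ONLY = layout('rwx------', {'u:named': X, 'mask': X}, {'u:named': R, 'mask': R})
```

With OPEN, any local user (modelled as `nobody`) can traverse private/ and read named.conf, while the ACL_ONLY layout lets only named in and keeps private/ closed to everyone else.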