[Samba] Samba 4 AD with Bind 9.9 dlz permission access to /var/lib/samba/private/
Rowland Penny
rowlandpenny at googlemail.com
Thu Dec 26 12:51:43 MST 2013
On 26/12/13 18:48, Chan Min Wai wrote:
> Thank for the info.
>
> I think it would be a bigger problem..
> If bind is running in a chroot environment...
You cannot run bind in a chroot environment with samba4 and bind 9.9;
can you find the samba zone files?
Rowland
>
> Provided that bind would have no access to any of the files under
> /var/lib/samba
>
> On Fri, Dec 27, 2013 at 2:32 AM, Steve <steve at steve-ss.com
> <mailto:steve at steve-ss.com>> wrote:
>
> I think there is confusion because bind doesn't run as root. The
> op has correctly identified the files and directories within
> private that bind needs access to. It now only remains to allow
> the bind user into private. As the op has it, only root has
> access. My argument as to 0755 on private is based upon a default
> source build and make install. I notice that the op has a non-default
> location and so may need other security measures as well.
> The fact remains that if you are using bind, then the user running
> it must have access to private.
> Sorry about the top post. Android limitations.
> Steve
>
>
> Rowland Penny <rowlandpenny at googlemail.com
> <mailto:rowlandpenny at googlemail.com>> wrote:
>
> >On 26/12/13 15:43, Chan Min Wai wrote:
> >> Dear Steve,
> >>
> >> I think that is a bad idea as /var/lib/samba/private was supposed to
> >> hold something private for samba.
> >
> >Do you mean like the samba DNS zones and the keytab that is required
> >to alter it?
> >
> >> Like secret information security related LDAP/AD information
> >>
> >> Putting dns information doesn't seem to be a good idea.
> >> (unless the dns information is part of LDAP or AD)
> >
> >The samba dns zones are part of AD.
> >
> >>
> >> And I do believe that it should be placed in /var/lib/samba/bind or
> >> some other place which is private for both of them.
> >>
> >
> >Just where would you put private info like the samba DNS zones etc.?
> >
> >If you have any problems about where to store stuff, I suggest that
> >you take it up with the Samba devs.
> >
> >Rowland
> >
> >> On Wed, Dec 25, 2013 at 9:17 PM, steve <steve at steve-ss.com
> <mailto:steve at steve-ss.com>> wrote:
> >>
> >>> On Wed, 2013-12-25 at 03:43 +0800, Chan Min Wai wrote:
> >>>> Dear all,
> >>>>
> >>>> Would like to ask for input on the following.
> >>>> When using bind 9.9 with the dlz module, it seems that we would
> >>>> have a permission issue where named would need to have access to
> >>>>
> >>>> /var/lib/samba/private/ for a few files.
> >>>> To be more precise, it would be
> >>>>
> >>>> /var/lib/samba/private/dns (whole folder)
> >>>> /var/lib/samba/private/named.conf
> >>>> /var/lib/samba/private/named.conf.update
> >>>> /var/lib/samba/private/dns.keytab
> >>>>
> >>>> However as I can see private was 400...
> >>>> drwx------+ 7 root root 4096 Dec 25 03:34 private
> >>> That seems very restrictive. We have a default source build
> >>> at /usr/local/samba with:
> >>> drwxr-xr-x 7 root root 4096 Dec 13 13:31 private
> >>>
> >>> That lets everyone in, then named has further access as you state.
> >>> HTH
> >>> Steve
> >>>
> >>>
> >>> --
> >>> To unsubscribe from this list go to the following URL and read the
> >>> instructions: https://lists.samba.org/mailman/options/samba
> >>>
> >
>
>
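As an added example (not code from the thread or from the Samba project): a small Python audit that takes the four paths Chan Min Wai lists under the private directory and checks, from plain Unix mode bits, whether a given non-root uid and group set can traverse and read them. It also flags the 0755 layout Steve describes, since that puts world bits on the directory that holds dns.keytab and the AD databases. The account name "named", the default path /var/lib/samba/private and the sample trees built by demo() are assumptions; POSIX ACLs (the "+" in the original listing) are not evaluated, only the classic owner/group/other bits.

```python
import grp
import os
import pwd
import stat
import sys
import tempfile

# Paths under the Samba "private" directory that the BIND9 DLZ module needs,
# as listed in the thread (relative to the private directory).
DLZ_PATHS = ["dns", "named.conf", "named.conf.update", "dns.keytab"]


def _allowed(st, uid, gids, perm):
    """Classic Unix DAC check: pick the owner/group/other class that applies to
    (uid, gids) for inode `st` and test one permission ('r', 'w' or 'x').
    POSIX ACLs are not consulted. Root bypasses the read/traverse checks done here."""
    if uid == 0:
        return True
    if uid == st.st_uid:
        shift = 6
    elif st.st_gid in gids:
        shift = 3
    else:
        shift = 0
    bit = {"r": 4, "w": 2, "x": 1}[perm]
    return bool((st.st_mode >> shift) & bit)


def audit(private_dir, uid, gids):
    """Report which DLZ_PATHS the user (uid, gids) can reach under private_dir
    and warn where the directory is wider than the named user needs.

    Returns (results, warnings): results maps each relative path to
    (accessible, reason). Ancestors of private_dir are assumed traversable;
    only private_dir and the entries below it are checked."""
    results, warnings = {}, []
    top = os.lstat(private_dir)
    if not _allowed(top, uid, gids, "x"):
        for rel in DLZ_PATHS:
            results[rel] = (False, "cannot traverse %s" % private_dir)
    else:
        for rel in DLZ_PATHS:
            full = os.path.join(private_dir, rel)
            try:
                st = os.lstat(full)
            except FileNotFoundError:
                results[rel] = (False, "missing")
                continue
            # A directory must be listable and traversable; a file readable.
            need = "rx" if stat.S_ISDIR(st.st_mode) else "r"
            lacking = [p for p in need if not _allowed(st, uid, gids, p)]
            results[rel] = (False, "lacks %s" % "".join(lacking)) if lacking else (True, "ok")
    # The 0755 proposal makes the directory holding dns.keytab world-traversable;
    # flag any 'other' bits on it and any world-readable entry beneath it.
    if top.st_mode & stat.S_IRWXO:
        warnings.append("%s has mode %o: world bits set, a group or ACL grant "
                        "scoped to the named user is narrower" % (private_dir, stat.S_IMODE(top.st_mode)))
    for rel in DLZ_PATHS:
        full = os.path.join(private_dir, rel)
        if os.path.lexists(full) and os.lstat(full).st_mode & stat.S_IROTH:
            warnings.append("%s is world-readable" % full)
    return results, warnings


def demo():
    """Constructed sample trees (not a real Samba install) for the three layouts
    discussed in the thread: 0700 (the OP's), 0750 with named in the owning
    group, and 0755 (world-traversable). Returns {name: (all_ok, warning_count)}."""
    fake_uid = os.geteuid() + 1  # any uid that is not the owner of the tree
    scenarios = {  # name: (dir mode, file mode, named is in owning group)
        "locked_0700": (0o700, 0o600, False),
        "group_0750": (0o750, 0o640, True),
        "world_0755": (0o755, 0o644, False),
    }
    out = {}
    for name, (dmode, fmode, in_group) in scenarios.items():
        with tempfile.TemporaryDirectory() as base:
            priv = os.path.join(base, "private")
            os.mkdir(priv)
            os.mkdir(os.path.join(priv, "dns"))
            for rel in DLZ_PATHS[1:]:
                open(os.path.join(priv, rel), "w").close()
                os.chmod(os.path.join(priv, rel), fmode)
            os.chmod(os.path.join(priv, "dns"), dmode)
            os.chmod(priv, dmode)
            owner_gid = os.lstat(priv).st_gid
            gids = {owner_gid} if in_group else {owner_gid + 1}
            results, warnings = audit(priv, fake_uid, gids)
            out[name] = (all(ok for ok, _ in results.values()), len(warnings))
    return out


def main(argv):
    private_dir = argv[1] if len(argv) > 1 else "/var/lib/samba/private"
    user = argv[2] if len(argv) > 2 else "named"  # assumed account name; some distros use "bind"
    pw = pwd.getpwnam(user)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if user in g.gr_mem}
    results, warnings = audit(private_dir, pw.pw_uid, gids)
    for rel, (ok, why) in results.items():
        print("%-20s %s %s" % (rel, "OK" if ok else "NO", why))
    for w in warnings:
        print("WARNING:", w)
    return 0 if all(ok for ok, _ in results.values()) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run as `python3 dlz_private_audit.py /var/lib/samba/private named`; exit status 0 means every listed path is reachable for that account, and any WARNING lines show where the grant is wider than the named user needs. In demo(), the 0750-plus-group layout reaches the same "all accessible" result as 0755 without producing any world-readable warnings.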