[Samba] Samba 4 AD with Bind 9.9 dlz permission access to /var/lib/samba/private/

Ricky Nance ricky.nance at gmail.com
Fri Dec 27 06:30:51 MST 2013


On Dec 27, 2013 5:39 AM, "Rowland Penny" <rowlandpenny at googlemail.com>
wrote:
>
> On 27/12/13 03:11, Chan Min Wai wrote:
>>
>> You cannot run bind in a chroot environment with samba4 and bind 9.9,
>> No, it is written in the docs that it is not possible
>> https://wiki.samba.org/index.php/Dns-backend_bind
>>
>> can you find the samba zone files ?
>> Sorry I don't get you.
>>
>>
>
> What I was trying to point out is that you are worrying about nothing, if
> you use the bind9 dlz backend, you will not find the zone files anywhere on
> disk, they are created in memory every time bind is started.
>
> Rowland

Correct me if I am wrong, but are you sure about that? What are the hard
linked files under private/dns then? They are hard linked to
private/sam.ldb.d IIRC.

Ricky

>
>>
>> On Fri, Dec 27, 2013 at 3:51 AM, Rowland Penny <
rowlandpenny at googlemail.com <mailto:rowlandpenny at googlemail.com>> wrote:
>>
>>     On 26/12/13 18:48, Chan Min Wai wrote:
>>>
>>>     Thank for the info.
>>>
>>>     I think it would be a bigger problem..
>>>     If bind is running in a chroot environment...
>>
>>     You cannot run bind in a chroot environment with samba4 and bind
>>     9.9, can you find the samba zone files ?
>>
>>     Rowland
>>
>>
>>>
>>>     Provided that bind would have no access to any of the files under
>>>     /var/lib/samba
>>>
>>>
>>>
>>>
>>>     On Fri, Dec 27, 2013 at 2:32 AM, Steve <steve at steve-ss.com
>>>     <mailto:steve at steve-ss.com>> wrote:
>>>
>>>         I think there is confusion because bind doesn't run as root.
>>>         The OP has correctly identified the files and directories
>>>         within private that bind needs access to.  It now only
>>>         remains to allow the bind user into private. As the OP has
>>>         it, only root has access. My arguments as to 0755 on private
>>>         are based upon a default source build and make install. I
>>>         notice that the OP has a non-default location and so may need
>>>         other security measures as well. The fact remains that if
>>>         you are using bind, then the user running it must have access
>>>         to private.
>>>         Sorry about the top post. Android limitations.
>>>         Steve
>>>
>>>
>>>         Rowland Penny <rowlandpenny at googlemail.com
>>>         <mailto:rowlandpenny at googlemail.com>> wrote:
>>>
>>>         >On 26/12/13 15:43, Chan Min Wai wrote:
>>>         >> Dear Steve,
>>>         >>
>>>         >> I think that is a bad idea as /var/lib/samba/private was
>>>         supposed to hold
>>>         >> something private for samba.
>>>         >
>>>         >Do you mean like the samba DNS zones and the keytab that is
>>>         required to
>>>         >alter it?
>>>         >
>>>         >> Like secret, security-related LDAP/AD information.
>>>         >>
>>>         >> Putting DNS information there doesn't seem to be a good idea.
>>>         >> (unless the DNS information is part of LDAP or AD)
>>>         >
>>>         >The samba dns zones are part of AD.
>>>         >
>>>         >>
>>>         >> And I do believe that it should be placed in
>>>          /var/lib/samba/bind or some
>>>         >> other place which is private for both of them.
>>>         >>
>>>         >
>>>         >Just where would you put private info like the samba DNS
>>>         zones etc.?
>>>         >
>>>         >If you have any problems about where to store stuff, I
>>>         suggest that you
>>>         >take it up with the Samba devs.
>>>         >
>>>         >Rowland
>>>         >
>>>         >> On Wed, Dec 25, 2013 at 9:17 PM, steve <steve at steve-ss.com
>>>         <mailto:steve at steve-ss.com>> wrote:
>>>         >>
>>>         >>> On Wed, 2013-12-25 at 03:43 +0800, Chan Min Wai wrote:
>>>         >>>> Dear all,
>>>         >>>>
>>>         >>>> Would like to ask for input on the following.
>>>         >>>> When using bind 9.9 with the dlz module.
>>>         >>>> It seems that we would have a permission issue where
>>>         named would need to
>>>         >>>> have access to
>>>         >>>>
>>>         >>>> /var/lib/samba/private/ for a few files.
>>>         >>>> to be more precise it would be
>>>         >>>>
>>>         >>>> /var/lib/samba/private/dns (whole folder)
>>>         >>>> /var/lib/samba/private/named.conf
>>>         >>>> /var/lib/samba/private/named.conf.update
>>>         >>>> /var/lib/samba/private/dns.keytab
>>>         >>>>
>>>         >>>> However, as I can see, private was 400...
>>>         >>>> drwx------+  7 root root    4096 Dec 25 03:34 private
>>>         >>> That seems very restrictive. We have a default source build
>>>         >>> at /usr/local/samba with:
>>>         >>> drwxr-xr-x  7 root root 4096 Dec 13 13:31 private
>>>         >>>
>>>         >>> That lets everyone in, then named has further access as
>>>         you state.
>>>         >>> HTH
>>>         >>> Steve
>>>         >>>
>>>         >>>
>>>         >>> --
>>>         >>> To unsubscribe from this list go to the following URL and
>>>         read the
>>>         >>> instructions: https://lists.samba.org/mailman/options/samba
>>>         >>>
>>>         >
>>>
>>>
>>
>>
>
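As an added example (not code from this thread or from Samba), a POSIX sh audit that walks the paths Chan listed and classifies each one's mode bits, so a defender can tell whether access for the bind user comes from opening the directory to everyone (0755, as Steve describes) or from a narrower grant such as an ACL (the `+` on Chan's `drwx------+` listing). The path list and the default /var/lib/samba/private come from the thread; sam.ldb.d is included because Ricky points out the hard links into it. The function and variable names are mine.

```shell
#!/bin/sh
# Audit which of the files the bind9_dlz backend needs (per the thread) are
# reachable by a non-root user such as "named", judging from POSIX mode bits.
# PRIVATE defaults to /var/lib/samba/private and can be overridden for testing.

# Print the 10-char symbolic mode of a path, e.g. drwx------, plus a trailing
# '+' when ls reports an ACL (the 11th column). Spaces are stripped.
mode_of() {
    ls -ld "$1" | cut -c1-11 | tr -d ' '
}

# Classify a mode string:
#   acl        an ACL is present; the actual grants need getfacl to inspect
#   world      "other" has read or execute (the 0755 approach: everyone gets in)
#   group      only the group has read or execute (e.g. a "named" group, 0750)
#   owner-only nothing beyond the owner, which is root here (bind is locked out)
classify_mode() {
    m=$1
    case "$m" in
        *+) echo acl; return ;;
    esac
    other=$(printf '%s' "$m" | cut -c8-10)
    group=$(printf '%s' "$m" | cut -c5-7)
    case "$other" in
        *r*|*x*) echo world; return ;;
    esac
    case "$group" in
        *r*|*x*) echo group; return ;;
    esac
    echo owner-only
}

# Walk the paths named in the thread and report each one's classification.
audit_private() {
    dir=${1:-/var/lib/samba/private}
    for rel in . dns named.conf named.conf.update dns.keytab sam.ldb.d; do
        p="$dir/$rel"
        [ -e "$p" ] || { echo "$rel: missing"; continue; }
        echo "$rel: $(classify_mode "$(mode_of "$p")")"
    done
}
```

Run as `audit_private` on a DC; a `world` result on dns.keytab or sam.ldb.d means the keytab and directory database are readable by every local account, whereas `acl` or `group` shows the access was scoped to the bind user.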