[Samba] Samba 4 AD with Bind 9.9 dlz permission access to /var/lib/samba/private/

steve steve at steve-ss.com
Fri Dec 27 12:47:50 MST 2013


On Sat, 2013-12-28 at 03:37 +0800, Chan Min Wai wrote:
> Maybe I should try to run chroot bind with symlink from samba.
> 

If you have to run chroot bind then just use ordinary files for the
zones, like in the old days. I don't think dlz is going to work because
it needs to access AD which is not in the jail.

> But before that...
> I'll need to get the chroot bind working in advance...

That's the default on many distros. There's usually a folder
under /var/lib/ or /var/cache/ somewhere that the bind user has write on
for your own zone files.

Good luck
Steve

> 
> BRB
> 
> 
> On Fri, Dec 27, 2013 at 9:44 PM, Rowland Penny
> <rowlandpenny at googlemail.com>wrote:
> 
> >  On 27/12/13 13:30, Ricky Nance wrote:
> >
> >
> > On Dec 27, 2013 5:39 AM, "Rowland Penny" <rowlandpenny at googlemail.com>
> > wrote:
> > >
> > > On 27/12/13 03:11, Chan Min Wai wrote:
> > >>
> > >> You cannot run bind in a chroot environment with samba4 and bind 9.9,
> > >> No, it is written in the docs that it is not possible
> > >> https://wiki.samba.org/index.php/Dns-backend_bind
> > >>
> > >> can you find the samba zone files ?
> > >> Sorry I don't get you.
> > >>
> > >>
> > >
> > > What I was trying to point out is that you are worrying about nothing,
> > if you use the bind9 dlz backend, you will not find the zone files anywhere
> > on disk, they are created in memory every time bind is started.
> > >
> > > Rowland
> >
> > Correct me if I am wrong, but are you sure about that? What are the hard
> > linked files under private/dns then? They are hard linked to
> > private/sam.ldb.d IIRC.
> >
> > Ricky
> >
> >  >
> > >>
> > >> On Fri, Dec 27, 2013 at 3:51 AM, Rowland Penny <
> > rowlandpenny at googlemail.com <mailto:rowlandpenny at googlemail.com>> wrote:
> > >>
> > >>     On 26/12/13 18:48, Chan Min Wai wrote:
> > >>>
> > >>>     Thanks for the info.
> > >>>
> > >>>     I think it would be a bigger problem..
> > >>>     If bind is running in a chroot environment...
> > >>
> > >>     You cannot run bind in a chroot environment with samba4 and bind
> > >>     9.9, can you find the samba zone files ?
> > >>
> > >>     Rowland
> > >>
> > >>
> > >>>
> > >>>     Provided that bind would have no access to any of the files under
> > >>>     /var/lib/samba
> > >>>
> > >>>
> > >>>
> > >>>
> > >>>     On Fri, Dec 27, 2013 at 2:32 AM, Steve <steve at steve-ss.com
> > >>>     <mailto:steve at steve-ss.com>> wrote:
> > >>>
> > >>>         I think there is confusion because bind doesn't run as root.
> > >>>         The op has correctly identified the files and directories
> > >>>         within private that bind needs access to.  It now only
> > >>>         remains to allow the bind user into private. As the op has
> > >>>         it, only root has access. My argument as to 0755 on private
> > >>>         are based upon a default source build and make install. I
> > >>>         notice that the op has a non default location and so may need
> > >>>         other security measures as well. The fact remains that if
> > >>>         you are using bind, then the user running it must have access
> > >>>         to private.
> > >>>         Sorry about the top post. Android limitations.
> > >>>         Steve
> > >>>
> > >>>
> > >>>         Rowland Penny <rowlandpenny at googlemail.com
> > >>>         <mailto:rowlandpenny at googlemail.com>> wrote:
> > >>>
> > >>>         >On 26/12/13 15:43, Chan Min Wai wrote:
> > >>>         >> Dear Steve,
> > >>>         >>
> > >>>         >> I think that is a bad idea as /var/lib/samba/private was
> > >>>         supposed to hold
> > >>>         >> something private for samba.
> > >>>         >
> > >>>         >Do you mean like the samba DNS zones and the keytab that is
> > >>>         required to
> > >>>         >alter it?
> > >>>         >
> > >>>         >> Like secret information security related LDAP/AD information
> > >>>         >>
> > >>>         >> Putting dns information doesn't seem to be a good idea.
> > >>>         >> (unless the dns information are part of LDAP or AD)
> > >>>         >
> > >>>         >The samba dns zones are part of AD.
> > >>>         >
> > >>>         >>
> > >>>         >> And I do believe that it should be placed in
> > >>>          /var/lib/samba/bind or some
> > >>>         >> other place which is private for both of them.
> > >>>         >>
> > >>>         >
> > >>>         >Just where would you put private info like the samba DNS
> > >>>         zones etc.?
> > >>>         >
> > >>>         >If you have any problems about where to store stuff, I
> > >>>         suggest that you
> > >>>         >take it up with the Samba devs.
> > >>>         >
> > >>>         >Rowland
> > >>>         >
> > >>>         >> On Wed, Dec 25, 2013 at 9:17 PM, steve <steve at steve-ss.com
> > >>>         <mailto:steve at steve-ss.com>> wrote:
> > >>>         >>
> > >>>         >>> On Wed, 2013-12-25 at 03:43 +0800, Chan Min Wai wrote:
> > >>>         >>>> Dear all,
> > >>>         >>>>
> > >>>         >>>> Would like to ask for input on the following.
> > >>>         >>>> When using with bind 9.9 with dlz module.
> > >>>         >>>> It seems that we would have a permission issue where
> > >>>         names would need to
> > >>>         >>>> have access to
> > >>>         >>>>
> > >>>         >>>> /var/lib/samba/private/ for a few files.
> > >>>         >>>> to be more precise it would be
> > >>>         >>>>
> > >>>         >>>> /var/lib/samba/private/dns (whole folder)
> > >>>         >>>> /var/lib/samba/private/named.conf
> > >>>         >>>> /var/lib/samba/private/named.conf.update
> > >>>         >>>> /var/lib/samba/private/dns.keytab
> > >>>         >>>>
> > >>>         >>>> However as I can see private was 400...
> > >>>         >>>> drwx------+  7 root root    4096 Dec 25 03:34 private
> > >>>         >>> That seems very restrictive. We have a default source build
> > >>>         >>> at /usr/local/samba with:
> > >>>         >>> drwxr-xr-x  7 root root 4096 Dec 13 13:31 private
> > >>>         >>>
> > >>>         >>> That lets everyone in, then named has further access as
> > >>>         you state.
> > >>>         >>> HTH
> > >>>         >>> Steve
> > >>>         >>>
> > >>>         >>>
> > >>>         >>> --
> > >>>         >>> To unsubscribe from this list go to the following URL and
> > >>>         >>> read the instructions:
> > >>>         >>> https://lists.samba.org/mailman/options/samba
> > >>>         >>>
> > >>>         >
> > >>>
> > >>>
> > >>
> > >>
> > >
> >
> > They are where Samba stores its domain info, they are not the dns zones
> > (and incidentally, these should never be altered directly)
> > If I restart bind9, I get this in syslog:
> >
> > samba_dlz: started for DN DC=example,DC=com
> > samba_dlz: starting configure
> > samba_dlz: configured writeable zone '0.168.192.in-addr.arpa'
> > samba_dlz: configured writeable zone 'example.com'
> > samba_dlz: configured writeable zone '_msdcs.example.com'
> >
> > The three zones never get written to disk (well I cannot find them)
> >
> > Rowland
> >
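A check worth running after this thread, added here as an example and not code from Samba or from anyone in the thread: given the uid and gid that named runs as, it walks the four paths the original poster listed under /var/lib/samba/private and reports the first directory or file that blocks access on plain POSIX mode bits. The named uid/gid (123) and the three directory layouts are constructed for the demonstration; they reproduce the OP's drwx------+ listing, Steve's drwxr-xr-x default source build, and a group-only 0750 alternative that admits named without letting everyone else into private. The trailing + on the OP's listing means an ACL is attached, which the mode bits do not show, so on a live host confirm any reported denial with getfacl.

```python
# Added example for this thread (not Samba's code nor any poster's): given the
# uid/gid the named process runs as, report which directory or file on the way
# to each path Samba's dlz backend needs blocks it on plain POSIX mode bits.
import os
import stat
from types import SimpleNamespace

# Paths the original poster identified as needed by named with the dlz module.
REQUIRED = [
    "/var/lib/samba/private/dns",
    "/var/lib/samba/private/named.conf",
    "/var/lib/samba/private/named.conf.update",
    "/var/lib/samba/private/dns.keytab",
]


def parse_ls_mode(field):
    """First field of `ls -l` ('drwx------+') -> (mode_bits, has_acl, is_dir).
    A trailing '+' means an ACL is attached; the mode bits are then only a
    conservative approximation (the group triplet shows the ACL mask)."""
    mode = 0
    for i, ch in enumerate(field[1:10]):
        if ch in "rwxst":               # lowercase s/t also imply x
            mode |= 1 << (8 - i)
    return mode, field[10:11] == "+", field[0] == "d"


def mode_allows(mode, owner_uid, owner_gid, uid, gids, want):
    """POSIX class selection: owner triplet if uid matches, else group triplet
    if any of gids matches, else other. want is a string of r/w/x."""
    if uid == 0:                        # root bypasses DAC
        return True
    shift = 6 if uid == owner_uid else 3 if owner_gid in gids else 0
    needed = sum({"r": 4, "w": 2, "x": 1}[c] for c in set(want))
    return ((mode >> shift) & needed) == needed


def ancestors(path):
    """Every directory that must be traversable (x) to reach path, root first."""
    dirs, p = [], os.path.dirname(path.rstrip("/"))
    while p:
        dirs.append(p)
        if p == "/":
            break
        p = os.path.dirname(p)
    return dirs[::-1]


def check_user_access(paths, uid, gids, stat_fn=os.stat):
    """(path, problem) pairs that stop uid reaching each path: every ancestor
    needs x, the target needs r (plus x if it is a directory). stat_fn is
    injectable so the check can run over a constructed table; on a live host
    call it as root, since private/ is usually unreadable to anyone else."""
    problems = []
    for path in paths:
        for p in ancestors(path) + [path]:
            try:
                st = stat_fn(p)
            except FileNotFoundError:
                problem = (p, "missing")
            else:
                want = "x" if p != path else ("rx" if stat.S_ISDIR(st.st_mode) else "r")
                if mode_allows(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid, uid, gids, want):
                    continue
                problem = (p, "no %s for uid %d" % (want, uid))
            if problem not in problems:
                problems.append(problem)
            break                       # first blocker on this path is enough
    return problems


def table_stat(table):
    """stat_fn over a constructed {path: (ls_mode_field, uid, gid)} table."""
    def stat_fn(path):
        if path not in table:
            raise FileNotFoundError(path)
        field, uid, gid = table[path]
        mode, _acl, is_dir = parse_ls_mode(field)
        return SimpleNamespace(st_mode=mode | (stat.S_IFDIR if is_dir else stat.S_IFREG),
                               st_uid=uid, st_gid=gid)
    return stat_fn


BIND_UID = BIND_GID = 123               # hypothetical uid/gid of the named user

# Constructed layouts. Everything above private/ is world-traversable; inside it
# the dns/ directory and the keytab are group-owned by named's group.
_COMMON = {d: ("drwxr-xr-x", 0, 0) for d in ("/", "/var", "/var/lib", "/var/lib/samba")}
_COMMON.update({
    "/var/lib/samba/private/dns": ("drwxrwx---", 0, BIND_GID),
    "/var/lib/samba/private/named.conf": ("-rw-r--r--", 0, 0),
    "/var/lib/samba/private/named.conf.update": ("-rw-r--r--", 0, 0),
    "/var/lib/samba/private/dns.keytab": ("-rw-r-----", 0, BIND_GID),
})
# The OP's listing, drwx------+ root root (its ACL is not modelled here).
OP_LAYOUT = {**_COMMON, "/var/lib/samba/private": ("drwx------+", 0, 0)}
# Steve's default source build, drwxr-xr-x root root: everyone may traverse.
STEVE_LAYOUT = {**_COMMON, "/var/lib/samba/private": ("drwxr-xr-x", 0, 0)}
# Tighter alternative: traverse for named's group only, nothing for others.
GROUP_LAYOUT = {**_COMMON, "/var/lib/samba/private": ("drwxr-x---", 0, BIND_GID)}


def demo(layout):
    """Run the check for the named user against one constructed layout."""
    return check_user_access(REQUIRED, BIND_UID, {BIND_GID}, table_stat(layout))
```

Against the live filesystem, run it as root with check_user_access(REQUIRED, uid, {gid}) using the real uid/gid of the named user; an empty list means every ancestor is traversable and every target readable by that user on mode bits alone, and anything else names the single blocker per path so you can decide between the 0755 approach Steve describes and a group- or ACL-based grant that keeps other users out.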