[Samba] Samba 4 AD with Bind 9.9 dlz permission access to /var/lib/samba/private/
steve
steve at steve-ss.com
Fri Dec 27 12:47:50 MST 2013
On Sat, 2013-12-28 at 03:37 +0800, Chan Min Wai wrote:
> Maybe I should try to run chroot bind with symlink from samba.
>
If you have to run chroot bind then just use ordinary files for the
zones, like in the old days. I don't think dlz is going to work because
it needs to access AD which is not in the jail.
> But before that...
> I'll need to get the chroot bind workning in advance...
That's the default on many distros. There's usually a folder
under /var/lib/ or /var/cache/ somewhere that the bind user has write on
for your own zone files.
Good luck
Steve
>
> BRB
>
>
> On Fri, Dec 27, 2013 at 9:44 PM, Rowland Penny
> <rowlandpenny at googlemail.com>wrote:
>
> > On 27/12/13 13:30, Ricky Nance wrote:
> >
> >
> > On Dec 27, 2013 5:39 AM, "Rowland Penny" <rowlandpenny at googlemail.com>
> > wrote:
> > >
> > > On 27/12/13 03:11, Chan Min Wai wrote:
> > >>
> > >> You cannot run bind in a chroot environment with samba4 and bind 9.9,
> > >> No, it is written in the docs that it is not possible
> > >> https://wiki.samba.org/index.php/Dns-backend_bind
> > >>
> > >> can you find the samba zone files ?
> > >> Sorry I don't get you.
> > >>
> > >>
> > >
> > > What I was trying to point out is that you are worrying about nothing,
> > if you use the bind9 dlz backend, you will not find the zone files anywhere
> > on disk, they are created in memory every time bind is started.
> > >
> > > Rowland
> >
> > Correct me if i am wrong, but are you sure about that? What are the hard
> > linked files under private/dns then? They are hard linked to
> > private/sam.ldb.d IIRC.
> >
> > Ricky
> >
> > >
> > >>
> > >> On Fri, Dec 27, 2013 at 3:51 AM, Rowland Penny <
> > rowlandpenny at googlemail.com <mailto:rowlandpenny at googlemail.com>> wrote:
> > >>
> > >> On 26/12/13 18:48, Chan Min Wai wrote:
> > >>>
> > >>> Thank for the info.
> > >>>
> > >>> I think it would bigger problem..
> > >>> If bind is running in a chroot environment...
> > >>
> > >> You cannot run bind in a chroot environment with samba4 and bind
> > >> 9.9, can you find the samba zone files ?
> > >>
> > >> Rowland
> > >>
> > >>
> > >>>
> > >>> Provided that bind would have no access to any of the files under
> > >>> /var/lib/samba
> > >>>
> > >>>
> > >>>
> > >>>
> > >>> On Fri, Dec 27, 2013 at 2:32 AM, Steve <steve at steve-ss.com
> > >>> <mailto:steve at steve-ss.com>> wrote:
> > >>>
> > >>> I think there is confusion because bind doesn't run as root.
> > >>> The op has correctly identified the files and directories
> > >>> within private that bind needs access to. It now only
> > >>> remains to allow the bind user into private. As the op has
> > >>> it, only root has access. My argument as to 0755 on private
> > >>> are based upon a default source build and make install. I
> > >>> notice that the op has a non default location and so may need
> > >>> other security measures as we'll. The fact remains that if
> > >>> you are using bind, then the user running it must have access
> > >>> to private.
> > >>> Sorry about the top post. Android limitations.
> > >>> Steve
> > >>>
> > >>>
> > >>> Rowland Penny <rowlandpenny at googlemail.com
> > >>> <mailto:rowlandpenny at googlemail.com>> wrote:
> > >>>
> > >>> >On 26/12/13 15:43, Chan Min Wai wrote:
> > >>> >> Dear Steve,
> > >>> >>
> > >>> >> I think that is bad idea as /var/lib/samba/private was
> > >>> suppose to hold
> > >>> >> something private for samba.
> > >>> >
> > >>> >Do you mean like the samba DNS zones and the keytab that is
> > >>> required to
> > >>> >alter it?
> > >>> >
> > >>> >> Like secret information security related LDAP/AD information
> > >>> >>
> > >>> >> Putting dns information don't seem to be a good idea.
> > >>> >> (unless the dns information are part or LDAP or AD)
> > >>> >
> > >>> >The samba dns zones are part of AD.
> > >>> >
> > >>> >>
> > >>> >> And I do believes that it should be place to
> > >>> /var/lib/samba/bind or some
> > >>> >> other place which private for both of them.
> > >>> >>
> > >>> >
> > >>> >Just where would you put private info like the samba DNS
> > >>> zones etc.?
> > >>> >
> > >>> >If you have any problems about where to store stuff, I
> > >>> suggest that you
> > >>> >take it up with the Samba devs.
> > >>> >
> > >>> >Rowland
> > >>> >
> > >>> >> On Wed, Dec 25, 2013 at 9:17 PM, steve <steve at steve-ss.com
> > >>> <mailto:steve at steve-ss.com>> wrote:
> > >>> >>
> > >>> >>> On Wed, 2013-12-25 at 03:43 +0800, Chan Min Wai wrote:
> > >>> >>>> Dear all,
> > >>> >>>>
> > >>> >>>> Would like to ask for input on the following.
> > >>> >>>> When using with bind 9.9 with dlz module.
> > >>> >>>> It seem that we would have a permission issue where
> > >>> names would need to
> > >>> >>>> have access to
> > >>> >>>>
> > >>> >>>> /var/lib/samba/private/ for a few files.
> > >>> >>>> to be more precise it would be
> > >>> >>>>
> > >>> >>>> /var/lib/samba/private/dns (whole folder)
> > >>> >>>> /var/lib/samba/private/named.conf
> > >>> >>>> /var/lib/samba/private/named.conf.update
> > >>> >>>> /var/lib/samba/private/dns.keytab
> > >>> >>>>
> > >>> >>>> However as I can see private was 400...
> > >>> >>>> drwx------+ 7 root root 4096 Dec 25 03:34 private
> > >>> >>> That seems very restrictive. We have a default source build
> > >>> >>> at /usr/local/samba with:
> > >>> >>> drwxr-xr-x 7 root root 4096 Dec 13 13:31 private
> > >>> >>>
> > >>> >>> That let's everyone in, then named has further access as
> > >>> you state.
> > >>> >>> HTH
> > >>> >>> Steve
> > >>> >>>
> > >>> >>>
> > >>> >>> --
> > >>> >>> To unsubscribe from this list go to the following URL and
> > >>> read the
> > >>> >>> instructions:
> > https://lists.samba.org/mailman/options/samba
> > >>> >>>
> > >>> >
> > >>>
> > >>>
> > >>
> > >>
> > >
> > > --
> > > To unsubscribe from this list go to the following URL and read the
> > > instructions: https://lists.samba.org/mailman/options/samba
> >
> > They are where Samba stores its domain info, they are not the dns zones
> > (and indecently, these should never be altered directly)
> > If I restart bind9, I get this in syslog:
> >
> > samba_dlz: started for DN DC=example,DC=com
> > samba_dlz: starting configure
> > samba_dlz: configured writeable zone '0.168.192.in-addr.arpa'
> > samba_dlz: configured writeable zone 'example.com'
> > samba_dlz: configured writeable zone '_msdcs.example.com'
> >
> > The three zones never get written to disk (well I cannot find them)
> >
> > Rowland
> >
More information about the samba
mailing list