[Samba] Samba 4 AD with Bind 9.9 dlz permission access to /var/lib/samba/private/
Rowland Penny
rowlandpenny at googlemail.com
Fri Dec 27 13:34:09 MST 2013
On 27/12/13 19:37, Chan Min Wai wrote:
> Maybe I should try to run chroot bind with symlink from samba.
>
> But before that...
> I'll need to get the chroot bind working in advance...
>
> BRB
>
>
> On Fri, Dec 27, 2013 at 9:44 PM, Rowland Penny
> <rowlandpenny at googlemail.com> wrote:
>
> On 27/12/13 13:30, Ricky Nance wrote:
>>
>>
>> On Dec 27, 2013 5:39 AM, "Rowland Penny"
>> <rowlandpenny at googlemail.com> wrote:
>> >
>> > On 27/12/13 03:11, Chan Min Wai wrote:
>> >>
>> >> You cannot run bind in a chroot environment with samba4 and
>> >> bind 9.9,
>> >> No, it is written in the docs that it is not possible
>> >> https://wiki.samba.org/index.php/Dns-backend_bind
>> >>
>> >> can you find the samba zone files ?
>> >> Sorry I don't get you.
>> >>
>> >>
>> >
>> > What I was trying to point out is that you are worrying about
>> > nothing, if you use the bind9 dlz backend, you will not find the
>> > zone files anywhere on disk, they are created in memory every
>> > time bind is started.
>> >
>> > Rowland
>>
>> Correct me if I am wrong, but are you sure about that? What are
>> the hard linked files under private/dns then? They are hard
>> linked to private/sam.ldb.d IIRC.
>>
>> Ricky
>>
>> >
>> >>
>> >> On Fri, Dec 27, 2013 at 3:51 AM, Rowland Penny
>> >> <rowlandpenny at googlemail.com> wrote:
>> >>
>> >> On 26/12/13 18:48, Chan Min Wai wrote:
>> >>>
>> >>> Thanks for the info.
>> >>>
>> >>> I think it would be a bigger problem..
>> >>> If bind is running in a chroot environment...
>> >>
>> >> You cannot run bind in a chroot environment with samba4 and bind
>> >> 9.9, can you find the samba zone files ?
>> >>
>> >> Rowland
>> >>
>> >>
>> >>>
>> >>> Provided that bind would have no access to any of the files under
>> >>> /var/lib/samba
>> >>>
>> >>>
>> >>>
>> >>>
>> >>> On Fri, Dec 27, 2013 at 2:32 AM, Steve <steve at steve-ss.com> wrote:
>> >>>
>> >>> I think there is confusion because bind doesn't run as root.
>> >>> The op has correctly identified the files and directories
>> >>> within private that bind needs access to. It now only
>> >>> remains to allow the bind user into private. As the op has
>> >>> it, only root has access. My argument as to 0755 on private
>> >>> is based upon a default source build and make install. I
>> >>> notice that the op has a non default location and so may need
>> >>> other security measures as well. The fact remains that if
>> >>> you are using bind, then the user running it must have access
>> >>> to private.
>> >>> Sorry about the top post. Android limitations.
>> >>> Steve
>> >>>
>> >>>
>> >>> Rowland Penny <rowlandpenny at googlemail.com> wrote:
>> >>>
>> >>> >On 26/12/13 15:43, Chan Min Wai wrote:
>> >>> >> Dear Steve,
>> >>> >>
>> >>> >> I think that is a bad idea as /var/lib/samba/private was
>> >>> >> supposed to hold something private for samba.
>> >>> >
>> >>> >Do you mean like the samba DNS zones and the keytab that is
>> >>> >required to alter it?
>> >>> >
>> >>> >> Like secret information, security related LDAP/AD information
>> >>> >>
>> >>> >> Putting dns information doesn't seem to be a good idea.
>> >>> >> (unless the dns information is part of LDAP or AD)
>> >>> >
>> >>> >The samba dns zones are part of AD.
>> >>> >
>> >>> >>
>> >>> >> And I do believe that it should be placed in
>> >>> >> /var/lib/samba/bind or some other place which is private for
>> >>> >> both of them.
>> >>> >>
>> >>> >
>> >>> >Just where would you put private info like the samba DNS
>> >>> >zones etc.?
>> >>> >
>> >>> >If you have any problems about where to store stuff, I suggest
>> >>> >that you take it up with the Samba devs.
>> >>> >
>> >>> >Rowland
>> >>> >
>> >>> >> On Wed, Dec 25, 2013 at 9:17 PM, steve <steve at steve-ss.com> wrote:
>> >>> >>
>> >>> >>> On Wed, 2013-12-25 at 03:43 +0800, Chan Min Wai wrote:
>> >>> >>>> Dear all,
>> >>> >>>>
>> >>> >>>> Would like to ask for input on the following.
>> >>> >>>> When using bind 9.9 with the dlz module.
>> >>> >>>> It seems that we would have a permission issue where
>> >>> >>>> named would need to have access to
>> >>> >>>>
>> >>> >>>> /var/lib/samba/private/ for a few files.
>> >>> >>>> To be more precise it would be
>> >>> >>>>
>> >>> >>>> /var/lib/samba/private/dns (whole folder)
>> >>> >>>> /var/lib/samba/private/named.conf
>> >>> >>>> /var/lib/samba/private/named.conf.update
>> >>> >>>> /var/lib/samba/private/dns.keytab
>> >>> >>>>
>> >>> >>>> However as I can see private was 400...
>> >>> >>>> drwx------+ 7 root root 4096 Dec 25 03:34 private
>> >>> >>> That seems very restrictive. We have a default source build
>> >>> >>> at /usr/local/samba with:
>> >>> >>> drwxr-xr-x 7 root root 4096 Dec 13 13:31 private
>> >>> >>>
>> >>> >>> That lets everyone in, then named has further access as
>> >>> >>> you state.
>> >>> >>> HTH
>> >>> >>> Steve
>> >>> >>>
>> >>> >>>
>> >>> >>> --
>> >>> >>> To unsubscribe from this list go to the following URL and
>> >>> >>> read the instructions:
>> >>> >>> https://lists.samba.org/mailman/options/samba
>> >>> >>>
>> >>> >
>> >>>
>> >>>
>> >>
>> >>
>> >
>>
> They are where Samba stores its domain info, they are not the dns
> zones (and incidentally, these should never be altered directly)
> If I restart bind9, I get this in syslog:
>
> samba_dlz: started for DN DC=example,DC=com
> samba_dlz: starting configure
> samba_dlz: configured writeable zone '0.168.192.in-addr.arpa'
> samba_dlz: configured writeable zone 'example.com'
> samba_dlz: configured writeable zone '_msdcs.example.com'
>
> The three zones never get written to disk (well I cannot find them)
>
> Rowland
>
>
Hi, just what part of 'you cannot run bind in a chroot with samba 4' do
you not understand ???
It just will not work, forget it and move on.
Rowland
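A worked check of the permission question the quoted thread debates (the OP's 0700 private/ versus Steve's 0755), added here as an example and not code from the list, the posters or the Samba project. It assumes bind runs as a user called named and that targeted access is granted with POSIX ACLs (the trailing '+' on drwx------+), evaluating constructed getfacl output; sam.ldb.d is the database directory Ricky mentions.

```python
def parse_getfacl(text):
    """Parse getfacl(1) output into (owner, group, {(tag, qualifier): perms})."""
    owner = group = None
    entries = {}
    for line in text.strip().splitlines():
        line = line.strip()
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
        elif line and not line.startswith("#"):
            tag, qual, perms = line.split(":")
            entries[(tag, qual)] = set(perms) - {"-"}
    return owner, group, entries

def effective(acl, user, groups):
    """POSIX ACL check order: owner, named user (masked), groups (masked), other."""
    owner, group, e = acl
    mask = e.get(("mask", ""), set("rwx"))
    if user == owner:
        return e[("user", "")]
    if ("user", user) in e:
        return e[("user", user)] & mask
    matched, granted = False, set()
    for (tag, qual), perms in e.items():
        if tag == "group" and (qual in groups or (qual == "" and group in groups)):
            matched, granted = True, granted | perms
    return granted & mask if matched else e[("other", "")]

def audit(private_acl, file_acls, user="named", groups=("named",)):
    """Findings: bind blocked (the OP's 0700), or private/ open to all (0755)."""
    findings = []
    if "x" not in effective(private_acl, user, groups):
        findings.append("private/: %s cannot traverse" % user)
    if private_acl[2][("other", "")] & {"r", "x"}:
        findings.append("private/: open to everyone (sam.ldb.d, keytabs exposed)")
    for path, acl in file_acls.items():
        if "r" not in effective(acl, user, groups):
            findings.append("%s: %s cannot read" % (path, user))
    return findings

# Constructed getfacl output: OP's 0700, Steve's 0755, and a least-privilege
# alternative granting only the hypothetical 'named' user traverse/read rights.
OP_0700 = "# owner: root\n# group: root\nuser::rwx\ngroup::---\nother::---"
STEVE_0755 = "# owner: root\n# group: root\nuser::rwx\ngroup::r-x\nother::r-x"
LEAST_PRIV = ("# owner: root\n# group: root\nuser::rwx\nuser:named:r-x\n"
              "group::---\nmask::r-x\nother::---")
KEYTAB_ACL = ("# owner: root\n# group: root\nuser::rw-\nuser:named:r--\n"
              "group::---\nmask::r--\nother::---")
```

Run audit() on the real getfacl output of private/ and of each file the OP listed to see which of the two failure modes a given host is in.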