[Samba] Samba 4 AD with Bind 9.9 dlz permission access to /var/lib/samba/private/

Günter Kukkukk linux at kukkukk.com
Fri Dec 27 16:08:39 MST 2013


On 27.12.2013 20:37, Chan Min Wai wrote:
> Maybe I should try to run chroot bind with symlink from samba.
> 
> But before that...
> I'll need to get the chroot bind working in advance...
> 
> BRB
> 

By default opensuse also runs ISC bind inside a chroot jail.
Some months ago I got it working, but at the end it was a whole mess.
So I would recommend _not_ to run bind inside a chroot jail!

These days there are better hardening tools like selinux and apparmor
around - which do a similar/better job...

Btw - when running bind with the samba DLZ driver, one can use the
zone transfer cmd of dig to see all entries inside a specified zone
in a format similar to the ASCII flat zone files:

  dig AXFR your.dns.zone

or by also specifying the dns server:

  dig @your_dns_server AXFR your.dns.zone

This cmd should be repeated for all stored zones, and also e.g. the reverse ones.

Note that this zone transfer cmd does _not_ work when using the samba internal
dns server! (not implemented)

Cheers, Günter

> 
> On Fri, Dec 27, 2013 at 9:44 PM, Rowland Penny
> <rowlandpenny at googlemail.com>wrote:
> 
>>  On 27/12/13 13:30, Ricky Nance wrote:
>>
>>
>> On Dec 27, 2013 5:39 AM, "Rowland Penny" <rowlandpenny at googlemail.com>
>> wrote:
>>>
>>> On 27/12/13 03:11, Chan Min Wai wrote:
>>>>
>>>> You cannot run bind in a chroot environment with samba4  and bind 9.9,
>>>> No, it is written in the docs that it is not possible
>>>> https://wiki.samba.org/index.php/Dns-backend_bind
>>>>
>>>> can you find the samba zone files ?
>>>> Sorry I don't get you.
>>>>
>>>>
>>>
>>> What I was trying to point out is that you are worrying about nothing,
>> if you use the bind9 dlz backend, you will not find the zone files anywhere
>> on disk, they are created in memory every time bind is started.
>>>
>>> Rowland
>>
>> Correct me if i am wrong, but are you sure about that? What are the hard
>> linked files under private/dns then? They are hard linked to
>> private/sam.ldb.d IIRC.
>>
>> Ricky
>>
>>  >
>>>>
>>>> On Fri, Dec 27, 2013 at 3:51 AM, Rowland Penny <
>> rowlandpenny at googlemail.com <mailto:rowlandpenny at googlemail.com>> wrote:
>>>>
>>>>     On 26/12/13 18:48, Chan Min Wai wrote:
>>>>>
>>>>>     Thank for the info.
>>>>>
>>>>>     I think it would be a bigger problem..
>>>>>     If bind is running in a chroot environment...
>>>>
>>>>     You cannot run bind in a chroot environment with samba4 and bind
>>>>     9.9, can you find the samba zone files ?
>>>>
>>>>     Rowland
>>>>
>>>>
>>>>>
>>>>>     Provided that bind would have no access to any of the files under
>>>>>     /var/lib/samba
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>     On Fri, Dec 27, 2013 at 2:32 AM, Steve <steve at steve-ss.com
>>>>>     <mailto:steve at steve-ss.com>> wrote:
>>>>>
>>>>>         I think there is confusion because bind doesn't run as root.
>>>>>         The op has correctly identified the files and directories
>>>>>         within private that bind needs access to.  It now only
>>>>>         remains to allow the bind user into private. As the op has
>>>>>         it, only root has access. My argument as to 0755 on private
>>>>>         are based upon a default source build and make install. I
>>>>>         notice that the op has a non default location and so may need
>>>>>         other security measures as well. The fact remains that if
>>>>>         you are using bind, then the user running it must have access
>>>>>         to private.
>>>>>         Sorry about the top post. Android limitations.
>>>>>         Steve
>>>>>
>>>>>
>>>>>         Rowland Penny <rowlandpenny at googlemail.com
>>>>>         <mailto:rowlandpenny at googlemail.com>> wrote:
>>>>>
>>>>>         >On 26/12/13 15:43, Chan Min Wai wrote:
>>>>>         >> Dear Steve,
>>>>>         >>
>>>>>         >> I think that is a bad idea as /var/lib/samba/private was
>>>>>         supposed to hold
>>>>>         >> something private for samba.
>>>>>         >
>>>>>         >Do you mean like the samba DNS zones and the keytab that is
>>>>>         required to
>>>>>         >alter it?
>>>>>         >
>>>>>         >> Like secret information security related LDAP/AD information
>>>>>         >>
>>>>>         >> Putting dns information doesn't seem to be a good idea.
>>>>>         >> (unless the dns information is part of LDAP or AD)
>>>>>         >
>>>>>         >The samba dns zones are part of AD.
>>>>>         >
>>>>>         >>
>>>>>         >> And I do believe that it should be placed in
>>>>>          /var/lib/samba/bind or some
>>>>>         >> other place which is private for both of them.
>>>>>         >>
>>>>>         >
>>>>>         >Just where would you put private info like the samba DNS
>>>>>         zones etc.?
>>>>>         >
>>>>>         >If you have any problems about where to store stuff, I
>>>>>         suggest that you
>>>>>         >take it up with the Samba devs.
>>>>>         >
>>>>>         >Rowland
>>>>>         >
>>>>>         >> On Wed, Dec 25, 2013 at 9:17 PM, steve <steve at steve-ss.com
>>>>>         <mailto:steve at steve-ss.com>> wrote:
>>>>>         >>
>>>>>         >>> On Wed, 2013-12-25 at 03:43 +0800, Chan Min Wai wrote:
>>>>>         >>>> Dear all,
>>>>>         >>>>
>>>>>         >>>> Would like to ask for input on the following.
>>>>>         >>>> When using with bind 9.9 with dlz module.
>>>>>         >>>> It seems that we would have a permission issue where
>>>>>         names would need to
>>>>>         >>>> have access to
>>>>>         >>>>
>>>>>         >>>> /var/lib/samba/private/ for a few files.
>>>>>         >>>> to be more precise it would be
>>>>>         >>>>
>>>>>         >>>> /var/lib/samba/private/dns (whole folder)
>>>>>         >>>> /var/lib/samba/private/named.conf
>>>>>         >>>> /var/lib/samba/private/named.conf.update
>>>>>         >>>> /var/lib/samba/private/dns.keytab
>>>>>         >>>>
>>>>>         >>>> However as I can see private was 400...
>>>>>         >>>> drwx------+  7 root root    4096 Dec 25 03:34 private
>>>>>         >>> That seems very restrictive. We have a default source build
>>>>>         >>> at /usr/local/samba with:
>>>>>         >>> drwxr-xr-x  7 root root 4096 Dec 13 13:31 private
>>>>>         >>>
>>>>>         >>> That lets everyone in, then named has further access as
>>>>>         you state.
>>>>>         >>> HTH
>>>>>         >>> Steve
>>>>>         >>>
>>>>>         >>>
>>>>>         >>> --
>>>>>         >>> To unsubscribe from this list go to the following URL and
>>>>>         read the
>>>>>         >>> instructions:
>> https://lists.samba.org/mailman/options/samba
>>>>>         >>>
>>>>>         >
>>>>>
>>>>>
>>>>
>>>>
>>>
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions:  https://lists.samba.org/mailman/options/samba
>>
>> They are where Samba stores its domain info, they are not the dns zones
>> (and incidentally, these should never be altered directly)
>> If I restart bind9, I get this in syslog:
>>
>> samba_dlz: started for DN DC=example,DC=com
>> samba_dlz: starting configure
>> samba_dlz: configured writeable zone '0.168.192.in-addr.arpa'
>> samba_dlz: configured writeable zone 'example.com'
>> samba_dlz: configured writeable zone '_msdcs.example.com'
>>
>> The three zones never get written to disk (well I cannot find them)
>>
>> Rowland
>>
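The permission question that runs through this thread (which entries under /var/lib/samba/private the named account must reach, whether 0755 on private is needed, and what the trailing "+" in "drwx------+" means) can be checked mechanically. The script below is an added example written for this archive page; it is not Samba's or ISC's code. It assumes Linux with GNU coreutils (stat -c) and, optionally, getfacl from the acl package. The directory /var/lib/samba/private, the account name "named" and the list of entries (dns, named.conf, named.conf.update, dns.keytab) are taken from the original post; everything else is the example's own. It evaluates only the classic owner/group/other mode bits, so a directory whose "+" ACL already admits named is reported as denied by mode bits together with the ACL entries getfacl shows, which is exactly the case to look at before loosening anything to 0755.

```shell
#!/bin/sh
# samba_dlz_perms.sh: audit whether the account that runs BIND can reach the
# files the samba_dlz module needs. Added example for this thread; not Samba's
# or ISC's code. Assumes Linux with GNU coreutils (stat -c) and, for the ACL
# report, the optional getfacl utility. The default directory, the account
# "named" and the entry list come from the original post.

# Entries under the private directory that the original post says named needs.
DLZ_ENTRIES="dns named.conf named.conf.update dns.keytab"

# may_access PATH USER r|x
# Succeeds when USER holds the requested permission bit on PATH according to
# the owner/group/other mode bits. POSIX ACLs (the trailing "+" in
# "drwx------+") are not evaluated here; see acl_entries for those.
# Unknown users (no passwd entry) are treated as "other".
may_access() {
    path=$1; user=$2; want=$3
    set -- $(stat -c '%a %U %G' "$path" 2>/dev/null)
    [ $# -eq 3 ] || return 2
    mode=$(printf '000%s' "$1" | tail -c 3)   # keep the rwx digits only
    owner=$2; group=$3
    if [ "$owner" = "$user" ]; then
        digit=$(printf '%s' "$mode" | cut -c1)
    elif id -Gn "$user" 2>/dev/null | tr ' ' '\n' | grep -qx "$group"; then
        digit=$(printf '%s' "$mode" | cut -c2)
    else
        digit=$(printf '%s' "$mode" | cut -c3)
    fi
    case $want in
        r) bit=4 ;;
        x) bit=1 ;;
        *) return 2 ;;
    esac
    [ $(( digit & bit )) -ne 0 ]
}

# acl_entries PATH USER
# Prints any named-user ACL entry for USER on PATH when getfacl is installed.
acl_entries() {
    command -v getfacl >/dev/null 2>&1 || return 1
    getfacl -p --omit-header "$1" 2>/dev/null | grep "^user:$2:"
}

# audit_dlz_access [PRIVATE_DIR] [BIND_USER]
# Checks search permission on every ancestor directory, then read (and, for
# directories, search) permission on each DLZ entry. Prints each problem and
# returns 0 only when BIND_USER can reach everything by mode bits alone.
audit_dlz_access() {
    dir=${1:-/var/lib/samba/private}; user=${2:-named}; rc=0
    case $dir in /*) ;; *) dir=$(pwd)/$dir ;; esac
    p=$dir
    while [ "$p" != "/" ]; do
        may_access "$p" "$user" x || { echo "NO SEARCH: $user cannot traverse $p"; rc=1; }
        p=$(dirname "$p")
    done
    for name in $DLZ_ENTRIES; do
        f=$dir/$name
        if [ ! -e "$f" ]; then echo "MISSING: $f"; rc=1; continue; fi
        may_access "$f" "$user" r || { echo "NO READ: $user cannot read $f"; rc=1; }
        if [ -d "$f" ]; then
            may_access "$f" "$user" x || { echo "NO SEARCH: $user cannot traverse $f"; rc=1; }
        fi
    done
    if [ $rc -ne 0 ]; then
        echo "Mode bits deny access; ACL entries for $user on $dir (if any):"
        acl_entries "$dir" "$user" || echo "  (none found or getfacl unavailable)"
    fi
    return $rc
}

# Run the audit only when this file is executed directly, e.g.
#   ./samba_dlz_perms.sh /var/lib/samba/private named
case ${0##*/} in samba_dlz_perms.sh) audit_dlz_access "$@" ;; esac
```

When the audit reports NO SEARCH on the private directory but getfacl shows a user:named:r-x entry, the "+" ACL is already doing the work and the mode bits can stay at 0700; only when neither grants access does the named account need an ACL entry (or group membership) added, which is narrower than the 0755 suggested in the thread.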
