[Samba] Samba 4 AD with Bind 9.9 dlz permission access to /var/lib/samba/private/
Chan Min Wai
dcmwai at gmail.com
Sun Dec 29 02:31:12 MST 2013
Hum, just had a try with the chroot bind + dlz...
I've bound /var/lib/samba and some other directories into the chroot,
copied a few files over, etc., etc.,
but the error message was still
samba_dlz: Failed to connect to /var/lib/samba/private/dns/sam.ldb
Dec 29 17:29:04 localhost named[5292]: generating session key for dynamic DNS
Dec 29 17:29:04 localhost named[5292]: sizing zone task pool based on 9 zones
Dec 29 17:29:04 localhost named[5292]: Loading 'AD DNS Zone' using driver dlopen
Dec 29 17:29:04 localhost named[5292]: samba_dlz: Failed to connect to /var/lib/samba/private/dns/sam.ldb
Dec 29 17:29:04 localhost named[5292]: dlz_dlopen of 'AD DNS Zone' failed
Dec 29 17:29:04 localhost named[5292]: SDLZ driver failed to load.
Dec 29 17:29:04 localhost named[5292]: DLZ driver failed to load.
Dec 29 17:29:04 localhost named[5292]: loading configuration: failure
Dec 29 17:29:04 localhost named[5292]: exiting (due to fatal error)
too bad that I don't know what to look for anyway...
On Sat, Dec 28, 2013 at 7:08 AM, Günter Kukkukk <linux at kukkukk.com> wrote:
> On 27.12.2013 20:37, Chan Min Wai wrote:
> > Maybe I should try to run chroot bind with symlink from samba.
> >
> > But before that...
> > I'll need to get the chroot bind working in advance...
> >
> > BRB
> >
>
> By default opensuse also runs ISC bind inside a chroot jail.
> Some months ago I got it working, but at the end it was a whole mess.
> So I would recommend _not_ to run bind inside a chroot jail!
>
> These days there are better hardening tools like selinux and apparmor
> around - which do a similar/better job...
>
> Btw - when running bind with the samba DLZ driver, one can use the
> zone transfer cmd of dig to see all entries inside a specified zone
> in a format similar to the ASCII flat zone files:
>
> dig AXFR your.dns.zone
>
> or by also specifying the dns server:
>
> dig @your_dns_server AXFR your.dns.zone
>
> This cmd should be repeated for all stored zones, and also e.g. the
> reverse ones.
>
> Note that this zone transfer cmd does _not_ work when using the samba
> internal dns server! (not implemented)
>
> Cheers, Günter
>
> >
> > On Fri, Dec 27, 2013 at 9:44 PM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
> >
> >> On 27/12/13 13:30, Ricky Nance wrote:
> >>
> >>
> >> On Dec 27, 2013 5:39 AM, "Rowland Penny" <rowlandpenny at googlemail.com> wrote:
> >>>
> >>> On 27/12/13 03:11, Chan Min Wai wrote:
> >>>>
> >>>> You cannot run bind in a chroot environment with samba4 and bind 9.9,
> >>>> No, it is written in the docs that it is not possible
> >>>> https://wiki.samba.org/index.php/Dns-backend_bind
> >>>>
> >>>> can you find the samba zone files ?
> >>>> Sorry I don't get you.
> >>>>
> >>>>
> >>>
> >>> What I was trying to point out is that you are worrying about nothing,
> >>> if you use the bind9 dlz backend, you will not find the zone files
> >>> anywhere on disk, they are created in memory every time bind is started.
> >>>
> >>> Rowland
> >>
> >> Correct me if i am wrong, but are you sure about that? What are the hard
> >> linked files under private/dns then? They are hard linked to
> >> private/sam.ldb.d IIRC.
> >>
> >> Ricky
> >>
> >> >
> >>>>
> >>>> On Fri, Dec 27, 2013 at 3:51 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
> >>>>
> >>>> On 26/12/13 18:48, Chan Min Wai wrote:
> >>>>>
> >>>>> Thank for the info.
> >>>>>
> >>>>> I think it would be a bigger problem..
> >>>>> if bind is running in a chroot environment...
> >>>>
> >>>> You cannot run bind in a chroot environment with samba4 and bind
> >>>> 9.9, can you find the samba zone files ?
> >>>>
> >>>> Rowland
> >>>>
> >>>>
> >>>>>
> >>>>> Provided that bind would have no access to any of the files under /var/lib/samba
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>> On Fri, Dec 27, 2013 at 2:32 AM, Steve <steve at steve-ss.com> wrote:
> >>>>>
> >>>>> I think there is confusion because bind doesn't run as root.
> >>>>> The op has correctly identified the files and directories
> >>>>> within private that bind needs access to. It now only
> >>>>> remains to allow the bind user into private. As the op has
> >>>>> it, only root has access. My argument as to 0755 on private
> >>>>> is based upon a default source build and make install. I
> >>>>> notice that the op has a non-default location and so may need
> >>>>> other security measures as well. The fact remains that if
> >>>>> you are using bind, then the user running it must have access
> >>>>> to private.
> >>>>> Sorry about the top post. Android limitations.
> >>>>> Steve
> >>>>>
> >>>>>
> >>>>> Rowland Penny <rowlandpenny at googlemail.com> wrote:
> >>>>>
> >>>>> >On 26/12/13 15:43, Chan Min Wai wrote:
> >>>>> >> Dear Steve,
> >>>>> >>
> >>>>> >> I think that is a bad idea, as /var/lib/samba/private was supposed to hold
> >>>>> >> something private for samba.
> >>>>> >
> >>>>> >Do you mean like the samba DNS zones and the keytab that is required to
> >>>>> >alter it?
> >>>>> >
> >>>>> >> Like secret, security-related LDAP/AD information.
> >>>>> >>
> >>>>> >> Putting DNS information there doesn't seem to be a good idea
> >>>>> >> (unless the DNS information is part of LDAP or AD).
> >>>>> >
> >>>>> >The samba DNS zones are part of AD.
> >>>>> >
> >>>>> >>
> >>>>> >> And I do believe that it should be placed in /var/lib/samba/bind or some
> >>>>> >> other place which is private for both of them.
> >>>>> >>
> >>>>> >
> >>>>> >Just where would you put private info like the samba DNS zones etc.?
> >>>>> >
> >>>>> >If you have any problems about where to store stuff, I
> >>>>> suggest that you
> >>>>> >take it up with the Samba devs.
> >>>>> >
> >>>>> >Rowland
> >>>>> >
> >>>>> >> On Wed, Dec 25, 2013 at 9:17 PM, steve <steve at steve-ss.com> wrote:
> >>>>> >>
> >>>>> >>> On Wed, 2013-12-25 at 03:43 +0800, Chan Min Wai wrote:
> >>>>> >>>> Dear all,
> >>>>> >>>>
> >>>>> >>>> Would like to ask for input on the following.
> >>>>> >>>> When using bind 9.9 with the dlz module,
> >>>>> >>>> it seems that we would have a permission issue where
> >>>>> >>>> named would need to have access to
> >>>>> >>>>
> >>>>> >>>> /var/lib/samba/private/ for a few files.
> >>>>> >>>> to be more precise it would be
> >>>>> >>>>
> >>>>> >>>> /var/lib/samba/private/dns (whole folder)
> >>>>> >>>> /var/lib/samba/private/named.conf
> >>>>> >>>> /var/lib/samba/private/named.conf.update
> >>>>> >>>> /var/lib/samba/private/dns.keytab
> >>>>> >>>>
> >>>>> >>>> However as I can see private was 400...
> >>>>> >>>> drwx------+ 7 root root 4096 Dec 25 03:34 private
> >>>>> >>> That seems very restrictive. We have a default source build
> >>>>> >>> at /usr/local/samba with:
> >>>>> >>> drwxr-xr-x 7 root root 4096 Dec 13 13:31 private
> >>>>> >>>
> >>>>> >>> That lets everyone in, then named has further access as
> >>>>> >>> you state.
> >>>>> >>> HTH
> >>>>> >>> Steve
> >>>>> >>>
> >>>>> >>>
> >>>>> >>> --
> >>>>> >>> To unsubscribe from this list go to the following URL and read the
> >>>>> >>> instructions: https://lists.samba.org/mailman/options/samba
> >>>>> >>>
> >>>>> >
> >>>>>
> >>>>>
> >>>>
> >>>>
> >>>
> >>
> >> They are where Samba stores its domain info, they are not the dns zones
> >> (and incidentally, these should never be altered directly).
> >> If I restart bind9, I get this in syslog:
> >>
> >> samba_dlz: started for DN DC=example,DC=com
> >> samba_dlz: starting configure
> >> samba_dlz: configured writeable zone '0.168.192.in-addr.arpa'
> >> samba_dlz: configured writeable zone 'example.com'
> >> samba_dlz: configured writeable zone '_msdcs.example.com'
> >>
> >> The three zones never get written to disk (well I cannot find them)
> >>
> >> Rowland
> >>
>
>
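The thread never settles what named actually needs on the private directory: Chan lists the four entries, Steve proposes 0755 on private, and Ricky points out that private/dns is hard links into private/sam.ldb.d. The script below is an added example, not code from Samba or from anyone in the thread. It emulates the kernel's classic owner/group/other check along each path for a hypothetical non-root named uid, builds a constructed copy of the posted layout in a temp dir, and compares the three states that came up: private at 0700 (the poster's listing), private at 0755 with named in no relevant group (Steve's default build), and private at 0750 with named in the owning group. It does not model POSIX ACLs (the "+" in the posted "drwx------+" listing), chroot path remapping, or the x bit on /var, /var/lib and /var/lib/samba above the private dir, so a real host still needs getfacl and a check from inside the jail. The read/write split per entry (write on dns/, read on the rest) is an assumption.

```python
"""Emulate whether a non-root 'named' can reach the Samba private files.

Added example, not Samba code. Classic mode bits only: no ACLs, no chroot.
"""
import os
import stat
import tempfile

# Relative to the private dir (assumed split: dns/ holds sam.ldb and is
# updated at runtime, so it needs write as well as search; the rest are read).
REQUIRED = {
    "dns": "rwx",
    "named.conf": "r",
    "named.conf.update": "r",
    "dns.keytab": "r",
}


def bits_for(st, uid, gids):
    """(r, w, x) that a principal with uid/gids gets on a stat result."""
    if uid == 0:
        return (True, True, True)  # root bypasses DAC for what we check here
    shift = 6 if st.st_uid == uid else 3 if st.st_gid in gids else 0
    return tuple(bool(st.st_mode & (bit << shift))
                 for bit in (stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH))


def check_path(root, rel, need, uid, gids):
    """Walk root/rel like the kernel does: every directory on the way needs x,
    the final entry needs the letters in `need`. Returns (ok, reason)."""
    cur = root
    for comp in [p for p in rel.split("/") if p]:
        if not bits_for(os.stat(cur), uid, gids)[2]:
            return (False, "no search (x) permission on %s" % cur)
        cur = os.path.join(cur, comp)
    if not os.path.exists(cur):
        return (False, "%s does not exist" % cur)
    have = dict(zip("rwx", bits_for(os.stat(cur), uid, gids)))
    missing = "".join(c for c in need if not have[c])
    return (not missing, "missing %s on %s" % (missing, cur) if missing else "ok")


def audit(private_dir, uid, gids, required=REQUIRED):
    """Map each required entry to (ok, reason) for the given principal."""
    return {rel: check_path(private_dir, rel, need, uid, gids)
            for rel, need in required.items()}


def same_inode(a, b):
    """True if a and b are hard links to one inode: a chmod on either changes
    both, which is why the directory bits on private/ are the real gate."""
    sa, sb = os.stat(a), os.stat(b)
    return (sa.st_dev, sa.st_ino) == (sb.st_dev, sb.st_ino)


def demo():
    """Constructed layout mirroring the thread's listing, audited as a
    'named' uid that is neither root nor the owner. Returns a dict."""
    priv = os.path.join(tempfile.mkdtemp(), "private")
    os.mkdir(priv)
    for d in ("dns", "sam.ldb.d", "dns/sam.ldb.d"):
        os.mkdir(os.path.join(priv, d))
        os.chmod(os.path.join(priv, d), 0o770)
    for name in ("named.conf", "named.conf.update", "dns.keytab"):
        with open(os.path.join(priv, name), "w") as fh:
            fh.write("# constructed placeholder\n")
        os.chmod(os.path.join(priv, name), 0o640)
    # The hard link Ricky mentions: dns/sam.ldb.d/X.ldb and sam.ldb.d/X.ldb
    orig = os.path.join(priv, "sam.ldb.d", "DC=EXAMPLE,DC=COM.ldb")
    link = os.path.join(priv, "dns", "sam.ldb.d", "DC=EXAMPLE,DC=COM.ldb")
    with open(orig, "w") as fh:
        fh.write("constructed, not a real ldb\n")
    os.link(orig, link)

    owner = os.stat(priv)
    named_uid = owner.st_uid + 1       # hypothetical named: not root, not owner
    stranger = {owner.st_gid + 1000}   # named in no group that owns anything
    member = {owner.st_gid}            # named added to the owning group

    def oks(gids):
        return {k: v[0] for k, v in audit(priv, named_uid, gids).items()}

    out = {}
    os.chmod(priv, 0o700)              # the poster's drwx------
    out["private_0700"] = oks(stranger)
    os.chmod(priv, 0o755)              # Steve's drwxr-xr-x: every local user may
    out["private_0755_not_in_group"] = oks(stranger)  # list it, named gains nothing
    os.chmod(priv, 0o750)              # group search only, named in the group
    out["private_0750_in_group"] = oks(member)
    os.chmod(link, 0o660)              # mode change shows up on the other name
    out["hardlink_shares_mode"] = same_inode(orig, link) and \
        stat.S_IMODE(os.stat(orig).st_mode) == 0o660
    return out


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(scenario, result)
```

The 0755 case is the one worth noticing: world search on private is not what lets named in (dns/ at 0770 and the 0640 files still refuse it), it only lets every local account enumerate the directory. Granting the named user (via group or ACL) search on private plus the per-entry rights keeps the rest of private closed, and because the dns/ entries share inodes with sam.ldb.d, write access handed out there is write access to the domain database itself.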
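Günter suggests dumping every zone (forward and reverse) with dig AXFR to see what the DLZ backend serves. The script below is an added example, not code from Samba, BIND or anyone in the thread: it parses the text dig prints for one zone, checks that the transfer is framed by the zone's SOA with the same serial at both ends (a refused or truncated transfer is not), and summarises the records by type and owner name so the dumps can be compared across restarts. The two transcripts are constructed, not captured from a real domain controller. One caveat the thread does not mention: BIND honours allow-transfer in named.conf and, unless it is restricted, will hand the whole AD zone (every host and SRV record) to any client that can reach port 53, so run the same command from an untrusted address to confirm it is refused there.

```python
"""Parse and sanity-check `dig [@server] AXFR zone` output.

Added example, not Samba or BIND code. Samples are constructed.
"""
import re
from collections import Counter

# Constructed sample in dig's AXFR output format (not real data).
SAMPLE_OK = """\
; <<>> DiG 9.9.4 <<>> @192.168.0.10 AXFR example.com
;; global options: +cmd
example.com.\t\t3600\tIN\tSOA\tdc1.example.com. hostmaster.example.com. 15 900 600 86400 3600
example.com.\t\t600\tIN\tNS\tdc1.example.com.
example.com.\t\t600\tIN\tA\t192.168.0.10
_ldap._tcp.example.com.\t600\tIN\tSRV\t0 100 389 dc1.example.com.
dc1.example.com.\t900\tIN\tA\t192.168.0.10
example.com.\t\t3600\tIN\tSOA\tdc1.example.com. hostmaster.example.com. 15 900 600 86400 3600
;; Query time: 1 msec
;; SERVER: 192.168.0.10#53(192.168.0.10)
;; XFR size: 6 records (messages 1, bytes 241)
"""

# Constructed: what dig prints when the server refuses the transfer
# (allow-transfer) or when the Samba internal DNS server is asked.
SAMPLE_REFUSED = """\
; <<>> DiG 9.9.4 <<>> @192.168.0.10 AXFR example.com
;; global options: +cmd
; Transfer failed.
"""


def parse_axfr(text):
    """Resource records from dig AXFR output, in wire order, as
    (name, ttl, class, type, rdata) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # header, comments, statistics trailer
        name, ttl, cls, rtype, rdata = line.split(None, 4)
        records.append((name, int(ttl), cls, rtype, rdata))
    return records


def soa_serial(rdata):
    """Serial is the third SOA rdata field: mname rname serial refresh ..."""
    return int(rdata.split()[2])


def transfer_complete(records):
    """(complete, serial): an AXFR is framed by the zone SOA at both ends
    with one serial; anything else is refused, truncated or mid-change."""
    if len(records) < 2 or records[0][3] != "SOA" or records[-1][3] != "SOA":
        return (False, None)
    first, last = soa_serial(records[0][4]), soa_serial(records[-1][4])
    return (first == last, first if first == last else None)


def declared_size(text):
    """Record count from dig's ';; XFR size:' trailer, or None."""
    m = re.search(r";; XFR size: (\d+) records", text)
    return int(m.group(1)) if m else None


def summarize(text):
    """One dig AXFR transcript reduced to a small, comparable report."""
    records = parse_axfr(text)
    complete, serial = transfer_complete(records)
    return {
        "complete": complete,
        "serial": serial,
        "count": len(records),
        "count_matches_trailer": declared_size(text) == len(records),
        "by_type": dict(Counter(r[3] for r in records)),
        "names": sorted({r[0] for r in records}),
    }


if __name__ == "__main__":
    for label, text in (("ok", SAMPLE_OK), ("refused", SAMPLE_REFUSED)):
        print(label, summarize(text))
```

Feed it the saved output of one dig run per zone (the forward zone, _msdcs, and each in-addr.arpa zone) and keep the reports; a serial that moves without a corresponding AD change, or a name that appears in one dump and not the next, is the kind of thing this makes visible.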
More information about the samba mailing list