[Samba] Samba 4 AD with Bind 9.9 dlz permission access to /var/lib/samba/private/

Chan Min Wai dcmwai at gmail.com
Sun Dec 29 02:31:12 MST 2013


Hum, just had a try with the chroot bind + dlz...

I've bound /var/lib/samba and some other directories into the chroot,
copied a few files over etc etc

but still the error message was
samba_dlz: Failed to connect to /var/lib/samba/private/dns/sam.ldb

Dec 29 17:29:04 localhost named[5292]: generating session key for dynamic DNS
Dec 29 17:29:04 localhost named[5292]: sizing zone task pool based on 9 zones
Dec 29 17:29:04 localhost named[5292]: Loading 'AD DNS Zone' using driver dlopen
Dec 29 17:29:04 localhost named[5292]: samba_dlz: Failed to connect to /var/lib/samba/private/dns/sam.ldb
Dec 29 17:29:04 localhost named[5292]: dlz_dlopen of 'AD DNS Zone' failed
Dec 29 17:29:04 localhost named[5292]: SDLZ driver failed to load.
Dec 29 17:29:04 localhost named[5292]: DLZ driver failed to load.
Dec 29 17:29:04 localhost named[5292]: loading configuration: failure
Dec 29 17:29:04 localhost named[5292]: exiting (due to fatal error)

too bad that I don't know what to look for anyway...


On Sat, Dec 28, 2013 at 7:08 AM, Günter Kukkukk <linux at kukkukk.com> wrote:

> Am 27.12.2013 20:37, schrieb Chan Min Wai:
> > Maybe I should try to run chroot bind with symlink from samba.
> >
> > But before that...
> > I'll need to get the chroot bind working in advance...
> >
> > BRB
> >
>
> By default opensuse also runs ISC bind inside a chroot jail.
> Some months ago I got it working, but at the end it was a whole mess.
> So I would recommend _not_ to run bind inside a chroot jail!
>
> These days there are better hardening tools like selinux and apparmor
> around - which do a similar/better job...
>
> Btw - when running bind with the samba DLZ driver, one can use the
> zone transfer cmd of dig to see all entries inside a specified zone
> in a format similar to the ASCII flat zone files:
>
>   dig AXFR your.dns.zone
>
> or by also specifying the dns server:
>
>   dig @your_dns_server AXFR your.dns.zone
>
> This cmd should be repeated for all stored zones, and also e.g. the
> reverse ones.
>
> Note that this zone transfer cmd does _not_ work when using the samba
> internal dns server! (not implemented)
>
> Cheers, Günter
>
> >
> > On Fri, Dec 27, 2013 at 9:44 PM, Rowland Penny
> > <rowlandpenny at googlemail.com> wrote:
> >
> >>  On 27/12/13 13:30, Ricky Nance wrote:
> >>
> >>
> >> On Dec 27, 2013 5:39 AM, "Rowland Penny" <rowlandpenny at googlemail.com>
> >> wrote:
> >>>
> >>> On 27/12/13 03:11, Chan Min Wai wrote:
> >>>>
> >>>> You cannot run bind in a chroot environment with samba4  and bind 9.9,
> >>>> No, it is written in the docs that it is not possible
> >>>> https://wiki.samba.org/index.php/Dns-backend_bind
> >>>>
> >>>> can you find the samba zone files ?
> >>>> Sorry I don't get you.
> >>>>
> >>>>
> >>>
> >>> What I was trying to point out is that you are worrying about nothing,
> >> if you use the bind9 dlz backend, you will not find the zone files
> >> anywhere on disk, they are created in memory every time bind is started.
> >>>
> >>> Rowland
> >>
> >> Correct me if I am wrong, but are you sure about that? What are the hard
> >> linked files under private/dns then? They are hard linked to
> >> private/sam.ldb.d IIRC.
> >>
> >> Ricky
> >>
> >>>>
> >>>> On Fri, Dec 27, 2013 at 3:51 AM, Rowland Penny <
> >> rowlandpenny at googlemail.com <mailto:rowlandpenny at googlemail.com>>
> wrote:
> >>>>
> >>>>     On 26/12/13 18:48, Chan Min Wai wrote:
> >>>>>
> >>>>>     Thanks for the info.
> >>>>>
> >>>>>     I think it would be a bigger problem..
> >>>>>     If bind is running in a chroot environment...
> >>>>
> >>>>     You cannot run bind in a chroot environment with samba4 and bind
> >>>>     9.9, can you find the samba zone files ?
> >>>>
> >>>>     Rowland
> >>>>
> >>>>
> >>>>>
> >>>>>     Provided that bind would have no access to any of the files under
> >>>>>     /var/lib/samba
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>>     On Fri, Dec 27, 2013 at 2:32 AM, Steve <steve at steve-ss.com
> >>>>>     <mailto:steve at steve-ss.com>> wrote:
> >>>>>
> >>>>>         I think there is confusion because bind doesn't run as root.
> >>>>>         The op has correctly identified the files and directories
> >>>>>         within private that bind needs access to.  It now only
> >>>>>         remains to allow the bind user into private. As the op has
> >>>>>         it, only root has access. My argument as to 0755 on private
> >>>>>         are based upon a default source build and make install. I
> >>>>>         notice that the op has a non default location and so may need
> >>>>>         other security measures as well. The fact remains that if
> >>>>>         you are using bind, then the user running it must have access
> >>>>>         to private.
> >>>>>         Sorry about the top post. Android limitations.
> >>>>>         Steve
> >>>>>
> >>>>>
> >>>>>         Rowland Penny <rowlandpenny at googlemail.com
> >>>>>         <mailto:rowlandpenny at googlemail.com>> wrote:
> >>>>>
> >>>>>         >On 26/12/13 15:43, Chan Min Wai wrote:
> >>>>>         >> Dear Steve,
> >>>>>         >>
> >>>>>         >> I think that is a bad idea as /var/lib/samba/private was
> >>>>>         >> supposed to hold something private for samba.
> >>>>>         >
> >>>>>         >Do you mean like the samba DNS zones and the keytab that is
> >>>>>         required to
> >>>>>         >alter it?
> >>>>>         >
> >>>>>         >> Like secret information security related LDAP/AD information
> >>>>>         >>
> >>>>>         >> Putting dns information doesn't seem to be a good idea.
> >>>>>         >> (unless the dns information is part of LDAP or AD)
> >>>>>         >
> >>>>>         >The samba dns zones are part of AD.
> >>>>>         >
> >>>>>         >>
> >>>>>         >> And I do believe that it should be placed in
> >>>>>         >> /var/lib/samba/bind or some other place which is private
> >>>>>         >> for both of them.
> >>>>>         >>
> >>>>>         >
> >>>>>         >Just where would you put private info like the samba DNS
> >>>>>         zones etc.?
> >>>>>         >
> >>>>>         >If you have any problems about where to store stuff, I
> >>>>>         suggest that you
> >>>>>         >take it up with the Samba devs.
> >>>>>         >
> >>>>>         >Rowland
> >>>>>         >
> >>>>>         >> On Wed, Dec 25, 2013 at 9:17 PM, steve <steve at steve-ss.com
> >>>>>         <mailto:steve at steve-ss.com>> wrote:
> >>>>>         >>
> >>>>>         >>> On Wed, 2013-12-25 at 03:43 +0800, Chan Min Wai wrote:
> >>>>>         >>>> Dear all,
> >>>>>         >>>>
> >>>>>         >>>> Would like to ask for input on the following.
> >>>>>         >>>> When using bind 9.9 with the dlz module,
> >>>>>         >>>> it seems that we would have a permission issue where
> >>>>>         >>>> named would need to have access to
> >>>>>         >>>>
> >>>>>         >>>> /var/lib/samba/private/ for a few files.
> >>>>>         >>>> To be more precise it would be
> >>>>>         >>>>
> >>>>>         >>>> /var/lib/samba/private/dns (whole folder)
> >>>>>         >>>> /var/lib/samba/private/named.conf
> >>>>>         >>>> /var/lib/samba/private/named.conf.update
> >>>>>         >>>> /var/lib/samba/private/dns.keytab
> >>>>>         >>>>
> >>>>>         >>>> However as I can see private was 400...
> >>>>>         >>>> drwx------+  7 root root    4096 Dec 25 03:34 private
> >>>>>         >>> That seems very restrictive. We have a default source build
> >>>>>         >>> at /usr/local/samba with:
> >>>>>         >>> drwxr-xr-x  7 root root 4096 Dec 13 13:31 private
> >>>>>         >>>
> >>>>>         >>> That lets everyone in, then named has further access as
> >>>>>         you state.
> >>>>>         >>> HTH
> >>>>>         >>> Steve
> >>>>>         >>>
> >>>>>         >>>
> >>>>>         >>>
> >>>>>         >
> >>>>>
> >>>>>
> >>>>
> >>>>
> >>>
> >>
> >> They are where Samba stores its domain info, they are not the dns zones
> >> (and incidentally, these should never be altered directly)
> >> If I restart bind9, I get this in syslog:
> >>
> >> samba_dlz: started for DN DC=example,DC=com
> >> samba_dlz: starting configure
> >> samba_dlz: configured writeable zone '0.168.192.in-addr.arpa'
> >> samba_dlz: configured writeable zone 'example.com'
> >> samba_dlz: configured writeable zone '_msdcs.example.com'
> >>
> >> The three zones never get written to disk (well I cannot find them)
> >>
> >> Rowland
> >>
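The thread turns on whether the account named runs as can get through a 0700 `private` directory to the four paths listed in the original question. The check below is an added example, not code from the thread or from Samba: it evaluates the classic owner/group/other bits along the whole path, the way the kernel does, so a closed parent directory shows up as the blocker even when the files inside look fine. The read/write split per path, the helper names and the default `/var/lib/samba` location are assumptions.

```python
import grp
import os
import pwd

# Files the thread lists as needed by named, with the access each needs
# (read/write split is an assumption: dynamic DNS updates are written to dns/).
REQUIRED = {
    "private/dns": os.R_OK | os.W_OK | os.X_OK,
    "private/named.conf": os.R_OK,
    "private/named.conf.update": os.R_OK,
    "private/dns.keytab": os.R_OK,
}

def principal_for(username):
    """uid and every gid (primary + supplementary) of a local account such as 'named'."""
    pw = pwd.getpwnam(username)
    return pw.pw_uid, {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if username in g.gr_mem}

def granted_bits(st, uid, gids):
    """Classic rwx bits the principal gets on st (same layout as os.R_OK/W_OK/X_OK).
    POSIX ACLs (the trailing '+' in 'drwx------+') are not consulted."""
    if uid == 0:
        return 7  # root bypasses discretionary mode checks
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7

def check_dlz_access(samba_dir, uid, gids):
    """List of problems, empty when named can reach everything.  Each directory on
    the way needs search (x), which is why a 0700 'private' blocks named outright."""
    problems = []
    for rel, need in REQUIRED.items():
        chain, cur = [samba_dir], samba_dir
        for part in rel.split("/"):
            cur = os.path.join(cur, part)
            chain.append(cur)
        for path in chain:
            try:
                st = os.stat(path)
            except FileNotFoundError:
                problems.append(f"{path}: missing")
                break
            want = need if path == chain[-1] else os.X_OK
            if want & ~granted_bits(st, uid, set(gids)):
                problems.append(f"{path}: mode {oct(st.st_mode & 0o777)} denies uid {uid}")
                break
    return problems
```

On a DC you would call `check_dlz_access("/var/lib/samba", *principal_for("named"))`; an empty list means the classic mode bits let named in, and each entry otherwise names the first path in the chain that stops it.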

