[Samba] Samba 4 AD with Bind 9.9 dlz permission access to /var/lib/samba/private/

Rowland Penny rowlandpenny at googlemail.com
Sun Dec 29 04:39:05 MST 2013


On 29/12/13 09:31, Chan Min Wai wrote:
> Hum, Just had a try with the chroot bind + dlz...
>
> I've bind the chroot /var/lib/samba, and some other directory
> copy a few files over etc etc
>
> but still the error message was
> samba_dlz: Failed to connect to /var/lib/samba/private/dns/sam.ldb
>
> Dec 29 17:29:04 localhost named[5292]: generating session key for dynamic DNS
> Dec 29 17:29:04 localhost named[5292]: sizing zone task pool based on 9 zones
> Dec 29 17:29:04 localhost named[5292]: Loading 'AD DNS Zone' using driver dlopen
> Dec 29 17:29:04 localhost named[5292]: samba_dlz: Failed to connect to /var/lib/samba/private/dns/sam.ldb
> Dec 29 17:29:04 localhost named[5292]: dlz_dlopen of 'AD DNS Zone' failed
> Dec 29 17:29:04 localhost named[5292]: SDLZ driver failed to load.
> Dec 29 17:29:04 localhost named[5292]: DLZ driver failed to load.
> Dec 29 17:29:04 localhost named[5292]: loading configuration: failure
> Dec 29 17:29:04 localhost named[5292]: exiting (due to fatal error)
>
> too bad that I don't know what to look for anyway...
>
>
> On Sat, Dec 28, 2013 at 7:08 AM, Günter Kukkukk <linux at kukkukk.com> wrote:
>
>> Am 27.12.2013 20:37, schrieb Chan Min Wai:
>>> Maybe I should try to run chroot bind with symlink from samba.
>>>
>>> But before that...
>>> I'll need to get the chroot bind working in advance...
>>>
>>> BRB
>>>
>> By default openSUSE also runs ISC bind inside a chroot jail.
>> Some months ago I got it working, but at the end it was a whole mess.
>> So I would recommend _not_ to run bind inside a chroot jail!
>>
>> These days there are better hardening tools like selinux and apparmor
>> around - which do a similar/better job...
>>
>> Btw - when running bind with the samba DLZ driver, one can use the
>> zone transfer cmd of dig to see all entries inside a specified zone
>> in a format similar to the ASCII flat zone files:
>>
>>    dig AXFR your.dns.zone
>>
>> or by also specifying the dns server:
>>
>>    dig @your_dns_server AXFR your.dns.zone
>>
>> This cmd should be repeated for all stored zones, and also e.g. the
>> reverse ones.
>>
>> Note that this zone transfer cmd does _not_ work when using the samba
>> internal
>> dns server! (not implemented)
>>
>> Cheers, Günter
>>
>>> On Fri, Dec 27, 2013 at 9:44 PM, Rowland Penny
>>> <rowlandpenny at googlemail.com>wrote:
>>>
>>>>   On 27/12/13 13:30, Ricky Nance wrote:
>>>>
>>>>
>>>> On Dec 27, 2013 5:39 AM, "Rowland Penny" <rowlandpenny at googlemail.com>
>>>> wrote:
>>>>> On 27/12/13 03:11, Chan Min Wai wrote:
>>>>>> You cannot run bind in a chroot environment with samba4  and bind 9.9,
>>>>>> No, it is written in the docs that it is not possible
>>>>>> https://wiki.samba.org/index.php/Dns-backend_bind
>>>>>>
>>>>>> can you find the samba zone files ?
>>>>>> Sorry I don't get you.
>>>>>>
>>>>>>
>>>>> What I was trying to point out is that you are worrying about nothing,
>>>> if you use the bind9 dlz backend, you will not find the zone files anywhere
>>>> on disk, they are created in memory every time bind is started.
>>>>> Rowland
>>>> Correct me if i am wrong, but are you sure about that? What are the hard
>>>> linked files under private/dns then? They are hard linked to
>>>> private/sam.ldb.d IIRC.
>>>>
>>>> Ricky
>>>>
>>>>   >
>>>>>> On Fri, Dec 27, 2013 at 3:51 AM, Rowland Penny <
>>>> rowlandpenny at googlemail.com <mailto:rowlandpenny at googlemail.com>>
>>>> wrote:
>>>>>>      On 26/12/13 18:48, Chan Min Wai wrote:
>>>>>>>      Thank for the info.
>>>>>>>
>>>>>>>      I think it would bigger problem..
>>>>>>>      If bind is running in a chroot environment...
>>>>>>      You cannot run bind in a chroot environment with samba4 and bind
>>>>>>      9.9, can you find the samba zone files ?
>>>>>>
>>>>>>      Rowland
>>>>>>
>>>>>>
>>>>>>>      Provided that bind would have no access to any of the files under
>>>>>>>      /var/lib/samba
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>      On Fri, Dec 27, 2013 at 2:32 AM, Steve <steve at steve-ss.com
>>>>>>>      <mailto:steve at steve-ss.com>> wrote:
>>>>>>>
>>>>>>>          I think there is confusion because bind doesn't run as root.
>>>>>>>          The op has correctly identified the files and directories
>>>>>>>          within private that bind needs access to.  It now only
>>>>>>>          remains to allow the bind user into private. As the op has
>>>>>>>          it, only root has access. My argument as to 0755 on private
>>>>>>>          are based upon a default source build and make install. I
>>>>>>>          notice that the op has a non default location and so may need
>>>>>>>          other security measures as well. The fact remains that if
>>>>>>>          you are using bind, then the user running it must have access
>>>>>>>          to private.
>>>>>>>          Sorry about the top post. Android limitations.
>>>>>>>          Steve
>>>>>>>
>>>>>>>
>>>>>>>          Rowland Penny <rowlandpenny at googlemail.com
>>>>>>>          <mailto:rowlandpenny at googlemail.com>> wrote:
>>>>>>>
>>>>>>>          >On 26/12/13 15:43, Chan Min Wai wrote:
>>>>>>>          >> Dear Steve,
>>>>>>>          >>
>>>>>>>          >> I think that is a bad idea as /var/lib/samba/private was
>>>>>>>          supposed to hold
>>>>>>>          >> something private for samba.
>>>>>>>          >
>>>>>>>          >Do you mean like the samba DNS zones and the keytab that is
>>>>>>>          required to
>>>>>>>          >alter it?
>>>>>>>          >
>>>>>>>          >> Like secret information security related LDAP/AD information
>>>>>>>          >>
>>>>>>>          >> Putting dns information doesn't seem to be a good idea.
>>>>>>>          >> (unless the dns information is part of LDAP or AD)
>>>>>>>          >
>>>>>>>          >The samba dns zones are part of AD.
>>>>>>>          >
>>>>>>>          >>
>>>>>>>          >> And I do believe that it should be placed in
>>>>>>>          >> /var/lib/samba/bind or some
>>>>>>>          >> other place which is private for both of them.
>>>>>>>          >>
>>>>>>>          >
>>>>>>>          >Just where would you put private info like the samba DNS
>>>>>>>          zones etc.?
>>>>>>>          >
>>>>>>>          >If you have any problems about where to store stuff, I
>>>>>>>          suggest that you
>>>>>>>          >take it up with the Samba devs.
>>>>>>>          >
>>>>>>>          >Rowland
>>>>>>>          >
>>>>>>>          >> On Wed, Dec 25, 2013 at 9:17 PM, steve <
>>>>>>>          steve at steve-ss.com
>>>>>>>          <mailto:steve at steve-ss.com>> wrote:
>>>>>>>          >>
>>>>>>>          >>> On Wed, 2013-12-25 at 03:43 +0800, Chan Min Wai wrote:
>>>>>>>          >>>> Dear all,
>>>>>>>          >>>>
>>>>>>>          >>>> Would like to ask for input on the following.
>>>>>>>          >>>> When using with bind 9.9 with dlz module.
>>>>>>>          >>>> It seems that we would have a permission issue where
>>>>>>>          names would need to
>>>>>>>          >>>> have access to
>>>>>>>          >>>>
>>>>>>>          >>>> /var/lib/samba/private/ for a few files.
>>>>>>>          >>>> to be more precise it would be
>>>>>>>          >>>>
>>>>>>>          >>>> /var/lib/samba/private/dns (whole folder)
>>>>>>>          >>>> /var/lib/samba/private/named.conf
>>>>>>>          >>>> /var/lib/samba/private/named.conf.update
>>>>>>>          >>>> /var/lib/samba/private/dns.keytab
>>>>>>>          >>>>
>>>>>>>          >>>> However as I can see private was 400...
>>>>>>>          >>>> drwx------+  7 root root    4096 Dec 25 03:34 private
>>>>>>>          >>> That seems very restrictive. We have a default source
>>>>>>>          >>> build at /usr/local/samba with:
>>>>>>>          >>> drwxr-xr-x  7 root root 4096 Dec 13 13:31 private
>>>>>>>          >>>
>>>>>>>          >>> That lets everyone in, then named has further access as
>>>>>>>          you state.
>>>>>>>          >>> HTH
>>>>>>>          >>> Steve
>>>>>>>          >>>
>>>>>>>          >>>
>>>>>>>          >>> --
>>>>>>>          >>> To unsubscribe from this list go to the following URL and
>>>>>>>          read the
>>>>>>>          >>> instructions: https://lists.samba.org/mailman/options/samba
>>>>>>>          >>>
>>>>>>>          >
>>>>>>>
>>>>>>>
>>>>>>
>>>> They are where Samba stores its domain info, they are not the dns zones
>>>> (and incidentally, these should never be altered directly)
>>>> If I restart bind9, I get this in syslog:
>>>>
>>>> samba_dlz: started for DN DC=example,DC=com
>>>> samba_dlz: starting configure
>>>> samba_dlz: configured writeable zone '0.168.192.in-addr.arpa'
>>>> samba_dlz: configured writeable zone 'example.com'
>>>> samba_dlz: configured writeable zone '_msdcs.example.com'
>>>>
>>>> The three zones never get written to disk (well I cannot find them)
>>>>
>>>> Rowland
>>>>
>>
Look at this webpage: https://wiki.samba.org/index.php/Dns-backend_bind

Down near the bottom of the page, you will find this heading:


  Known issues and ways to fix/workaround

There is a sub-heading:


    Chroot Bind

The very next line is this:

If you use Bind as Backend for your Samba AD, it must not run chroot, 
because it must be able to live access files and databases from your 
Samba installation.

Now do you understand that the problems you are having are 
self-inflicted, YOU MUST NOT RUN BIND IN A CHROOT.
You are trying to do something that will probably never work or if you 
do get it to work, it will be a mess and will probably break the chroot 
anyway, so what is the point?

Rowland
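As an added illustration of the permission question the thread argues over (this is not code from the thread, from Samba, or from anyone on the list), here is a small Python audit that reads plain mode bits from a private/ tree and reports three things: which of the paths named needs it cannot read, which other files named can read, and which files any local user can read. The four required paths are the ones the original post lists; the uid/gid numbers (root=0, named=25), the file names and the modes in the built-in scenarios are constructed. POSIX ACLs (the "+" in "drwx------+") are not examined, so on a real host confirm the result with getfacl.

```python
"""Mode-bit audit of a Samba private/ directory for the BIND9_DLZ case.

Added example: not code from the thread, from Samba, or from anyone on the
list.  Only owner/group/other bits are examined; POSIX ACLs (the '+' in
'drwx------+') are ignored, so confirm with getfacl on a real host.  The
required paths are the four the thread lists; the uids, gids, file names
and modes in the built-in scenarios are constructed."""
import os
import stat

# Paths relative to private/ that the thread says named must be able to read.
DLZ_REQUIRED = ("dns", "named.conf", "named.conf.update", "dns.keytab")

ROOT, NAMED = 0, 25                      # constructed uid/gid numbers
NOBODY = (65534, frozenset({65534}))     # principal matching no owner or group

# tree entry: (permission bits, uid, gid, is_dir); key "" is private/ itself


def allowed(entry, uid, gids, need):
    """Classic owner/group/other check of one entry for the bits in `need`."""
    mode, owner, group, _ = entry
    if uid == 0:
        return True
    shift = 6 if owner == uid else 3 if group in gids else 0
    have = (mode >> shift) & 0o7
    want = sum({"r": 4, "w": 2, "x": 1}[c] for c in need)
    return have & want == want


def reachable(tree, rel, uid, gids):
    """Can uid open tree[rel] for reading?  That takes 'x' on private/ and on
    every directory on the way, then 'r' on the target ('rx' for a directory)."""
    if rel not in tree or not allowed(tree[""], uid, gids, "x"):
        return False
    parts = rel.split("/")
    for i in range(1, len(parts)):
        parent = "/".join(parts[:i])
        if parent not in tree or not allowed(tree[parent], uid, gids, "x"):
            return False
    target = tree[rel]
    return allowed(target, uid, gids, "rx" if target[3] else "r")


def audit(tree, named_uid, named_gids):
    """missing: required files named cannot read; named_extra: files outside
    the required set named can read; world: files any local user can read."""
    res = {"missing": [], "named_extra": [], "world": []}
    res["missing"] += [p + " (absent)" for p in DLZ_REQUIRED if p not in tree]
    for rel, entry in sorted(tree.items()):
        if rel == "" or entry[3]:
            continue
        required = rel.split("/")[0] in DLZ_REQUIRED
        by_named = reachable(tree, rel, named_uid, named_gids)
        if required and not by_named:
            res["missing"].append(rel)
        if not required and by_named:
            res["named_extra"].append(rel)
        if not required and reachable(tree, rel, *NOBODY):
            res["world"].append(rel)
    return res


def tree_from_disk(private_dir):
    """Same structure read from a real directory with os.stat (mode bits only)."""
    tree = {}

    def add(full, is_dir):
        st = os.stat(full)
        rel = os.path.relpath(full, private_dir)
        tree["" if rel == "." else rel] = (stat.S_IMODE(st.st_mode),
                                          st.st_uid, st.st_gid, is_dir)

    add(private_dir, True)
    for dirpath, dirnames, filenames in os.walk(private_dir):
        for n in dirnames:
            add(os.path.join(dirpath, n), True)
        for n in filenames:
            add(os.path.join(dirpath, n), False)
    return tree


def constructed_private(private_mode, shared_gid, required_mode):
    """Toy private/ owned by root (constructed; modes illustrative).  The
    paths named needs carry `shared_gid`; secrets stay 0600 root:root."""
    D, F = True, False
    t = {"": (private_mode, ROOT, shared_gid, D),
         "dns": (private_mode, ROOT, shared_gid, D),
         "dns/sam.ldb": (required_mode, ROOT, shared_gid, F),
         "krb5.conf": (0o644, ROOT, ROOT, F)}
    for name in ("named.conf", "named.conf.update", "dns.keytab"):
        t[name] = (required_mode, ROOT, shared_gid, F)
    for name in ("secrets.ldb", "sam.ldb", "secrets.keytab"):
        t[name] = (0o600, ROOT, ROOT, F)
    return t


SCENARIOS = {
    "as_reported":  constructed_private(0o700, ROOT, 0o640),   # the OP's listing
    "world_open":   constructed_private(0o755, ROOT, 0o644),   # 0755 on private/
    "group_access": constructed_private(0o750, NAMED, 0o640),  # root:named, 0750
}

if __name__ == "__main__":
    import sys
    if len(sys.argv) >= 3:   # usage: audit.py /var/lib/samba/private <named uid> [gid ...]
        tree = tree_from_disk(sys.argv[1])
        print(audit(tree, int(sys.argv[2]), {int(g) for g in sys.argv[3:]}))
    else:
        for label, tree in SCENARIOS.items():
            print(label, audit(tree, NAMED, {NAMED}))
```

Run without arguments it walks the three constructed scenarios: with private/ at 0700 every required file is missing for named; with 0755 named gets in, but so does every other local user, for any file whose own mode allows it; with 0750 root:named the outside world is shut out while named still reads dns/, named.conf, named.conf.update and dns.keytab. The group_access scenario still reports krb5.conf under named_extra, which is the point worth noticing: the directory mode decides who may traverse, the file modes decide what they then read, and both need attention. Run with a path and the numeric uid/gid of named to check a real tree.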



