[Samba] Samba 4 AD with Bind 9.8 dlz ( with bind chroot )
L.P.H. van Belle
belle at bazuin.nl
Mon Dec 30 05:43:23 MST 2013
Side note:
Setting this up is really easy and no problem.
And yes, it's a bit dirty, it will always need extra work, and it's NOT advised.
What I did:
Step 1. https://wiki.debian.org/Bind9 , start from: Bind Chroot
Step 2. Create the needed directories in the chroot for samba and libs.
mkdir -p /var/bind9/chroot/{etc,dev,var/cache/bind,var/run/named}
mkdir -p /var/bind9/chroot/{var/lib/samba/private,usr/lib/x86_64-linux-gnu,lib/x86_64-linux-gnu}
Mount these dirs with mount --bind
(put them in /etc/fstab like this):
/var/lib/samba/private /var/bind9/chroot/var/lib/samba/private none rw,bind 0 0
/usr/lib/x86_64-linux-gnu /var/bind9/chroot/usr/lib/x86_64-linux-gnu none rw,bind 0 0
/lib/x86_64-linux-gnu /var/bind9/chroot/lib/x86_64-linux-gnu/ none rw,bind 0 0
Start bind and samba and it works.. (Don't forget to set the correct rights for bind in the private folder of samba.)
Yes, I know it's a quick and dirty setup...
If you don't want to use mount --bind, then you need to figure out all the files samba will need and copy them.
From my logs:
starting BIND 9.8.4-rpz2+rl005.12-P1 -u bind -t /var/bind9/chroot
Loading 'AD DNS Zone' using driver dlopen
and
cat /var/log/samba/log.samba
[2013/12/30 13:18:57.364349, 0] ../source4/smbd/server.c:370(binary_smbd_main)
samba version 4.1.3-SerNet-Debian-7.wheezy started.
Good luck, it's not that hard, but NOT recommended, but it works..
Louis
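The setup Louis describes above, as an added example (this is not code from the post or from the Samba or Debian projects): a small POSIX shell script that creates the chroot skeleton, prints the matching /etc/fstab bind-mount lines, and checks that the files the samba_dlz driver opens (the ones named in this thread: the dns/ directory with dns/sam.ldb, dns.keytab, named.conf and named.conf.update) are reachable inside the chroot. The default paths are the Debian/x86_64 ones from the post and are overridable through CHROOT, SAMBA_PRIVATE and LIBDIRS; the "bind" user name in the readability check is an assumption taken from the `-u bind` in the log line.

```shell
#!/bin/sh
# Added example, not code from the post above: build the chroot skeleton the
# post describes, emit the matching /etc/fstab bind-mount lines, and check
# that the samba_dlz paths named in this thread are reachable inside the
# chroot. Paths default to the ones in the post (Debian, x86_64); override
# CHROOT / SAMBA_PRIVATE / LIBDIRS for other layouts. Mounting itself must be
# done as root; the path check needs no privileges.

CHROOT="${CHROOT:-/var/bind9/chroot}"
SAMBA_PRIVATE="${SAMBA_PRIVATE:-/var/lib/samba/private}"
LIBDIRS="${LIBDIRS:-/usr/lib/x86_64-linux-gnu /lib/x86_64-linux-gnu}"

# Files the DLZ driver opens, as reported in this thread (relative to the
# samba private directory).
DLZ_FILES="dns dns/sam.ldb dns.keytab named.conf named.conf.update"

# One fstab line per host directory that is bind-mounted under the chroot,
# in the format used in the post.
fstab_lines() {
    for d in "$SAMBA_PRIVATE" $LIBDIRS; do
        printf '%s %s%s none rw,bind 0 0\n' "$d" "$CHROOT" "$d"
    done
}

# Base directories bind needs in the jail plus a mount point per bind mount.
make_skeleton() {
    mkdir -p "$CHROOT/etc" "$CHROOT/dev" "$CHROOT/var/cache/bind" "$CHROOT/var/run/named"
    for d in "$SAMBA_PRIVATE" $LIBDIRS; do
        mkdir -p "$CHROOT$d"
    done
}

# Prints every DLZ path missing under the chroot; returns 1 if any is missing.
# Before the bind mounts are active this fails, which is exactly the state in
# which named logs "samba_dlz: Failed to connect to .../dns/sam.ldb".
check_dlz_paths() {
    missing=0
    for f in $DLZ_FILES; do
        p="$CHROOT$SAMBA_PRIVATE/$f"
        if [ ! -e "$p" ]; then
            echo "missing in chroot: $p"
            missing=1
        fi
    done
    return $missing
}

# Checks that each DLZ path is readable by the user bind runs as (assumed
# "bind"). Needs root because it switches user; this is the "set the correct
# rights for bind in the private folder" step from the post, verified.
check_dlz_readable_as() {
    user="${1:-bind}"
    for f in $DLZ_FILES; do
        su -s /bin/sh "$user" -c "test -r '$CHROOT$SAMBA_PRIVATE/$f'" || {
            echo "not readable by $user: $CHROOT$SAMBA_PRIVATE/$f"
            return 1
        }
    done
}
```

Typical use as root: source the script, run `make_skeleton`, append the output of `fstab_lines` to /etc/fstab and `mount -a`, then run `check_dlz_paths` and `check_dlz_readable_as bind` before starting named with `-t "$CHROOT"`. Keep in mind that a bind mount of the whole private directory exposes everything in it (sam.ldb, secrets.ldb, keytabs) to whatever else can read inside the jail, so the permissions check is the important part, not the mount.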
>-----Original message-----
>From: rowlandpenny at googlemail.com
>[mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny
>Sent: Sunday, 29 December 2013 12:39
>To: Chan Min Wai; Günter Kukkukk
>CC: samba at lists.samba.org
>Subject: Re: [Samba] Samba 4 AD with Bind 9.9 dlz permission
>access to /var/lib/samba/private/
>
>On 29/12/13 09:31, Chan Min Wai wrote:
>> Hmm, just had a try with the chroot bind + dlz...
>>
>> I've bind-mounted /var/lib/samba and some other directories into the chroot,
>> copied a few files over, etc. etc.
>>
>> but still the error message was
>> samba_dlz: Failed to connect to /var/lib/samba/private/dns/sam.ldb
>>
>> Dec 29 17:29:04 localhost named[5292]: generating session key for dynamic DNS
>> Dec 29 17:29:04 localhost named[5292]: sizing zone task pool based on 9 zones
>> Dec 29 17:29:04 localhost named[5292]: Loading 'AD DNS Zone' using driver dlopen
>> Dec 29 17:29:04 localhost named[5292]: samba_dlz: Failed to connect to /var/lib/samba/private/dns/sam.ldb
>> Dec 29 17:29:04 localhost named[5292]: dlz_dlopen of 'AD DNS Zone' failed
>> Dec 29 17:29:04 localhost named[5292]: SDLZ driver failed to load.
>> Dec 29 17:29:04 localhost named[5292]: DLZ driver failed to load.
>> Dec 29 17:29:04 localhost named[5292]: loading configuration: failure
>> Dec 29 17:29:04 localhost named[5292]: exiting (due to fatal error)
>>
>> too bad that I don't know what to look for anyway...
>>
>>
>> On Sat, Dec 28, 2013 at 7:08 AM, Günter Kukkukk <linux at kukkukk.com> wrote:
>>
>>> On 27.12.2013 20:37, Chan Min Wai wrote:
>>>> Maybe I should try to run chroot bind with symlink from samba.
>>>>
>>>> But before that...
>>>> I'll need to get the chroot bind working in advance...
>>>>
>>>> BRB
>>>>
>>> By default opensuse also runs ISC bind inside a chroot jail.
>>> Some months ago I got it working, but at the end it was a whole mess.
>>> So I would recommend _not_ to run bind inside a chroot jail!
>>>
>>> These days there are better hardening tools like selinux and apparmor
>>> around - which do a similar/better job...
>>>
>>> Btw - when running bind with the samba DLZ driver, one can use the
>>> zone transfer cmd of dig to see all entries inside a specified zone
>>> in a format similar to the ASCII flat zone files:
>>>
>>> dig AXFR your.dns.zone
>>>
>>> or by also specifying the dns server:
>>>
>>> dig @your_dns_server AXFR your.dns.zone
>>>
>>> This cmd should be repeated for all stored zones, and also e.g. the
>>> reverse ones.
>>>
>>> Note that this zone transfer cmd does _not_ work when using the samba
>>> internal dns server! (not implemented)
>>>
>>> Cheers, Günter
>>>
>>>> On Fri, Dec 27, 2013 at 9:44 PM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>>>
>>>>> On 27/12/13 13:30, Ricky Nance wrote:
>>>>>
>>>>>
>>>>> On Dec 27, 2013 5:39 AM, "Rowland Penny" <rowlandpenny at googlemail.com> wrote:
>>>>>> On 27/12/13 03:11, Chan Min Wai wrote:
>>>>>>> You cannot run bind in a chroot environment with samba4 and bind 9.9,
>>>>>>> No, it is written in the docs that it is not possible
>>>>>>> https://wiki.samba.org/index.php/Dns-backend_bind
>>>>>>>
>>>>>>> can you find the samba zone files ?
>>>>>>> Sorry I don't get you.
>>>>>>>
>>>>>>>
>>>>>> What I was trying to point out is that you are worrying about nothing,
>>>>>> if you use the bind9 dlz backend, you will not find the zone files
>>>>>> anywhere on disk, they are created in memory every time bind is started.
>>>>>> Rowland
>>>>> Correct me if I am wrong, but are you sure about that? What are the hard
>>>>> linked files under private/dns then? They are hard linked to
>>>>> private/sam.ldb.d IIRC.
>>>>>
>>>>> Ricky
>>>>>
>>>>> >
>>>>>>> On Fri, Dec 27, 2013 at 3:51 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>>>>>> On 26/12/13 18:48, Chan Min Wai wrote:
>>>>>>>> Thank for the info.
>>>>>>>>
>>>>>>>> I think it would be a bigger problem..
>>>>>>>> If bind is running in a chroot environment...
>>>>>>> You cannot run bind in a chroot environment with samba4 and bind
>>>>>>> 9.9, can you find the samba zone files ?
>>>>>>>
>>>>>>> Rowland
>>>>>>>
>>>>>>>
>>>>>>>> Provided that bind would have no access to any of the files under
>>>>>>>> /var/lib/samba
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On Fri, Dec 27, 2013 at 2:32 AM, Steve <steve at steve-ss.com> wrote:
>>>>>>>>
>>>>>>>> I think there is confusion because bind doesn't run as root.
>>>>>>>> The op has correctly identified the files and directories
>>>>>>>> within private that bind needs access to. It now only
>>>>>>>> remains to allow the bind user into private. As the op has
>>>>>>>> it, only root has access. My argument as to 0755 on private
>>>>>>>> is based upon a default source build and make install. I
>>>>>>>> notice that the op has a non-default location and so may need
>>>>>>>> other security measures as well. The fact remains that if
>>>>>>>> you are using bind, then the user running it must have access
>>>>>>>> to private.
>>>>>>>> Sorry about the top post. Android limitations.
>>>>>>>> Steve
>>>>>>>>
>>>>>>>>
>>>>>>>> Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>>>>>>>
>>>>>>>> >On 26/12/13 15:43, Chan Min Wai wrote:
>>>>>>>> >> Dear Steve,
>>>>>>>> >>
>>>>>>>> >> I think that is a bad idea as /var/lib/samba/private was
>>>>>>>> >> supposed to hold something private for samba.
>>>>>>>> >
>>>>>>>> >Do you mean like the samba DNS zones and the keytab that is
>>>>>>>> >required to alter it?
>>>>>>>> >
>>>>>>>> >> Like secret information, security related LDAP/AD information
>>>>>>>> >>
>>>>>>>> >> Putting dns information there doesn't seem to be a good idea.
>>>>>>>> >> (unless the dns information is part of LDAP or AD)
>>>>>>>> >
>>>>>>>> >The samba dns zones are part of AD.
>>>>>>>> >
>>>>>>>> >>
>>>>>>>> >> And I do believe that it should be placed in /var/lib/samba/bind or some
>>>>>>>> >> other place which is private for both of them.
>>>>>>>> >>
>>>>>>>> >
>>>>>>>> >Just where would you put private info like the samba DNS zones etc.?
>>>>>>>> >
>>>>>>>> >If you have any problems about where to store stuff, I suggest that you
>>>>>>>> >take it up with the Samba devs.
>>>>>>>> >
>>>>>>>> >Rowland
>>>>>>>> >
>>>>>>>> >> On Wed, Dec 25, 2013 at 9:17 PM, steve <steve at steve-ss.com> wrote:
>>>>>>>> >>
>>>>>>>> >>> On Wed, 2013-12-25 at 03:43 +0800, Chan Min Wai wrote:
>>>>>>>> >>>> Dear all,
>>>>>>>> >>>>
>>>>>>>> >>>> Would like to ask for input on the following.
>>>>>>>> >>>> When using with bind 9.9 with dlz module.
>>>>>>>> >>>> It seems that we would have a permission issue where named would need to
>>>>>>>> >>>> have access to
>>>>>>>> >>>>
>>>>>>>> >>>> /var/lib/samba/private/ for a few files.
>>>>>>>> >>>> to be more precise it would be
>>>>>>>> >>>>
>>>>>>>> >>>> /var/lib/samba/private/dns (whole folder)
>>>>>>>> >>>> /var/lib/samba/private/named.conf
>>>>>>>> >>>> /var/lib/samba/private/named.conf.update
>>>>>>>> >>>> /var/lib/samba/private/dns.keytab
>>>>>>>> >>>>
>>>>>>>> >>>> However as I can see private was 400...
>>>>>>>> >>>> drwx------+ 7 root root 4096 Dec 25 03:34 private
>>>>>>>> >>> That seems very restrictive. We have a default source build
>>>>>>>> >>> at /usr/local/samba with:
>>>>>>>> >>> drwxr-xr-x 7 root root 4096 Dec 13 13:31 private
>>>>>>>> >>>
>>>>>>>> >>> That lets everyone in, then named has further access as you state.
>>>>>>>> >>> HTH
>>>>>>>> >>> Steve
>>>>>>>> >>>
>>>>>>>> >>>
>>>>>>>> >
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>> They are where Samba stores its domain info, they are not the dns zones
>>>>> (and incidentally, these should never be altered directly)
>>>>> If I restart bind9, I get this in syslog:
>>>>>
>>>>> samba_dlz: started for DN DC=example,DC=com
>>>>> samba_dlz: starting configure
>>>>> samba_dlz: configured writeable zone '0.168.192.in-addr.arpa'
>>>>> samba_dlz: configured writeable zone 'example.com'
>>>>> samba_dlz: configured writeable zone '_msdcs.example.com'
>>>>>
>>>>> The three zones never get written to disk (well I cannot find them)
>>>>>
>>>>> Rowland
>>>>>
>>>
>>> --
>>>
>>>
>Look at this webpage: https://wiki.samba.org/index.php/Dns-backend_bind
>
>Down near the bottom of the page, you will find this heading:
>
>
> Known issues and ways to fix/workaround
>
>There is a sub-heading:
>
>
> Chroot Bind
>
>The very next line is this:
>
>If you use Bind as Backend for your Samba AD, it must not run chroot,
>because it must be able to live access files and databases from your
>Samba installation.
>
>Now do you understand that the problems you are having are
>self-inflicted, YOU MUST NOT RUN BIND IN A CHROOT.
>You are trying to do something that will probably never work or if you
>do get it to work, it will be a mess and will probably break the chroot
>anyway, so what is the point?
>
>Rowland
>
>
>