[Samba] Samba 4 AD with Bind 9.8 dlz ( with bind chroot )

L.P.H. van Belle belle at bazuin.nl
Mon Dec 30 05:43:23 MST 2013


Side note.

Setting this up is really easy and no problem.
And yes, it's a bit dirty and it will always need extra work, and it's NOT advised.

What I did.
step 1. https://wiki.debian.org/Bind9 start from: Bind Chroot
step 2. create the needed directories in the chroot for samba and libs.
mkdir -p /var/bind9/chroot/{etc,dev,var/cache/bind,var/run/named}
mkdir -p /var/bind9/chroot/{var/lib/samba/private,usr/lib/x86_64-linux-gnu,lib/x86_64-linux-gnu}

Mount these dirs with mount --bind (put them in /etc/fstab like this):

/var/lib/samba/private 		/var/bind9/chroot/var/lib/samba/private  none rw,bind 0 0
/usr/lib/x86_64-linux-gnu     /var/bind9/chroot/usr/lib/x86_64-linux-gnu  none rw,bind 0 0
/lib/x86_64-linux-gnu         /var/bind9/chroot/lib/x86_64-linux-gnu/  none rw,bind 0 0

Start bind and samba and it works. (Don't forget to set the correct rights for bind in the private folder of samba.)
Yes, I know it's a quick and dirty setup...
If you don't want to use the mount --bind, then you need to figure out all the files samba will need and copy them.

From my logs:
starting BIND 9.8.4-rpz2+rl005.12-P1 -u bind -t /var/bind9/chroot
Loading 'AD DNS Zone' using driver dlopen

and
cat /var/log/samba/log.samba
[2013/12/30 13:18:57.364349,  0] ../source4/smbd/server.c:370(binary_smbd_main)
  samba version 4.1.3-SerNet-Debian-7.wheezy started.

Good luck, it's not that hard, but NOT recommended, but it works.

Louis




>-----Original message-----
>From: rowlandpenny at googlemail.com
>[mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny
>Sent: Sunday 29 December 2013 12:39
>To: Chan Min Wai; Günter Kukkukk
>CC: samba at lists.samba.org
>Subject: Re: [Samba] Samba 4 AD with Bind 9.9 dlz permission
>access to /var/lib/samba/private/
>
>On 29/12/13 09:31, Chan Min Wai wrote:
>> Hum, Just had a try with the chroot bind + dlz...
>>
>> I've bind the chroot /var/lib/samba, and some other directory
>> copy a few files over etc etc
>>
>> but still the error message was
>> samba_dlz: Failed to connect to /var/lib/samba/private/dns/sam.ldb
>>
>> Dec 29 17:29:04 localhost named[5292]: generating session key for dynamic DNS
>> Dec 29 17:29:04 localhost named[5292]: sizing zone task pool based on 9 zones
>> Dec 29 17:29:04 localhost named[5292]: Loading 'AD DNS Zone' using driver dlopen
>> Dec 29 17:29:04 localhost named[5292]: samba_dlz: Failed to connect to /var/lib/samba/private/dns/sam.ldb
>> Dec 29 17:29:04 localhost named[5292]: dlz_dlopen of 'AD DNS Zone' failed
>> Dec 29 17:29:04 localhost named[5292]: SDLZ driver failed to load.
>> Dec 29 17:29:04 localhost named[5292]: DLZ driver failed to load.
>> Dec 29 17:29:04 localhost named[5292]: loading configuration: failure
>> Dec 29 17:29:04 localhost named[5292]: exiting (due to fatal error)
>>
>> too bad that I don't know what to look for anyway...
>>
>>
>> On Sat, Dec 28, 2013 at 7:08 AM, Günter Kukkukk <linux at kukkukk.com> wrote:
>>
>>> On 27.12.2013 20:37, Chan Min Wai wrote:
>>>> Maybe I should try to run chroot bind with symlink from samba.
>>>>
>>>> But before that...
>>>> I'll need to get the chroot bind working in advance...
>>>>
>>>> BRB
>>>>
>>> By default opensuse also runs ISC bind inside a chroot jail.
>>> Some months ago I got it working, but at the end it was a whole mess.
>>> So I would recommend _not_ to run bind inside a chroot jail!
>>>
>>> These days there are better hardening tools like selinux and apparmor
>>> around - which do a similar/better job...
>>>
>>> Btw - when running bind with the samba DLZ driver, one can use the
>>> zone transfer cmd of dig to see all entries inside a specified zone
>>> in a format similar to the ASCII flat zone files:
>>>
>>>    dig AXFR your.dns.zone
>>>
>>> or by also specifying the dns server:
>>>
>>>    dig @your_dns_server AXFR your.dns.zone
>>>
>>> This cmd should be repeated for all stored zones, and also e.g. the
>>> reverse ones.
>>>
>>> Note that this zone transfer cmd does _not_ work when using the samba
>>> internal dns server! (not implemented)
>>>
>>> Cheers, Günter
>>>
>>>> On Fri, Dec 27, 2013 at 9:44 PM, Rowland Penny
>>>> <rowlandpenny at googlemail.com> wrote:
>>>>
>>>>>   On 27/12/13 13:30, Ricky Nance wrote:
>>>>>
>>>>>
>>>>> On Dec 27, 2013 5:39 AM, "Rowland Penny" <rowlandpenny at googlemail.com>
>>>>> wrote:
>>>>>> On 27/12/13 03:11, Chan Min Wai wrote:
>>>>>>> You cannot run bind in a chroot environment with samba4 and bind 9.9,
>>>>>>> No, it is written in the docs that it is not possible
>>>>>>> https://wiki.samba.org/index.php/Dns-backend_bind
>>>>>>>
>>>>>>> can you find the samba zone files ?
>>>>>>> Sorry I don't get you.
>>>>>>>
>>>>>>>
>>>>>> What I was trying to point out is that you are worrying about nothing,
>>>>>> if you use the bind9 dlz backend, you will not find the zone files
>>>>>> anywhere on disk, they are created in memory every time bind is started.
>>>>>> Rowland
>>>>> Correct me if I am wrong, but are you sure about that? What are the hard
>>>>> linked files under private/dns then? They are hard linked to
>>>>> private/sam.ldb.d IIRC.
>>>>>
>>>>> Ricky
>>>>>
>>>>>>> On Fri, Dec 27, 2013 at 3:51 AM, Rowland Penny
>>>>>>> <rowlandpenny at googlemail.com> wrote:
>>>>>>>      On 26/12/13 18:48, Chan Min Wai wrote:
>>>>>>>>      Thank for the info.
>>>>>>>>
>>>>>>>>      I think it would bigger problem..
>>>>>>>>      If bind is running in a chroot environment...
>>>>>>>      You cannot run bind in a chroot environment with samba4 and bind
>>>>>>>      9.9, can you find the samba zone files ?
>>>>>>>
>>>>>>>      Rowland
>>>>>>>
>>>>>>>
>>>>>>>>      Provided that bind would have no access to any of the files under
>>>>>>>>      /var/lib/samba
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>      On Fri, Dec 27, 2013 at 2:32 AM, Steve <steve at steve-ss.com
>>>>>>>>      <mailto:steve at steve-ss.com>> wrote:
>>>>>>>>
>>>>>>>>          I think there is confusion because bind doesn't run as root.
>>>>>>>>          The op has correctly identified the files and directories
>>>>>>>>          within private that bind needs access to.  It now only
>>>>>>>>          remains to allow the bind user into private. As the op has
>>>>>>>>          it, only root has access. My argument as to 0755 on private
>>>>>>>>          are based upon a default source build and make install. I
>>>>>>>>          notice that the op has a non default location and so may need
>>>>>>>>          other security measures as well. The fact remains that if
>>>>>>>>          you are using bind, then the user running it must have access
>>>>>>>>          to private.
>>>>>>>>          Sorry about the top post. Android limitations.
>>>>>>>>          Steve
>>>>>>>>
>>>>>>>>
>>>>>>>>          Rowland Penny <rowlandpenny at googlemail.com
>>>>>>>>          <mailto:rowlandpenny at googlemail.com>> wrote:
>>>>>>>>
>>>>>>>>          >On 26/12/13 15:43, Chan Min Wai wrote:
>>>>>>>>          >> Dear Steve,
>>>>>>>>          >>
>>>>>>>>          >> I think that is bad idea as /var/lib/samba/private was
>>>>>>>>          >> supposed to hold something private for samba.
>>>>>>>>          >
>>>>>>>>          >Do you mean like the samba DNS zones and the keytab that is
>>>>>>>>          >required to alter it?
>>>>>>>>          >
>>>>>>>>          >> Like secret information security related LDAP/AD
>>>>>>>>          >> information
>>>>>>>>          >>
>>>>>>>>          >> Putting dns information doesn't seem to be a good idea.
>>>>>>>>          >> (unless the dns information are part of LDAP or AD)
>>>>>>>>          >
>>>>>>>>          >The samba dns zones are part of AD.
>>>>>>>>          >
>>>>>>>>          >>
>>>>>>>>          >> And I do believe that it should be placed in
>>>>>>>>          >> /var/lib/samba/bind or some
>>>>>>>>          >> other place which is private for both of them.
>>>>>>>>          >>
>>>>>>>>          >
>>>>>>>>          >Just where would you put private info like the samba DNS
>>>>>>>>          >zones etc.?
>>>>>>>>          >
>>>>>>>>          >If you have any problems about where to store stuff, I
>>>>>>>>          >suggest that you take it up with the Samba devs.
>>>>>>>>          >
>>>>>>>>          >Rowland
>>>>>>>>          >
>>>>>>>>          >> On Wed, Dec 25, 2013 at 9:17 PM, steve <steve at steve-ss.com
>>>>>>>>          <mailto:steve at steve-ss.com>> wrote:
>>>>>>>>          >>
>>>>>>>>          >>> On Wed, 2013-12-25 at 03:43 +0800, Chan Min Wai wrote:
>>>>>>>>          >>>> Dear all,
>>>>>>>>          >>>>
>>>>>>>>          >>>> Would like to ask for input on the following.
>>>>>>>>          >>>> When using with bind 9.9 with dlz module.
>>>>>>>>          >>>> It seems that we would have a permission issue where
>>>>>>>>          >>>> named would need to have access to
>>>>>>>>          >>>>
>>>>>>>>          >>>> /var/lib/samba/private/ for a few files.
>>>>>>>>          >>>> to be more precise it would be
>>>>>>>>          >>>>
>>>>>>>>          >>>> /var/lib/samba/private/dns (whole folder)
>>>>>>>>          >>>> /var/lib/samba/private/named.conf
>>>>>>>>          >>>> /var/lib/samba/private/named.conf.update
>>>>>>>>          >>>> /var/lib/samba/private/dns.keytab
>>>>>>>>          >>>>
>>>>>>>>          >>>> However as I can see private was 400...
>>>>>>>>          >>>> drwx------+  7 root root    4096 Dec 25 03:34 private
>>>>>>>>          >>> That seems very restrictive. We have a default source
>>>>>>>>          >>> build at /usr/local/samba with:
>>>>>>>>          >>> drwxr-xr-x  7 root root 4096 Dec 13 13:31 private
>>>>>>>>          >>>
>>>>>>>>          >>> That lets everyone in, then named has further access as
>>>>>>>>          >>> you state.
>>>>>>>>          >>> HTH
>>>>>>>>          >>> Steve
>>>>>>>>          >>>
>>>>>>>>          >>>
>>>>>>>>          >>> --
>>>>>>>>          >>> To unsubscribe from this list go to the following URL and
>>>>>>>>          >>> read the instructions:
>>>>>>>>          >>> https://lists.samba.org/mailman/options/samba
>>>>>>>>          >>>
>>>>>>>>          >
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>> They are where Samba stores its domain info, they are not the dns zones
>>>>> (and incidentally, these should never be altered directly)
>>>>> If I restart bind9, I get this in syslog:
>>>>>
>>>>> samba_dlz: started for DN DC=example,DC=com
>>>>> samba_dlz: starting configure
>>>>> samba_dlz: configured writeable zone '0.168.192.in-addr.arpa'
>>>>> samba_dlz: configured writeable zone 'example.com'
>>>>> samba_dlz: configured writeable zone '_msdcs.example.com'
>>>>>
>>>>> The three zones never get written to disk (well I cannot find them)
>>>>>
>>>>> Rowland
>>>>>
>>>
>>> --
>>>
>>>
>Look at this webpage: https://wiki.samba.org/index.php/Dns-backend_bind
>
>Down near the bottom of the page, you will find this heading:
>
>
>  Known issues and ways to fix/workaround
>
>There is a sub-heading:
>
>
>    Chroot Bind
>
>The very next line is this:
>
>If you use Bind as Backend for your Samba AD, it must not run chroot, 
>because it must be able to live access files and databases from your 
>Samba installation.
>
>Now do you understand that the problems you are having are
>self-inflicted, YOU MUST NOT RUN BIND IN A CHROOT.
>You are trying to do something that will probably never work or if you
>do get it to work, it will be a mess and will probably break the chroot
>anyway, so what is the point?
>
>Rowland
>
>
>
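A preflight check for the chroot layout Louis describes at the top of the post (this is an added example, not code from the post or from Samba/BIND): it verifies, as the unprivileged named user, that everything samba_dlz opens is present inside the chroot and readable, so the "Failed to connect to .../private/dns/sam.ldb" failure from the thread is caught before named is started. The chroot path /var/bind9/chroot, the bind-mounted /var/lib/samba/private and the user name "bind" are assumptions taken from the post; the file list is the one Chan Min Wai posted.

```shell
#!/bin/sh
# Preflight check for a chrooted BIND using the Samba DLZ driver.
# Added example, not from the list post; paths follow the post's layout
# (/var/bind9/chroot with /var/lib/samba/private bind-mounted inside it)
# and the 'bind' user name is an assumption.

# as_user USER 'command': run the command as USER when we are root and the
# user exists, otherwise as the current user (so root's all-access does not
# hide a permission gap when a real check is possible).
as_user() {
    if [ "$(id -u)" -eq 0 ] && id "$1" >/dev/null 2>&1; then
        su -s /bin/sh "$1" -c "$2"
    else
        sh -c "$2"
    fi
}

# check_dlz_chroot CHROOT [BIND_USER]
# Returns 0 when everything samba_dlz opens is present inside CHROOT and
# accessible to BIND_USER; otherwise prints each problem and returns 1.
check_dlz_chroot() {
    root="$1"; user="${2:-bind}"; rc=0
    private="$root/var/lib/samba/private"
    # Files named needs, as listed in the thread (dns/ holds sam.ldb).
    for p in "$private/dns" "$private/dns/sam.ldb" "$private/named.conf" \
             "$private/named.conf.update" "$private/dns.keytab"; do
        if [ ! -e "$p" ]; then
            echo "missing: $p"; rc=1
        elif ! as_user "$user" "test -r '$p'"; then
            echo "not readable by $user: $p"; rc=1
        fi
    done
    # Dynamic DNS updates write to sam.ldb, so the dns directory must be writable.
    if [ -d "$private/dns" ] && ! as_user "$user" "test -w '$private/dns'"; then
        echo "not writable by $user: $private/dns"; rc=1
    fi
    # An empty directory silently "works" until named opens the database:
    # warn when the fstab bind mount is not actually mounted.
    if ! grep -qs " $private " /proc/mounts; then
        echo "warning: $private is not a mount point; is the bind mount active?"
    fi
    return $rc
}

# Usage on the DC (as root): sh check_dlz_chroot.sh /var/bind9/chroot bind
if [ $# -gt 0 ]; then
    check_dlz_chroot "$@"
fi
```

Run it as root so the readability tests are really performed as the bind user; as a non-root user it can only confirm that the files exist and are reachable by you.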