[Samba] Samba 4 DC and member server, rfc3207, winbind, printing, asynchronous I/O - Problems and Fixes

Andrew Bartlett abartlet at samba.org
Tue Nov 19 00:01:17 MST 2013

On Tue, 2013-11-19 at 14:53 +0800, Kinglok, Fong wrote:
> Dear all,
> After 4 days of sleepless nights, I have managed to rebuild the samba farm.  I believe the following discovery might interest our samba community.

> Now, there is no other bug but do a dirty fix:
> chmod 755 /usr/local/samba/private/sam.ldb.d

NEVER. EVER do this.

Quick, dirty or otherwise, NEVER do this.  You have totally compromised
the security of the whole domain, because all the private (secret) keys
are not accessible to any user or process on that host.

Indeed, as this has now been suggested publicly, I may have to add code
to Samba to refuse to start up in this situation.

I realise you are in a bind, but all I can suggest is that you follow
the Samba Team's recommendation to use a member server for file and
print server tasks, not to combine these with the DC, until we can get
to the bottom of this particular issue.

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
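A permission audit for the Samba private directory, added here as an example (it is neither Samba code nor part of the thread): it lists every file or directory under the given path that grants any access to group or others, which is exactly what the `chmod 755` on `sam.ldb.d` quoted above does. It assumes GNU find (for `-perm /mode`) and takes the directory to check as its first argument; the default path in the comments comes from the post.

```shell
#!/bin/sh
# Audit a Samba DC private directory (e.g. /usr/local/samba/private, the
# path used in the post) for entries that grant group or other access.
# Secret-bearing files such as sam.ldb.d/*.ldb must be reachable only by
# root, so the directory should be 700 and its files 600.

# Print "ls -ld" lines for every file or directory under $1 whose mode has
# ANY group/other bit set. GNU find's "-perm /077" matches if any of the
# listed bits is set (assumed available).
find_exposed() {
    find "$1" \( -type f -o -type d \) -perm /077 -exec ls -ld {} \;
}

# Return 0 when nothing under $1 is accessible to group or others,
# 1 when at least one exposed entry exists, 2 when $1 is not a directory.
check_private_dir() {
    dir="$1"
    if [ ! -d "$dir" ]; then
        echo "check_private_dir: $dir is not a directory" >&2
        return 2
    fi
    exposed=$(find_exposed "$dir")
    if [ -n "$exposed" ]; then
        printf 'Exposed entries under %s:\n%s\n' "$dir" "$exposed" >&2
        return 1
    fi
    return 0
}

# When run directly with a path, audit it and exit non-zero on exposure,
# e.g.: sh audit_private.sh /usr/local/samba/private
if [ "$#" -gt 0 ]; then
    check_private_dir "$1"
fi
```

Run it from cron or a configuration check after any manual permission change on the DC; a non-zero exit is the signal to investigate.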
