[Samba] bind - samba_dlz - insufficient access rights

Brady, Mike mike.brady at devnull.net.nz
Thu Sep 10 21:21:49 UTC 2015


On 2015-09-11 08:39, Robert Moskowitz wrote:
> On 09/10/2015 04:30 PM, Reindl Harald wrote:
>> 
>> Am 10.09.2015 um 22:25 schrieb Robert Moskowitz:
>>> Rebuilt my server to test that I 'knew' how to build it, and to do it on
>>> the net where it will run.  Took some effort to get permissions to
>>> /var/lib/samba/private/dns/sam.ldb right, and I probably overkilled. But
>>> got past that to see:
>>> 
>>> Sep 10 16:21:14 homebase.home.htt named[2698]: samba_dlz: ldb: module
>>> descriptor initialization failed : insufficient access rights
>>> Sep 10 16:21:14 homebase.home.htt named[2698]: samba_dlz: ldb: module
>>> objectclass initialization failed : insufficient access rights
>>> Sep 10 16:21:14 homebase.home.htt named[2698]: samba_dlz: ldb: module
>>> asq initialization failed : insufficient access rights
>>> Sep 10 16:21:14 homebase.home.htt named[2698]: samba_dlz: ldb: module
>>> server_sort initialization failed : insufficient access rights
>>> Sep 10 16:21:14 homebase.home.htt named[2698]: samba_dlz: ldb: module
>>> paged_results initialization failed : insufficient access rights
>>> Sep 10 16:21:14 homebase.home.htt named[2698]: samba_dlz: ldb: module
>>> dirsync initialization failed : insufficient access rights
>>> Sep 10 16:21:14 homebase.home.htt named[2698]: samba_dlz: ldb: module
>>> schema_load initialization failed : insufficient access rights
>>> Sep 10 16:21:14 homebase.home.htt systemd[1]: named.service: control
>>> process exited, code=exited status=1
>>> Sep 10 16:21:14 homebase.home.htt systemd[1]: Failed to start Berkeley
>>> Internet Name Domain (DNS).
>>> 
>>> so now what am I missing?
>> 
>> *what are* the permissions
>> "ls -lha -R" may help..........
> 
> But to what directory/file?
> 
> 
> I am guessing:
> 
> ls -lha -R /var/lib/samba/private/dns
> /var/lib/samba/private/dns:
> total 2.9M
> drwxr-x--- 3 root named 4.0K Sep 10 13:27 .
> drwxr-x--- 7 root named 4.0K Sep 10 16:36 ..
> -rw-rw---- 1 root named 2.9M Sep 10 13:27 sam.ldb
> drwxr-xr-x 2 root named 4.0K Sep 10 13:27 sam.ldb.d
> 
> /var/lib/samba/private/dns/sam.ldb.d:
> total 27M
> drwxr-xr-x 2 root named 4.0K Sep 10 13:27 .
> drwxr-x--- 3 root named 4.0K Sep 10 13:27 ..
> -rw------- 1 root named 8.2M Sep 10 13:27 CN=CONFIGURATION,DC=HOME,DC=HTT.ldb
> -rw------- 1 root named 8.9M Sep 10 13:27 CN=SCHEMA,CN=CONFIGURATION,DC=HOME,DC=HTT.ldb
> -rw------- 2 root named 4.1M Sep 10 13:27 DC=DOMAINDNSZONES,DC=HOME,DC=HTT.ldb
> -rw------- 2 root named 4.1M Sep 10 13:27 DC=FORESTDNSZONES,DC=HOME,DC=HTT.ldb
> -rw-r--r-- 1 root named 1.3M Sep 10 13:27 DC=HOME,DC=HTT.ldb
> -rw-r----- 2 root named 412K Sep 10 15:10 metadata.tdb
> 
>> some sane software refuses to run with *too wide* open permissions as 
>> well fails with too tight ones
> 
> Yes.  I would not be surprised that I was hitting on the wrong
> permissions problem all along and opened up something best left
> closed.  I wonder what is missing in the script/instructions in sernet
> and classicupgrade that resulted in permissions problems to begin
> with.

On CentOS 7 using the SerNet packages the named user does not have 
access to /var/lib/samba/private.  I have been correcting this with the 
following on my domain controllers.  All the other ownership/permissions 
were correct.

setfacl -m u:named:rx /var/lib/samba/private
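
An added example, not part of the thread: a small Python check that reads `ls -l` lines such as the listing quoted above and reports which entries the mode bits deny to a given user, setting aside entries that carry an ACL (the `+` marker that a `setfacl` change like the one above produces). It assumes the `named` user's only relevant group is `named`; the `audit` function and the final `private` line are constructed for illustration.

```python
import re

# Entries copied from the `ls -lha -R` output quoted in the thread (mail line
# wraps re-joined). The last line is constructed to show the ACL marker case.
LISTING = """\
drwxr-x--- 3 root named 4.0K Sep 10 13:27 .
-rw-rw---- 1 root named 2.9M Sep 10 13:27 sam.ldb
drwxr-xr-x 2 root named 4.0K Sep 10 13:27 sam.ldb.d
-rw------- 2 root named 4.1M Sep 10 13:27 DC=DOMAINDNSZONES,DC=HOME,DC=HTT.ldb
-rw-r--r-- 1 root named 1.3M Sep 10 13:27 DC=HOME,DC=HTT.ldb
-rw-r----- 2 root named 412K Sep 10 15:10 metadata.tdb
drwxr-x---+ 7 root root 4.0K Sep 10 16:36 private
"""

# type, 9 permission chars, optional ACL/SELinux marker, links, owner, group,
# size, month, day, time, name
LINE = re.compile(r"^([-dl])([rwxsStT-]{9})([.+]?)\s+\d+\s+(\S+)\s+(\S+)"
                  r"\s+\S+\s+\S+\s+\d+\s+\S+\s+(.+)$")

def audit(listing, user, groups, file_need="r"):
    """Return (denied, acl) name lists for `user` based on ls -l mode bits."""
    denied, acl = [], []
    for line in listing.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # "total" lines, directory headers, blanks
        ftype, perms, flag, owner, group, name = m.groups()
        if flag == "+":
            acl.append(name)  # mode bits are not the whole story: use getfacl
            continue
        # The kernel applies exactly one class: owner, else group, else other.
        if user == owner:
            bits = perms[0:3]
        elif group in groups:
            bits = perms[3:6]
        else:
            bits = perms[6:9]
        bits = bits.replace("s", "x").replace("t", "x")  # lowercase s/t imply x
        need = "rx" if ftype == "d" else file_need
        if any(c not in bits for c in need):
            denied.append(name)
    return denied, acl

if __name__ == "__main__":
    denied, acl = audit(LISTING, "named", {"named"})
    print("denied by mode bits:", denied)
    print("has ACL, check with getfacl:", acl)
```

Pass `file_need="rw"` to also require write access on files.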
