[Samba] bind - samba_dlz - insufficient access rights
Robert Moskowitz
rgm at htt-consult.com
Thu Sep 10 21:24:58 UTC 2015
On 09/10/2015 05:21 PM, Brady, Mike wrote:
> On 2015-09-11 08:39, Robert Moskowitz wrote:
>> On 09/10/2015 04:30 PM, Reindl Harald wrote:
>>>
>>> On 10.09.2015 at 22:25, Robert Moskowitz wrote:
>>>> Rebuilt my server to test that I 'knew' how to build it, and to do it on
>>>> the net where it will run. Took some effort to get permissions to
>>>> /var/lib/samba/private/dns/sam.ldb right, and I probably overkilled. But
>>>> got past that to see:
>>>>
>>>> Sep 10 16:21:14 homebase.home.htt named[2698]: samba_dlz: ldb: module descriptor initialization failed : insufficient access rights
>>>> Sep 10 16:21:14 homebase.home.htt named[2698]: samba_dlz: ldb: module objectclass initialization failed : insufficient access rights
>>>> Sep 10 16:21:14 homebase.home.htt named[2698]: samba_dlz: ldb: module asq initialization failed : insufficient access rights
>>>> Sep 10 16:21:14 homebase.home.htt named[2698]: samba_dlz: ldb: module server_sort initialization failed : insufficient access rights
>>>> Sep 10 16:21:14 homebase.home.htt named[2698]: samba_dlz: ldb: module paged_results initialization failed : insufficient access rights
>>>> Sep 10 16:21:14 homebase.home.htt named[2698]: samba_dlz: ldb: module dirsync initialization failed : insufficient access rights
>>>> Sep 10 16:21:14 homebase.home.htt named[2698]: samba_dlz: ldb: module schema_load initialization failed : insufficient access rights
>>>> Sep 10 16:21:14 homebase.home.htt systemd[1]: named.service: control process exited, code=exited status=1
>>>> Sep 10 16:21:14 homebase.home.htt systemd[1]: Failed to start Berkeley Internet Name Domain (DNS).
>>>>
>>>> so now what am I missing?
>>>
>>> *what are* the permissions
>>> "ls -lha -R" may help..........
>>
>> But to what directory/file?
>>
>>
>> I am guessing:
>>
>> ls -lha -R /var/lib/samba/private/dns
>> /var/lib/samba/private/dns:
>> total 2.9M
>> drwxr-x--- 3 root named 4.0K Sep 10 13:27 .
>> drwxr-x--- 7 root named 4.0K Sep 10 16:36 ..
>> -rw-rw---- 1 root named 2.9M Sep 10 13:27 sam.ldb
>> drwxr-xr-x 2 root named 4.0K Sep 10 13:27 sam.ldb.d
>>
>> /var/lib/samba/private/dns/sam.ldb.d:
>> total 27M
>> drwxr-xr-x 2 root named 4.0K Sep 10 13:27 .
>> drwxr-x--- 3 root named 4.0K Sep 10 13:27 ..
>> -rw------- 1 root named 8.2M Sep 10 13:27 CN=CONFIGURATION,DC=HOME,DC=HTT.ldb
>> -rw------- 1 root named 8.9M Sep 10 13:27 CN=SCHEMA,CN=CONFIGURATION,DC=HOME,DC=HTT.ldb
>> -rw------- 2 root named 4.1M Sep 10 13:27 DC=DOMAINDNSZONES,DC=HOME,DC=HTT.ldb
>> -rw------- 2 root named 4.1M Sep 10 13:27 DC=FORESTDNSZONES,DC=HOME,DC=HTT.ldb
>> -rw-r--r-- 1 root named 1.3M Sep 10 13:27 DC=HOME,DC=HTT.ldb
>> -rw-r----- 2 root named 412K Sep 10 15:10 metadata.tdb
>>
>>> some sane software refuses to run with *too wide* open permissions
>>> as well fails with too tight ones
>>
>> Yes. I would not be surprised that I was hitting on the wrong
>> permissions problem all along and opened up something best left
>> closed. I wonder what is missing in the script/instructions in sernet
>> and classicupgrade that resulted in permissions problems to begin
>> with.
>
> On CentOS 7 using the Sernet packages the named user does not have
> access to /var/lib/samba/private. I have been correcting this with
> the following on my domain controllers. All the other
> ownership/permissions were correct.
>
> setfacl -m u:named:rx /var/lib/samba/private
>
>
Thanks. I just tried that and got the same errors trying to start named.
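
The listing quoted above can be checked mechanically. The following is an added example, not part of the original thread or of Samba: it reads the mode strings from that listing and reports which entries the classic permission bits leave short for a process running as user and group `named`. The required access (read/write on files, read/traverse on directories) and the function names are assumptions for illustration.

```python
# Added example: evaluate owner/group/other mode bits from `ls -l` rows.
# POSIX ACL entries (such as those added with setfacl) are not visible in
# these bits, so an ACL grant has to be checked separately with getfacl.

# Rows copied from the listing in the thread: (mode, owner, group, name).
LISTING = [
    ("drwxr-x---", "root", "named", "/var/lib/samba/private/dns"),
    ("-rw-rw----", "root", "named", "sam.ldb"),
    ("drwxr-xr-x", "root", "named", "sam.ldb.d"),
    ("-rw-------", "root", "named", "CN=CONFIGURATION,DC=HOME,DC=HTT.ldb"),
    ("-rw-------", "root", "named", "CN=SCHEMA,CN=CONFIGURATION,DC=HOME,DC=HTT.ldb"),
    ("-rw-------", "root", "named", "DC=DOMAINDNSZONES,DC=HOME,DC=HTT.ldb"),
    ("-rw-------", "root", "named", "DC=FORESTDNSZONES,DC=HOME,DC=HTT.ldb"),
    ("-rw-r--r--", "root", "named", "DC=HOME,DC=HTT.ldb"),
    ("-rw-r-----", "root", "named", "metadata.tdb"),
]

def effective_access(mode, owner, group, user, groups):
    """Return the set of 'r', 'w', 'x' granted to a non-root user.
    Exactly one triplet applies: owner, else group, else other."""
    if user == owner:
        triplet = mode[1:4]
    elif group in groups:
        triplet = mode[4:7]
    else:
        triplet = mode[7:10]
    granted = set()
    for flag, ch in zip("rwx", triplet):
        if ch == flag or ch in ("s", "t"):  # lowercase s/t: execute plus a special bit
            granted.add(flag)
    return granted

def audit(rows, user, groups, need_file=frozenset("rw"), need_dir=frozenset("rx")):
    """List (name, missing_bits) for entries that fall short of the assumed need."""
    findings = []
    for mode, owner, group, name in rows:
        need = need_dir if mode.startswith("d") else need_file
        missing = need - effective_access(mode, owner, group, user, groups)
        if missing:
            findings.append((name, "".join(sorted(missing))))
    return findings

if __name__ == "__main__":
    for name, missing in audit(LISTING, "named", {"named"}):
        print(f"named lacks {missing} on {name}")
```
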