[Samba] bind - samba_dlz - insufficient access rights

Brady, Mike mike.brady at devnull.net.nz
Thu Sep 10 22:12:32 UTC 2015


On 2015-09-11 09:24, Robert Moskowitz wrote:
> On 09/10/2015 05:21 PM, Brady, Mike wrote:
>> On 2015-09-11 08:39, Robert Moskowitz wrote:
>>> On 09/10/2015 04:30 PM, Reindl Harald wrote:
>>>> 
>>>> On 10.09.2015 at 22:25, Robert Moskowitz wrote:
>>>>> Rebuilt my server to test that I 'knew' how to build it, and to do it on
>>>>> the net where it will run.  Took some effort to get permissions to
>>>>> /var/lib/samba/private/dns/sam.ldb right, and I probably overkilled. But
>>>>> got past that to see:
>>>>> 
>>>>> Sep 10 16:21:14 homebase.home.htt named[2698]: samba_dlz: ldb: module descriptor initialization failed : insufficient access rights
>>>>> Sep 10 16:21:14 homebase.home.htt named[2698]: samba_dlz: ldb: module objectclass initialization failed : insufficient access rights
>>>>> Sep 10 16:21:14 homebase.home.htt named[2698]: samba_dlz: ldb: module asq initialization failed : insufficient access rights
>>>>> Sep 10 16:21:14 homebase.home.htt named[2698]: samba_dlz: ldb: module server_sort initialization failed : insufficient access rights
>>>>> Sep 10 16:21:14 homebase.home.htt named[2698]: samba_dlz: ldb: module paged_results initialization failed : insufficient access rights
>>>>> Sep 10 16:21:14 homebase.home.htt named[2698]: samba_dlz: ldb: module dirsync initialization failed : insufficient access rights
>>>>> Sep 10 16:21:14 homebase.home.htt named[2698]: samba_dlz: ldb: module schema_load initialization failed : insufficient access rights
>>>>> Sep 10 16:21:14 homebase.home.htt systemd[1]: named.service: control process exited, code=exited status=1
>>>>> Sep 10 16:21:14 homebase.home.htt systemd[1]: Failed to start Berkeley Internet Name Domain (DNS).
>>>>> 
>>>>> so now what am I missing?
>>>> 
>>>> *what are* the permissions
>>>> "ls -lha -R" may help..........
>>> 
>>> But to what directory/file?
>>> 
>>> 
>>> I am guessing:
>>> 
>>> ls -lha -R /var/lib/samba/private/dns
>>> /var/lib/samba/private/dns:
>>> total 2.9M
>>> drwxr-x--- 3 root named 4.0K Sep 10 13:27 .
>>> drwxr-x--- 7 root named 4.0K Sep 10 16:36 ..
>>> -rw-rw---- 1 root named 2.9M Sep 10 13:27 sam.ldb
>>> drwxr-xr-x 2 root named 4.0K Sep 10 13:27 sam.ldb.d
>>> 
>>> /var/lib/samba/private/dns/sam.ldb.d:
>>> total 27M
>>> drwxr-xr-x 2 root named 4.0K Sep 10 13:27 .
>>> drwxr-x--- 3 root named 4.0K Sep 10 13:27 ..
>>> -rw------- 1 root named 8.2M Sep 10 13:27 CN=CONFIGURATION,DC=HOME,DC=HTT.ldb
>>> -rw------- 1 root named 8.9M Sep 10 13:27 CN=SCHEMA,CN=CONFIGURATION,DC=HOME,DC=HTT.ldb
>>> -rw------- 2 root named 4.1M Sep 10 13:27 DC=DOMAINDNSZONES,DC=HOME,DC=HTT.ldb
>>> -rw------- 2 root named 4.1M Sep 10 13:27 DC=FORESTDNSZONES,DC=HOME,DC=HTT.ldb
>>> -rw-r--r-- 1 root named 1.3M Sep 10 13:27 DC=HOME,DC=HTT.ldb
>>> -rw-r----- 2 root named 412K Sep 10 15:10 metadata.tdb
>>> 
>>>> some sane software refuses to run with *too wide* open permissions
>>>> as well as failing with too tight ones
>>> 
>>> Yes.  I would not be surprised that I was hitting on the wrong
>>> permissions problem all along and opened up something best left
>>> closed.  I wonder what is missing in the script/instructions in sernet
>>> and classicupgrade that resulted in permissions problems to begin
>>> with.
>> 
>> On Centos 7 using the Sernet packages the named user does not have 
>> access to /var/lib/samba/private.  I have been correcting this with 
>> the following on my domain controllers.  All the other 
>> ownership/permissions were correct.
>> 
>> setfacl -m u:named:rx /var/lib/samba/private
>> 
>> 
> Thanks.  I just tried that and got the same errors trying to start 
> named.

Robert

That is the only file system permission issue that I have encountered.  
Those error messages may be the backend refusing named access to the AD 
LDAP though, rather than filesystem permissions.

Not sure what controls that.

Only thought I have is do you have the tkey-gssapi-keytab line in your 
named.conf and does the file specified have the necessary keys in it?

Mike
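The `ls -lha -R` listing quoted in the thread can be checked offline for what the named user can actually open, which is what the listing was posted to find out. This is an added example, not code from the thread or from Samba: it assumes named is a member of only the named group, and it models the classic owner/group/other mode bits only, so the setfacl ACL mentioned above is not represented.

```python
import re
from typing import List, Tuple

# Listing quoted in the thread, with names that were wrapped by the mailer re-joined.
LISTING = """\
/var/lib/samba/private/dns:
drwxr-x--- 3 root named 4.0K Sep 10 13:27 .
drwxr-x--- 7 root named 4.0K Sep 10 16:36 ..
-rw-rw---- 1 root named 2.9M Sep 10 13:27 sam.ldb
drwxr-xr-x 2 root named 4.0K Sep 10 13:27 sam.ldb.d

/var/lib/samba/private/dns/sam.ldb.d:
drwxr-xr-x 2 root named 4.0K Sep 10 13:27 .
drwxr-x--- 3 root named 4.0K Sep 10 13:27 ..
-rw------- 1 root named 8.2M Sep 10 13:27 CN=CONFIGURATION,DC=HOME,DC=HTT.ldb
-rw------- 1 root named 8.9M Sep 10 13:27 CN=SCHEMA,CN=CONFIGURATION,DC=HOME,DC=HTT.ldb
-rw------- 2 root named 4.1M Sep 10 13:27 DC=DOMAINDNSZONES,DC=HOME,DC=HTT.ldb
-rw------- 2 root named 4.1M Sep 10 13:27 DC=FORESTDNSZONES,DC=HOME,DC=HTT.ldb
-rw-r--r-- 1 root named 1.3M Sep 10 13:27 DC=HOME,DC=HTT.ldb
-rw-r----- 2 root named 412K Sep 10 15:10 metadata.tdb
"""
# ls -l layout: mode, link count, owner, group, size, month, day, time, name
LS_LINE = re.compile(r"^([-dl][rwxsStT-]{9})\s+\d+\s+(\S+)\s+(\S+)(?:\s+\S+){4}\s+(.+)$")

def effective_bits(mode: str, owner: str, group: str, user: str, groups: List[str]) -> str:
    """Triple the kernel applies to `user`: owner class if they own the entry,
    else group class if one of their groups matches, else other. s/S/t/T map to x/-."""
    bits = mode[1:4] if user == owner else mode[4:7] if group in groups else mode[7:10]
    return "".join(c if c in "rwx-" else ("x" if c.islower() else "-") for c in bits)

def missing_access(listing: str, user: str, groups: List[str], need: str = "r") -> List[Tuple[str, str]]:
    """(path, effective triple) for each entry lacking any bit in `need`; a directory
    additionally needs x to be traversed. Classic mode bits only: POSIX ACLs added with
    setfacl are not modelled, so compare against getfacl output where ACLs are in use."""
    cwd, problems = "", []
    for line in listing.splitlines():
        if line.startswith("/") and line.endswith(":"):
            cwd = line[:-1]           # "ls -R" directory header
            continue
        m = LS_LINE.match(line)
        if not m:
            continue                  # blank lines, "total N", anything else
        mode, owner, group, name = m.groups()
        bits = effective_bits(mode, owner, group, user, groups)
        required = need + ("x" if mode[0] == "d" else "")
        if any(b not in bits for b in required):
            problems.append((f"{cwd}/{name}", bits))
    return problems
```

Calling `missing_access(LISTING, "named", ["named"])` reports the entries the named user cannot read; pass `need="rw"` to see which it also cannot write.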


