[Samba] SOLVED Re: bind - samba_dlz - insufficient access rights

Robert Moskowitz rgm at htt-consult.com
Thu Sep 10 23:16:01 UTC 2015



On 09/10/2015 06:12 PM, Brady, Mike wrote:
> On 2015-09-11 09:24, Robert Moskowitz wrote:
>> On 09/10/2015 05:21 PM, Brady, Mike wrote:
>>> On 2015-09-11 08:39, Robert Moskowitz wrote:
>>>> On 09/10/2015 04:30 PM, Reindl Harald wrote:
>>>>>
>>>>> Am 10.09.2015 um 22:25 schrieb Robert Moskowitz:
>>>>>> Rebuilt my server to test that I 'knew' how to build it, and to do it on
>>>>>> the net where it will run.  Took some effort to get permissions to
>>>>>> /var/lib/samba/private/dns/sam.ldb right, and I probably overkilled. But
>>>>>> got past that to see:
>>>>>>
>>>>>> Sep 10 16:21:14 homebase.home.htt named[2698]: samba_dlz: ldb: module descriptor initialization failed : insufficient access rights
>>>>>> Sep 10 16:21:14 homebase.home.htt named[2698]: samba_dlz: ldb: module objectclass initialization failed : insufficient access rights
>>>>>> Sep 10 16:21:14 homebase.home.htt named[2698]: samba_dlz: ldb: module asq initialization failed : insufficient access rights
>>>>>> Sep 10 16:21:14 homebase.home.htt named[2698]: samba_dlz: ldb: module server_sort initialization failed : insufficient access rights
>>>>>> Sep 10 16:21:14 homebase.home.htt named[2698]: samba_dlz: ldb: module paged_results initialization failed : insufficient access rights
>>>>>> Sep 10 16:21:14 homebase.home.htt named[2698]: samba_dlz: ldb: module dirsync initialization failed : insufficient access rights
>>>>>> Sep 10 16:21:14 homebase.home.htt named[2698]: samba_dlz: ldb: module schema_load initialization failed : insufficient access rights
>>>>>> Sep 10 16:21:14 homebase.home.htt systemd[1]: named.service: control process exited, code=exited status=1
>>>>>> Sep 10 16:21:14 homebase.home.htt systemd[1]: Failed to start Berkeley Internet Name Domain (DNS).
>>>>>>
>>>>>> so now what am I missing?
>>>>>
>>>>> *what are* the permissions
>>>>> "ls -lha -R" may help..........
>>>>
>>>> But to what directory/file?
>>>>
>>>>
>>>> I am guessing:
>>>>
>>>> ls -lha -R /var/lib/samba/private/dns
>>>> /var/lib/samba/private/dns:
>>>> total 2.9M
>>>> drwxr-x--- 3 root named 4.0K Sep 10 13:27 .
>>>> drwxr-x--- 7 root named 4.0K Sep 10 16:36 ..
>>>> -rw-rw---- 1 root named 2.9M Sep 10 13:27 sam.ldb
>>>> drwxr-xr-x 2 root named 4.0K Sep 10 13:27 sam.ldb.d
>>>>
>>>> /var/lib/samba/private/dns/sam.ldb.d:
>>>> total 27M
>>>> drwxr-xr-x 2 root named 4.0K Sep 10 13:27 .
>>>> drwxr-x--- 3 root named 4.0K Sep 10 13:27 ..
>>>> -rw------- 1 root named 8.2M Sep 10 13:27 CN=CONFIGURATION,DC=HOME,DC=HTT.ldb
>>>> -rw------- 1 root named 8.9M Sep 10 13:27 CN=SCHEMA,CN=CONFIGURATION,DC=HOME,DC=HTT.ldb
>>>> -rw------- 2 root named 4.1M Sep 10 13:27 DC=DOMAINDNSZONES,DC=HOME,DC=HTT.ldb
>>>> -rw------- 2 root named 4.1M Sep 10 13:27 DC=FORESTDNSZONES,DC=HOME,DC=HTT.ldb
>>>> -rw-r--r-- 1 root named 1.3M Sep 10 13:27 DC=HOME,DC=HTT.ldb
>>>> -rw-r----- 2 root named 412K Sep 10 15:10 metadata.tdb
>>>>
>>>>> some sane software refuses to run with *too wide* open permissions
>>>>> as well as failing with too tight ones
>>>>
>>>> Yes.  I would not be surprised that I was hitting on the wrong
>>>> permissions problem all along and opened up something best left
>>>> closed.  I wonder what is missing in the script/instructions in sernet
>>>> and classicupgrade that resulted in permissions problems to begin
>>>> with.
>>>
>>> On Centos 7 using the Sernet packages the named user does not have 
>>> access to /var/lib/samba/private.  I have been correcting this with 
>>> the following on my domain controllers.  All the other 
>>> ownership/permissions were correct.
>>>
>>> setfacl -m u:named:rx /var/lib/samba/private
>>>
>>>
>> Thanks.  I just tried that and got the same errors trying to start 
>> named.
>
> Robert
>
> That is the only file system permission issue that I have 
> encountered.  Those error messages may be the backend refusing named 
> access to the AD LDAP though, rather than filesystem permissions.
>
> Not sure what controls that.

chmod 664 /var/lib/samba/private/dns/sam.ldb.d/*

did the trick.

Next time to figure out how little is really needed compared to all that 
I did.

I am going to first try your setfacl and my chmod.
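The thread converges on two separate filesystem requirements for BIND's samba_dlz backend: the named user must be able to traverse every directory above /var/lib/samba/private/dns (the setfacl -m u:named:rx fix for the Sernet packages), and the ldb/tdb files under that directory must be readable and writable by the named group (the chmod on sam.ldb.d/* that resolved the "insufficient access rights" errors). The following bash script is an added example, not code from the thread, from Samba or from Sernet; it checks both conditions for a given directory, group and user (defaulting to the thread's values) and prints one line per problem, with the setfacl fix suggested for untraversable ancestors. It assumes GNU or BSD find (symbolic -perm, -maxdepth) and, optionally, getfacl for the ACL check; ACL masks are not evaluated.

```shell
#!/usr/bin/env bash
# Added example, not from the thread or from Samba/Sernet: report the filesystem
# permissions that stop BIND's samba_dlz from opening Samba's DNS copy of sam.ldb.
# Assumes GNU or BSD find (symbolic -perm, -maxdepth) and, optionally, getfacl.
# The default path, group and user below are the ones used in the thread.

# ancestor_ok DIR GROUP USER
#   True when USER can traverse DIR: execute bit for "other", execute bit for the
#   owning group when that group is GROUP, or an explicit POSIX ACL entry for USER
#   carrying x (what "setfacl -m u:named:rx DIR" creates; the ACL mask is ignored).
ancestor_ok() {
    local d=$1 grp=$2 user=$3
    [ -n "$(find "$d" -maxdepth 0 \( -perm -o=x -o \( -group "$grp" -perm -g=x \) \) -print)" ] && return 0
    if command -v getfacl >/dev/null 2>&1; then
        getfacl -p "$d" 2>/dev/null | grep -q "^user:$user:..x" && return 0
    fi
    return 1
}

# dlz_perm_problems [DNS_DIR] [GROUP] [USER]
#   Prints one line per problem found and returns 0 only when there are none.
#   Checks the two things the thread converges on:
#     1. every directory above DNS_DIR is traversable by USER (the setfacl fix);
#     2. DNS_DIR and sam.ldb.d are group-rx, and the ldb/tdb files are group-rw,
#        with GROUP as the owning group (the chmod on sam.ldb.d/* fix).
dlz_perm_problems() {
    local dns_dir grp user out d
    dns_dir=$(cd "${1:-/var/lib/samba/private/dns}" && pwd -P) || return 2
    grp=${2:-named}
    user=${3:-named}
    out=$(
        d=$dns_dir
        while [ "$d" != "/" ]; do
            d=$(dirname "$d")
            ancestor_ok "$d" "$grp" "$user" ||
                echo "no traverse (x) for $user on $d  (fix: setfacl -m u:$user:rx '$d')"
        done
        find "$dns_dir" -type d \( ! -group "$grp" -o ! -perm -g=rx \) -print |
            sed "s|^|directory not $grp-group rx: |"
        find "$dns_dir" -type f \( ! -group "$grp" -o ! -perm -g=rw \) -print |
            sed "s|^|file not $grp-group rw: |"
    )
    [ -n "$out" ] && printf '%s\n' "$out"
    [ -z "$out" ]
}

# usage on a domain controller: dlz_perm_problems /var/lib/samba/private/dns named named
```

The check only demands group read/write on the files: the thread's chmod 664 also grants read to every local user, which mode 660 avoids while still satisfying named, since the files are owned by the named group. Run the script before and after each permission change to see exactly which of the two conditions was still unmet, rather than opening things up further than needed.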
