[Samba] samba Digest, Vol 172, Issue 2
Marc Muehlfeld
mmuehlfeld at samba.org
Sun Apr 2 15:13:17 UTC 2017
Hello Karl Heinz,
Am 02.04.2017 um 15:22 schrieb Karl Heinz Wichmann via samba:
> I change the right from 600 (root:root) to 660 (root:bind) and i get
> following errormessage.
>
> -rw-rw---- 1 root bind 4,1M Jul 8 2015 sam.ldb
Please revert these insecure permissions to the ones we set during the
provisioning.
Using these permissions, the BIND user account is enabled to read and
write to the whole AD database file. The sam.ldb must have 600
permissions and owned by root:root to be protected:
-rw------- root root /usr/local/samba/private/sam.ldb
sam.ldb is a virtual view to all AD partitions.
> drwxr-x--- 2 root bind 4,0K Mär 31 12:12 sam.ldb.d
The permissions on this directory is correct. However, please check the
permissions of the raw AD partition database files in it. If you changed
them, reset them to the secure permissions we set during the provisioning:
-rw------- root root CN=CONFIGURATION,DC=SAMDOM,DC=EXAMPLE,DC=COM.ldb
-rw------- root root
CN=SCHEMA,CN=CONFIGURATION,DC=SAMDOM,DC=EXAMPLE,DC=COM.ldb
-rw-rw---- root named DC=DOMAINDNSZONES,DC=SAMDOM,DC=EXAMPLE,DC=COM.ldb
-rw-rw---- root named DC=FORESTDNSZONES,DC=SAMDOM,DC=EXAMPLE,DC=COM.ldb
-rw------- root root DC=SAMDOM,DC=EXAMPLE,DC=COM.ldb
-rw-rw---- root named metadata.tdb
Some background information: The sam.ldb.d directory is required to
enable the third-party daemon BIND to access the AD DNS partitions,
without allowing access to any other partition.
The samb.ldb.d directory contains the raw AD partition databases, while
the sam.ldb file is a view to all of them.
That's why BIND needs write access to the two DNS partition databases
files (+ metadata.ldb) and must not have access to any other file in the
sam.ldb.d directory, nor to the sam.ldb file.
Regards,
Marc
More information about the samba
mailing list