[Samba] samba Digest, Vol 172, Issue 2

Marc Muehlfeld mmuehlfeld at samba.org
Sun Apr 2 15:13:17 UTC 2017


Hello Karl Heinz,

On 02.04.2017 at 15:22, Karl Heinz Wichmann via samba wrote:
> I changed the rights from 600 (root:root) to 660 (root:bind) and I get
> the following error message.
>
> -rw-rw---- 1 root bind 4,1M Jul  8  2015 sam.ldb

Please revert these insecure permissions to the ones we set during the 
provisioning.

Using these permissions, the BIND user account is enabled to read and 
write to the whole AD database file. The sam.ldb must have 600 
permissions and owned by root:root to be protected:

-rw------- root root /usr/local/samba/private/sam.ldb

sam.ldb is a virtual view to all AD partitions.



> drwxr-x--- 2 root bind 4,0K Mär 31 12:12 sam.ldb.d

The permissions on this directory are correct. However, please check the 
permissions of the raw AD partition database files in it. If you changed 
them, reset them to the secure permissions we set during the provisioning:

-rw------- root root CN=CONFIGURATION,DC=SAMDOM,DC=EXAMPLE,DC=COM.ldb
-rw------- root root CN=SCHEMA,CN=CONFIGURATION,DC=SAMDOM,DC=EXAMPLE,DC=COM.ldb
-rw-rw---- root named DC=DOMAINDNSZONES,DC=SAMDOM,DC=EXAMPLE,DC=COM.ldb
-rw-rw---- root named DC=FORESTDNSZONES,DC=SAMDOM,DC=EXAMPLE,DC=COM.ldb
-rw------- root root  DC=SAMDOM,DC=EXAMPLE,DC=COM.ldb
-rw-rw---- root named metadata.tdb



Some background information: The sam.ldb.d directory is required to 
enable the third-party daemon BIND to access the AD DNS partitions, 
without allowing access to any other partition.

The sam.ldb.d directory contains the raw AD partition databases, while 
the sam.ldb file is a view to all of them.

That's why BIND needs write access to the two DNS partition database 
files (+ metadata.tdb) and must not have access to any other file in the 
sam.ldb.d directory, nor to the sam.ldb file.



Regards,
Marc
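As an added example (not from Marc's reply or from Samba itself), a POSIX shell audit of the layout described above: it encodes the provisioned modes, owners and groups as a spec, checks a private directory against it, and flags exactly the 660 change from the question. It assumes GNU coreutils `stat` and takes the BIND group name as a parameter, since it is `bind` or `named` depending on the distribution; the demo tree at the end is constructed, not a real DC.

```shell
# Added example, not from the Samba post: audit the sam.ldb / sam.ldb.d
# permissions the reply lists. Assumes GNU coreutils `stat` (Linux); the group
# BIND runs as ("bind" or "named", distribution dependent) is a parameter.
samba_db_spec() {   # <owner> <owner-group> <bind-group>: "mode owner group path"
    cat <<EOF
600 $1 $2 sam.ldb
750 $1 $3 sam.ldb.d
600 $1 $2 sam.ldb.d/CN=CONFIGURATION,DC=SAMDOM,DC=EXAMPLE,DC=COM.ldb
600 $1 $2 sam.ldb.d/CN=SCHEMA,CN=CONFIGURATION,DC=SAMDOM,DC=EXAMPLE,DC=COM.ldb
660 $1 $3 sam.ldb.d/DC=DOMAINDNSZONES,DC=SAMDOM,DC=EXAMPLE,DC=COM.ldb
660 $1 $3 sam.ldb.d/DC=FORESTDNSZONES,DC=SAMDOM,DC=EXAMPLE,DC=COM.ldb
600 $1 $2 sam.ldb.d/DC=SAMDOM,DC=EXAMPLE,DC=COM.ldb
660 $1 $3 sam.ldb.d/metadata.tdb
EOF
}

# check_perms <private-dir> <spec>: prints one line per deviation and returns 0
# only if every entry exists with exactly the expected mode, owner and group.
check_perms() {
    bad=0
    while read -r mode owner group rel; do
        [ -n "$rel" ] || continue
        if [ ! -e "$1/$rel" ]; then echo "MISSING  $rel"; bad=1; continue; fi
        have=$(stat -c '%a %U %G' "$1/$rel")
        [ "$have" = "$mode $owner $group" ] && continue
        echo "MISMATCH $rel: have '$have', want '$mode $owner $group'"; bad=1
    done <<EOF
$2
EOF
    return $bad
}

# make_demo_tree <dir> <spec>: constructed stand-in for the private directory
# (empty files owned by the caller) so the check can be tried without a DC.
make_demo_tree() {
    while read -r mode owner group rel; do
        [ -n "$rel" ] || continue
        case "$rel" in *.d) mkdir -p "$1/$rel" ;; *) : > "$1/$rel" ;; esac
        chmod "$mode" "$1/$rel"
    done <<EOF
$2
EOF
}
# Demo: the provisioned layout passes; sam.ldb at 660 (the change in the question) fails.
demo=$(mktemp -d); own=$(stat -c %U "$demo"); grp=$(stat -c %G "$demo")
spec=$(samba_db_spec "$own" "$grp" "$grp")
make_demo_tree "$demo" "$spec" && check_perms "$demo" "$spec" && echo "OK: intact"
chmod 660 "$demo/sam.ldb"
check_perms "$demo" "$spec" || echo "FAIL: revert with chmod 600 $demo/sam.ldb"
rm -rf "$demo"
```

On a real DC, run it as `check_perms /usr/local/samba/private "$(samba_db_spec root root bind)"` (or `named`) from a root shell; it only reads metadata and never changes anything.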




