[Samba] samba Digest, Vol 172, Issue 2

L.P.H. van Belle belle at bazuin.nl
Sun Apr 2 15:27:50 UTC 2017


I suspect the AD right in the DNS is wrong.

Start the Windows DNS manager, go to the A (and PTR) record, open the properties, check the owner, set it to the computername$ and try again.

Greetz,
Louis

> On 2 Apr 2017 at 17:14, Marc Muehlfeld via samba <samba at lists.samba.org> wrote:
> 
> Hello Karl Heinz,
> 
>> On 02.04.2017 at 15:22, Karl Heinz Wichmann via samba wrote:
>> I changed the rights from 600 (root:root) to 660 (root:bind) and I get the
>> following error message.
>> 
>> -rw-rw---- 1 root bind 4,1M Jul  8  2015 sam.ldb
> 
> Please revert these insecure permissions to the ones we set during the 
> provisioning.
> 
> Using these permissions, the BIND user account is able to read and 
> write the whole AD database file. The sam.ldb must have 600 
> permissions and be owned by root:root to be protected:
> 
> -rw------- root root /usr/local/samba/private/sam.ldb
> 
> sam.ldb is a virtual view to all AD partitions.
> 
> 
> 
>> drwxr-x--- 2 root bind 4,0K Mär 31 12:12 sam.ldb.d
> 
> The permissions on this directory are correct. However, please check the 
> permissions of the raw AD partition database files in it. If you changed 
> them, reset them to the secure permissions we set during the provisioning:
> 
> -rw------- root root  CN=CONFIGURATION,DC=SAMDOM,DC=EXAMPLE,DC=COM.ldb
> -rw------- root root  CN=SCHEMA,CN=CONFIGURATION,DC=SAMDOM,DC=EXAMPLE,DC=COM.ldb
> -rw-rw---- root named DC=DOMAINDNSZONES,DC=SAMDOM,DC=EXAMPLE,DC=COM.ldb
> -rw-rw---- root named DC=FORESTDNSZONES,DC=SAMDOM,DC=EXAMPLE,DC=COM.ldb
> -rw------- root root  DC=SAMDOM,DC=EXAMPLE,DC=COM.ldb
> -rw-rw---- root named metadata.tdb
> 
> 
> 
> Some background information: The sam.ldb.d directory is required to 
> enable the third-party daemon BIND to access the AD DNS partitions, 
> without allowing access to any other partition.
> 
> The sam.ldb.d directory contains the raw AD partition databases, while 
> the sam.ldb file is a view to all of them.
> 
> That's why BIND needs write access to the two DNS partition database 
> files (+ metadata.ldb) and must not have access to any other file in the 
> sam.ldb.d directory, nor to the sam.ldb file.
> 
> 
> 
> Regards,
> Marc
> 
> 
> 
> 
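The layout Marc describes (sam.ldb and the non-DNS partitions root-only, the two DNS partitions plus metadata.tdb group-writable for BIND) can be audited with a short script. The following is an added example, not code from the thread or from Samba; it assumes GNU `stat -c`, and the private directory path and BIND group name are parameters (the listing above shows `named`, Debian-style hosts use `bind`).

```shell
#!/bin/sh
# Added example: audit the Samba private directory against the
# ownership/mode layout in Marc's listing. The directory path and the
# BIND group name are assumptions passed in by the caller.

# expected_for NAME BIND_GROUP -> prints "mode owner group"
# Only the two DNS partitions and metadata.tdb are group-writable for BIND;
# sam.ldb (the view over all partitions) and every other file are root-only.
expected_for() {
    case "$1" in
        DC=DOMAINDNSZONES,*.ldb|DC=FORESTDNSZONES,*.ldb|metadata.tdb)
            printf '660 root %s\n' "$2" ;;
        *)
            printf '600 root root\n' ;;
    esac
}

# check_entry NAME MODE OWNER GROUP BIND_GROUP
# Returns 0 when the observed triple matches the expected one; otherwise
# prints the deviation and returns 1.
check_entry() {
    want=$(expected_for "$1" "$5")
    have="$2 $3 $4"
    if [ "$have" = "$want" ]; then
        return 0
    fi
    printf 'DEVIATION %s: have "%s", want "%s"\n' "$1" "$have" "$want"
    return 1
}

# audit_private_dir PRIVATE_DIR BIND_GROUP
# Walks sam.ldb and every file in sam.ldb.d with GNU stat and reports each
# deviation; exit status is 1 if anything differs from the expected layout.
audit_private_dir() {
    dir=$1; grp=$2; rc=0
    for f in "$dir/sam.ldb" "$dir"/sam.ldb.d/*; do
        [ -f "$f" ] || continue
        set -- $(stat -c '%a %U %G' "$f")      # mode owner group
        check_entry "${f##*/}" "$1" "$2" "$3" "$grp" || rc=1
    done
    return $rc
}

# Usage on a DC (path taken from Marc's listing, group is an assumption):
#   audit_private_dir /usr/local/samba/private bind
```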