[Samba] samba Digest, Vol 172, Issue 2

Karl Heinz Wichmann wichmann-karl at web.de
Sun Apr 2 15:37:38 UTC 2017


Hello Marc

I changed the rights back to 600 and root:root on sam.ldb,

and I think the rights on the files in the sam.ldb.d directory are correct.


-rw------- 1 root root  16M Apr  2 17:29 CN=CONFIGURATION,DC=MY,DC=DOMAIN,DC=DE.ldb
-rw------- 1 root root  10M Apr  2 17:29 CN=SCHEMA,CN=CONFIGURATION,DC=MY,DC=DOMAIN,DC=DE.ldb
-rw-rw---- 2 root bind  26M Apr  2 17:28 DC=DOMAINDNSZONES,DC=MY,DC=DOMAIN,DC=DE.ldb
-rw-rw---- 2 root bind 4,1M Apr  2 17:28 DC=FORESTDNSZONES,DC=MY,DC=DOMAIN,DC=DE.ldb
-rw------- 1 root root  65M Apr  2 17:29 DC=MY,DC=DOMAIN,DC=DE.ldb
-rw-rw---- 2 root bind 412K Apr  2 14:46 metadata.tdb

Regards,
Karl Heinz



-- 

On 02.04.2017 at 17:13, Marc Muehlfeld wrote:
> Hello Karl Heinz,
>
> On 02.04.2017 at 15:22, Karl Heinz Wichmann via samba wrote:
>> I changed the rights from 600 (root:root) to 660 (root:bind) and I get
>> the following error message.
>>
>> -rw-rw---- 1 root bind 4,1M Jul  8  2015 sam.ldb
>
> Please revert these insecure permissions to the ones we set during the
> provisioning.
>
> Using these permissions, the BIND user account is enabled to read and
> write to the whole AD database file. The sam.ldb must have 600
> permissions and owned by root:root to be protected:
>
> -rw------- root root /usr/local/samba/private/sam.ldb
>
> sam.ldb is a virtual view to all AD partitions.
>
>
>
>> drwxr-x--- 2 root bind 4,0K Mär 31 12:12 sam.ldb.d
>
> The permissions on this directory are correct. However, please check the
> permissions of the raw AD partition database files in it. If you changed
> them, reset them to the secure permissions we set during the provisioning:
>
> -rw------- root root CN=CONFIGURATION,DC=SAMDOM,DC=EXAMPLE,DC=COM.ldb
> -rw------- root root CN=SCHEMA,CN=CONFIGURATION,DC=SAMDOM,DC=EXAMPLE,DC=COM.ldb
> -rw-rw---- root named DC=DOMAINDNSZONES,DC=SAMDOM,DC=EXAMPLE,DC=COM.ldb
> -rw-rw---- root named DC=FORESTDNSZONES,DC=SAMDOM,DC=EXAMPLE,DC=COM.ldb
> -rw------- root root  DC=SAMDOM,DC=EXAMPLE,DC=COM.ldb
> -rw-rw---- root named metadata.tdb
>
>
>
> Some background information: The sam.ldb.d directory is required to
> enable the third-party daemon BIND to access the AD DNS partitions,
> without allowing access to any other partition.
>
> The sam.ldb.d directory contains the raw AD partition databases, while
> the sam.ldb file is a view to all of them.
>
> That's why BIND needs write access to the two DNS partition database
> files (+ metadata.tdb) and must not have access to any other file in the
> sam.ldb.d directory, nor to the sam.ldb file.
>
>
>
> Regards,
> Marc
>
>
>
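An added check, not part of either message and not Samba's own tooling, that audits a DC's private directory against the permissions Marc lists above. It assumes GNU stat (Linux) and the sam.ldb plus sam.ldb.d layout; owner, owner group and BIND group are parameters because distributions name the BIND account differently (bind vs named).

```shell
#!/bin/sh
# Added example (not from the thread): audit a Samba AD DC private directory
# against the permissions set at provisioning. Assumes GNU stat and the
# layout <private>/sam.ldb plus <private>/sam.ldb.d/*.
# Usage: check_samba_private PRIVATE_DIR [OWNER] [OWNER_GROUP] [BIND_GROUP]
#        (defaults: root root bind; Marc's listing uses "named" as the group)
# Prints one line per deviation; returns 0 if everything matches, 1 otherwise.

# Expected "MODE OWNER GROUP" for a path, empty if the file is not covered.
expected_perm() {
    case "$(basename "$1")" in
        sam.ldb)   echo "600 $OWNER $OWNER_GROUP" ;;  # view over all partitions: root only
        sam.ldb.d) echo "750 $OWNER $BIND_GROUP" ;;   # BIND may traverse the directory
        DC=DOMAINDNSZONES,*.ldb|DC=FORESTDNSZONES,*.ldb|metadata.tdb)
                   echo "660 $OWNER $BIND_GROUP" ;;   # the only files BIND may write
        *.ldb)     echo "600 $OWNER $OWNER_GROUP" ;;  # every other AD partition
        *)         echo "" ;;
    esac
}

check_samba_private() {
    _dir=$1
    OWNER=${2:-root}; OWNER_GROUP=${3:-root}; BIND_GROUP=${4:-bind}
    _rc=0
    for _path in "$_dir/sam.ldb" "$_dir/sam.ldb.d" "$_dir"/sam.ldb.d/*; do
        [ -e "$_path" ] || continue
        _want=$(expected_perm "$_path")
        [ -n "$_want" ] || continue
        _have=$(stat -c '%a %U %G' "$_path")
        if [ "$_have" != "$_want" ]; then
            printf 'MISMATCH %s: have [%s] want [%s]\n' "$_path" "$_have" "$_want"
            _rc=1
        fi
    done
    return "$_rc"
}

# Run directly on a DC, e.g.: check_samba_private /usr/local/samba/private
if [ "$#" -gt 0 ]; then check_samba_private "$@"; fi
```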