[Samba] samba Digest, Vol 172, Issue 2
Rowland Penny
rpenny at samba.org
Sun Apr 2 15:52:23 UTC 2017
On Sun, 2 Apr 2017 17:13:17 +0200
Marc Muehlfeld via samba <samba at lists.samba.org> wrote:
> Hello Karl Heinz,
>
> On 02.04.2017 at 15:22, Karl Heinz Wichmann via samba wrote:
> > I changed the rights from 600 (root:root) to 660 (root:bind) and I get
> > the following error message.
> >
> > -rw-rw---- 1 root bind 4,1M Jul 8 2015 sam.ldb
>
> Please revert these insecure permissions to the ones we set during
> the provisioning.
>
> Using these permissions, the BIND user account is enabled to read and
> write to the whole AD database file. The sam.ldb must have 600
> permissions and owned by root:root to be protected:
>
> -rw------- root root /usr/local/samba/private/sam.ldb
>
> sam.ldb is a virtual view to all AD partitions.
>
Good catch, I was getting mixed up with the other sam.ldb ;-)
Just for the record, these are from my working DC:
ls -la /usr/local/samba/private/sam.ldb
-rw------- 1 root staff 4247552 Sep 12 2016 /usr/local/samba/private/sam.ldb
ls -la /usr/local/samba/private/dns/sam.ldb
-rw-rw---- 1 root bind 3014656 Sep 12 2016 /usr/local/samba/private/dns/sam.ldb
Rowland
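
A check for the two sets of permissions quoted in this thread, added here as an example and not part of the original messages or of Samba itself. It assumes GNU stat and the /usr/local/samba/private paths shown above; the function names check_ldb and audit_samba_ldb are hypothetical.

```shell
#!/bin/sh
# Added example: audit the two sam.ldb files discussed in this thread.
# Default path is the one quoted in the thread; override PRIVATE_DIR if needed.
PRIVATE_DIR="${PRIVATE_DIR:-/usr/local/samba/private}"

# check_ldb PATH MAX_MODE OWNER [GROUP]   (hypothetical helper)
# Returns 0 only if PATH is owned by OWNER, has group GROUP when one is
# given, and grants no permission bit outside MAX_MODE (octal, e.g. 600).
check_ldb() {
    path=$1 max_mode=$2 owner=$3 group=${4:-}
    if [ ! -f "$path" ]; then
        echo "MISSING  $path"; return 2
    fi
    # GNU stat: %a = octal mode, %U = owner name, %G = group name
    set -- $(stat -c '%a %U %G' "$path")
    mode=$1 cur_owner=$2 cur_group=$3
    rc=0
    # Any bit set in the file mode but absent from MAX_MODE is excess access.
    excess=$(( 0$mode & ~0$max_mode & 07777 ))
    if [ "$excess" -ne 0 ]; then
        echo "TOO OPEN $path mode $mode exceeds $max_mode"; rc=1
    fi
    if [ "$cur_owner" != "$owner" ]; then
        echo "OWNER    $path is $cur_owner, expected $owner"; rc=1
    fi
    if [ -n "$group" ] && [ "$cur_group" != "$group" ]; then
        echo "GROUP    $path is $cur_group, expected $group"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK       $path ($mode $cur_owner:$cur_group)"
    return "$rc"
}

audit_samba_ldb() {
    status=0
    # AD database: owner-only access. The group is not checked because
    # mode 600 grants the group nothing.
    check_ldb "$PRIVATE_DIR/sam.ldb" 600 root || status=1
    # DNS copy: group bind may read and write, nobody else.
    check_ldb "$PRIVATE_DIR/dns/sam.ldb" 660 root bind || status=1
    return "$status"
}
```

Call audit_samba_ldb as root; a non-zero return means at least one of the two files is missing or more permissive than the values given in the thread.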