[Samba] bind-dns folder permissions with bind-dlz configuration 4.10

Rowland Penny rpenny at samba.org
Wed Sep 11 09:02:52 UTC 2019

On 11/09/2019 09:37, L.P.H. van Belle via samba wrote:
> Sure it was,  ;-),  maybe not that one specific site link but it was on wiki

Possibly it was on the wiki, but not on that page ;-)

If you read the history:

(cur | prev 16:46, 10 September 2019 | contribs <https://wiki.samba.org/index.php/Special:Contributions/Hortimech>) m . . (12,113 bytes) (+245) . . (/* added permissions for /usr/local/samba/bind-dns) (undo

> and my Google searches do show that.. I'm always wondering what people used for their searches.
> When they can find it.
> I also noticed on the link:  https://wiki.samba.org/index.php/BIND9_DLZ_DNS_Back_End
> Verify that your /etc/krb5.conf Kerberos client configuration file is readable by your BIND user. For example:
> # ls -l /etc/krb5.conf
> -rw-r--r--. 1 root named 99  2. Sep 2014  /etc/krb5.conf
> I'm wondering.. /etc/krb5.conf is set up to 644, why is named added if we have 644?
> Second, if we don't have 644 and we use 640,
> Then use setfacl and not chmod ...  add the needed users to a group and allow it to read it.

Just checked on one of my DCs and I have:

-rw-r--r-- 1 root root 114 Apr 24  2018 /etc/krb5.conf

Everything works okay ;-)

I think that something like 'krb5.conf', which is just a conf file, is 
okay to be readable by anyone, but only writeable by root.

> My "in general rule" here is, if it's only used by one program, you can use chmod and apply posix rights.
> If a file/folder needs to be read by multiple users, of use groups or add extra acls.
> This is a part we should correct a bit.
I would replace 'only used by' with 'writeable by' in the above statement.
> ...
> A few simple tips on how to improve your Google skills.
> Let's take this example.
> google: "samba wiki bind9 dlz chmod"
> Prio of words, from left to right. Important -> less important.
> How to improve the above string:
> Google: +samba wiki +bind9 dlz chmod
> + means, this MUST be on the website.
> - means, this MUST NOT be on the website.
> More direct search.
> +samba wiki +bind9 dlz chmod +site:wiki.samba.org -site:www.samba.org
> Means, only search on the site wiki.samba.org for the words, and remove any www.samba.org results.
> And here you go, only 2 links with the correct info.
Well, yes, but no search is any good, if the data isn't there when you 
do the search ;-)
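
The two properties discussed in this thread (the file is writable only by its owner, and the BIND user can still read it) can be checked from the mode bits. This is an added example, not part of the original message or the Samba wiki; the function name `audit_conf`, its output format and the user name `named-example` are assumptions, and GNU `stat` is assumed.

```bash
# audit_conf FILE USER [OWNER]   (hypothetical helper for this example)
# Prints "write=<ok|loose> read=<owner|group|other|none>".
# Only classic mode bits are evaluated; ACLs added with setfacl are not.
audit_conf() {
    local file=$1 user=$2 want_owner=${3:-root}
    local info mode owner group m g bit class=other write=ok rd=none
    info=$(stat -c '%a %U %G' -- "$file") || return 2
    set -- $info
    mode=$1 owner=$2 group=$3
    m=$((0$mode))                 # leading 0 makes the value octal

    # Writable only by the expected owner: no group/other write bits.
    if [ "$owner" != "$want_owner" ] || [ $((m & 022)) -ne 0 ]; then
        write=loose
    fi

    # Exactly one permission class applies to USER: owner, else group, else other.
    if [ "$user" = "$owner" ]; then
        class=owner
    else
        for g in $(id -Gn "$user" 2>/dev/null || true); do
            if [ "$g" = "$group" ]; then class=group; fi
        done
    fi

    case $class in
        owner) bit=0400 ;;
        group) bit=040 ;;
        *)     bit=04 ;;
    esac
    if [ $((m & bit)) -ne 0 ]; then rd=$class; fi
    echo "write=$write read=$rd"
}

# Constructed demo: a temp file stands in for /etc/krb5.conf, and
# "named-example" is a made-up account that is in no group.
demo=$(mktemp)
chmod 640 "$demo"
audit_conf "$demo" named-example "$(stat -c %U "$demo")"
rm -f "$demo"
```

A result of `read=none` on a 640 file is the case where the quoted advice applies: grant the BIND user read access through a group or an ACL rather than widening the mode.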

