
[Samba] Samba 4 AD with Bind 9.9 dlz permission access to /var/lib/samba/private/


Chan Min Wai
Dec 24, 2013, 2:50:01 PM
Dear all,

Would like to ask for input on the following.
When using bind 9.9 with the dlz module,
it seems that we would have a permission issue where named would need to
have access to

/var/lib/samba/private/ for a few files.
To be more precise it would be

/var/lib/samba/private/dns (whole folder)
/var/lib/samba/private/named.conf
/var/lib/samba/private/named.conf.update
/var/lib/samba/private/dns.keytab

However as I can see private was 400...
drwx------+ 7 root root 4096 Dec 25 03:34 private

Question:
1. Should I use ACLs to allow named to have rx access to these folders and
files?
2. Should I just change the group on private to add named in, and on the other
files or folders involved?

Which one is a better practice and why?

I just feel that having named mixed up with the samba private folder is a bad
practice...
At least from a security point of view.
I would say that samba should have moved these files to /var/bind/

But I'm not a developer who is able to understand that...

Please advise.

Thank You.
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

steve
Dec 25, 2013, 8:20:02 AM
On Wed, 2013-12-25 at 03:43 +0800, Chan Min Wai wrote:
> Dear all,
>
> Would like to ask for input on the following.
> When using with bind 9.9 with dlz module.
> It seem that we would have a permission issue where names would need to
> have access to
>
> /var/lib/samba/private/ for a few files.
> to be more precise it would be
>
> /var/lib/samba/private/dns (whole folder)
> /var/lib/samba/private/named.conf
> /var/lib/samba/private/named.conf.update
> /var/lib/samba/private/dns.keytab
>
> However as I can see private was 400...
> drwx------+ 7 root root 4096 Dec 25 03:34 private

That seems very restrictive. We have a default source build
at /usr/local/samba with:
drwxr-xr-x 7 root root 4096 Dec 13 13:31 private

That lets everyone in, then named has further access as you state.
HTH
Steve

Chan Min Wai
Dec 26, 2013, 10:50:01 AM
Dear Steve,

I think that is a bad idea, as /var/lib/samba/private is supposed to hold
something private for samba.

Like secret, security-related LDAP/AD information.

Putting dns information there doesn't seem to be a good idea.
(unless the dns information is part of LDAP or AD)

And I do believe that it should be placed in /var/lib/samba/bind or some
other place which is private to both of them.

Rowland Penny
Dec 26, 2013, 11:50:03 AM
On 26/12/13 15:43, Chan Min Wai wrote:
> Dear Steve,
>
> I think that is bad idea as /var/lib/samba/private was suppose to hold
> something private for samba.

Do you mean like the samba DNS zones and the keytab that is required to
alter it?

> Like secret information security related LDAP/AD information
>
> Putting dns information don't seem to be a good idea.
> (unless the dns information are part or LDAP or AD)

The samba dns zones are part of AD.

>
> And I do believes that it should be place to /var/lib/samba/bind or some
> other place which private for both of them.
>

Just where would you put private info like the samba DNS zones etc.?

If you have any problems about where to store stuff, I suggest that you
take it up with the Samba devs.

Rowland

Steve
Dec 26, 2013, 1:40:01 PM
I think there is confusion because bind doesn't run as root. The op has correctly identified the files and directories within private that bind needs access to. It now only remains to allow the bind user into private. As the op has it, only root has access. My argument as to 0755 on private is based upon a default source build and make install. I notice that the op has a non-default location and so may need other security measures as well. The fact remains that if you are using bind, then the user running it must have access to private.
Sorry about the top post. Android limitations.
Steve
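
The question the original poster asks (ACLs versus a group change on private/) and Steve's point that the named user must get into private/ somehow can be checked offline before touching a production DC. The script below is an added example, written for this thread; it is not code from the thread, from Samba or from BIND. It evaluates classic owner/group/other mode bits against a hypothetical uid and gid set, so it can run as root without becoming the named user, and reports which of the paths listed in the original post are reachable, including the traverse (x) bit on every directory down from a chosen top. It also lists which files under private/dns share an inode with entries in private/sam.ldb.d, which is the point Ricky raises later in the thread: write access on dns/ is write access on those database files. Assumptions that are the example's own: the access needed is read on named.conf, named.conf.update and dns.keytab and read/write on the whole dns/ tree (the DLZ module performs dynamic updates there); the 0710 mode on private/ in harden_modes is this example's least-privilege choice, not a Samba default; the demo tree, its file contents, the partition file name DC=DOMAINDNSZONES,DC=EXAMPLE,DC=COM.ldb and the "owner uid + 1" stand-in for named are all constructed. POSIX ACLs are not evaluated, so if you take the ACL route, verify with getfacl instead.

```python
"""Offline audit of what an unprivileged BIND user can reach under the Samba
private directory: mode bits evaluated against a hypothetical uid and gid set."""
import os
import tempfile
from pathlib import Path

# Entries the original post lists as needed by named, relative to private/, with
# the access assumed necessary: read on config and keytab, read/write on the
# dns/ tree because the DLZ module performs dynamic DNS updates there.
REQUIRED = {"named.conf": "r", "named.conf.update": "r",
            "dns.keytab": "r", "dns": "rwx"}
BITS = {"r": 4, "w": 2, "x": 1}

def mode_allows(st, uid, gids, want):
    """Owner class if uid matches, else group class if a gid matches, else other."""
    if uid == 0:  # root bypasses DAC; named should never run as root
        return True
    shift = 6 if st.st_uid == uid else 3 if st.st_gid in gids else 0
    need = sum(BITS[c] for c in want)
    return ((st.st_mode >> shift) & 0o7) & need == need

def reachable(path, uid, gids, want, top):
    """Traverse (x) on every directory from top down, then `want` on path."""
    path, top = Path(path), Path(top)
    parts = path.relative_to(top).parts
    for d in [top] + [top.joinpath(*parts[:i]) for i in range(1, len(parts))]:
        if not mode_allows(os.stat(d), uid, gids, "x"):
            return False, f"no traverse (x) on {d}"
    if not mode_allows(os.stat(path), uid, gids, want):
        return False, f"missing {want} on {path}"
    return True, "ok"

def audit(private_dir, uid, gids, top=None):
    """Check every REQUIRED entry, recursing into dns/; default top is the filesystem root."""
    private_dir = Path(private_dir)
    top = top or private_dir.anchor
    results = {}
    for rel, want in REQUIRED.items():
        p = private_dir / rel
        results[str(p)] = reachable(p, uid, gids, want, top) if p.exists() else (False, "missing")
        for root, dirs, files in os.walk(p):  # yields nothing for a plain file
            for name, w in [(d, "rwx") for d in dirs] + [(f, "rw") for f in files]:
                results[str(Path(root) / name)] = reachable(Path(root) / name, uid, gids, w, top)
    return results

def hard_links_into_sam(private_dir):
    """Files under dns/ sharing (device, inode) with a private/sam.ldb.d entry."""
    private_dir = Path(private_dir)
    by_inode = {(f.stat().st_dev, f.stat().st_ino): f
                for f in (private_dir / "sam.ldb.d").iterdir()}
    links = {}
    for root, _, files in os.walk(private_dir / "dns"):
        for f in files:
            st = (Path(root) / f).stat()
            if (st.st_dev, st.st_ino) in by_inode:
                links[str(Path(root) / f)] = str(by_inode[(st.st_dev, st.st_ino)])
    return links

def harden_modes(private_dir):
    """The poster's option 2 with least privilege: private/ 0710 (group may traverse
    but not list), config and keytab 0640, dns/ tree 0770/0660. The chgrp to named's
    group is left to root. chmod on dns/ also changes the hard-linked sam.ldb.d files."""
    private_dir = Path(private_dir)
    os.chmod(private_dir, 0o710)
    for name in ("named.conf", "named.conf.update", "dns.keytab"):
        os.chmod(private_dir / name, 0o640)
    os.chmod(private_dir / "dns", 0o770)
    for root, dirs, files in os.walk(private_dir / "dns"):
        for name, mode in [(d, 0o770) for d in dirs] + [(f, 0o660) for f in files]:
            os.chmod(Path(root) / name, mode)

def build_demo_tree(base):
    """Constructed stand-in for the poster's root-only private/ (0700/0600), with
    dns/sam.ldb.d/<partition>.ldb hard-linked to sam.ldb.d/<partition>.ldb (made-up name)."""
    priv = Path(base) / "private"
    (priv / "dns" / "sam.ldb.d").mkdir(parents=True)
    (priv / "sam.ldb.d").mkdir()
    part = "DC=DOMAINDNSZONES,DC=EXAMPLE,DC=COM.ldb"
    for rel in ("named.conf", "named.conf.update", "dns.keytab",
                "secrets.ldb", "dns/sam.ldb", f"sam.ldb.d/{part}"):
        (priv / rel).write_bytes(b"constructed placeholder\n")
        os.chmod(priv / rel, 0o600)
    os.link(priv / "sam.ldb.d" / part, priv / "dns" / "sam.ldb.d" / part)
    for d in ("dns/sam.ldb.d", "dns", "sam.ldb.d", "."):
        os.chmod(priv / d, 0o700)
    return priv

def demo():
    """Audit the demo tree before/after harden_modes for a non-owner uid in the
    owning group (stand-in for named) and for a uid in neither class."""
    priv = build_demo_tree(tempfile.mkdtemp())
    owner = os.stat(priv)
    uid, gids = owner.st_uid + 1, {owner.st_gid}

    def denied(g):
        return sorted(p for p, (ok, _) in audit(priv, uid, g, priv).items() if not ok)

    before = denied(gids)
    harden_modes(priv)
    return {"before_denied": before, "after_denied": denied(gids),
            "other_denied": denied({owner.st_gid + 1}),
            "links": hard_links_into_sam(priv)}

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

On a real DC you would call audit("/var/lib/samba/private", <uid of named>, {<gids of named>}) without the top argument, so that /var, /var/lib and /var/lib/samba are checked for the traverse bit as well; a 0700 private/ fails at the first step no matter how the files inside are set, which is what the ls output in the original post shows. The hard-link listing is the caveat to keep in mind for either option: whatever write access named gets on dns/ it has on the linked partition files in sam.ldb.d too, so the group or ACL entry should be scoped to exactly the listed paths and nothing else in private/.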

Chan Min Wai
Dec 26, 2013, 1:50:01 PM
Thanks for the info.

I think it would be a bigger problem...
If bind is running in a chroot environment...

Provided that bind would have no access to any of the files under
/var/lib/samba

Steve
Dec 26, 2013, 2:20:01 PM
I wouldn't know where to start in a chroot. That is the default on many distros so it will be interesting to see how they cope with Samba4 as a dc. Unless private goes to jail too maybe? Can you symlink outside a chroot? Better shut up now. Sounds scary.

Steve

Rowland Penny
Dec 26, 2013, 3:00:02 PM
On 26/12/13 18:48, Chan Min Wai wrote:
> Thank for the info.
>
> I think it would bigger problem..
> If bind is running in a chroot environment...
You cannot run bind in a chroot environment with samba4 and bind 9.9,
can you find the samba zone files ?

Rowland


Chan Min Wai
Dec 26, 2013, 10:20:01 PM
> You cannot run bind in a chroot environment with samba4 and bind 9.9,

No, it is written in the docs that it is not possible
https://wiki.samba.org/index.php/Dns-backend_bind

> can you find the samba zone files ?

Sorry I don't get you.

Rowland Penny
Dec 27, 2013, 6:40:02 AM
On 27/12/13 03:11, Chan Min Wai wrote:
> You cannot run bind in a chroot environment with samba4 and bind 9.9,
> No, it is written in the docs that it is not possible
> https://wiki.samba.org/index.php/Dns-backend_bind
>
> can you find the samba zone files ?
> Sorry I don't get you.
>
>

What I was trying to point out is that you are worrying about nothing,
if you use the bind9 dlz backend, you will not find the zone files
anywhere on disk, they are created in memory every time bind is started.

Rowland

Ricky Nance
Dec 27, 2013, 8:40:02 AM
On Dec 27, 2013 5:39 AM, "Rowland Penny" <rowlan...@googlemail.com>
wrote:
>
> On 27/12/13 03:11, Chan Min Wai wrote:
>>
>> You cannot run bind in a chroot environment with samba4 and bind 9.9,
>> No, it is written in the docs that it is not possible
>> https://wiki.samba.org/index.php/Dns-backend_bind
>>
>> can you find the samba zone files ?
>> Sorry I don't get you.
>>
>>
>
> What I was trying to point out is that you are worrying about nothing, if
you use the bind9 dlz backend, you will not find the zone files anywhere on
disk, they are created in memory every time bind is started.
>
> Rowland

Correct me if I am wrong, but are you sure about that? What are the hard
linked files under private/dns then? They are hard linked to
private/sam.ldb.d IIRC.

Ricky

Rowland Penny
Dec 27, 2013, 8:50:01 AM
On 27/12/13 13:30, Ricky Nance wrote:
>
>
> On Dec 27, 2013 5:39 AM, "Rowland Penny" <rowlan...@googlemail.com
> <mailto:rowlan...@googlemail.com>> wrote:
> >
> > On 27/12/13 03:11, Chan Min Wai wrote:
> >>
> >> You cannot run bind in a chroot environment with samba4 and bind 9.9,
> >> No, it is written in the docs that it is not possible
> >> https://wiki.samba.org/index.php/Dns-backend_bind
> >>
> >> can you find the samba zone files ?
> >> Sorry I don't get you.
> >>
> >>
> >
> > What I was trying to point out is that you are worrying about
> nothing, if you use the bind9 dlz backend, you will not find the zone
> files anywhere on disk, they are created in memory every time bind is
> started.
> >
> > Rowland
>
> Correct me if i am wrong, but are you sure about that? What are the
> hard linked files under private/dns then? They are hard linked to
> private/sam.ldb.d IIRC.
>
> Ricky
They are where Samba stores its domain info, they are not the dns zones
(and incidentally, these should never be altered directly).
If I restart bind9, I get this in syslog:

samba_dlz: started for DN DC=example,DC=com
samba_dlz: starting configure
samba_dlz: configured writeable zone '0.168.192.in-addr.arpa'
samba_dlz: configured writeable zone 'example.com'
samba_dlz: configured writeable zone '_msdcs.example.com'

The three zones never get written to disk (well I cannot find them)

Rowland

Chan Min Wai
Dec 27, 2013, 2:40:01 PM
Maybe I should try to run chroot bind with a symlink from samba.

But before that...
I'll need to get the chroot bind working in advance...

BRB



steve
Dec 27, 2013, 2:50:01 PM
On Sat, 2013-12-28 at 03:37 +0800, Chan Min Wai wrote:
> Maybe I should try to run chroot bind with symlink from samba.
>

If you have to run chroot bind then just use ordinary files for the
zones, like in the old days. I don't think dlz is going to work because
it needs to access AD which is not in the jail.

> But before that...
> I'll need to get the chroot bind workning in advance...

That's the default on many distros. There's usually a folder
under /var/lib/ or /var/cache/ somewhere that the bind user has write on
for your own zone files.

Good luck
Steve

Rowland Penny
Dec 27, 2013, 3:40:02 PM
On 27/12/13 19:37, Chan Min Wai wrote:
> Maybe I should try to run chroot bind with symlink from samba.
>
> But before that...
> I'll need to get the chroot bind workning in advance...
>
> BRB
Hi, just what part of 'you cannot run bind in a chroot with samba 4' do
you not understand ???

It just will not work, forget it and move on.

Günter Kukkukk
Dec 27, 2013, 6:20:01 PM
Am 27.12.2013 20:37, schrieb Chan Min Wai:
> Maybe I should try to run chroot bind with symlink from samba.
>
> But before that...
> I'll need to get the chroot bind workning in advance...
>
> BRB
>

By default opensuse also runs ISC bind inside a chroot jail.
Some months ago I got it working, but in the end it was a whole mess.
So I would recommend _not_ to run bind inside a chroot jail!

These days there are better hardening tools like selinux and apparmor
around - which do a similar/better job...

Btw - when running bind with the samba DLZ driver, one can use the
zone transfer cmd of dig to see all entries inside a specified zone
in a format similar to the ASCII flat zone files:

dig AXFR your.dns.zone

or by also specifying the dns server:

dig @your_dns_server AXFR your.dns.zone

This cmd should be repeated for all stored zones, and also e.g. the reverse ones.

Note that this zone transfer cmd does _not_ work when using the samba internal
dns server! (not implemented)

Cheers, Günter

Chan Min Wai
Dec 29, 2013, 4:40:02 AM
Hum, just had a try with the chroot bind + dlz...

I've bind-mounted /var/lib/samba and some other directories into the chroot,
copied a few files over etc. etc.

but still the error message was
samba_dlz: Failed to connect to /var/lib/samba/private/dns/sam.ldb

Dec 29 17:29:04 localhost named[5292]: generating session key for dynamic DNS
Dec 29 17:29:04 localhost named[5292]: sizing zone task pool based on 9 zones
Dec 29 17:29:04 localhost named[5292]: Loading 'AD DNS Zone' using driver dlopen
Dec 29 17:29:04 localhost named[5292]: samba_dlz: Failed to connect to /var/lib/samba/private/dns/sam.ldb
Dec 29 17:29:04 localhost named[5292]: dlz_dlopen of 'AD DNS Zone' failed
Dec 29 17:29:04 localhost named[5292]: SDLZ driver failed to load.
Dec 29 17:29:04 localhost named[5292]: DLZ driver failed to load.
Dec 29 17:29:04 localhost named[5292]: loading configuration: failure
Dec 29 17:29:04 localhost named[5292]: exiting (due to fatal error)

too bad that I don't know what to look for anyway...

Rowland Penny
Dec 29, 2013, 6:40:01 AM
Look at this webpage: https://wiki.samba.org/index.php/Dns-backend_bind

Down near the bottom of the page, you will find this heading:

Known issues and ways to fix/workaround

There is a sub-heading:

Chroot Bind

The very next line is this:

If you use Bind as Backend for your Samba AD, it must not run chroot,
because it must be able to live access files and databases from your
Samba installation.

Now do you understand that the problems you are having are
self-inflicted, YOU MUST NOT RUN BIND IN A CHROOT.
You are trying to do something that will probably never work or if you
do get it to work, it will be a mess and will probably break the chroot
anyway, so what is the point?

Rowland

L.P.H. van Belle
Dec 30, 2013, 7:50:01 AM
side note..

setting this up is really easy and no problem.
and yes it's a bit dirty and it will always need extra work, and it's NOT advised.

what I did.
step 1. https://wiki.debian.org/Bind9 start from : Bind Chroot
step 2. create the needed directories in the chroot for samba and libs.
mkdir -p /var/bind9/chroot/{etc,dev,var/cache/bind,var/run/named}
mkdir -p /var/bind9/chroot/{var/lib/samba/private,usr/lib/x86_64-linux-gnu,lib/x86_64-linux-gnu}

mount these dirs with mount --bind
( put them in /etc/fstab like this . )

/var/lib/samba/private /var/bind9/chroot/var/lib/samba/private none rw,bind 0 0
/usr/lib/x86_64-linux-gnu /var/bind9/chroot/usr/lib/x86_64-linux-gnu none rw,bind 0 0
/lib/x86_64-linux-gnu /var/bind9/chroot/lib/x86_64-linux-gnu/ none rw,bind 0 0

start bind and samba and it works.. ( don't forget to set the correct rights for bind in the private folder of samba )
yes I know it's a quick and dirty setup...
If you don't want to use the mount --bind, then you need to figure out all the files samba will need and copy them.

from my logs.
starting BIND 9.8.4-rpz2+rl005.12-P1 -u bind -t /var/bind9/chroot
Loading 'AD DNS Zone' using driver dlopen

and
cat /var/log/samba/log.samba
[2013/12/30 13:18:57.364349, 0] ../source4/smbd/server.c:370(binary_smbd_main)
samba version 4.1.3-SerNet-Debian-7.wheezy started.

Good luck, it's not that hard, but NOT recommended, but it works..

Louis




>-----Original message-----
>From: rowlan...@googlemail.com
>[mailto:samba-...@lists.samba.org] On behalf of Rowland Penny
>Sent: Sunday, 29 December 2013 12:39
>To: Chan Min Wai; Günter Kukkukk
>CC: sa...@lists.samba.org
>Subject: Re: [Samba] Samba 4 AD with Bind 9.9 dlz permission
>access to /var/lib/samba/private/