Hello Rowland,

I changed the rights from 600 (root:root) to 660 (root:bind) and I get the following error message:

02-Apr-2017 14:56:15.190 client 192.168.99.6#54534 (client006.my.domain.de): query: client006.my.domain.de IN SOA + (192.168.99.8)
02-Apr-2017 14:56:15.194 client 192.168.99.6#64810 (client008.my.domain.de): query: client008.my.domain.de IN A + (192.168.99.8)
02-Apr-2017 14:56:15.199 samba_dlz: starting transaction on zone MY.DOMAIN.DE
02-Apr-2017 14:56:15.200 client 192.168.99.6#51349: update 'MY.DOMAIN.DE/IN' denied
02-Apr-2017 14:56:15.200 samba_dlz: cancelling transaction on zone MY.DOMAIN.DE
02-Apr-2017 14:56:15.203 client 192.168.99.6#52735 (336-ms-7.59-ad98ae7.04ad5620-15fc-11e7-b5ab-525400186fdb): query: 336-ms-7.59-ad98ae7.04ad5620-15fc-11e7-b5ab-525400186fdb IN TKEY -T (192.168.99.8)
02-Apr-2017 14:56:15.238 samba_dlz: starting transaction on zone MY.DOMAIN.DE
02-Apr-2017 14:56:15.240 samba_dlz: disallowing update of signer=client006$@MY.DOMAIN.DE name=client006.my.domain.de type=AAAA error=insufficient access rights
02-Apr-2017 14:56:15.240 client 192.168.99.6#54726/key client006$@MY.DOMAIN.DE: updating zone 'MY.DOMAIN.DE/NONE': update failed: rejected by secure update (REFUSED)
02-Apr-2017 14:56:15.240 samba_dlz: cancelling transaction on zone MY.DOMAIN.DE
02-Apr-2017 14:56:15.242 client 192.168.99.6#55115 (6.99.168.192.in-addr.arpa): query: 6.99.168.192.in-addr.arpa IN SOA + (192.168.99.8)
02-Apr-2017 14:56:15.246 client 192.168.99.6#63569 (client008.my.domain.de): query: client008.my.domain.de IN A + (192.168.99.8)
02-Apr-2017 14:56:15.251 samba_dlz: starting transaction on zone 99.168.192.in-addr.arpa
02-Apr-2017 14:56:15.252 client 192.168.99.6#58125: update '99.168.192.in-addr.arpa/IN' denied
02-Apr-2017 14:56:15.252 samba_dlz: cancelling transaction on zone 99.168.192.in-addr.arpa
02-Apr-2017 14:56:15.253 samba_dlz: starting transaction on zone 99.168.192.in-addr.arpa
02-Apr-2017 14:56:15.255 samba_dlz: disallowing update of signer=client006$@MY.DOMAIN.DE name=6.99.168.192.in-addr.arpa type=PTR error=insufficient access rights
02-Apr-2017 14:56:15.255 client 192.168.99.6#60594/key client006$@MY.DOMAIN.DE: updating zone '99.168.192.in-addr.arpa/NONE': update failed: rejected by secure update (REFUSED)
02-Apr-2017 14:56:15.256 samba_dlz: cancelling transaction on zone 99.168.192.in-addr.arpa
02-Apr-2017 14:56:18.189 client 192.168.99.6#60714 (client006.my.domain.de): query: client006.my.domain.de IN SOA + (192.168.99.8)
02-Apr-2017 14:56:18.194 client 192.168.99.6#49834 (client008.my.domain.de): query: client008.my.domain.de IN A + (192.168.99.8)
02-Apr-2017 14:56:18.199 samba_dlz: starting transaction on zone MY.DOMAIN.DE
02-Apr-2017 14:56:18.200 client 192.168.99.6#58125: update 'MY.DOMAIN.DE/IN' denied
02-Apr-2017 14:56:18.200 samba_dlz: cancelling transaction on zone MY.DOMAIN.DE
02-Apr-2017 14:56:18.202 samba_dlz: starting transaction on zone MY.DOMAIN.DE
02-Apr-2017 14:56:18.204 samba_dlz: disallowing update of signer=client006$@MY.DOMAIN.DE name=client006.my.domain.de type=AAAA error=insufficient access rights
02-Apr-2017 14:56:18.204 client 192.168.99.6#49384/key client006$@MY.DOMAIN.DE: updating zone 'MY.DOMAIN.DE/NONE': update failed: rejected by secure update (REFUSED)
02-Apr-2017 14:56:18.204 samba_dlz: cancelling transaction on zone MY.DOMAIN.DE
02-Apr-2017 14:56:18.207 client 192.168.99.6#50993 (6.99.168.192.in-addr.arpa): query: 6.99.168.192.in-addr.arpa IN SOA + (192.168.99.8)
02-Apr-2017 14:56:18.211 client 192.168.99.6#52455 (client008.my.domain.de): query: client008.my.domain.de IN A + (192.168.99.8)
02-Apr-2017 14:56:18.216 samba_dlz: starting transaction on zone 99.168.192.in-addr.arpa
02-Apr-2017 14:56:18.216 client 192.168.99.6#50421: update '99.168.192.in-addr.arpa/IN' denied
02-Apr-2017 14:56:18.217 samba_dlz: cancelling transaction on zone 99.168.192.in-addr.arpa
02-Apr-2017 14:56:18.218 samba_dlz: starting transaction on zone 99.168.192.in-addr.arpa
02-Apr-2017 14:56:18.220 samba_dlz: disallowing update of signer=client006$@MY.DOMAIN.DE name=6.99.168.192.in-addr.arpa type=PTR error=insufficient access rights
02-Apr-2017 14:56:18.220 client 192.168.99.6#51170/key client006$@MY.DOMAIN.DE: updating zone '99.168.192.in-addr.arpa/NONE': update failed: rejected by secure update (REFUSED)
02-Apr-2017 14:56:18.220 samba_dlz: cancelling transaction on zone 99.168.192.in-addr.arpa

The rights of /var/lib/samba/private/ are:

drwxrwx--- 3 root bind 4,0K Mär 31 12:12 dns
-rw-r----- 1 root bind 792 Mär 31 10:49 dns.backup
-rw-r----- 1 root bind 792 Mär 31 12:12 dns.keytab
-rw------- 1 root root 1,9K Jul 8 2015 dns_update_cache
-rw-r--r-- 1 root root 3,2K Jul 8 2015 dns_update_list
-rw------- 1 root root 1,3M Jul 8 2015 hkcr.ldb
-rw------- 1 root root 1,3M Jul 8 2015 hkcu.ldb
-rw------- 1 root root 1,3M Jul 8 2015 hklm.ldb
-rw------- 1 root root 1,3M Jul 8 2015 hku.ldb
-rw------- 1 root root 5,9M Mär 30 14:23 idmap.ldb
-rw------- 1 root root 5,9M Okt 18 13:24 idmap.ldb.old
-rw-r--r-- 1 root root 93 Jul 8 2015 krb5.conf
srwxrwxrwx 1 root root 0 Apr 2 14:42 ldapi
drwxr-x--- 2 root root 4,0K Apr 2 14:42 ldap_priv
drwx------ 2 root root 4,0K Apr 2 15:07 msg.sock
-rw-r--r-- 1 root root 780 Mär 31 12:12 named.conf
-r--r--r-- 1 root root 408 Mär 31 09:46 named.conf.update
-rw-r--r-- 1 root root 2,1K Mär 31 12:12 named.txt
-rw------- 1 root root 696 Apr 2 14:42 netlogon_creds_cli.tdb
-rw------- 1 root root 1,3M Jul 8 2015 privilege.ldb
-rw------- 1 root root 696 Jul 8 2015 randseed.tdb
-rw-rw---- 1 root bind 4,1M Jul 8 2015 sam.ldb
drwxr-x--- 2 root bind 4,0K Mär 31 12:12 sam.ldb.d
-rw------- 1 root root 696 Apr 2 14:42 schannel_store.tdb
-rw------- 1 root root 1,2K Jul 8 2015 secrets.keytab
-rw------- 1 root root 1,3M Mär 31 12:12 secrets.ldb
-rw------- 1 root root 420K Jul 8 2015 secrets.tdb
-rw------- 1 root root 1,3M Jul 8 2015 share.ldb
drwxr-xr-x 3 root root 4,0K Feb 16 2016 smbd.tmp
-rw-r--r-- 1 root root 955 Jul 8 2015 spn_update_list
drwx------ 2 root root 4,0K Jul 8 2015 tls

Are the rights OK? I created the DNS entry with samba-tool. Is this a problem?

How can I check whether I have problems with access rights, for example if bind cannot read or write a file? Currently I check bind with "named -u bind -f -g 2>&1 | tee /etc/bind/named.log". For testing I assigned bind a shell (bash), and I can read the file sam.ldb as user bind.

Karl Heinz

On 02.04.2017 at 14:00, samba-request at lists.samba.org wrote:
> Hello
>
> We have installed 4 Sernet AD controllers on Debian 8.7 with bind9. If we run ipconfig /registerdns on a Windows client, an error message appears in the log files:
>
> 31-Mar-2017 11:08:49.270 client 192.168.99.6#50357 (client006.my.domain.de): query: client006.my.domain.de IN SOA + (192.168.99.8)
> 31-Mar-2017 11:08:49.274 client 192.168.99.6#51046 (client008.my.domain.de): query: client008.my.domain.de IN A + (192.168.99.8)
> 31-Mar-2017 11:08:49.279 samba_dlz: starting transaction on zone my.domain.de
> 31-Mar-2017 11:08:49.280 client 192.168.99.6#63377: update 'my.domain.de/IN' denied
> 31-Mar-2017 11:08:49.280 samba_dlz: cancelling transaction on zone my.domain.de
> 31-Mar-2017 11:08:49.282 client 192.168.99.6#58242 (196-ms-7.22-4b26a5.ce2ea96c-15e6-11e7-5e9d-525400186fdb): query: 196-ms-7.22-4b26a5.ce2ea96c-15e6-11e7-5e9d-525400186fdb IN TKEY -T (192.168.99.8)
> 31-Mar-2017 11:08:49.285 client 192.168.99.6#51560 (6.99.30.172.in-addr.arpa): query: 6.99.30.172.in-addr.arpa IN SOA + (192.168.99.8)
> 31-Mar-2017 11:08:49.288 client 192.168.99.6#58260 (client008.my.domain.de): query: client008.my.domain.de IN A + (192.168.99.8)
> 31-Mar-2017 11:08:49.294 samba_dlz: starting transaction on zone 99.30.172.in-addr.arpa
> 31-Mar-2017 11:08:49.294 client 192.168.99.6#49428: update '99.30.172.in-addr.arpa/IN' denied
> 31-Mar-2017 11:08:49.295 samba_dlz: cancelling transaction on zone 99.30.172.in-addr.arpa
> 31-Mar-2017 11:08:49.297 client 192.168.99.6#60163 (196-ms-7.23-4b26a5.ce2ea96c-15e6-11e7-5e9d-525400186fdb): query: 196-ms-7.23-4b26a5.ce2ea96c-15e6-11e7-5e9d-525400186fdb IN TKEY -T (192.168.99.8)
>
> If we execute
> samba_dnsupdate --verbose --all-names
> no errors are displayed.
>
> The rights of /var/lib/samba/private/dns/sam.ldb.d/* are 660.
>
> Relevant content of /etc/bind/named.conf.options
> -------------------------------------------------
> allow-update { any;};
> tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
> dnssec-validation no;
> dnssec-enable no;
>
> We run
> ------
> samba_upgradedns --dns-backend=BIND9_DLZ
>
> /etc/samba/smb.conf
> -------------------
> server services = -dns
>
> named -V
> --------
> BIND 9.9.5-9+deb8u10-Debian (Extended Support Version) <id:f9b8a50e>
> built by make with '--prefix=/usr' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc/bind' '--localstatedir=/var' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld' '--with-geoip=/usr' '--with-atf=no' '--enable-ipv6' '--enable-rrl' '--enable-filter-aaaa' 'CFLAGS=-fno-strict-aliasing -fno-delete-null-pointer-checks -DDIG_SIGCHASE -O2'
> compiled by GCC 4.9.2
> using OpenSSL version: OpenSSL 1.0.1t 3 May 2016
> using libxml2 version: 2.9.1
>
> Timesync
> ---------
> correct time
>
> In named.conf.local we have not created a zone for "my.domain.de". I think this is not necessary.
>
> dpkg -l | grep sernet
> ----------------------
> ii libwbclient0:amd64 99:4.5.7-16 amd64 Glue package for sernet-samba-libs.
> ii sernet-samba 99:4.5.7-16 amd64 SMB/CIFS file, print, and login server for Unix
> ii sernet-samba-ad 99:4.5.7-16 amd64 Samba Active Directory Domain Controller
> ii sernet-samba-client 99:4.5.7-16 amd64 a LanManager-like simple client for Unix
> ii sernet-samba-common 99:4.5.7-16 all Samba common files used by both the server and the client
> ii sernet-samba-keyring 1.5 all GnuPG archive keys of the SerNet Samba archive
> ii sernet-samba-libs:amd64 99:4.5.7-16 amd64 Samba common library files used by both the server and the client
> ii sernet-samba-libsmbclient0:amd64 99:4.5.7-16 amd64 Shared library that allows applications to talk to SMB servers
> ii sernet-samba-winbind 99:4.5.7-16 amd64 Samba nameservice integration server
>
> Can anybody help me?
>
>
> Re: [Samba] Dynamic updates of windows clients.eml
>
> Subject: Re: [Samba] Dynamic updates of windows clients
> From: Rowland Penny <rpenny at samba.org>
> Date: 01.04.2017 17:24
> To: samba at lists.samba.org
>
> On Sat, 1 Apr 2017 16:44:38 +0200 Karl Heinz Wichmann via samba <samba at lists.samba.org> wrote:
>
>> The rights of /var/lib/samba/private/dns/sam.ldb.d/* are 660.
>
> Just in case you don't know, do not touch the files inside private/dns/sam.ldb.d or private/sam.ldb.d
>
> Right, having got that out of the way, who owns /var/lib/samba/private/sam.ldb?
>
> It should be root:bind with 660 permissions.
>
> Rowland
On Sun, 2 Apr 2017 15:22:31 +0200 Karl Heinz Wichmann via samba <samba at lists.samba.org> wrote:

> Hello Rowland
>
> client006$@MY.DOMAIN.DE: updating zone 'MY.DOMAIN.DE/NONE': update failed: rejected by secure update (REFUSED)

This shows your problem.

> Are the rights OK?

Yes.

> I created the DNS entry with samba-tool. Is this a problem?

No.

> How can I check whether I have problems with access rights, for example if bind cannot read or write a file? Currently I check bind with "named -u bind -f -g 2>&1 | tee /etc/bind/named.log".

Your problem isn't the actual permissions on the directories; you do not seem to have the right to update AD. This could be something as simple as a time difference between the clients and the DC. Are you running an NTP server on the DC, and are your Windows clients using this as their time server?

If time isn't the problem, can you please post your Bind conf files.

Rowland
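A way to triage the named update log that Karl posted and Rowland reads above, as an added example that is not code from the thread: it separates the unsigned "update denied" lines from the GSS-TSIG-signed updates that samba_dlz refuses with "insufficient access rights", which is the line Rowland points at. The log lines are a constructed sample modelled on the posted ones (the TKEY name is a placeholder, and the final success line is invented); the functions read a log on stdin or from a file.

```shell
#!/bin/sh
# Added example (not from the thread): triage BIND's update log on a Samba
# BIND9_DLZ DC. The posted log shows two different failure lines per client
# attempt: an unsigned "update '<zone>/IN' denied", and, after the TKEY
# (GSS-TSIG) exchange, a signed update that samba_dlz rejects with
# "insufficient access rights" / "rejected by secure update (REFUSED)".
# Only the second kind means the signed request was authenticated and then
# refused by AD authorisation; that is the line Rowland singles out.

# Constructed sample, modelled on the lines quoted in the thread (the last
# line is a constructed success, in BIND's "adding an RR" form).
sample_log() {
    cat <<'EOF'
02-Apr-2017 14:56:15.200 client 192.168.99.6#51349: update 'MY.DOMAIN.DE/IN' denied
02-Apr-2017 14:56:15.203 client 192.168.99.6#52735 (tkey-name-placeholder): query: tkey-name-placeholder IN TKEY -T (192.168.99.8)
02-Apr-2017 14:56:15.240 samba_dlz: disallowing update of signer=client006$@MY.DOMAIN.DE name=client006.my.domain.de type=AAAA error=insufficient access rights
02-Apr-2017 14:56:15.240 client 192.168.99.6#54726/key client006$@MY.DOMAIN.DE: updating zone 'MY.DOMAIN.DE/NONE': update failed: rejected by secure update (REFUSED)
02-Apr-2017 14:56:15.252 client 192.168.99.6#58125: update '99.168.192.in-addr.arpa/IN' denied
02-Apr-2017 14:56:15.255 samba_dlz: disallowing update of signer=client006$@MY.DOMAIN.DE name=6.99.168.192.in-addr.arpa type=PTR error=insufficient access rights
02-Apr-2017 14:56:15.255 client 192.168.99.6#60594/key client006$@MY.DOMAIN.DE: updating zone '99.168.192.in-addr.arpa/NONE': update failed: rejected by secure update (REFUSED)
02-Apr-2017 14:56:20.000 client 192.168.99.7#50000/key client007$@MY.DOMAIN.DE: updating zone 'MY.DOMAIN.DE/NONE': adding an RR at 'client007.my.domain.de' A
EOF
}

# Each counter reads the log on stdin and prints a number (0 on no match).
count_unsigned_denied() { grep -c " update '[^']*' denied" || true; }
count_signed_refused()  { grep -c "rejected by secure update (REFUSED)" || true; }
count_signed_ok()       { grep -c "/key .*: adding an RR at " || true; }

# Distinct Kerberos principals whose signed updates AD refused.
refused_signers() {
    sed -n 's/.*disallowing update of signer=\([^ ]*\) .*error=insufficient access rights.*/\1/p' | sort -u
}

# Print a verdict for a log file; the reasoning follows the thread.
triage() {
    log=$1
    denied=$(count_unsigned_denied <"$log")
    refused=$(count_signed_refused <"$log")
    ok=$(count_signed_ok <"$log")
    echo "unsigned updates denied: $denied (precede the TKEY exchange in the log)"
    echo "signed updates applied:  $ok"
    echo "signed updates refused:  $refused"
    if [ "$refused" -gt 0 ]; then
        echo "refusing principals:"; refused_signers <"$log" | sed 's/^/  /'
        echo "signed request authenticated but AD refused it: check client/DC"
        echo "time sync (Kerberos) and the DNS partition file permissions."
    fi
}

# Stand-alone run over the constructed sample.
tmp=$(mktemp); sample_log >"$tmp"; triage "$tmp"; rm -f "$tmp"
```

On a live DC, point `triage` at the update-category log file configured in named.conf (in this thread, /var/log/named/update.log).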
Hello Rowland,

Yes, I have a time server, and the time is correct and in sync on the client and the server.

named.conf
----------
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
# samba
include "/etc/bind/named.conf.samba";

// logging
logging {
    channel default_file { file "/var/log/named/default.log" versions 3 size 5m; severity dynamic; print-time yes; };
    channel general_file { file "/var/log/named/general.log" versions 3 size 5m; severity dynamic; print-time yes; };
    channel database_file { file "/var/log/named/database.log" versions 3 size 5m; severity dynamic; print-time yes; };
    channel security_file { file "/var/log/named/security.log" versions 3 size 5m; severity dynamic; print-time yes; };
    channel config_file { file "/var/log/named/config.log" versions 3 size 5m; severity dynamic; print-time yes; };
    channel resolver_file { file "/var/log/named/resolver.log" versions 3 size 5m; severity dynamic; print-time yes; };
    channel xfer-in_file { file "/var/log/named/xfer-in.log" versions 3 size 5m; severity dynamic; print-time yes; };
    channel xfer-out_file { file "/var/log/named/xfer-out.log" versions 3 size 5m; severity dynamic; print-time yes; };
    channel notify_file { file "/var/log/named/notify.log" versions 3 size 5m; severity dynamic; print-time yes; };
    channel client_file { file "/var/log/named/client.log" versions 3 size 5m; severity dynamic; print-time yes; };
    channel unmatched_file { file "/var/log/named/unmatched.log" versions 3 size 5m; severity dynamic; print-time yes; };
    channel queries_file { file "/var/log/named/queries.log" versions 3 size 5m; severity dynamic; print-time yes; };
    channel network_file { file "/var/log/named/network.log" versions 3 size 5m; severity dynamic; print-time yes; };
    channel update_file { file "/var/log/named/update.log" versions 3 size 5m; severity dynamic; print-time yes; };
    channel dispatch_file { file "/var/log/named/dispatch.log" versions 3 size 5m; severity dynamic; print-time yes; };
    channel dnssec_file { file "/var/log/named/dnssec.log" versions 3 size 5m; severity dynamic; print-time yes; };
    channel lame-servers_file { file "/var/log/named/lame-servers.log" versions 3 size 5m; severity dynamic; print-time yes; };

    category default { default_file; };
    category general { general_file; };
    category database { database_file; };
    category security { security_file; };
    category config { config_file; };
    category resolver { resolver_file; };
    category xfer-in { xfer-in_file; };
    category xfer-out { xfer-out_file; };
    category notify { notify_file; };
    category client { client_file; };
    category unmatched { unmatched_file; };
    category queries { queries_file; };
    category network { network_file; };
    category update { update_file; };
    category dispatch { dispatch_file; };
    category dnssec { dnssec_file; };
    category lame-servers { lame-servers_file; };
};

named.conf.default-zones
------------------------
// prime the server with knowledge of the root servers
zone "." { type hint; file "/etc/bind/db.root"; };

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
zone "localhost" { type master; file "/etc/bind/db.local"; };
zone "127.in-addr.arpa" { type master; file "/etc/bind/db.127"; };
zone "0.in-addr.arpa" { type master; file "/etc/bind/db.0"; };
zone "255.in-addr.arpa" { type master; file "/etc/bind/db.255"; };

named.conf.options
------------------
options {
    directory "/var/cache/bind";
    forward only;
    forwarders { <IP of my forwarder>; };
    dnssec-validation no;
    dnssec-enable no;
    auth-nxdomain no;
    listen-on-v6 { 127.0.0.1; 192.168.99.8; };
    listen-on { 127.0.0.1; 192.168.99.8; };
    allow-update { any; };
    notify yes;
    allow-query { any; };
    # temp setting
    allow-recursion { 192.168.0.0/16; };
    edns-udp-size 2048;
    max-udp-size 2048;
    # samba update keytab
    tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
    allow-transfer { <ip of other samba dc1>; <ip of other samba dc2>; <ip of other samba dc3>; <ip of other samba dc4>; 192.168.99.6; };
};

Can this be a problem with my Debian 8.7 bind service?
named -V
--------
BIND 9.9.5-9+deb8u10-Debian (Extended Support Version) <id:f9b8a50e>
built by make with '--prefix=/usr' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc/bind' '--localstatedir=/var' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld' '--with-geoip=/usr' '--with-atf=no' '--enable-ipv6' '--enable-rrl' '--enable-filter-aaaa' 'CFLAGS=-fno-strict-aliasing -fno-delete-null-pointer-checks -DDIG_SIGCHASE -O2'
compiled by GCC 4.9.2
using OpenSSL version: OpenSSL 1.0.1t 3 May 2016
using libxml2 version: 2.9.1

Karl Heinz

On 02.04.2017 at 16:01, Rowland Penny wrote:
> On Sun, 2 Apr 2017 15:22:31 +0200 Karl Heinz Wichmann via samba <samba at lists.samba.org> wrote:
>
>> Hello Rowland
>>
>> client006$@MY.DOMAIN.DE: updating zone 'MY.DOMAIN.DE/NONE': update failed: rejected by secure update (REFUSED)
>
> This shows your problem.
>
>> Are the rights OK?
>
> Yes.
>
>> I created the DNS entry with samba-tool. Is this a problem?
>
> No.
>
>> How can I check whether I have problems with access rights, for example if bind cannot read or write a file? Currently I check bind with "named -u bind -f -g 2>&1 | tee /etc/bind/named.log".
>
> Your problem isn't the actual permissions on the directories; you do not seem to have the right to update AD. This could be something as simple as a time difference between the clients and the DC. Are you running an NTP server on the DC, and are your Windows clients using this as their time server?
>
> If time isn't the problem, can you please post your Bind conf files.
>
> Rowland
Hello Karl Heinz,

On 02.04.2017 at 15:22, Karl Heinz Wichmann via samba wrote:
> I changed the rights from 600 (root:root) to 660 (root:bind) and I get the following error message.
>
> -rw-rw---- 1 root bind 4,1M Jul 8 2015 sam.ldb

Please revert these insecure permissions to the ones we set during the provisioning.

Using these permissions, the BIND user account is enabled to read and write to the whole AD database file. The sam.ldb must have 600 permissions and be owned by root:root to be protected:

-rw------- root root /usr/local/samba/private/sam.ldb

sam.ldb is a virtual view to all AD partitions.

> drwxr-x--- 2 root bind 4,0K Mär 31 12:12 sam.ldb.d

The permissions on this directory are correct. However, please check the permissions of the raw AD partition database files in it. If you changed them, reset them to the secure permissions we set during the provisioning:

-rw------- root root CN=CONFIGURATION,DC=SAMDOM,DC=EXAMPLE,DC=COM.ldb
-rw------- root root CN=SCHEMA,CN=CONFIGURATION,DC=SAMDOM,DC=EXAMPLE,DC=COM.ldb
-rw-rw---- root named DC=DOMAINDNSZONES,DC=SAMDOM,DC=EXAMPLE,DC=COM.ldb
-rw-rw---- root named DC=FORESTDNSZONES,DC=SAMDOM,DC=EXAMPLE,DC=COM.ldb
-rw------- root root DC=SAMDOM,DC=EXAMPLE,DC=COM.ldb
-rw-rw---- root named metadata.tdb

Some background information: The sam.ldb.d directory is required to enable the third-party daemon BIND to access the AD DNS partitions without allowing access to any other partition.

The sam.ldb.d directory contains the raw AD partition databases, while the sam.ldb file is a view to all of them.

That's why BIND needs write access to the two DNS partition database files (+ metadata.tdb) and must not have access to any other file in the sam.ldb.d directory, nor to the sam.ldb file.

Regards,
Marc
Hello Marc,

I changed the rights of sam.ldb back to 600 and root:root, and I think the rights of the sam.ldb.d directory are correct.

-rw------- 1 root root 16M Apr 2 17:29 CN=CONFIGURATION,DC=MY,DC=DOMAIN,DC=DE.ldb
-rw------- 1 root root 10M Apr 2 17:29 CN=SCHEMA,CN=CONFIGURATION,DC=MY,DC=DOMAIN,DC=DE.ldb
-rw-rw---- 2 root bind 26M Apr 2 17:28 DC=DOMAINDNSZONES,DC=MY,DC=DOMAIN,DC=DE.ldb
-rw-rw---- 2 root bind 4,1M Apr 2 17:28 DC=FORESTDNSZONES,DC=MY,DC=DOMAIN,DC=DE.ldb
-rw------- 1 root root 65M Apr 2 17:29 DC=MY,DC=DOMAIN,DC=DE.ldb
-rw-rw---- 2 root bind 412K Apr 2 14:46 metadata.tdb

Regards,
Karl Heinz

--

On 02.04.2017 at 17:13, Marc Muehlfeld wrote:
> Hello Karl Heinz,
>
> On 02.04.2017 at 15:22, Karl Heinz Wichmann via samba wrote:
>> I changed the rights from 600 (root:root) to 660 (root:bind) and I get the following error message.
>>
>> -rw-rw---- 1 root bind 4,1M Jul 8 2015 sam.ldb
>
> Please revert these insecure permissions to the ones we set during the provisioning.
>
> Using these permissions, the BIND user account is enabled to read and write to the whole AD database file. The sam.ldb must have 600 permissions and be owned by root:root to be protected:
>
> -rw------- root root /usr/local/samba/private/sam.ldb
>
> sam.ldb is a virtual view to all AD partitions.
>
>> drwxr-x--- 2 root bind 4,0K Mär 31 12:12 sam.ldb.d
>
> The permissions on this directory are correct. However, please check the permissions of the raw AD partition database files in it. If you changed them, reset them to the secure permissions we set during the provisioning:
>
> -rw------- root root CN=CONFIGURATION,DC=SAMDOM,DC=EXAMPLE,DC=COM.ldb
> -rw------- root root CN=SCHEMA,CN=CONFIGURATION,DC=SAMDOM,DC=EXAMPLE,DC=COM.ldb
> -rw-rw---- root named DC=DOMAINDNSZONES,DC=SAMDOM,DC=EXAMPLE,DC=COM.ldb
> -rw-rw---- root named DC=FORESTDNSZONES,DC=SAMDOM,DC=EXAMPLE,DC=COM.ldb
> -rw------- root root DC=SAMDOM,DC=EXAMPLE,DC=COM.ldb
> -rw-rw---- root named metadata.tdb
>
> Some background information: The sam.ldb.d directory is required to enable the third-party daemon BIND to access the AD DNS partitions without allowing access to any other partition.
>
> The sam.ldb.d directory contains the raw AD partition databases, while the sam.ldb file is a view to all of them.
>
> That's why BIND needs write access to the two DNS partition database files (+ metadata.tdb) and must not have access to any other file in the sam.ldb.d directory, nor to the sam.ldb file.
>
> Regards,
> Marc
On Sun, 2 Apr 2017 17:13:17 +0200 Marc Muehlfeld via samba <samba at lists.samba.org> wrote:

> Hello Karl Heinz,
>
> On 02.04.2017 at 15:22, Karl Heinz Wichmann via samba wrote:
>> I changed the rights from 600 (root:root) to 660 (root:bind) and I get the following error message.
>>
>> -rw-rw---- 1 root bind 4,1M Jul 8 2015 sam.ldb
>
> Please revert these insecure permissions to the ones we set during the provisioning.
>
> Using these permissions, the BIND user account is enabled to read and write to the whole AD database file. The sam.ldb must have 600 permissions and be owned by root:root to be protected:
>
> -rw------- root root /usr/local/samba/private/sam.ldb
>
> sam.ldb is a virtual view to all AD partitions.

Good catch, I was getting mixed up with the other sam.ldb ;-)

Just for the record, these are from my working DC:

ls -la /usr/local/samba/private/sam.ldb
-rw------- 1 root staff 4247552 Sep 12 2016 /usr/local/samba/private/sam.ldb

ls -la /usr/local/samba/private/dns/sam.ldb
-rw-rw---- 1 root bind 3014656 Sep 12 2016 /usr/local/samba/private/dns/sam.ldb

Rowland
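An audit script for the permission layout Marc describes (sam.ldb 600 root:root, only the two DNS partition files and metadata.tdb group-writable by the BIND user) together with the BIND-facing private/dns/sam.ldb that Rowland's listing shows as 660 root:bind, as an added example that is not code from the thread or from Samba. It assumes GNU stat (-c) and the partition file names used in this thread; the replica it builds is constructed with empty files so that the check runs offline, and on a real Debian DC the call would be `audit_private /var/lib/samba/private root root bind`.

```shell
#!/bin/sh
# Added example, not code from the thread: audits a Samba "private" directory
# against the permissions Marc describes (sam.ldb 600 root:root; in sam.ldb.d
# only the two DNS partition files and metadata.tdb are 660 root:<bind group>,
# every other partition file 600 root:root) plus the BIND-facing copy
# private/dns/sam.ldb, which Rowland's listing shows as 660 root:bind.
# Assumes GNU stat (-c). The replica below is constructed so it runs offline.

# Mode a file inside sam.ldb.d should have, judged by its name.
expected_mode() {
    case "$1" in
        DC=DOMAINDNSZONES,*|DC=FORESTDNSZONES,*|metadata.tdb) echo 660 ;;
        *) echo 600 ;;
    esac
}

# Compare one path with "mode owner group"; report and flag any mismatch.
check_entry() {
    actual=$(stat -c '%a %U %G' "$1")
    if [ "$actual" != "$2 $3 $4" ]; then
        echo "MISMATCH $1: is '$actual', want '$2 $3 $4'"
        bad=1
    fi
}

# audit_private DIR OWNER OWNER_GROUP DNS_GROUP -> 0 if all entries match.
# On a real Debian DC: audit_private /var/lib/samba/private root root bind
audit_private() {
    dir=$1 owner=$2 owner_group=$3 dns_group=$4
    bad=0
    check_entry "$dir/sam.ldb" 600 "$owner" "$owner_group"
    for f in "$dir"/sam.ldb.d/*.ldb "$dir"/sam.ldb.d/metadata.tdb; do
        [ -e "$f" ] || continue
        if [ "$(expected_mode "${f##*/}")" = 660 ]; then
            check_entry "$f" 660 "$owner" "$dns_group"
        else
            check_entry "$f" 600 "$owner" "$owner_group"
        fi
    done
    if [ -e "$dir/dns/sam.ldb" ]; then
        check_entry "$dir/dns/sam.ldb" 660 "$owner" "$dns_group"
    fi
    return "$bad"
}

# Constructed replica of the layout from the thread (empty files, correct
# modes, owned by whoever runs this); prints its path.
make_replica() {
    d=$(mktemp -d)
    mkdir -p "$d/sam.ldb.d" "$d/dns"
    : >"$d/sam.ldb"; chmod 600 "$d/sam.ldb"
    : >"$d/dns/sam.ldb"; chmod 660 "$d/dns/sam.ldb"
    for p in CN=CONFIGURATION,DC=MY,DC=DOMAIN,DC=DE.ldb \
             CN=SCHEMA,CN=CONFIGURATION,DC=MY,DC=DOMAIN,DC=DE.ldb \
             DC=DOMAINDNSZONES,DC=MY,DC=DOMAIN,DC=DE.ldb \
             DC=FORESTDNSZONES,DC=MY,DC=DOMAIN,DC=DE.ldb \
             DC=MY,DC=DOMAIN,DC=DE.ldb metadata.tdb; do
        : >"$d/sam.ldb.d/$p"; chmod "$(expected_mode "$p")" "$d/sam.ldb.d/$p"
    done
    echo "$d"
}

# Stand-alone run: a clean replica passes, then the thread's mistake
# (sam.ldb made 660) is flagged.
me=$(id -un) mygrp=$(id -gn)
rep=$(make_replica)
audit_private "$rep" "$me" "$mygrp" "$mygrp" && echo "replica: OK"
chmod 660 "$rep/sam.ldb"
audit_private "$rep" "$me" "$mygrp" "$mygrp" || echo "replica after chmod 660 sam.ldb: NOT OK"
rm -rf "$rep"
```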