samba - Dec 2013 - Samba 4 AD with Bind 9.9 dlz permission access to /var/lib/samba/private/

Dear all,

Would like to ask for input on the following.
When using with bind 9.9 with dlz module.
It seem that we would have a permission issue where names would need to
have access to

/var/lib/samba/private/ for a few files.
to be more precise it would be

/var/lib/samba/private/dns (whole folder)
/var/lib/samba/private/named.conf
/var/lib/samba/private/named.conf.update
/var/lib/samba/private/dns.keytab

However as I can see private was 400...
drwx------+  7 root root    4096 Dec 25 03:34 private

Question:
1. Should I use ACL to allow named to have rx access to these folder and
files?
2. Should I just change the group on private to add named in and on other
files or folder involved.

Which one is a better practice and why?

i just feel that having named mixed up with samba private folder is a bad
practice...
At lease in security point of view.
I would said that samba should have move these files to /var/bind/

But I'm not a developer that able to understand that..

Please advise.

Thank You.

On Wed, 2013-12-25 at 03:43 +0800, Chan Min Wai wrote:
> Dear all,
> 
> Would like to ask for input on the following.
> When using with bind 9.9 with dlz module.
> It seem that we would have a permission issue where names would need to
> have access to
> 
> /var/lib/samba/private/ for a few files.
> to be more precise it would be
> 
> /var/lib/samba/private/dns (whole folder)
> /var/lib/samba/private/named.conf
> /var/lib/samba/private/named.conf.update
> /var/lib/samba/private/dns.keytab
> 
> However as I can see private was 400...
> drwx------+  7 root root    4096 Dec 25 03:34 private
That seems very restrictive. We have a default source build
at /usr/local/samba with:
drwxr-xr-x  7 root root 4096 Dec 13 13:31 private

That let's everyone in, then named has further access as you state.
HTH
Steve