Chan Min Wai
2013-Dec-24 19:43 UTC
[Samba] Samba 4 AD with Bind 9.9 dlz permission access to /var/lib/samba/private/
Dear all,

I would like to ask for input on the following.
When using Bind 9.9 with the dlz module, it seems that we have a permission issue where named would need to have access to /var/lib/samba/private/ for a few files.
To be more precise, it would be:

/var/lib/samba/private/dns (whole folder)
/var/lib/samba/private/named.conf
/var/lib/samba/private/named.conf.update
/var/lib/samba/private/dns.keytab

However, as I can see, private was 400...

drwx------+ 7 root root 4096 Dec 25 03:34 private

Question:
1. Should I use ACL to allow named to have rx access to these folders and files?
2. Should I just change the group on private to add named in, and on the other files or folders involved?

Which one is better practice and why?

I just feel that having named mixed up with the samba private folder is a bad practice... at least from a security point of view.
I would say that samba should have moved these files to /var/bind/, but I'm not a developer who is able to understand that.

Please advise.
Thank you.
steve
2013-Dec-25 13:17 UTC
[Samba] Samba 4 AD with Bind 9.9 dlz permission access to /var/lib/samba/private/
On Wed, 2013-12-25 at 03:43 +0800, Chan Min Wai wrote:
> Dear all,
>
> Would like to ask for input on the following.
> When using with bind 9.9 with dlz module.
> It seems that we would have a permission issue where named would need to
> have access to
>
> /var/lib/samba/private/ for a few files.
> to be more precise it would be
>
> /var/lib/samba/private/dns (whole folder)
> /var/lib/samba/private/named.conf
> /var/lib/samba/private/named.conf.update
> /var/lib/samba/private/dns.keytab
>
> However as I can see private was 400...
> drwx------+ 7 root root 4096 Dec 25 03:34 private

That seems very restrictive. We have a default source build at /usr/local/samba with:

drwxr-xr-x 7 root root 4096 Dec 13 13:31 private

That lets everyone in, then named has further access as you state.

HTH
Steve
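
The difference between the two `private` listings in this thread, as an added example that is not part of either message: the script walks the "other" mode bits from a base directory down to each file named above, on a tree constructed in a temp dir. The function names `other_digit`, `world_reachable` and `build_tree` and the 644/600 file modes are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: the tree and file modes below are constructed in a temp dir.
# Only classic mode bits are evaluated; POSIX ACL entries are ignored.

# Echo the "other" permission digit (0-7) of a path (GNU stat assumed).
other_digit() {
    m=$(stat -c '%a' "$1") || return 2
    echo "${m#"${m%?}"}"    # last character of e.g. "700"
}

# Succeed if a user who is neither owner nor group member can read $2,
# checking every directory from $1 (inclusive) down to $2.
world_reachable() (
    cur=${1%/}; rest=${2#"$cur"/}
    while :; do
        o=$(other_digit "$cur") || exit 2
        [ $(( o & 1 )) -ne 0 ] || exit 1    # directory needs search (x)
        case $rest in
            */*) cur=$cur/${rest%%/*}; rest=${rest#*/} ;;
            *)   break ;;
        esac
    done
    o=$(other_digit "$cur/$rest") || exit 2
    [ $(( o & 4 )) -ne 0 ] || exit 1        # target needs read (r)
    if [ -d "$cur/$rest" ]; then [ $(( o & 1 )) -ne 0 ] || exit 1; fi
    exit 0
)

# Build a throwaway copy of the layout named in the thread.
build_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/samba/private/dns"
    : > "$root/samba/private/named.conf"
    : > "$root/samba/private/dns.keytab"
    chmod 755 "$root/samba" "$root/samba/private/dns"
    chmod 644 "$root/samba/private/named.conf"    # constructed mode
    chmod 600 "$root/samba/private/dns.keytab"    # constructed mode
    chmod 700 "$root/samba/private"               # as in the first listing
    echo "$root"
}

t=$(build_tree)
for mode in 700 755; do
    chmod "$mode" "$t/samba/private"
    for f in named.conf dns dns.keytab; do
        world_reachable "$t/samba" "$t/samba/private/$f" && r=yes || r=no
        echo "private=$mode $f other-readable=$r"
    done
done
rm -rf "$t"
```

Where a listing shows a trailing `+`, as the first one does, `getfacl` displays the ACL entries that this mode-bit check does not evaluate.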