Hello Marc

I changed the rights back to 600 and root:root on sam.ldb, and I think the rights of the sam.ldb.d directory are correct.

-rw------- 1 root root 16M Apr 2 17:29 CN=CONFIGURATION,DC=MY,DC=DOMAIN,DC=DE.ldb
-rw------- 1 root root 10M Apr 2 17:29 CN=SCHEMA,CN=CONFIGURATION,DC=MY,DC=DOMAIN,DC=DE.ldb
-rw-rw---- 2 root bind 26M Apr 2 17:28 DC=DOMAINDNSZONES,DC=MY,DC=DOMAIN,DC=DE.ldb
-rw-rw---- 2 root bind 4,1M Apr 2 17:28 DC=FORESTDNSZONES,DC=MY,DC=DOMAIN,DC=DE.ldb
-rw------- 1 root root 65M Apr 2 17:29 DC=MY,DC=DOMAIN,DC=DE.ldb
-rw-rw---- 2 root bind 412K Apr 2 14:46 metadata.tdb

Regards,
Karl Heinz

--

On 02.04.2017 at 17:13, Marc Muehlfeld wrote:
> Hello Karl Heinz,
>
> On 02.04.2017 at 15:22, Karl Heinz Wichmann via samba wrote:
>> I changed the rights from 600 (root:root) to 660 (root:bind) and I get
>> the following error message.
>>
>> -rw-rw---- 1 root bind 4,1M Jul 8 2015 sam.ldb
>
> Please revert these insecure permissions to the ones we set during the
> provisioning.
>
> Using these permissions, the BIND user account is enabled to read and
> write to the whole AD database file. The sam.ldb must have 600
> permissions and be owned by root:root to be protected:
>
> -rw------- root root /usr/local/samba/private/sam.ldb
>
> sam.ldb is a virtual view of all AD partitions.
>
>
>> drwxr-x--- 2 root bind 4,0K Mär 31 12:12 sam.ldb.d
>
> The permissions on this directory are correct. However, please check the
> permissions of the raw AD partition database files in it. If you changed
> them, reset them to the secure permissions we set during the provisioning:
>
> -rw------- root root  CN=CONFIGURATION,DC=SAMDOM,DC=EXAMPLE,DC=COM.ldb
> -rw------- root root  CN=SCHEMA,CN=CONFIGURATION,DC=SAMDOM,DC=EXAMPLE,DC=COM.ldb
> -rw-rw---- root named DC=DOMAINDNSZONES,DC=SAMDOM,DC=EXAMPLE,DC=COM.ldb
> -rw-rw---- root named DC=FORESTDNSZONES,DC=SAMDOM,DC=EXAMPLE,DC=COM.ldb
> -rw------- root root  DC=SAMDOM,DC=EXAMPLE,DC=COM.ldb
> -rw-rw---- root named metadata.tdb
>
>
> Some background information: The sam.ldb.d directory is required to
> enable the third-party daemon BIND to access the AD DNS partitions,
> without allowing access to any other partition.
>
> The sam.ldb.d directory contains the raw AD partition databases, while
> the sam.ldb file is a view to all of them.
>
> That's why BIND needs write access to the two DNS partition database
> files (+ metadata.tdb) and must not have access to any other file in the
> sam.ldb.d directory, nor to the sam.ldb file.
>
>
> Regards,
> Marc
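The least-privilege layout Marc describes above (BIND may read and write only the two DNS partitions and metadata.tdb; sam.ldb and every other partition stay 600 root:root; sam.ldb.d itself is 750 root:&lt;bind group&gt;) is easy to drift from, as this thread shows. The following POSIX shell audit is an added example, not code from the thread or from the Samba project. It assumes GNU or busybox stat(1) with the -c format option, and it takes the private directory, the expected owner (normally root) and the group BIND runs as (bind on Debian/Ubuntu, named on Red Hat style systems) as arguments, so that the same script covers both naming conventions seen in the thread.

```shell
#!/bin/sh
# Added example, not from the thread or the Samba project: audit the Samba
# AD DC private directory against the permissions Marc lists above.
# Assumptions: GNU/busybox stat(1) with -c; the private dir, the expected
# owner and the group BIND runs as are passed in as arguments.

# Expected "mode owner group" for one file inside sam.ldb.d:
#   the two DNS partitions and metadata.tdb: 660 owner:<bind group>
#   every other partition database:          600 owner:owner
expected_for() {
    # $1 = file basename, $2 = owner, $3 = BIND group
    case "$1" in
        DC=DOMAINDNSZONES,*|DC=FORESTDNSZONES,*|metadata.tdb)
            echo "660 $2 $3" ;;
        *)
            echo "600 $2 $2" ;;
    esac
}

# Compare one path's actual "mode owner group" with the expected string.
# Prints one line per path and bumps the global counter $bad on a mismatch
# or a missing path.
check_path() {
    actual=$(stat -c '%a %U %G' "$1" 2>/dev/null) || {
        echo "MISSING $1"
        bad=$((bad + 1))
        return
    }
    if [ "$actual" = "$2" ]; then
        echo "OK      $1"
    else
        echo "BAD     $1: have '$actual', want '$2'"
        bad=$((bad + 1))
    fi
}

# audit_samba_private PRIVATE_DIR OWNER BIND_GROUP
# Returns 0 when every path matches the provisioning defaults, otherwise the
# number of deviating or missing paths (so it can gate a monitoring check).
audit_samba_private() {
    priv="$1"; owner="$2"; bgroup="$3"; bad=0
    # The virtual view of all partitions: never group-accessible.
    check_path "$priv/sam.ldb" "600 $owner $owner"
    # The directory BIND must traverse to reach the DNS partitions.
    check_path "$priv/sam.ldb.d" "750 $owner $bgroup"
    # The raw partition databases.
    for f in "$priv"/sam.ldb.d/*; do
        [ -e "$f" ] || continue
        check_path "$f" "$(expected_for "$(basename "$f")" "$owner" "$bgroup")"
    done
    return "$bad"
}

# Usage on a Debian-style DC with the path from Marc's mail (assumed):
#   audit_samba_private /usr/local/samba/private root bind
```

Any file that is not one of the two DNS partitions or metadata.tdb is held to 600 owner:owner, so a database the BIND group can read is reported as BAD rather than silently accepted; a sam.ldb set to 660 root:bind, the change that started this thread, fails the audit on its first line.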
Hello Marc

I changed the log level to 10

database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_9.so -d 10";

and I get the following errors:

02-Apr-2017 18:47:44.389 samba_dlz: ldb: ldb_asprintf/set_errstring: No such Base DN: DC=client008.my.domain.de,CN=MicrosoftDNS,DC=ForestDnsZones,DC=my,DC=domain,DC=de
02-Apr-2017 18:47:44.389 samba_dlz: ldb: ldb_trace_response: DONE
02-Apr-2017 18:47:44.389 samba_dlz: error: 32
02-Apr-2017 18:47:44.389 samba_dlz: msg: No such Base DN: DC=client008.my.domain.de,CN=MicrosoftDNS,DC=ForestDnsZones,DC=my,DC=domain,DC=de
02-Apr-2017 18:47:44.389 samba_dlz:
02-Apr-2017 18:47:44.389 samba_dlz: ldb: ldb_trace_request: SEARCH
02-Apr-2017 18:47:44.389 samba_dlz: dn: DC=client008.my.domain.de,CN=MicrosoftDNS,CN=System,DC=my,DC=domain,DC=de
02-Apr-2017 18:47:44.389 samba_dlz: scope: base
02-Apr-2017 18:47:44.389 samba_dlz: expr: (objectClass=dnsZone)
02-Apr-2017 18:47:44.389 samba_dlz: control: <NONE>

and

02-Apr-2017 18:47:41.373 samba_dlz: Starting GENSEC mechanism spnego
02-Apr-2017 18:47:41.373 samba_dlz: Starting GENSEC submechanism gssapi_krb5
02-Apr-2017 18:47:41.373 samba_dlz: spnego update failed
02-Apr-2017 18:47:41.374 client 192.168.99.6#58125/key CLIENT$@my.domain.de: updating zone 'my.domain.de/NONE': update failed: rejected by secure update (REFUSED)
02-Apr-2017 18:47:41.374 samba_dlz: ldb: cancel ldb transaction (nesting: 0)

Regards,
Karl Heinz

On 02.04.2017 at 17:37, Karl Heinz Wichmann wrote:
> Hello Marc
>
> I changed the rights back to 600 and root:root on sam.ldb
>
> and I think the rights of the sam.ldb.d directory are correct.
>
>
> -rw------- 1 root root 16M Apr 2 17:29 CN=CONFIGURATION,DC=MY,DC=DOMAIN,DC=DE.ldb
> -rw------- 1 root root 10M Apr 2 17:29 CN=SCHEMA,CN=CONFIGURATION,DC=MY,DC=DOMAIN,DC=DE.ldb
> -rw-rw---- 2 root bind 26M Apr 2 17:28 DC=DOMAINDNSZONES,DC=MY,DC=DOMAIN,DC=DE.ldb
> -rw-rw---- 2 root bind 4,1M Apr 2 17:28 DC=FORESTDNSZONES,DC=MY,DC=DOMAIN,DC=DE.ldb
> -rw------- 1 root root 65M Apr 2 17:29 DC=MY,DC=DOMAIN,DC=DE.ldb
> -rw-rw---- 2 root bind 412K Apr 2 14:46 metadata.tdb
>
> Regards,
> Karl Heinz
On Sun, 2 Apr 2017 19:02:35 +0200
Karl Heinz Wichmann via samba <samba at lists.samba.org> wrote:
> Hello Marc
>
> I changed the log level to 10
>
> database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_9.so -d 10";
>
> and I get the following errors:
>
> 02-Apr-2017 18:47:44.389 samba_dlz: ldb: ldb_asprintf/set_errstring: No such Base DN: DC=client008.my.domain.de,CN=MicrosoftDNS,DC=ForestDnsZones,DC=my,DC=domain,DC=de
> 02-Apr-2017 18:47:44.389 samba_dlz: ldb: ldb_trace_response: DONE
> 02-Apr-2017 18:47:44.389 samba_dlz: error: 32
> 02-Apr-2017 18:47:44.389 samba_dlz: msg: No such Base DN: DC=client008.my.domain.de,CN=MicrosoftDNS,DC=ForestDnsZones,DC=my,DC=domain,DC=de
> 02-Apr-2017 18:47:44.389 samba_dlz:
> 02-Apr-2017 18:47:44.389 samba_dlz: ldb: ldb_trace_request: SEARCH
> 02-Apr-2017 18:47:44.389 samba_dlz: dn: DC=client008.my.domain.de,CN=MicrosoftDNS,CN=System,DC=my,DC=domain,DC=de
> 02-Apr-2017 18:47:44.389 samba_dlz: scope: base
> 02-Apr-2017 18:47:44.389 samba_dlz: expr: (objectClass=dnsZone)
> 02-Apr-2017 18:47:44.389 samba_dlz: control: <NONE>
>
> and
>
> 02-Apr-2017 18:47:41.373 samba_dlz: Starting GENSEC mechanism spnego
> 02-Apr-2017 18:47:41.373 samba_dlz: Starting GENSEC submechanism gssapi_krb5
> 02-Apr-2017 18:47:41.373 samba_dlz: spnego update failed
> 02-Apr-2017 18:47:41.374 client 192.168.99.6#58125/key CLIENT$@my.domain.de: updating zone 'my.domain.de/NONE': update failed: rejected by secure update (REFUSED)
> 02-Apr-2017 18:47:41.374 samba_dlz: ldb: cancel ldb transaction (nesting: 0)
>

Try adding 'allow dns updates = nonsecure' to smb.conf

Rowland