samba - Apr 2017 - samba Digest, Vol 172, Issue 2

Hello Marc

I changed the rights back to 600 and root:root to sam.ldb

and i think the rights of sam.ldb.d directory are correct.


-rw------- 1 root root  16M Apr  2 17:29 
CN=CONFIGURATION,DC=MY,DC=DOMAIN,DC=DE.ldb
-rw------- 1 root root  10M Apr  2 17:29 
CN=SCHEMA,CN=CONFIGURATION,DC=MY,DC=DOMAIN,DC=DE.ldb
-rw-rw---- 2 root bind  26M Apr  2 17:28 
DC=DOMAINDNSZONES,DC=MY,DC=DOMAIN,DC=DE.ldb
-rw-rw---- 2 root bind 4,1M Apr  2 17:28 
DC=FORESTDNSZONES,DC=MY,DC=DOMAIN,DC=DE.ldb
-rw------- 1 root root  65M Apr  2 17:29 DC=MY,DC=DOMAIN,DC=DE.ldb
-rw-rw---- 2 root bind 412K Apr  2 14:46 metadata.tdb

Regards,
Karl Heinz



-- 

Am 02.04.2017 um 17:13 schrieb Marc Muehlfeld:
> Hello Karl Heinz,
>
> Am 02.04.2017 um 15:22 schrieb Karl Heinz Wichmann via samba:
>> I change the right from 600 (root:root) to 660 (root:bind) and i get
>> following errormessage.
>>
>> -rw-rw---- 1 root bind 4,1M Jul  8  2015 sam.ldb
>
> Please revert these insecure permissions to the ones we set during the
> provisioning.
>
> Using these permissions, the BIND user account is enabled to read and
> write to the whole AD database file. The sam.ldb must have 600
> permissions and owned by root:root to be protected:
>
> -rw------- root root /usr/local/samba/private/sam.ldb
>
> sam.ldb is a virtual view to all AD partitions.
>
>
>
>> drwxr-x--- 2 root bind 4,0K Mär 31 12:12 sam.ldb.d
>
> The permissions on this directory is correct. However, please check the
> permissions of the raw AD partition database files in it. If you changed
> them, reset them to the secure permissions we set during the provisioning:
>
> -rw------- root root CN=CONFIGURATION,DC=SAMDOM,DC=EXAMPLE,DC=COM.ldb
> -rw------- root root
> CN=SCHEMA,CN=CONFIGURATION,DC=SAMDOM,DC=EXAMPLE,DC=COM.ldb
> -rw-rw---- root named DC=DOMAINDNSZONES,DC=SAMDOM,DC=EXAMPLE,DC=COM.ldb
> -rw-rw---- root named DC=FORESTDNSZONES,DC=SAMDOM,DC=EXAMPLE,DC=COM.ldb
> -rw------- root root  DC=SAMDOM,DC=EXAMPLE,DC=COM.ldb
> -rw-rw---- root named metadata.tdb
>
>
>
> Some background information: The sam.ldb.d directory is required to
> enable the third-party daemon BIND to access the AD DNS partitions,
> without allowing access to any other partition.
>
> The samb.ldb.d directory contains the raw AD partition databases, while
> the sam.ldb file is a view to all of them.
>
> That's why BIND needs write access to the two DNS partition databases
> files (+ metadata.ldb) and must not have access to any other file in the
> sam.ldb.d directory, nor to the sam.ldb file.
>
>
>
> Regards,
> Marc
>
>
>

Hallo Marc

I change the loglevel to 10


  database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_9.so 
-d 10";

and i get following errors:

02-Apr-2017 18:47:44.389 samba_dlz: ldb: ldb_asprintf/set_errstring: No 
such Base DN: 
DC=client008.my.domain.de,CN=MicrosoftDNS,DC=ForestDnsZones,DC=my,DC=domain,DC=de
02-Apr-2017 18:47:44.389 samba_dlz: ldb: ldb_trace_response: DONE
02-Apr-2017 18:47:44.389 samba_dlz: error: 32
02-Apr-2017 18:47:44.389 samba_dlz: msg: No such Base DN: 
DC=client008.my.domain.de,CN=MicrosoftDNS,DC=ForestDnsZones,DC=my,DC=domain,DC=de
02-Apr-2017 18:47:44.389 samba_dlz:
02-Apr-2017 18:47:44.389 samba_dlz: ldb: ldb_trace_request: SEARCH
02-Apr-2017 18:47:44.389 samba_dlz:  dn: 
DC=client008.my.domain.de,CN=MicrosoftDNS,CN=System,DC=my,DC=domain,DC=de
02-Apr-2017 18:47:44.389 samba_dlz:  scope: base
02-Apr-2017 18:47:44.389 samba_dlz:  expr: (objectClass=dnsZone)
02-Apr-2017 18:47:44.389 samba_dlz:  control: <NONE>

and

02-Apr-2017 18:47:41.373 samba_dlz: Starting GENSEC mechanism spnego
02-Apr-2017 18:47:41.373 samba_dlz: Starting GENSEC submechanism gssapi_krb5
02-Apr-2017 18:47:41.373 samba_dlz: spnego update failed
02-Apr-2017 18:47:41.374 client 192.168.99.6#58125/key 
CLIENT\$\@my.domain.de: updating zone 'my.domain.de/NONE': update 
failed: rejected by secure update (REFUSED)
02-Apr-2017 18:47:41.374 samba_dlz: ldb: cancel ldb transaction (nesting: 0)


Regards,

Karl Heinz



Am 02.04.2017 um 17:37 schrieb Karl Heinz Wichmann:
> Hello Marc
>
> I changed the rights back to 600 and root:root to sam.ldb
>
> and i think the rights of sam.ldb.d directory are correct.
>
>
> -rw------- 1 root root  16M Apr  2 17:29
> CN=CONFIGURATION,DC=MY,DC=DOMAIN,DC=DE.ldb
> -rw------- 1 root root  10M Apr  2 17:29
> CN=SCHEMA,CN=CONFIGURATION,DC=MY,DC=DOMAIN,DC=DE.ldb
> -rw-rw---- 2 root bind  26M Apr  2 17:28
> DC=DOMAINDNSZONES,DC=MY,DC=DOMAIN,DC=DE.ldb
> -rw-rw---- 2 root bind 4,1M Apr  2 17:28
> DC=FORESTDNSZONES,DC=MY,DC=DOMAIN,DC=DE.ldb
> -rw------- 1 root root  65M Apr  2 17:29 DC=MY,DC=DOMAIN,DC=DE.ldb
> -rw-rw---- 2 root bind 412K Apr  2 14:46 metadata.tdb
>
> Regards,
> Karl Heinz
>
>
>

On Sun, 2 Apr 2017 19:02:35 +0200
Karl Heinz Wichmann via samba <samba at lists.samba.org> wrote:
> Hallo Marc
> 
> I change the loglevel to 10
> 
> 
>   database
> "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_9.so -d
10";
> 
> and i get following errors:
> 
> 02-Apr-2017 18:47:44.389 samba_dlz: ldb: ldb_asprintf/set_errstring:
> No such Base DN: 
>
DC=client008.my.domain.de,CN=MicrosoftDNS,DC=ForestDnsZones,DC=my,DC=domain,DC=de
> 02-Apr-2017 18:47:44.389 samba_dlz: ldb: ldb_trace_response: DONE
> 02-Apr-2017 18:47:44.389 samba_dlz: error: 32
> 02-Apr-2017 18:47:44.389 samba_dlz: msg: No such Base DN: 
>
DC=client008.my.domain.de,CN=MicrosoftDNS,DC=ForestDnsZones,DC=my,DC=domain,DC=de
> 02-Apr-2017 18:47:44.389 samba_dlz:
> 02-Apr-2017 18:47:44.389 samba_dlz: ldb: ldb_trace_request: SEARCH
> 02-Apr-2017 18:47:44.389 samba_dlz:  dn: 
> DC=client008.my.domain.de,CN=MicrosoftDNS,CN=System,DC=my,DC=domain,DC=de
> 02-Apr-2017 18:47:44.389 samba_dlz:  scope: base
> 02-Apr-2017 18:47:44.389 samba_dlz:  expr: (objectClass=dnsZone)
> 02-Apr-2017 18:47:44.389 samba_dlz:  control: <NONE>
> 
> and
> 
> 02-Apr-2017 18:47:41.373 samba_dlz: Starting GENSEC mechanism spnego
> 02-Apr-2017 18:47:41.373 samba_dlz: Starting GENSEC submechanism
> gssapi_krb5 02-Apr-2017 18:47:41.373 samba_dlz: spnego update failed
> 02-Apr-2017 18:47:41.374 client 192.168.99.6#58125/key 
> CLIENT\$\@my.domain.de: updating zone 'my.domain.de/NONE': update 
> failed: rejected by secure update (REFUSED)
> 02-Apr-2017 18:47:41.374 samba_dlz: ldb: cancel ldb transaction
> (nesting: 0)
> 
> 
Try adding 'allow dns updates = nonsecure' to smb.conf

Rowland