
Re: [Samba] samba Digest, Vol 172, Issue 2




Hello Karl Heinz,

On 02.04.2017 at 15:22, Karl Heinz Wichmann via samba wrote:
I changed the rights from 600 (root:root) to 660 (root:bind) and I get the
following error message.

-rw-rw---- 1 root bind 4,1M Jul  8  2015 sam.ldb

Please revert these insecure permissions to the ones we set during the provisioning.

With these permissions, the BIND user account is able to read and write the whole AD database file. sam.ldb must have 600 permissions and be owned by root:root to be protected:

-rw------- root root /usr/local/samba/private/sam.ldb

sam.ldb is a virtual view to all AD partitions.



drwxr-x--- 2 root bind 4,0K Mär 31 12:12 sam.ldb.d

The permissions on this directory are correct. However, please check the permissions of the raw AD partition database files in it. If you changed them, reset them to the secure permissions we set during the provisioning:

-rw------- root root CN=CONFIGURATION,DC=SAMDOM,DC=EXAMPLE,DC=COM.ldb
-rw------- root root CN=SCHEMA,CN=CONFIGURATION,DC=SAMDOM,DC=EXAMPLE,DC=COM.ldb
-rw-rw---- root named DC=DOMAINDNSZONES,DC=SAMDOM,DC=EXAMPLE,DC=COM.ldb
-rw-rw---- root named DC=FORESTDNSZONES,DC=SAMDOM,DC=EXAMPLE,DC=COM.ldb
-rw------- root root  DC=SAMDOM,DC=EXAMPLE,DC=COM.ldb
-rw-rw---- root named metadata.tdb



Some background information: The sam.ldb.d directory is required to enable the third-party daemon BIND to access the AD DNS partitions, without allowing access to any other partition.

The sam.ldb.d directory contains the raw AD partition databases, while the sam.ldb file is a view to all of them.

That's why BIND needs write access to the two DNS partition database files (+ metadata.tdb) and must not have access to any other file in the sam.ldb.d directory, nor to the sam.ldb file.



Regards,
Marc
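The layout Marc describes (sam.ldb and the non-DNS partitions 600 root:root, sam.ldb.d 750 root:bind, the two DNS partitions plus metadata.tdb 660 root:bind) can be turned into a check an administrator runs after provisioning or after a suspected change. The script below is an added example, not code from this thread or from the Samba project. It assumes GNU `stat` (Linux); the private directory, the BIND group name (`bind` or `named`, both appear in the thread) and the expected owner are parameters because they differ between installations.

```shell
#!/bin/sh
# Added example (not from the mailing-list post or Samba): audit the mode
# and ownership of the Samba AD database files against the values the
# thread lists. Assumes GNU coreutils stat (Linux).

# check_file PATH MODE OWNER GROUP
# Prints one line per deviation; returns the number of deviations (0-3,
# or 1 if the file is missing).
check_file() {
    _path=$1 _mode=$2 _owner=$3 _group=$4 _bad=0
    if [ ! -e "$_path" ]; then
        echo "MISSING $_path"
        return 1
    fi
    # %a = octal mode, %U = owner name, %G = group name (GNU stat).
    # On BSD/macOS the equivalent is: stat -f '%Lp %Su %Sg'
    set -- $(stat -c '%a %U %G' "$_path")
    [ "$1" = "$_mode" ]  || { echo "MODE  $_path is $1, want $_mode";  _bad=$((_bad+1)); }
    [ "$2" = "$_owner" ] || { echo "OWNER $_path is $2, want $_owner"; _bad=$((_bad+1)); }
    [ "$3" = "$_group" ] || { echo "GROUP $_path is $3, want $_group"; _bad=$((_bad+1)); }
    return $_bad
}

# audit_samba_db PRIVATE_DIR BIND_GROUP [OWNER]
# OWNER defaults to root. Returns the total number of deviations found,
# so a return of 0 means the layout matches the provisioning defaults.
audit_samba_db() {
    _dir=$1 _bind=$2 _root=${3:-root} _total=0

    # The combined view: root-only.
    check_file "$_dir/sam.ldb" 600 "$_root" "$_root"; _total=$((_total+$?))
    # The partition directory: BIND may traverse it, but not write to it.
    check_file "$_dir/sam.ldb.d" 750 "$_root" "$_bind"; _total=$((_total+$?))

    for _f in "$_dir"/sam.ldb.d/*; do
        [ -e "$_f" ] || continue
        case "$(basename "$_f")" in
            # Only the DNS partitions and metadata.tdb are shared with BIND.
            DC=DOMAINDNSZONES,*|DC=FORESTDNSZONES,*|metadata.tdb)
                check_file "$_f" 660 "$_root" "$_bind" ;;
            # Everything else (schema, configuration, domain partition) is root-only.
            *)
                check_file "$_f" 600 "$_root" "$_root" ;;
        esac
        _total=$((_total+$?))
    done
    return $_total
}

# Run directly: sh samba_db_audit.sh /usr/local/samba/private bind
if [ $# -gt 0 ]; then
    audit_samba_db "$1" "${2:-bind}"
    echo "deviations: $?"
fi
```

The check reports every mismatch rather than stopping at the first, so the sam.ldb change from the thread (660 root:bind instead of 600 root:root) shows up as two lines, one for the mode and one for the group, and the return value counts both.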


