Re: [Samba] samba Digest, Vol 172, Issue 2

Hello Marc

I changed the rights of sam.ldb back to 600 and root:root,

and I think the rights of the sam.ldb.d directory are correct.

-rw------- 1 root root  16M Apr  2 17:29 CN=CONFIGURATION,DC=MY,DC=DOMAIN,DC=DE.ldb
-rw------- 1 root root  10M Apr  2 17:29 CN=SCHEMA,CN=CONFIGURATION,DC=MY,DC=DOMAIN,DC=DE.ldb
-rw-rw---- 2 root bind  26M Apr  2 17:28 DC=DOMAINDNSZONES,DC=MY,DC=DOMAIN,DC=DE.ldb
-rw-rw---- 2 root bind 4,1M Apr  2 17:28 DC=FORESTDNSZONES,DC=MY,DC=DOMAIN,DC=DE.ldb
-rw------- 1 root root  65M Apr  2 17:29 DC=MY,DC=DOMAIN,DC=DE.ldb
-rw-rw---- 2 root bind 412K Apr  2 14:46 metadata.tdb

Karl Heinz


Am 02.04.2017 um 17:13 schrieb Marc Muehlfeld:
Hello Karl Heinz,

Am 02.04.2017 um 15:22 schrieb Karl Heinz Wichmann via samba:
I changed the rights from 600 (root:root) to 660 (root:bind) and I get the
following error message.

-rw-rw---- 1 root bind 4,1M Jul  8  2015 sam.ldb

Please revert these insecure permissions to the ones we set during the

Using these permissions, the BIND user account is enabled to read and
write to the whole AD database file. The sam.ldb must have 600
permissions and owned by root:root to be protected:

-rw------- root root /usr/local/samba/private/sam.ldb

sam.ldb is a virtual view to all AD partitions.

drwxr-x--- 2 root bind 4,0K Mär 31 12:12 sam.ldb.d

The permissions on this directory are correct. However, please check the
permissions of the raw AD partition database files in it. If you changed
them, reset them to the secure permissions we set during the provisioning:

-rw------- root root
-rw------- root root  DC=SAMDOM,DC=EXAMPLE,DC=COM.ldb
-rw-rw---- root named metadata.tdb

Some background information: The sam.ldb.d directory is required to
enable the third-party daemon BIND to access the AD DNS partitions,
without allowing access to any other partition.

The sam.ldb.d directory contains the raw AD partition databases, while
the sam.ldb file is a view to all of them.

That's why BIND needs write access to the two DNS partition database
files (+ metadata.ldb) and must not have access to any other file in the
sam.ldb.d directory, nor to the sam.ldb file.
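The permission layout Marc describes above (sam.ldb and the non-DNS partitions 600 root:root, the two DNS zone partitions and metadata.tdb 660 with the BIND group, the sam.ldb.d directory 750) can be checked with a small audit script. This is an added example, not code from the thread or from the Samba project; the private directory path, the owner, the owner group and the BIND group name (bind or named, depending on the distribution) are passed as arguments and are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit Samba AD DC database file permissions for BIND9_DLZ.
# Usage on a DC (as root): audit_samba_private /usr/local/samba/private root root bind

# Resolve a user or group name (or numeric id) to a numeric id.
uid_of() { case "$1" in *[!0-9]*) id -u "$1" ;; *) echo "$1" ;; esac; }
gid_of() { case "$1" in *[!0-9]*) getent group "$1" | cut -d: -f3 ;; *) echo "$1" ;; esac; }

# expected_for FILENAME BIND_GID OWNER_GID -> "mode gid" the file should have.
# Only the two DNS partitions and metadata.tdb may be group-writable by BIND.
expected_for() {
    case "$1" in
        DC=DOMAINDNSZONES,*|DC=FORESTDNSZONES,*|metadata.tdb) echo "660 $2" ;;
        *) echo "600 $3" ;;
    esac
}

# check_file PATH MODE UID GID -> 0 if the file matches, 1 (with a finding) otherwise.
check_file() {
    actual=$(stat -c '%a %u %g' "$1" 2>/dev/null) || { echo "MISSING: $1"; return 1; }
    [ "$actual" = "$2 $3 $4" ] && return 0
    echo "BAD: $1 is $actual, expected $2 $3 $4"
    return 1
}

# audit_samba_private PRIVATE_DIR OWNER OWNER_GROUP BIND_GROUP -> 0 when all files match.
audit_samba_private() {
    priv="$1"; ouid=$(uid_of "$2"); ogid=$(gid_of "$3"); bgid=$(gid_of "$4"); rc=0
    # sam.ldb is the view over all partitions: never readable by BIND.
    check_file "$priv/sam.ldb" 600 "$ouid" "$ogid" || rc=1
    # The directory itself only needs to be traversable by the BIND group.
    check_file "$priv/sam.ldb.d" 750 "$ouid" "$bgid" || rc=1
    for f in "$priv"/sam.ldb.d/*; do
        [ -e "$f" ] || continue
        set -- $(expected_for "$(basename "$f")" "$bgid" "$ogid")
        check_file "$f" "$1" "$ouid" "$2" || rc=1
    done
    return $rc
}
```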
