Bug 1476175
| Summary: | samba folder /var/lib/samba/private/ have wrong access for bind if deploy with --dns-backend=BIND9_DLZ | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Dario Lesca <d.lesca> |
| Component: | samba | Assignee: | Guenther Deschner <gdeschner> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 27 | CC: | abokovoy, andreas.bierfert, anoopcs, asn, d.lesca, extras-orphan, gdeschner, jarrpa, jeff.sadowski, lists, lmohanty, madam, sbose, ssorce |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | samba-4.7.0-0.10.rc5.fc27 | Doc Type: | If docs needed, set a value |
| Last Closed: | 2017-09-30 06:25:46 UTC | Type: | Bug |
I think those files are created in the wrong directory. Private is private and permissions should not be relaxed.

I believe that in /var/lib/samba/private/ there are some common files between samba and bind.

Question: Might it be a solution to use a "mount --bind" of this folder (/var/lib/samba/private/) into another folder useful only for bind (/var/named/samba/)?

Dario

This bug appears to have been reported against 'rawhide' during the Fedora 27 development cycle. Changing version to '27'.

After any samba update I must change the /var/lib/samba/private/ folder permission.

I have tried the "mount --bind" way, but when I change the /var/named/samba/ dir permission, the /var/lib/samba/private/ permission is changed as well. So this way is not practicable.

On the samba-technical (devel) ML this problem has been discussed and a solution seems to have been found:

https://lists.samba.org/archive/samba-technical/2017-August/122142.html
https://lists.samba.org/archive/samba-technical/2017-August/122305.html
https://git.samba.org/?p=asn/samba.git;a=commit;h=506adac5b72704023940b09582bb7b6ee5f3e9e3

Someone must make some adjustments to the .spec file of the Fedora package to allow for these changes.

Thanks
Dario

The patchset is not complete, it doesn't have an upgrade path defined yet. Packages with working bind will be available with the next release candidate or the final version of Samba 4.7.0. You need to wait till this will happen ...

Thank you, Dario Lesca, for reporting this bug; it would have been annoying to have every upgrade break permissions.
Thank you, Andreas Schneider, I am loving the fact that I can install an updated version of samba without having to compile it, not knowing all the things I want enabled and hooks and plugins. I love how I can do a "dnf install samba-dc" and I can have a domain controller.

My temporary workaround:

```
# Create a drop-in so named checks permissions before it starts
mkdir -p /etc/systemd/system/named.service.d
cat << 'EOF_service' > /etc/systemd/system/named.service.d/samba-permission-check.conf
[Service]
ExecStartPre=/etc/scripts/samba-permissions-check.sh
EOF_service

mkdir -p /etc/scripts
# Script run by the drop-in above to reset group access for named
cat << 'EOF_script' > /etc/scripts/samba-permissions-check.sh
#!/bin/bash
chgrp named /var/lib/samba/private/
chmod 0750 /var/lib/samba/private/
chgrp named /var/lib/samba/private/named.conf
chgrp -R named /var/lib/samba/private/dns
chgrp named /var/lib/samba/private/sam.ldb
chgrp -R named /var/lib/samba/private/sam.ldb.d
EOF_script
# ExecStartPre can only run the script if it is executable
chmod 0755 /etc/scripts/samba-permissions-check.sh

systemctl daemon-reload
```

*** Bug 1483932 has been marked as a duplicate of this bug. ***

samba-4.7.0-0.10.rc5.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-84d8296a2c

Note, you need to run:

```
samba_upgradedns --dns-backend=BIND9_DLZ
```

which will upgrade the configuration and create everything in /var/lib/samba/bind-dns.

Don't forget to modify the named.conf and change the path.

samba-4.7.0-0.10.rc5.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-84d8296a2c

I have tried to deploy a samba AD-DC server on a fresh Fedora 27 server install with the new samba package.
On the F27 server base I have installed these packages:

```
dnf install samba-client samba-dc samba-winbind samba-dc-bind-dlz \
krb5-workstation tdb-tools samba-winbind-clients samba-common \
bind bind-utils
```

Then I ran this command, but I got this error:
```
+ test '!' -e /etc/krb5.conf.orig
+ mv /etc/krb5.conf /etc/krb5.conf.orig
+ test -e /etc/krb5.conf
+ test '!' -e /etc/samba/smb.conf.orig
+ mv /etc/samba/smb.conf /etc/samba/smb.conf.orig
+ test -e /etc/samba/smb.conf
+ samba-tool domain provision --realm=dom.loc --domain=dom --dns-backend=BIND9_DLZ --use-rfc2307 --server-role=dc --function-level=2008_R2 --adminpass=P@ssw0rd
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
ldb: module version mismatch in ../source4/dsdb/samdb/ldb_modules/acl.c : ldb_version=1.2.2 module_version=1.2.1
ldb: failed to initialise module /usr/lib64/samba/ldb/acl.so : Unavailable
Setting up secrets.ldb
WARNING: Module [samba_secrets] not found - do you need to set LDB_MODULES_PATH?
Unable to load modules for /var/lib/samba/private/secrets.ldb: (null)
ERROR(ldb): uncaught exception - None
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/domain.py", line 474, in run
    nosync=ldap_backend_nosync, ldap_dryrun_mode=ldap_dryrun_mode)
  File "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py", line 2140, in provision
    backend_credentials=provision_backend.credentials, lp=lp)
  File "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py", line 966, in setup_secretsdb
    secrets_ldb = Ldb(path, session_info=session_info, lp=lp)
  File "/usr/lib64/python2.7/site-packages/samba/__init__.py", line 114, in __init__
    self.connect(url, flags, options)
+ exit
```
What's happening?
Am I missing some package that I need to install?
Dario Lesca
(In reply to Dario Lesca from comment #12)
> ldb: module version mismatch in ../source4/dsdb/samdb/ldb_modules/acl.c :
> ldb_version=1.2.2 module_version=1.2.1
> ldb: failed to initialise module /usr/lib64/samba/ldb/acl.so : Unavailable
> Setting up secrets.ldb
> WARNING: Module [samba_secrets] not found - do you need to set
> LDB_MODULES_PATH?
> Unable to load modules for /var/lib/samba/private/secrets.ldb: (null)

I think the problem is the version of ldb used to build the samba package (1.2.1).

On the system there is ldb 1.2.2,

so I think it's necessary to rebuild the samba package.

(In reply to Dario Lesca from comment #13)
> (In reply to Dario Lesca from comment #12)
>
> > ldb: module version mismatch in ../source4/dsdb/samdb/ldb_modules/acl.c :
> > ldb_version=1.2.2 module_version=1.2.1
> > ldb: failed to initialise module /usr/lib64/samba/ldb/acl.so : Unavailable
> > Setting up secrets.ldb
> > WARNING: Module [samba_secrets] not found - do you need to set
> > LDB_MODULES_PATH?
> > Unable to load modules for /var/lib/samba/private/secrets.ldb: (null)
>
> I think the problem is the version of ldb to use for build of samba package
> (1.2.1)
>
> On system there is ldb 1.2.2
>
> so I think it's necessary to rebuild samba package

I have downgraded libldb to 1.2.1 and the problem has disappeared.

I think it would be useful to put a control for this dependency into samba.spec.
I do not know how to do it, but I think it is possible ... and useful.

samba-4.7.0-0.10.rc5.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.
Description of problem:
If samba is deployed with --dns-backend=BIND9_DLZ, the folder /var/lib/samba/private/ has the wrong access for bind.

Version-Release number of selected component (if applicable):
Fedora 27 rawhide

```
# rpm -q samba-dc bind
samba-dc-4.7.0-0.6.rc1.fc27.x86_64
bind-9.11.1-4.P3.fc27.x86_64
```

How reproducible:
Deploy samba with the bind DLZ dns backend and start bind.

Steps to Reproduce:
Run samba-tool:

```
# samba-tool domain provision \
    --realm=dom.loc \
    --domain=dom \
    --dns-backend=BIND9_DLZ \
    --use-rfc2307 \
    --server-role=dc \
    --function-level=2008_R2
```

Configure bind; add this to /etc/named.conf:

(in the options section)

```
tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
```

(at the end)

```
include "/var/lib/samba/private/named.conf";
```

The files to include have the right access:

```
# ll /var/lib/samba/private/{dns.keytab,named.conf}
-rw-r-----. 1 root named 772 27 lug 13.46 /var/lib/samba/private/dns.keytab
-rw-r--r--. 1 root root 720 27 lug 13.46 /var/lib/samba/private/named.conf
```

But the folder "private" is not accessible to the bind user:

```
# ll -ld /var/lib/samba/private/
drwx------. 6 root root 4096 27 lug 13.46 /var/lib/samba/private/
```

Then I changed it with:

```
# chmod g+rx /var/lib/samba/private/
# chgrp named /var/lib/samba/private/
```

Actual results:
Folder /var/lib/samba/private/ is not accessible to bind

Expected results:
This folder must be accessible to bind

Additional info:
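
An audit of the end state this bug converges on, added here as an example that is not part of the original report or of the Samba or Fedora packaging: the private directory closed to group and other, and named.conf no longer pointing into it. The function names and the temporary sample tree are constructed for illustration, and GNU `stat` is assumed; on a real host the arguments would be /etc/named.conf and /var/lib/samba/private.

```shell
#!/bin/sh
# Added example: paths are arguments so the checks run on a constructed tree.

# Succeeds only if DIR ($1) grants no permission bits to group or other.
private_is_closed() {
    mode=$(stat -c '%a' "$1") || return 2
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# Prints non-comment lines of CONF ($1) naming PRIVATE ($2); /* */ not parsed.
private_refs() {
    sed -e 's/#.*//' -e 's|//.*||' "$1" | grep -n -F -- "$2"
}

# Returns 0 when both checks pass, 1 otherwise.
audit_dlz() {
    conf=$1; private=$2; rc=0
    if ! private_is_closed "$private"; then
        echo "FAIL: $private is accessible to group/other"; rc=1
    fi
    if refs=$(private_refs "$conf" "$private"); then
        echo "FAIL: $conf still references $private:"; echo "$refs"; rc=1
    fi
    return $rc
}

# Constructed sample tree. $1 = workaround | fixed; prints the tree root.
make_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/private" "$root/bind-dns"
    if [ "$1" = workaround ]; then
        chmod 0750 "$root/private"; dir=private
    else
        chmod 0700 "$root/private"; dir=bind-dns
    fi
    cat > "$root/named.conf" <<EOF
options {
    # tkey-gssapi-keytab "$root/private/dns.keytab";
    tkey-gssapi-keytab "$root/$dir/dns.keytab";
};
include "$root/$dir/named.conf";
EOF
    echo "$root"
}

for state in workaround fixed; do
    t=$(make_sample "$state")
    if audit_dlz "$t/named.conf" "$t/private"; then echo "OK: $state"; fi
    rm -rf "$t"
done
```

The commented-out keytab line in the sample shows that a leftover reference inside a comment does not trip the audit, while the chmod 0750 state from the workaround does.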