Description of problem:
If I deploy samba with --dns-backend=BIND9_DLZ, the folder /var/lib/samba/private/ has the wrong access permissions for bind.

Version-Release number of selected component (if applicable):
Fedora 27 rawhide
# rpm -q samba-dc bind
samba-dc-4.7.0-0.6.rc1.fc27.x86_64
bind-9.11.1-4.P3.fc27.x86_64

How reproducible:
Deploy samba with the bind DLZ dns backend and start bind.

Steps to Reproduce:
Run samba-tool:
# samba-tool domain provision \
    --realm=dom.loc \
    --domain=dom \
    --dns-backend=BIND9_DLZ \
    --use-rfc2307 \
    --server-role=dc \
    --function-level=2008_R2

Configure bind by adding this into /etc/named.conf:
(into the options section)
tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
(at the end)
include "/var/lib/samba/private/named.conf";

The files to include have the right access:
# ll /var/lib/samba/private/{dns.keytab,named.conf}
-rw-r-----. 1 root named 772 27 lug 13.46 /var/lib/samba/private/dns.keytab
-rw-r--r--. 1 root root  720 27 lug 13.46 /var/lib/samba/private/named.conf

But the folder "private" is not accessible by the bind user:
# ll -ld /var/lib/samba/private/
drwx------. 6 root root 4096 27 lug 13.46 /var/lib/samba/private/

So I have changed it with:
# chmod g+rx /var/lib/samba/private/
# chgrp named /var/lib/samba/private/

Actual results:
Folder /var/lib/samba/private/ is not accessible to bind

Expected results:
This folder must be accessible to bind

Additional info:
I think those files are created in the wrong directory. Private is private and permissions should not be relaxed.
I believe that in /var/lib/samba/private/ there are some files shared between samba and bind.

Question: might it be a solution to use a "mount --bind" of this folder (/var/lib/samba/private/) onto another folder used only by bind (/var/named/samba/)?

Dario
This bug appears to have been reported against 'rawhide' during the Fedora 27 development cycle. Changing version to '27'.
After any samba update I must change the /var/lib/samba/private/ folder permissions.

I have tried the "mount --bind" way, but when I change the /var/named/samba/ dir permissions, the /var/lib/samba/private/ ones change as well. So this way is not practicable.

On the samba Technical (devel) ML this problem has been discussed and a solution seems to have been found:

https://lists.samba.org/archive/samba-technical/2017-August/122142.html
https://lists.samba.org/archive/samba-technical/2017-August/122305.html
https://git.samba.org/?p=asn/samba.git;a=commit;h=506adac5b72704023940b09582bb7b6ee5f3e9e3

Someone must make some adjustments to the .spec file of the fedora package to allow this.

Thanks
Dario
The patchset is not complete, it doesn't have an upgrade path defined yet. Packages with working bind will be available with the next release candidate or the final version of Samba 4.7.0. You need to wait till this will happen ...
Thank you, Dario Lesca, for reporting this bug; it would have been annoying to have every upgrade break the permissions. Thank you, Andreas Schneider, I am loving the fact that I can install an updated version of samba without having to compile it, not knowing all the things I want enabled and the hooks and plugins. I love how I can do a "dnf install samba-dc" and have a domain controller.
My temporary work around:

#create dependence for named to check permissions
mkdir /etc/systemd/system/named.service.d
cat << EOF_service > /etc/systemd/system/named.service.d/samba-permission-check.conf
[Service]
ExecStartPre=/etc/scripts/samba-permissions-check.sh
EOF_service

mkdir /etc/scripts

#script used in dependency for named to check permissions
cat << EOF_script > /etc/scripts/samba-permissions-check.sh
#!/bin/bash
chgrp named /var/lib/samba/private/
chmod 0750 /var/lib/samba/private/
chgrp named /var/lib/samba/private/named.conf
chgrp -R named /var/lib/samba/private/dns
chgrp named /var/lib/samba/private/sam.ldb
chgrp -R named /var/lib/samba/private/sam.ldb.d
EOF_script
#the script must be executable or ExecStartPre fails
chmod 0755 /etc/scripts/samba-permissions-check.sh

systemctl daemon-reload
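The workaround above relaxes permissions under /var/lib/samba/private/, which comment 2 argues against. An added example, not from the bug report, that instead only reports which path component stops the named group from reaching a file, so the failing component can be fixed deliberately (the names perm_ok and check_access are mine; GNU stat -c is assumed, as on Fedora):

```shell
#!/bin/bash
# Report which part of the path stops a process running as a member of GROUP
# (and not as the owner) from reading FILE. Only mode bits are inspected, so
# the answer is right even when run as root, where test -r/-x always succeed.
# Assumes GNU stat (-c). Changes nothing on disk.
perm_ok() {
    # perm_ok GROUP FILEGROUP OCTALMODE BIT   (BIT: 4 = read, 1 = search/exec)
    local group="$1" filegroup="$2" mode="$3" bit="$4" other rest grp
    other=${mode#"${mode%?}"}          # last octal digit: "other" class
    rest=${mode%?}
    grp=${rest#"${rest%?}"}            # second-to-last digit: "group" class
    if [ "$filegroup" = "$group" ] && [ $((grp & bit)) -ne 0 ]; then return 0; fi
    [ $((other & bit)) -ne 0 ]
}

check_access() {
    # check_access GROUP FILE -> 0 if GROUP can read FILE, 1 if something blocks it
    local group="$1" file="$2" rc=0 out dir
    out=$(stat -c '%a %U %G' "$file") || return 2
    set -- $out                        # $1=mode $2=owner $3=group
    if ! perm_ok "$group" "$3" "$1" 4; then
        echo "BLOCKED: $file ($2:$3 mode $1) is not readable by group $group"; rc=1
    fi
    # Every ancestor directory needs the search (x) bit, otherwise the file is
    # unreachable however permissive it is itself (the drwx------ case here).
    dir=$(dirname "$file")
    while :; do
        out=$(stat -c '%a %U %G' "$dir") || return 2
        set -- $out
        if ! perm_ok "$group" "$3" "$1" 1; then
            echo "BLOCKED: $dir ($2:$3 mode $1) is not searchable by group $group"; rc=1
        fi
        [ "$dir" = / ] && break
        dir=$(dirname "$dir")
    done
    return "$rc"
}

# Usage: ./check.sh named /var/lib/samba/private/dns.keytab
if [ $# -ge 2 ]; then check_access "$@"; fi
```

Run it before starting named (for example from an ExecStartPre like the one above) to fail fast with a clear message instead of a bind startup error.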
*** Bug 1483932 has been marked as a duplicate of this bug. ***
samba-4.7.0-0.10.rc5.fc27 has been submitted as an update to Fedora 27.
https://bodhi.fedoraproject.org/updates/FEDORA-2017-84d8296a2c
Note, you need to run:

samba_upgradedns --dns-backend=BIND9_DLZ

which will upgrade the configuration and create everything in /var/lib/samba/bind-dns

Don't forget to modify the named.conf and change the path.
samba-4.7.0-0.10.rc5.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-84d8296a2c
I have tried to deploy a samba AD-DC server on a fresh Fedora 27 server install with the new samba package.

On the f27 server base I have installed these packages:

dnf install samba-client samba-dc samba-winbind samba-dc-bind-dlz \
    krb5-workstation tdb-tools samba-winbind-clients samba-common \
    bind bind-utils

Then I have run this command, but I got this error:

+ test '!' -e /etc/krb5.conf.orig
+ mv /etc/krb5.conf /etc/krb5.conf.orig
+ test -e /etc/krb5.conf
+ test '!' -e /etc/samba/smb.conf.orig
+ mv /etc/samba/smb.conf /etc/samba/smb.conf.orig
+ test -e /etc/samba/smb.conf
+ samba-tool domain provision --realm=dom.loc --domain=dom --dns-backend=BIND9_DLZ --use-rfc2307 --server-role=dc --function-level=2008_R2 --adminpass=P@ssw0rd
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
ldb: module version mismatch in ../source4/dsdb/samdb/ldb_modules/acl.c : ldb_version=1.2.2 module_version=1.2.1
ldb: failed to initialise module /usr/lib64/samba/ldb/acl.so : Unavailable
Setting up secrets.ldb
WARNING: Module [samba_secrets] not found - do you need to set LDB_MODULES_PATH?
Unable to load modules for /var/lib/samba/private/secrets.ldb: (null)
ERROR(ldb): uncaught exception - None
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/domain.py", line 474, in run
    nosync=ldap_backend_nosync, ldap_dryrun_mode=ldap_dryrun_mode)
  File "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py", line 2140, in provision
    backend_credentials=provision_backend.credentials, lp=lp)
  File "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py", line 966, in setup_secretsdb
    secrets_ldb = Ldb(path, session_info=session_info, lp=lp)
  File "/usr/lib64/python2.7/site-packages/samba/__init__.py", line 114, in __init__
    self.connect(url, flags, options)
+ exit

What's happening? Am I missing some package?

Dario Lesca
(In reply to Dario Lesca from comment #12)
> ldb: module version mismatch in ../source4/dsdb/samdb/ldb_modules/acl.c :
> ldb_version=1.2.2 module_version=1.2.1
> ldb: failed to initialise module /usr/lib64/samba/ldb/acl.so : Unavailable
> Setting up secrets.ldb
> WARNING: Module [samba_secrets] not found - do you need to set
> LDB_MODULES_PATH?
> Unable to load modules for /var/lib/samba/private/secrets.ldb: (null)

I think the problem is the version of ldb used to build the samba package (1.2.1).

On the system there is ldb 1.2.2, so I think it is necessary to rebuild the samba package.
(In reply to Dario Lesca from comment #13)
> (In reply to Dario Lesca from comment #12)
>
> > ldb: module version mismatch in ../source4/dsdb/samdb/ldb_modules/acl.c :
> > ldb_version=1.2.2 module_version=1.2.1
> > ldb: failed to initialise module /usr/lib64/samba/ldb/acl.so : Unavailable
> > Setting up secrets.ldb
> > WARNING: Module [samba_secrets] not found - do you need to set
> > LDB_MODULES_PATH?
> > Unable to load modules for /var/lib/samba/private/secrets.ldb: (null)
>
> I think the problem is the version of ldb used to build the samba package
> (1.2.1).
>
> On the system there is ldb 1.2.2,
>
> so I think it is necessary to rebuild the samba package.

I have downgraded libldb to 1.2.1 and the problem has disappeared.

I think it is useful to put a check for this dependency into samba.spec. I do not know how to do it, but I think it is possible ... and useful.
samba-4.7.0-0.10.rc5.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.