Bug 1476175 - samba folder /var/lib/samba/private/ have wrong access for bind if deploy with --dns-backend=BIND9_DLZ
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: samba
Version: 27
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Target Release: ---
Assigned To: Guenther Deschner
QA Contact: Fedora Extras Quality Assurance
Duplicates: 1483932
Reported: 2017-07-28 04:12 EDT by Dario Lesca
Modified: 2017-09-30 02:25 EDT

Fixed In Version: samba-4.7.0-0.10.rc5.fc27
Last Closed: 2017-09-30 02:25:46 EDT
Type: Bug


Attachments: None
Description Dario Lesca 2017-07-28 04:12:46 EDT
Description of problem:
if Samba is deployed with --dns-backend=BIND9_DLZ, the folder /var/lib/samba/private/ has the wrong permissions for bind

Version-Release number of selected component (if applicable):
Fedora 27 rawhide
# rpm -q samba-dc bind
samba-dc-4.7.0-0.6.rc1.fc27.x86_64
bind-9.11.1-4.P3.fc27.x86_64

How reproducible:
Deploy Samba with the BIND DLZ DNS backend and start bind

Steps to Reproduce:

Run samba-tool 
# samba-tool domain provision \
        --realm=dom.loc \
        --domain=dom \
        --dns-backend=BIND9_DLZ \
        --use-rfc2307 \
        --server-role=dc \
        --function-level=2008_R2

configure bind, add into /etc/named.conf this:
(in the options section)
   tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";

(at the end)
   include "/var/lib/samba/private/named.conf";

the files to be included have the right permissions:
# ll /var/lib/samba/private/{dns.keytab,named.conf}
-rw-r-----. 1 root named 772 27 lug 13.46 /var/lib/samba/private/dns.keytab
-rw-r--r--. 1 root root  720 27 lug 13.46 /var/lib/samba/private/named.conf

But the "private" folder is not accessible to the bind user:
# ll -ld /var/lib/samba/private/
drwx------. 6 root root 4096 27 lug 13.46 /var/lib/samba/private/

so I changed it with:
# chmod g+rx /var/lib/samba/private/
# chgrp named /var/lib/samba/private/

Actual results:
Folder /var/lib/samba/private/ is not accessible to bind

Expected results:
This folder must be accessible to bind

Additional info:
Comment 1 Andreas Schneider 2017-07-31 10:13:10 EDT
I think those files are created in the wrong directory. Private is private and permissions should not be relaxed.
Comment 2 Dario Lesca 2017-08-01 15:44:55 EDT
I believe that in /var/lib/samba/private/ there are some files shared between samba and bind.

Question: might a solution be to use a "mount --bind" of this folder (/var/lib/samba/private/) onto another folder used only by bind (/var/named/samba/)?

Dario
Comment 3 Jan Kurik 2017-08-15 04:42:44 EDT
This bug appears to have been reported against 'rawhide' during the Fedora 27 development cycle.
Changing version to '27'.
Comment 4 Dario Lesca 2017-08-16 15:40:56 EDT
After every samba update I must change the /var/lib/samba/private/ folder permissions.

I have tried the "mount --bind" way, but when I change the /var/named/samba/ dir permissions, the /var/lib/samba/private/ permissions change too.
So this way is not practicable.

On the samba-technical (devel) ML this problem has been discussed and a solution seems to have been found:

https://lists.samba.org/archive/samba-technical/2017-August/122142.html
https://lists.samba.org/archive/samba-technical/2017-August/122305.html

https://git.samba.org/?p=asn/samba.git;a=commit;h=506adac5b72704023940b09582bb7b6ee5f3e9e3

Someone must make some adjustments to the .spec file of the Fedora package to allow this change.

Thanks

Dario
Comment 5 Andreas Schneider 2017-08-17 06:17:57 EDT
The patchset is not complete; it doesn't have an upgrade path defined yet.

Packages with working bind will be available with the next release candidate or the final version of Samba 4.7.0. You need to wait until this happens ...
Comment 6 Jeff Sadowski 2017-08-18 10:05:48 EDT
Thank you, Dario Lesca, for reporting this bug; it would have been annoying having every upgrade break permissions.

Thank you, Andreas Schneider, I am loving the fact that I can install an updated version of samba without having to compile it, not knowing all the things I want enabled and hooks and plugins. I love how I can do a "dnf install samba-dc" and I can have a domain controller.
Comment 7 Jeff Sadowski 2017-08-18 10:57:06 EDT
My temporary workaround:

#create dependency for named to check permissions
mkdir -p /etc/systemd/system/named.service.d
cat << EOF_service > /etc/systemd/system/named.service.d/samba-permission-check.conf
[Service]
ExecStartPre=/etc/scripts/samba-permissions-check.sh
EOF_service
mkdir -p /etc/scripts

#script used in dependency for named to check permissions
cat << 'EOF_script' > /etc/scripts/samba-permissions-check.sh
#!/bin/bash
# re-apply the group ownership and mode that bind needs on the Samba files;
# systemd runs this before every named start, so it survives samba package updates
set -e
chgrp named /var/lib/samba/private/
chmod 0750 /var/lib/samba/private/
chgrp named /var/lib/samba/private/named.conf
chgrp -R named /var/lib/samba/private/dns
chgrp named /var/lib/samba/private/sam.ldb
chgrp -R named /var/lib/samba/private/sam.ldb.d
EOF_script
# ExecStartPre refuses to run a script that is not executable
chmod 0755 /etc/scripts/samba-permissions-check.sh
systemctl daemon-reload
Comment 8 Andreas Schneider 2017-08-22 09:28:42 EDT
*** Bug 1483932 has been marked as a duplicate of this bug. ***
Comment 9 Fedora Update System 2017-09-12 13:18:09 EDT
samba-4.7.0-0.10.rc5.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-84d8296a2c
Comment 10 Andreas Schneider 2017-09-12 13:19:38 EDT
Note, you need to run:

samba_upgradedns --dns-backend=BIND9_DLZ

Which will upgrade the configuration and create everything in /var/lib/samba/bind-dns

Don't forget to modify the named.conf and change the path.
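The two things that go wrong after this migration are the ones comments 1 and 10 point at: named.conf still pulling files from /var/lib/samba/private (the path samba_upgradedns moved to /var/lib/samba/bind-dns), and the private directory left at the relaxed 0750 mode from the workaround above. The following audit script is an added example, not code from the bug report or from the Samba project; it assumes only that the old private directory should be back to mode 0700 and that bind should read everything from the new bind-dns tree. The function names (named_conf_paths, stale_private_refs, private_dir_is_tight, audit_bind_dlz) are this example's own, paths are passed as arguments so it can run against a constructed tree, and the named.conf parser only handles the two double-quoted directives the thread uses.

```shell
#!/bin/sh
# Added example (not from the bug report or Samba): post-migration audit for a
# BIND9_DLZ setup. Check 1: named.conf must not reference the private dir any
# more. Check 2: the private dir must have no group/other bits (mode 0700).

# Print every path named.conf pulls in through `include` or `tkey-gssapi-keytab`.
# Only double-quoted, one-per-line directives are handled (the form used above).
named_conf_paths() {
    sed -n -E 's/^[[:space:]]*(include|tkey-gssapi-keytab)[[:space:]]+"([^"]+)"[[:space:]]*;.*/\2/p' "$1"
}

# Return 0 if no path in $1 (named.conf) lies under $2 (the private dir);
# otherwise print each stale path and return 1.
stale_private_refs() {
    conf=$1 private=${2:-/var/lib/samba/private}
    rc=0
    for p in $(named_conf_paths "$conf"); do      # paths without spaces assumed
        case $p in
            "$private"/*) echo "stale: $p still points into $private"; rc=1 ;;
        esac
    done
    return $rc
}

# Return 0 if directory $1 grants nothing to group or other (octal mode ends in 00),
# 1 if it is missing or has been relaxed (e.g. the 0750 from the workaround).
private_dir_is_tight() {
    mode=$(stat -c '%a' "$1") || return 1
    case $mode in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Run both checks; the return value is the number of failed checks (0 = clean).
audit_bind_dlz() {
    conf=$1 private=$2
    fails=0
    stale_private_refs "$conf" "$private" || fails=$((fails + 1))
    if ! private_dir_is_tight "$private"; then
        echo "relaxed: $private is mode $(stat -c '%a' "$private" 2>/dev/null), expected 0700"
        fails=$((fails + 1))
    fi
    return $fails
}

# Constructed demonstration tree (not a real system): a named.conf that was never
# updated after samba_upgradedns, and a private/ dir relaxed to 0750.
demo() {
    tmp=$(mktemp -d) || return 0
    mkdir -p "$tmp/private" "$tmp/bind-dns"
    chmod 0750 "$tmp/private"
    cat > "$tmp/named.conf" <<EOF
options {
    tkey-gssapi-keytab "$tmp/private/dns.keytab";
};
include "$tmp/private/named.conf";
EOF
    if audit_bind_dlz "$tmp/named.conf" "$tmp/private"; then
        echo "OK: bind-dns layout in use and private/ is tight"
    else
        rc=$?
        echo "FAIL: $rc check(s) failed; point named.conf at bind-dns and chmod 0700 $tmp/private"
    fi
    rm -rf "$tmp"
}
demo
```

Run it as root against the real files with `audit_bind_dlz /etc/named.conf /var/lib/samba/private` once samba_upgradedns has been run and named.conf edited; a clean system reports nothing and returns 0. The check deliberately refuses the workaround's 0750 rather than asking whether the named user can read the directory, since after the migration bind should not need the private directory at all.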
Comment 11 Fedora Update System 2017-09-12 15:58:33 EDT
samba-4.7.0-0.10.rc5.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-84d8296a2c
Comment 12 Dario Lesca 2017-09-14 17:46:24 EDT
I have tried to deploy a Samba AD-DC server on a fresh Fedora 27 server install with the new samba package

On the f27 server base I have installed these packages:

dnf install samba-client samba-dc samba-winbind samba-dc-bind-dlz \
 krb5-workstation tdb-tools samba-winbind-clients samba-common \
 bind bind-utils

Then I ran this command, but I got this error:

+ test '!' -e /etc/krb5.conf.orig
+ mv /etc/krb5.conf /etc/krb5.conf.orig
+ test -e /etc/krb5.conf
+ test '!' -e /etc/samba/smb.conf.orig
+ mv /etc/samba/smb.conf /etc/samba/smb.conf.orig
+ test -e /etc/samba/smb.conf
+ samba-tool domain provision --realm=dom.loc --domain=dom --dns-backend=BIND9_DLZ --use-rfc2307 --server-role=dc --function-level=2008_R2 --adminpass=P@ssw0rd
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
ldb: module version mismatch in ../source4/dsdb/samdb/ldb_modules/acl.c : ldb_version=1.2.2 module_version=1.2.1
ldb: failed to initialise module /usr/lib64/samba/ldb/acl.so : Unavailable
Setting up secrets.ldb
WARNING: Module [samba_secrets] not found - do you need to set LDB_MODULES_PATH?
Unable to load modules for /var/lib/samba/private/secrets.ldb: (null)
ERROR(ldb): uncaught exception - None
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/domain.py", line 474, in run
    nosync=ldap_backend_nosync, ldap_dryrun_mode=ldap_dryrun_mode)
  File "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py", line 2140, in provision
    backend_credentials=provision_backend.credentials, lp=lp)
  File "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py", line 966, in setup_secretsdb
    secrets_ldb = Ldb(path, session_info=session_info, lp=lp)
  File "/usr/lib64/python2.7/site-packages/samba/__init__.py", line 114, in __init__
    self.connect(url, flags, options)
+ exit

What's happening?

Have I missed installing some package?

Dario Lesca
Comment 13 Dario Lesca 2017-09-15 05:03:49 EDT
(In reply to Dario Lesca from comment #12)

> ldb: module version mismatch in ../source4/dsdb/samdb/ldb_modules/acl.c :
> ldb_version=1.2.2 module_version=1.2.1
> ldb: failed to initialise module /usr/lib64/samba/ldb/acl.so : Unavailable
> Setting up secrets.ldb
> WARNING: Module [samba_secrets] not found - do you need to set
> LDB_MODULES_PATH?
> Unable to load modules for /var/lib/samba/private/secrets.ldb: (null)

I think the problem is the version of ldb used for the build of the samba package (1.2.1)

On the system there is ldb 1.2.2

so I think it's necessary to rebuild the samba package
Comment 14 Dario Lesca 2017-09-15 05:17:14 EDT
(In reply to Dario Lesca from comment #13)
> (In reply to Dario Lesca from comment #12)
> 
> > ldb: module version mismatch in ../source4/dsdb/samdb/ldb_modules/acl.c :
> > ldb_version=1.2.2 module_version=1.2.1
> > ldb: failed to initialise module /usr/lib64/samba/ldb/acl.so : Unavailable
> > Setting up secrets.ldb
> > WARNING: Module [samba_secrets] not found - do you need to set
> > LDB_MODULES_PATH?
> > Unable to load modules for /var/lib/samba/private/secrets.ldb: (null)
> 
> I think the problem is the version of ldb to use for build of samba package
> (1.2.1)
> 
> On system there is ldb 1.2.2
> 
> so I think it's necessary to rebuild samba package

I have downgraded libldb to 1.2.1 and the problem has disappeared

I think it is useful to put a check for this dependency into samba.spec.

I do not know how to do it, but I think it is possible ... and useful
Comment 15 Fedora Update System 2017-09-30 02:25:46 EDT
samba-4.7.0-0.10.rc5.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.
