[Samba] bind - samba_dlz - insufficient access rights

Post by Robert Moskowitz
Rebuilt my server to test that I 'knew' how to build it, and to do it on
the net where it will run. Took some effort to get permissions to
/var/lib/samba/private/dns/sam.ldb right, and I probably overkilled. But
Sep 10 16:21:14 homebase.home.htt named[2698]: samba_dlz: ldb: module
descriptor initialization failed : insufficient access rights
Sep 10 16:21:14 homebase.home.htt named[2698]: samba_dlz: ldb: module
objectclass initialization failed : insufficient access rights
Sep 10 16:21:14 homebase.home.htt named[2698]: samba_dlz: ldb: module
asq initialization failed : insufficient access rights
Sep 10 16:21:14 homebase.home.htt named[2698]: samba_dlz: ldb: module
server_sort initialization failed : insufficient access rights
Sep 10 16:21:14 homebase.home.htt named[2698]: samba_dlz: ldb: module
paged_results initialization failed : insufficient access rights
Sep 10 16:21:14 homebase.home.htt named[2698]: samba_dlz: ldb: module
dirsync initialization failed : insufficient access rights
Sep 10 16:21:14 homebase.home.htt named[2698]: samba_dlz: ldb: module
schema_load initialization failed : insufficient access rights
Sep 10 16:21:14 homebase.home.htt systemd[1]: named.service: control
process exited, code=exited status=1
Sep 10 16:21:14 homebase.home.htt systemd[1]: Failed to start Berkeley
Internet Name Domain (DNS).
so now what am I missing?

*what are* the permissions
"ls -lha -R" may help..........

some sane software refuses to run with *too wide* open permissions as
well fails with to tight ones

Robert Moskowitz

2015-09-10 20:39:56 UTC

*what are* the permissions
"ls -lha -R" may help..........

But to what directory/file?

I am guessing:

ls -lha -R /var/lib/samba/private/dns
/var/lib/samba/private/dns:
total 2.9M
drwxr-x--- 3 root named 4.0K Sep 10 13:27 .
drwxr-x--- 7 root named 4.0K Sep 10 16:36 ..
-rw-rw---- 1 root named 2.9M Sep 10 13:27 sam.ldb
drwxr-xr-x 2 root named 4.0K Sep 10 13:27 sam.ldb.d

/var/lib/samba/private/dns/sam.ldb.d:
total 27M
drwxr-xr-x 2 root named 4.0K Sep 10 13:27 .
drwxr-x--- 3 root named 4.0K Sep 10 13:27 ..
-rw------- 1 root named 8.2M Sep 10 13:27
CN=CONFIGURATION,DC=HOME,DC=HTT.ldb
-rw------- 1 root named 8.9M Sep 10 13:27
CN=SCHEMA,CN=CONFIGURATION,DC=HOME,DC=HTT.ldb
-rw------- 2 root named 4.1M Sep 10 13:27
DC=DOMAINDNSZONES,DC=HOME,DC=HTT.ldb
-rw------- 2 root named 4.1M Sep 10 13:27
DC=FORESTDNSZONES,DC=HOME,DC=HTT.ldb
-rw-r--r-- 1 root named 1.3M Sep 10 13:27 DC=HOME,DC=HTT.ldb
-rw-r----- 2 root named 412K Sep 10 15:10 metadata.tdb

Post by Reindl Harald
some sane software refuses to run with *too wide* open permissions as
well fails with to tight ones

Yes. I would not be supprised that I was hitting on the wrong
permissions problem all along and opened up something best left closed.
I wonder what is missing in the script/instructions in sernet and
classicupgrade that resulted in permissions problems to begin with.

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Brady, Mike

2015-09-10 21:21:49 UTC

*what are* the permissions
"ls -lha -R" may help..........

But to what directory/file?
ls -lha -R /var/lib/samba/private/dns
total 2.9M
drwxr-x--- 3 root named 4.0K Sep 10 13:27 .
drwxr-x--- 7 root named 4.0K Sep 10 16:36 ..
-rw-rw---- 1 root named 2.9M Sep 10 13:27 sam.ldb
drwxr-xr-x 2 root named 4.0K Sep 10 13:27 sam.ldb.d
total 27M
drwxr-xr-x 2 root named 4.0K Sep 10 13:27 .
drwxr-x--- 3 root named 4.0K Sep 10 13:27 ..
-rw------- 1 root named 8.2M Sep 10 13:27
CN=CONFIGURATION,DC=HOME,DC=HTT.ldb
-rw------- 1 root named 8.9M Sep 10 13:27
CN=SCHEMA,CN=CONFIGURATION,DC=HOME,DC=HTT.ldb
-rw------- 2 root named 4.1M Sep 10 13:27
DC=DOMAINDNSZONES,DC=HOME,DC=HTT.ldb
-rw------- 2 root named 4.1M Sep 10 13:27
DC=FORESTDNSZONES,DC=HOME,DC=HTT.ldb
-rw-r--r-- 1 root named 1.3M Sep 10 13:27 DC=HOME,DC=HTT.ldb
-rw-r----- 2 root named 412K Sep 10 15:10 metadata.tdb

Post by Reindl Harald
some sane software refuses to run with *too wide* open permissions as
well fails with to tight ones

Yes. I would not be supprised that I was hitting on the wrong
permissions problem all along and opened up something best left
closed. I wonder what is missing in the script/instructions in sernet
and classicupgrade that resulted in permissions problems to begin
with.

On Centos 7 using the Sernet packages the named user does not have
access to /var/lib/samba/private. I have been correcting this with the
following on my domain controllers. All the other ownership/permissions
were correct.

setfacl -m u:named:rx /var/lib/samba/private

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Robert Moskowitz

2015-09-10 21:24:58 UTC

Post by Robert Moskowitz
Rebuilt my server to test that I 'knew' how to build it, and to do it on
the net where it will run. Took some effort to get permissions to
/var/lib/samba/private/dns/sam.ldb right, and I probably
overkilled. But
Sep 10 16:21:14 homebase.home.htt named[2698]: samba_dlz: ldb: module
descriptor initialization failed : insufficient access rights
Sep 10 16:21:14 homebase.home.htt named[2698]: samba_dlz: ldb: module
objectclass initialization failed : insufficient access rights
Sep 10 16:21:14 homebase.home.htt named[2698]: samba_dlz: ldb: module
asq initialization failed : insufficient access rights
Sep 10 16:21:14 homebase.home.htt named[2698]: samba_dlz: ldb: module
server_sort initialization failed : insufficient access rights
Sep 10 16:21:14 homebase.home.htt named[2698]: samba_dlz: ldb: module
paged_results initialization failed : insufficient access rights
Sep 10 16:21:14 homebase.home.htt named[2698]: samba_dlz: ldb: module
dirsync initialization failed : insufficient access rights
Sep 10 16:21:14 homebase.home.htt named[2698]: samba_dlz: ldb: module
schema_load initialization failed : insufficient access rights
Sep 10 16:21:14 homebase.home.htt systemd[1]: named.service: control
process exited, code=exited status=1
Sep 10 16:21:14 homebase.home.htt systemd[1]: Failed to start Berkeley
Internet Name Domain (DNS).
so now what am I missing?

*what are* the permissions
"ls -lha -R" may help..........

Post by Reindl Harald
some sane software refuses to run with *too wide* open permissions
as well fails with to tight ones

Yes. I would not be supprised that I was hitting on the wrong
permissions problem all along and opened up something best left
closed. I wonder what is missing in the script/instructions in sernet
and classicupgrade that resulted in permissions problems to begin
with.

On Centos 7 using the Sernet packages the named user does not have
access to /var/lib/samba/private. I have been correcting this with
the following on my domain controllers. All the other
ownership/permissions were correct.
setfacl -m u:named:rx /var/lib/samba/private

Thanks. I just tried that and got the same errors trying to start named.

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Brady, Mike

2015-09-10 22:12:32 UTC

Post by Robert Moskowitz
Rebuilt my server to test that I 'knew' how to build it, and to do it on
the net where it will run. Took some effort to get permissions to
/var/lib/samba/private/dns/sam.ldb right, and I probably
overkilled. But
Sep 10 16:21:14 homebase.home.htt named[2698]: samba_dlz: ldb: module
descriptor initialization failed : insufficient access rights
Sep 10 16:21:14 homebase.home.htt named[2698]: samba_dlz: ldb: module
objectclass initialization failed : insufficient access rights
Sep 10 16:21:14 homebase.home.htt named[2698]: samba_dlz: ldb: module
asq initialization failed : insufficient access rights
Sep 10 16:21:14 homebase.home.htt named[2698]: samba_dlz: ldb: module
server_sort initialization failed : insufficient access rights
Sep 10 16:21:14 homebase.home.htt named[2698]: samba_dlz: ldb: module
paged_results initialization failed : insufficient access rights
Sep 10 16:21:14 homebase.home.htt named[2698]: samba_dlz: ldb: module
dirsync initialization failed : insufficient access rights
Sep 10 16:21:14 homebase.home.htt named[2698]: samba_dlz: ldb: module
schema_load initialization failed : insufficient access rights
Sep 10 16:21:14 homebase.home.htt systemd[1]: named.service: control
process exited, code=exited status=1
Sep 10 16:21:14 homebase.home.htt systemd[1]: Failed to start Berkeley
Internet Name Domain (DNS).
so now what am I missing?

*what are* the permissions
"ls -lha -R" may help..........

Post by Reindl Harald
some sane software refuses to run with *too wide* open permissions
as well fails with to tight ones

Yes. I would not be supprised that I was hitting on the wrong
permissions problem all along and opened up something best left
closed. I wonder what is missing in the script/instructions in sernet
and classicupgrade that resulted in permissions problems to begin
with.

On Centos 7 using the Sernet packages the named user does not have
access to /var/lib/samba/private. I have been correcting this with
the following on my domain controllers. All the other
ownership/permissions were correct.
setfacl -m u:named:rx /var/lib/samba/private

Thanks. I just tried that and got the same errors trying to start named.

Robert

That is the only file system permission issue that I have encountered.
Those error messages may be the backend refusing named access to the AD
LDAP though, rather than filesystem permissions.

Not sure what controls that.

Only thought I have is do you have the tkey-gssapi-keytab line in your
named.conf and does the file specified have the necessary keys in it?

Mike

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Robert Moskowitz

2015-09-10 23:16:01 UTC