Samba AD and Bind

Samba AD and Bind

Samba - samba-technical mailing list
Hi Andrew,

we have a bind_dlz module so that Bind can be used as a nameserver. The files
needed by bind (besides the module) are the tsig and config file.

Those are located in the Samba private directory!

Distributions limit the access to the private directory to root and give it
0700 as the permissions.

As the 'named' of bind needs access to those files, it wants access to the
private directory but it is not allowed.

I think if an external daemon wants to have access to some samba resources,
the private directory is the wrong place.

So instead of

${LOCALSTATEDIR}/lib/samba/private

there should be probably

${LOCALSTATEDIR}/lib/samba/bind_dns


and all the files required by bind should go there. Then we could give 'named'
access to that directory!

named:root with 0770 for the permissions ...



Cheers,


        Andreas

--
Andreas Schneider                   GPG-ID: CC014E3D
Samba Team                             [hidden email]
www.samba.org

Re: Samba AD and Bind

Samba - samba-technical mailing list
Hi Andreas,

On Fri, Aug 4, 2017 at 7:42 PM, Andreas Schneider via samba-technical <
[hidden email]> wrote:

> Hi Andrew,
>
> we have a bind_dlz module so that Bind can be used as a nameserver. The
> files
> needed by bind (beside the module) are the tsig and config file.
>
> Those are located in the Samba private directory!
>
> Distributions limit the access to the private directory to root and give it
> 0700 as the permissions.
>

> As the 'named' of bind needs to access to those files it wants access to
> the
> private directory but it is not allowed.
>
> I think if an external daemon wants to have access to some samba resources,
> the private directory is the wrong place.
>
> So instead of
>
> ${LOCALSTATEDIR}/lib/samba/private
>
> there should be probably
>
> ${LOCALSTATEDIR}/lib/samba/bind_dns
>
>
> and all the files required by bind should go there. Then we could give
> 'named'
> access to that directory!
>
> named:root with 0770 for the permissions ...
>

It's a good idea to separate the files required for bind.  However, it has
to be done carefully.

For dlz_bind module, provisioning creates a partial copy of samdb with base
and domain
partitions.  But the dns partitions are linked to the dns partitions from
the main samdb.

For named, to be able to access the dns partitions in private directory
(via a link in
the separate bind_dns directory), the private directory needs to have at
least execute
permission for others.  That will indicate that you can change the
permissions for
the private directory to 0751 (or 0701 if you must).

The other option could be to move sam.ldb* out of private/ directory into
its own directory.  That way private/ can be 0700.  We still need to manage
the permissions for sam.ldb* files and the directory they are moved in, so
named has the required access.

Amitay.
Re: Samba AD and Bind

Samba - samba-technical mailing list
On 8 August 2017 at 12:50, Amitay Isaacs via samba-technical <
[hidden email]> wrote:

> Hi Andreas,
>
> On Fri, Aug 4, 2017 at 7:42 PM, Andreas Schneider via samba-technical <
> [hidden email]> wrote:
>
> > Hi Andrew,
> >
> > we have a bind_dlz module so that Bind can be used as a nameserver. The
> > files
> > needed by bind (beside the module) are the tsig and config file.
> >
> > Those are located in the Samba private directory!
> >
> > Distributions limit the access to the private directory to root and give
> it
> > 0700 as the permissions.
> >
>
> > As the 'named' of bind needs to access to those files it wants access to
> > the
> > private directory but it is not allowed.
> >
> > I think if an external daemon wants to have access to some samba
> resources,
> > the private directory is the wrong place.
> >
> > So instead of
> >
> > ${LOCALSTATEDIR}/lib/samba/private
> >
> > there should be probably
> >
> > ${LOCALSTATEDIR}/lib/samba/bind_dns
> >
> >
> > and all the files required by bind should go there. Then we could give
> > 'named'
> > access to that directory!
> >
> > named:root with 0770 for the permissions ...
> >
>
> It's a good idea to separate the files required for bind.  However, it has
> to be done carefully.
>
> For dlz_bind module, provisioning creates a partial copy of samdb with base
> and domain
> partitions.  But the dns partitions are linked to the dns partitions from
> the main samdb.
>
> For named, to be able to access the dns partitions in private directory
> (via a link in
> the separate bind_dns directory), the private directory needs to have at
> least execute
> permission for others.  That will indicate that you can change the
> permissions for
> the private directory to 0751 (or 0701 if you must).
>
> The other option could be to move sam.ldb* out of private/ directory into
> it's own
> directory.  That way private/ can be 0700.  We still need to manage the
> permissions
> for sam.ldb* files and the directory they are moved in, so named as the
> required access.
>
> Amitay.
>

Sadly, I too have travelled this path (trying to separate bind off the
SAMBA server).  Recall that sam.ldb contains little gems like the
unicodePwd, userPassword (and clearTextPassword) of user accounts which
would be sought by any (all?) hacking efforts.
This is the one file that needs strong protection...

I'm happy to be corrected but I understand that SAMBA as AD-DC needs to
talk to bind/named, over tss, to maintain DNS entries for other DCs as
well as a plethora of SRV records for client devices to map.  Is there any
other purpose?  (e.g. PC registrations? or is it enough that forward and
reverse resolution is successful from, say, a recursive request?)
Re: Samba AD and Bind

Samba - samba-technical mailing list
On Tue, 2017-08-08 at 12:50 +1000, Amitay Isaacs via samba-technical
wrote:

> Hi Andreas,
>
> On Fri, Aug 4, 2017 at 7:42 PM, Andreas Schneider via samba-technical
> <
> [hidden email]> wrote:
>
> > Hi Andrew,
> >
> > we have a bind_dlz module so that Bind can be used as a nameserver.
> > The
> > files
> > needed by bind (beside the module) are the tsig and config file.
> >
> > Those are located in the Samba private directory!
> >
> > Distributions limit the access to the private directory to root and
> > give it
> > 0700 as the permissions.
> >
> > As the 'named' of bind needs to access to those files it wants
> > access to
> > the
> > private directory but it is not allowed.
> >
> > I think if an external daemon wants to have access to some samba
> > resources,
> > the private directory is the wrong place.
> >
> > So instead of
> >
> > ${LOCALSTATEDIR}/lib/samba/private
> >
> > there should be probably
> >
> > ${LOCALSTATEDIR}/lib/samba/bind_dns
> >
> >
> > and all the files required by bind should go there. Then we could
> > give
> > 'named'
> > access to that directory!
> >
> > named:root with 0770 for the permissions ...
> >
>
> It's a good idea to separate the files required for bind.  However,
> it has
> to be done carefully.
>
> For dlz_bind module, provisioning creates a partial copy of samdb
> with base
> and domain
> partitions.  But the dns partitions are linked to the dns partitions
> from
> the main samdb.
>
> For named, to be able to access the dns partitions in private
> directory
> (via a link in
> the separate bind_dns directory), the private directory needs to have
> at
> least execute
> permission for others.  That will indicate that you can change the
> permissions for
> the private directory to 0751 (or 0701 if you must).

Is that correct?  One of the tricks used here is the hard link, rather
than a soft (symbolic) link, which should avoid that.

> The other option could be to move sam.ldb* out of private/ directory
> into
> it's own
> directory.  That way private/ can be 0700.  We still need to manage
> the
> permissions
> for sam.ldb* files and the directory they are moved in, so named as
> the
> required access.

I hope we can avoid that, but we should be clearer about what is
private enough to be in there, and even what private means.  'private
to samba scratch space' vs 'confidential data', as the two have been
conflated on the AD DC.

Andrew Bartlett

--
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT  
https://catalyst.net.nz/services/samba

Re: Samba AD and Bind

Samba - samba-technical mailing list
On Tue, Aug 8, 2017 at 2:33 PM, Andrew Bartlett <[hidden email]> wrote:

> On Tue, 2017-08-08 at 12:50 +1000, Amitay Isaacs via samba-technical
> wrote:
> > Hi Andreas,
> >
> > On Fri, Aug 4, 2017 at 7:42 PM, Andreas Schneider via samba-technical
> > <
> > [hidden email]> wrote:
> >
> > > Hi Andrew,
> > >
> > > we have a bind_dlz module so that Bind can be used as a nameserver.
> > > The
> > > files
> > > needed by bind (beside the module) are the tsig and config file.
> > >
> > > Those are located in the Samba private directory!
> > >
> > > Distributions limit the access to the private directory to root and
> > > give it
> > > 0700 as the permissions.
> > >
> > > As the 'named' of bind needs to access to those files it wants
> > > access to
> > > the
> > > private directory but it is not allowed.
> > >
> > > I think if an external daemon wants to have access to some samba
> > > resources,
> > > the private directory is the wrong place.
> > >
> > > So instead of
> > >
> > > ${LOCALSTATEDIR}/lib/samba/private
> > >
> > > there should be probably
> > >
> > > ${LOCALSTATEDIR}/lib/samba/bind_dns
> > >
> > >
> > > and all the files required by bind should go there. Then we could
> > > give
> > > 'named'
> > > access to that directory!
> > >
> > > named:root with 0770 for the permissions ...
> > >
> >
> > It's a good idea to separate the files required for bind.  However,
> > it has
> > to be done carefully.
> >
> > For dlz_bind module, provisioning creates a partial copy of samdb
> > with base
> > and domain
> > partitions.  But the dns partitions are linked to the dns partitions
> > from
> > the main samdb.
> >
> > For named, to be able to access the dns partitions in private
> > directory
> > (via a link in
> > the separate bind_dns directory), the private directory needs to have
> > at
> > least execute
> > permission for others.  That will indicate that you can change the
> > permissions for
> > the private directory to 0751 (or 0701 if you must).
>
> Is that correct?  One of the tricks used here is the hard link, rather
> than a soft (symbolic) link, which should avoid that.
>

Yes, that's correct.  I forgot about the hard links.

We can have private/ directory with 0700 permissions with root:root
ownership
and bind_dns/ directory with 0770 (or similar) with named:named ownership.


> > The other option could be to move sam.ldb* out of private/ directory
> > into
> > it's own
> > directory.  That way private/ can be 0700.  We still need to manage
> > the
> > permissions
> > for sam.ldb* files and the directory they are moved in, so named as
> > the
> > required access.
>
> I hope we can avoid that, but we should be clearer about what is
> private enough to be in there, and even what private means.  'private
> to samba scratch space' vs 'confidential data', as the two have been
> conflated on the AD DC.
>

Looks like the original idea will work, so we don't have to worry about
taking samdb out of private/ directory.

Amitay.
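To make the agreed layout checkable, here is an added audit script (not Samba's own code, written for this thread) that verifies the three properties above on a constructed directory tree: private/ is 0700, the bind-dns directory grants nothing to "others", and the database file shared with named is a hard link to the one under private/ rather than a symlink or a copy. The directory and file names are assumptions modelled on the discussion; the sam.ldb it creates is a placeholder, not a real database.

```python
import os
import stat
import tempfile


def audit_layout(private_dir, binddns_dir, shared_names=("sam.ldb",)):
    """Return a list of findings; an empty list means the layout matches the thread's design."""
    findings = []
    priv_mode = stat.S_IMODE(os.stat(private_dir).st_mode)
    if priv_mode != 0o700:
        findings.append(f"{private_dir} mode {priv_mode:04o}, expected 0700")
    dns_mode = stat.S_IMODE(os.stat(binddns_dir).st_mode)
    if dns_mode & 0o007:
        findings.append(f"{binddns_dir} mode {dns_mode:04o} grants access to others")
    for name in shared_names:
        link = os.path.join(binddns_dir, name)
        target = os.path.join(private_dir, name)
        # A symlink is resolved through private/, so named would need +x on it.
        if os.path.islink(link):
            findings.append(f"{link} is a symlink; traversal of {private_dir} would be required")
            continue
        try:
            a, b = os.stat(link), os.stat(target)
        except FileNotFoundError as exc:
            findings.append(f"missing: {exc.filename}")
            continue
        # A hard link shares the inode, so no traversal of private/ is needed.
        if (a.st_dev, a.st_ino) != (b.st_dev, b.st_ino):
            findings.append(f"{link} is a separate copy, not a hard link to {target}")
    return findings


def build_demo(root, kind):
    """Create a constructed layout under root; kind is 'hardlink', 'symlink' or 'copy'."""
    private, binddns = os.path.join(root, "private"), os.path.join(root, "bind-dns")
    os.mkdir(private)
    os.chmod(private, 0o700)  # chmod explicitly so the umask cannot widen it
    os.mkdir(binddns)
    os.chmod(binddns, 0o770)
    src, dst = os.path.join(private, "sam.ldb"), os.path.join(binddns, "sam.ldb")
    with open(src, "wb") as f:
        f.write(b"constructed placeholder, not a real sam.ldb\n")
    {"hardlink": os.link, "symlink": os.symlink}.get(kind, lambda s, d: open(d, "wb").close())(src, dst)
    return private, binddns


def run_demo(kind):
    """Build one layout in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as root:
        return audit_layout(*build_demo(root, kind))
```

Run `run_demo("hardlink")` to see the clean result and `run_demo("symlink")` or `run_demo("copy")` to see the finding each variant produces.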
Re: Samba AD and Bind

Samba - samba-technical mailing list
On Fri, 2017-08-04 at 11:42 +0200, Andreas Schneider wrote:
> Hi Andrew,
>
> we have a bind_dlz module so that Bind can be used as a nameserver. The files
> needed by bind (beside the module) are the tsig and config file.
>
> Those are located in the Samba private directory!
>
> Distributions limit the access to the private directory to root and give it
> 0700 as the permissions.

This is the key I think.  Upstream that hasn't had 0700 protection ever
(for reasons I never understood at the time).  If distributors think
that is a good idea we should get that upstream, otherwise things like
this will keep happening.

One other note in this space is that I have an upcoming work item to
have 'samba' run as non-root after binding to the sockets.  This will
complicate things here a little, so I just wanted to mention that in
advance.

For that, I'll find out much, much more about the real challenges once
I start coding :-)

Andrew Bartlett

> As the 'named' of bind needs to access to those files it wants access to the
> private directory but it is not allowed.
>
> I think if an external daemon wants to have access to some samba resources,
> the private directory is the wrong place.
>
> So instead of
>
> ${LOCALSTATEDIR}/lib/samba/private
>
> there should be probably
>
> ${LOCALSTATEDIR}/lib/samba/bind_dns

That seems reasonable.

Andrew Bartlett
--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

Re: Samba AD and Bind

Samba - samba-technical mailing list
On Tuesday, 8 August 2017 12:01:32 CEST Andrew Bartlett via samba-technical
wrote:

> On Fri, 2017-08-04 at 11:42 +0200, Andreas Schneider wrote:
> > Hi Andrew,
> >
> > we have a bind_dlz module so that Bind can be used as a nameserver. The
> > files needed by bind (beside the module) are the tsig and config file.
> >
> > Those are located in the Samba private directory!
> >
> > Distributions limit the access to the private directory to root and give
> > it
> > 0700 as the permissions.
>
> This is the key I think.  Upstream that hasn't had 0700 protection ever
> (for reasons I never understood at the time).  If distributors think
> that is a good idea we should get that upstream, otherwise things like
> this will keep happening.

Yes, I would also like to change it to 0700.

>
> > As the 'named' of bind needs to access to those files it wants access to
> > the private directory but it is not allowed.
> >
> > I think if an external daemon wants to have access to some samba
> > resources,
> > the private directory is the wrong place.
> >
> > So instead of
> >
> > ${LOCALSTATEDIR}/lib/samba/private
> >
> > there should be probably
> >
> > ${LOCALSTATEDIR}/lib/samba/bind_dns
>
> That seems reasonable.

Ok, I will implement it that way. We should have that fixed in 4.7.


        Andreas

--
Andreas Schneider                   GPG-ID: CC014E3D
Samba Team                             [hidden email]
www.samba.org

Re: Samba AD and Bind

Samba - samba-technical mailing list
On Tuesday, 8 August 2017 12:22:10 CEST Andreas Schneider via samba-technical
wrote:

> > > As the 'named' of bind needs to access to those files it wants access to
> > > the private directory but it is not allowed.
> > >
> > > I think if an external daemon wants to have access to some samba
> > > resources,
> > > the private directory is the wrong place.
> > >
> > > So instead of
> > >
> > > ${LOCALSTATEDIR}/lib/samba/private
> > >
> > > there should be probably
> > >
> > > ${LOCALSTATEDIR}/lib/samba/bind_dns
> >
> > That seems reasonable.
>
> Ok, I will implement it that way. We should have that fixed in 4.7.
>

Hi Andrew,

I've implemented that we create the 'private dir' with 0700 and that we have a
bind-dns directory with 0770. There is a smb.conf option 'binddns dir' for
that now. So if you have provisioned a domain controller with an earlier
version and have set permissions on the 'private dir' so that bind can access
it, you can simply set 'binddns dir = /var/lib/samba/private' and it should
still work (I need to test it to confirm).

You can find the patches here:

https://git.samba.org/?p=asn/samba.git;a=shortlog;h=refs/heads/master-bind_dlz

Should we support some kind of automatic migration from older installations to
Samba 4.7 or is just adding a note to WHATSNEW.txt enough to set:

  binddns dir = /var/lib/samba/private

If we want to have a migration path, how are domain controllers upgraded and
how should we support it?


Any suggestions?


        Andreas

--
Andreas Schneider                   GPG-ID: CC014E3D
Samba Team                             [hidden email]
www.samba.org