diff options
| author | Andrew Bartlett <abartlet@samba.org> | 2013-08-28 13:35:47 +1200 |
|---|---|---|
| committer | Bjoern Jacke <bj@sernet.de> | 2013-08-29 13:53:25 +0200 |
| commit | 0ca9c74f91d5e727d5d37d324d4f1b396e75b1ae (patch) | |
| tree | d4cd269510b038c328aba8442a4133873ff86621 /source4/setup | |
| parent | 4dd1523b95b214723dc9c0dfc5b5a6778bf4fc4d (diff) | |
| download | samba-0ca9c74f91d5e727d5d37d324d4f1b396e75b1ae.tar.gz samba-0ca9c74f91d5e727d5d37d324d4f1b396e75b1ae.tar.bz2 samba-0ca9c74f91d5e727d5d37d324d4f1b396e75b1ae.zip | |
provision: Rewrite named.txt to be more useful
We already chown the dns.keytab file, so remove the suggestion to do that,
and instead explain why we can not use chroot (an often-requested feature).
Andrew Bartlett
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Björn Jacke <bj@sernet.de>
Autobuild-User(master): Björn Jacke <bj@sernet.de>
Autobuild-Date(master): Thu Aug 29 13:53:25 CEST 2013 on sn-devel-104
Diffstat (limited to 'source4/setup')
| -rw-r--r-- | source4/setup/named.txt | 36 |
1 files changed, 20 insertions, 16 deletions
diff --git a/source4/setup/named.txt b/source4/setup/named.txt index d0657ddfd9..511bc67c82 100644 --- a/source4/setup/named.txt +++ b/source4/setup/named.txt @@ -12,20 +12,29 @@ # file: tkey-gssapi-keytab "${DNS_KEYTAB_ABS}"; +# 2. If SELinux is enabled, ensure that all files have the appropriate +# SELinux file contexts. The ${DNS_KEYTAB} file must be accessible by the +# BIND daemon and should have a SELinux type of named_conf_t. This can be +# set with the following command: +chcon -t named_conf_t ${DNS_KEYTAB_ABS} + +# Even if not using SELinux, do confirm (only) BIND can access this file as the +# user it becomes (generally not root). + # -# Common Steps for BIND 9.x.x -------------------------------------------- +# Steps for BIND 9.x.x using BIND9_DLZ ------------------------------ # -# 2. Set appropriate ownership and permissions on the ${DNS_KEYTAB} file. -# Note that the most distributions have BIND configured to run under a -# non-root user account. For example, Fedora 9 runs BIND as the user -# "named" once the daemon relinquishes its rights. Therefore, the file -# ${DNS_KEYTAB} must be readable by the user that BIND run as. If BIND -# is running as a non-root user, the "${DNS_KEYTAB}" file must have its -# permissions altered to allow the daemon to read it. Under Fedora 9, -# execute the following commands: -chgrp named ${DNS_KEYTAB_ABS} -chmod g+r ${DNS_KEYTAB_ABS} +# 3. Disable chroot support in BIND. +# BIND is often configured to run in a chroot, but this is not +# compatible with access to the dns/sam.ldb files that database +# access and updates require. Additionally, the DLZ plugin is +# linked to a large number of Samba shared libraries and loads +# additonal plugins. + +# +# Steps for BIND 9.x.x using BIND9_FLATFILE ------------------------------ +# # 3. Ensure the BIND zone file(s) that will be dynamically updated are in # a directory where the BIND daemon can write. When BIND performs @@ -38,8 +47,3 @@ chmod g+r ${DNS_KEYTAB_ABS} # both example zone statements at the beginning of this file were changed # by prepending the directory "dynamic/". -# 4. If SELinux is enabled, ensure that all files have the appropriate -# SELinux file contexts. The ${DNS_KEYTAB} file must be accessible by the -# BIND daemon and should have a SELinux type of named_conf_t. This can be -# set with the following command: -chcon -t named_conf_t ${DNS_KEYTAB_ABS} |