The bind_dlz config should not be stored in the private directory. The private directory should have permissions 0700 and only samba (root) should have access to it. bind_dns should have its own directory so that we can give named access to it.
(In reply to Andreas Schneider from comment #0)
Don't we already have a directory for this? The one where we store the hardlinks of the sam.ldb* files. So we just need to move the config files to the same directory?
That directory is inside the private directory! So it doesn't really help. My WIP branch is here: https://git.samba.org/?p=asn/samba.git;a=shortlog;h=refs/heads/master-bind_dlz
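The layout argued for in this thread, as an added example that is not part of the original report or of Samba's code: a Python check that the private directory is 0700 and owned by the expected user, and that the directory handed to named sits outside it. The function name, its parameters and the temporary directory names are assumptions made for illustration.

```python
import os
import stat
import tempfile


def audit_layout(private_dir, dns_dir, owner_uid=0):
    """Return a list of findings; an empty list means the layout is as described."""
    findings = []
    private_real = os.path.realpath(private_dir)
    dns_real = os.path.realpath(dns_dir)

    # The private directory must be 0700 and belong to the samba user (root).
    st = os.stat(private_real)
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"private dir mode is {mode:04o}, expected 0700")
    if st.st_uid != owner_uid:
        findings.append(f"private dir owner is uid {st.st_uid}, expected {owner_uid}")

    # A DNS directory below the private one is unreachable for named unless
    # the private directory itself is opened up, which is the reported problem.
    if os.path.commonpath([private_real, dns_real]) == private_real:
        findings.append("bind_dlz directory is inside the private directory")

    # named enters its own directory through group (or other) search permission.
    dns_mode = stat.S_IMODE(os.stat(dns_real).st_mode)
    if not dns_mode & (stat.S_IXGRP | stat.S_IXOTH):
        findings.append(f"bind_dlz dir mode is {dns_mode:04o}, named cannot enter it")
    return findings


def demo():
    """Audit a constructed 'before' and 'after' layout inside a temp directory."""
    with tempfile.TemporaryDirectory() as root:
        private = os.path.join(root, "private")    # constructed names
        nested = os.path.join(private, "dns")      # old: inside private
        separate = os.path.join(root, "bind-dns")  # new: sibling directory
        for path, mode in ((private, 0o755), (nested, 0o770), (separate, 0o770)):
            os.mkdir(path)
            os.chmod(path, mode)
        me = os.getuid()  # assumption: the demo user stands in for root
        before = audit_layout(private, nested, owner_uid=me)
        os.chmod(private, 0o700)
        after = audit_layout(private, separate, owner_uid=me)
        return before, after


if __name__ == "__main__":
    for label, result in zip(("before", "after"), demo()):
        print(label, result)
```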
Will be fixed with 4.8.0.
Fixed in master with 2d0e13837d8c6fab3fb296aafcabdf2a2973b96d