There are a number of complaints on the mailing list where people find ../samba/bind-dns/named.conf is inaccessible to Bind even though the permissions look good. This is likely because some kernel security module (selinux, apparmour) is blocking access. That's not unexpected.
The trouble is the way the DLZ reports it is by saying "Failed to connect to /var/lib/samba/private/dns/sam.ldb", which you'll notice is not the samba/bind-dns directory at all. That's because Samba falls back to trying an old location for this file and doesn't tell anyone.