Task #26282

Story #26291: Configure the BIND backend correctly

On a 2.7.0rc3, bind as front-end DNS does not start

Added by Thierry Bertrand over 2 years ago. Updated over 2 years ago.

Status:
Closed
Priority:
Normal
Assigned To:
-
Start date:
01/29/2018
Due date:
% Done:

0%

Remaining (hours):
0.0

Related issues

Duplicated by Distribution EOLE - Task #26304: Adjust the permissions for bind9 Closed 01/29/2018

History

#1 Updated by Thierry Bertrand over 2 years ago

  • Project changed from Distribution EOLE to EOLE AD DC

When trying to instantiate the VM rie.pdc-ad1-2.7.0rc3 with instance default, the DNS configuration does not start.
This VM has "use the internal DNS" set to no.
The named.conf contains 4 includes, one of which points to /var/lib/samba/private/named.conf, which is indeed absent.

An aca.dc1-2.7.0rc3 instance with import crashes the same way after switching the internal DNS to no.

#2 Updated by Thierry Bertrand over 2 years ago

The directory now used is /var/lib/samba/bind-dns.

Patching to this new directory is not enough, apparmor gets in the way:

[ 5095.417728] audit: type=1400 audit(1544713450.840:48): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="/usr/sbin/named" pid=15346 comm="apparmor_parser" 
[ 5107.699490] IPv6: ADDRCONF(NETDEV_UP): ens4: link is not ready
[ 6131.785986] audit: type=1400 audit(1544714487.209:49): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="/usr/sbin/dhcpd" pid=19734 comm="apparmor_parser" 
[ 6131.825051] audit: type=1400 audit(1544714487.249:50): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="/sbin/dhclient" pid=19733 comm="apparmor_parser" 
[ 6131.826725] audit: type=1400 audit(1544714487.249:51): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="/usr/lib/NetworkManager/nm-dhcp-client.action" pid=19733 comm="apparmor_parser" 
[ 6131.828583] audit: type=1400 audit(1544714487.253:52): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="/usr/lib/NetworkManager/nm-dhcp-helper" pid=19733 comm="apparmor_parser" 
[ 6131.829975] audit: type=1400 audit(1544714487.253:53): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="/usr/lib/connman/scripts/dhclient-script" pid=19733 comm="apparmor_parser" 
[ 6131.867136] audit: type=1400 audit(1544714487.289:54): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="/usr/sbin/named" pid=19731 comm="apparmor_parser" 
[ 6131.980255] audit: type=1400 audit(1544714487.401:55): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="/usr/bin/man" pid=19732 comm="apparmor_parser" 
[ 6131.981880] audit: type=1400 audit(1544714487.405:56): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="man_filter" pid=19732 comm="apparmor_parser" 
[ 6131.983919] audit: type=1400 audit(1544714487.409:57): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="man_groff" pid=19732 comm="apparmor_parser" 
[ 6131.990323] audit: type=1400 audit(1544714487.413:58): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="/usr/sbin/ntpd" pid=19736 comm="apparmor_parser" 
[ 6145.239722] kauditd_printk_skb: 2 callbacks suppressed
[ 6145.239734] audit: type=1400 audit(1544714500.665:61): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/var/lib/samba/bind-dns/named.conf" pid=20558 comm="isc-worker0003" requested_mask="r" denied_mask="r" fsuid=110 ouid=0
[ 6146.500347] IPv6: ADDRCONF(NETDEV_UP): ens4: link is not ready
[ 6205.200361] audit: type=1400 audit(1544714560.625:62): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/var/lib/samba/bind-dns/named.conf" pid=21440 comm="isc-worker0001" requested_mask="r" denied_mask="r" fsuid=110 ouid=0
[ 7598.186272] audit: type=1400 audit(1544715953.609:63): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/var/lib/samba/bind-dns/named.conf" pid=22402 comm="isc-worker0001" requested_mask="r" denied_mask="r" fsuid=110 ouid=0
[ 7633.498775] audit: type=1400 audit(1544715988.921:64): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/var/lib/samba/bind-dns/named.conf" pid=22434 comm="isc-worker0000" requested_mask="r" denied_mask="r" fsuid=110 ouid=110
[ 7655.289248] audit: type=1400 audit(1544716010.713:65): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/var/lib/samba/bind-dns/named.conf" pid=22475 comm="isc-worker0002" requested_mask="r" denied_mask="r" fsuid=110 ouid=110
[ 7711.934471] audit: type=1400 audit(1544716067.357:66): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/var/lib/samba/bind-dns/named.conf" pid=22499 comm="isc-worker0000" requested_mask="r" denied_mask="r" fsuid=110 ouid=110
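Reading this excerpt, only the `apparmor="DENIED"` lines matter: the `apparmor="STATUS"` lines with `info="same as current profile, skipping"` are informational (apparmor_parser reloaded a profile that had not changed) and the IPv6 lines are unrelated. The denials show the named profile refusing read access to /var/lib/samba/bind-dns/named.conf for the named worker threads. The following script is an added example, not part of the ticket or of EOLE or Samba: it parses kernel audit lines in the format shown above, groups the DENIED events by profile and path, and renders the minimal AppArmor file rule that would authorise the denied access. The sample lines are constructed for the example (copied from the excerpt); the mode-letter mapping is limited to plain file modes (r, w, a, k, l, m), and any other mask is flagged for manual review.

```python
import re
from collections import defaultdict

# Constructed sample: one STATUS line, one non-audit line and the six DENIED
# lines from the ticket's dmesg excerpt.
SAMPLE_LOG = """\
[ 6131.867136] audit: type=1400 audit(1544714487.289:54): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="/usr/sbin/named" pid=19731 comm="apparmor_parser"
[ 6146.500347] IPv6: ADDRCONF(NETDEV_UP): ens4: link is not ready
[ 6145.239734] audit: type=1400 audit(1544714500.665:61): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/var/lib/samba/bind-dns/named.conf" pid=20558 comm="isc-worker0003" requested_mask="r" denied_mask="r" fsuid=110 ouid=0
[ 6205.200361] audit: type=1400 audit(1544714560.625:62): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/var/lib/samba/bind-dns/named.conf" pid=21440 comm="isc-worker0001" requested_mask="r" denied_mask="r" fsuid=110 ouid=0
[ 7598.186272] audit: type=1400 audit(1544715953.609:63): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/var/lib/samba/bind-dns/named.conf" pid=22402 comm="isc-worker0001" requested_mask="r" denied_mask="r" fsuid=110 ouid=0
[ 7633.498775] audit: type=1400 audit(1544715988.921:64): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/var/lib/samba/bind-dns/named.conf" pid=22434 comm="isc-worker0000" requested_mask="r" denied_mask="r" fsuid=110 ouid=110
[ 7655.289248] audit: type=1400 audit(1544716010.713:65): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/var/lib/samba/bind-dns/named.conf" pid=22475 comm="isc-worker0002" requested_mask="r" denied_mask="r" fsuid=110 ouid=110
[ 7711.934471] audit: type=1400 audit(1544716067.357:66): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/var/lib/samba/bind-dns/named.conf" pid=22499 comm="isc-worker0000" requested_mask="r" denied_mask="r" fsuid=110 ouid=110
"""

# key="quoted value" or key=bare_value, as emitted by the AppArmor audit hook
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Plain file-access modes that map directly onto an AppArmor file rule.
FILE_MODES = "rwaklm"


def parse_apparmor_line(line):
    """Return the key/value fields of an AppArmor audit line, or None if the
    line is not an AppArmor event (IPv6 notices, kauditd messages, ...)."""
    if "apparmor=" not in line:
        return None
    fields = {}
    for key, quoted, bare in KV_RE.findall(line):
        fields[key] = quoted if quoted != "" else bare
    return fields


def summarize_denials(lines):
    """Group DENIED events by (profile, path): count, union of denied masks,
    operations seen and the comm names that triggered them."""
    summary = defaultdict(lambda: {"count": 0, "masks": set(),
                                   "ops": set(), "comms": set()})
    for line in lines:
        fields = parse_apparmor_line(line)
        if not fields or fields.get("apparmor") != "DENIED":
            continue  # STATUS / ALLOWED / AUDIT lines are not failures
        entry = summary[(fields.get("profile", "?"), fields.get("name", "?"))]
        entry["count"] += 1
        entry["masks"].update(fields.get("denied_mask", ""))
        entry["ops"].add(fields.get("operation", "?"))
        entry["comms"].add(fields.get("comm", "?"))
    return dict(summary)


def suggest_rule(path, masks):
    """Render the minimal file rule permitting the denied masks, e.g.
    '/var/lib/samba/bind-dns/named.conf r,'. Returns None when a mask is not
    a plain file mode (an execute mask needs a deliberate ix/px/ux choice)."""
    if set(masks) - set(FILE_MODES):
        return None
    modes = "".join(m for m in FILE_MODES if m in masks)
    return f"{path} {modes},"


def report(text):
    """One line per (profile, path) pair, with the rule that would fix it."""
    out = []
    for (profile, path), e in sorted(summarize_denials(text.splitlines()).items()):
        rule = suggest_rule(path, e["masks"]) or "(manual review: non-file mask)"
        out.append(f"{profile}: {path} denied {e['count']}x "
                   f"ops={','.join(sorted(e['ops']))} "
                   f"comm={','.join(sorted(e['comms']))} -> {rule}")
    return out


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

On the excerpt above this yields a single line for /usr/sbin/named and /var/lib/samba/bind-dns/named.conf with the rule `/var/lib/samba/bind-dns/named.conf r,`. On Debian and Ubuntu the packaged profile /etc/apparmor.d/usr.sbin.named includes /etc/apparmor.d/local/usr.sbin.named for exactly this kind of site-specific addition; after editing it, reload with `apparmor_parser -r /etc/apparmor.d/usr.sbin.named` and check that no new DENIED lines appear when named restarts. A directory-wide rule for the whole bind-dns tree is a reasonable alternative, but the script deliberately proposes only what the audit trail proves necessary.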

#3 Updated by Thierry Bertrand over 2 years ago

The file /var/lib/samba/bind-dns/named.txt gives implementation hints:

#
# Steps for BIND 9.8.x and 9.9.x -----------------------------------------
#

# 1. Insert following lines into the options {} section of your named.conf
#    file:
tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";

# 2. If SELinux is enabled, ensure that all files have the appropriate
#    SELinux file contexts.  The dns.keytab file must be accessible by the
#    BIND daemon and should have a SELinux type of named_conf_t.  This can be
#    set with the following command:
chcon -t named_conf_t /var/lib/samba/bind-dns/dns.keytab

#    Even if not using SELinux, do confirm (only) BIND can access this file as the
#    user it becomes (generally not root).

#
# Steps for BIND 9.x.x using BIND9_DLZ ------------------------------
#

# 3. Disable chroot support in BIND.
#    BIND is often configured to run in a chroot, but this is not
#    compatible with access to the dns/sam.ldb files that database
#    access and updates require.  Additionally, the DLZ plugin is
#    linked to a large number of Samba shared libraries and loads
#    additonal plugins.

#
# Steps for BIND 9.x.x using BIND9_FLATFILE ------------------------------
#

# 3. Ensure the BIND zone file(s) that will be dynamically updated are in
#    a directory where the BIND daemon can write.  When BIND performs
#    dynamic updates, it not only needs to update the zone file itself but
#    it must also create a journal (.jnl) file to track the dynamic updates
#    as they occur.  Under Fedora 9, the /var/named directory can not be
#    written to by the "named" user.  However, the directory /var/named/dynamic
#    directory does provide write access.  Therefore the zone files were
#    placed under the /var/named/dynamic directory.  The file directives in
#    both example zone statements at the beginning of this file were changed
#    by prepending the directory "dynamic/".

#4 Updated by Daniel Dehennin over 2 years ago

  • Parent task changed from #26198 to #26290

#5 Updated by Daniel Dehennin over 2 years ago

  • Parent task changed from #26290 to #26291

#6 Updated by Daniel Dehennin over 2 years ago

  • Project changed from EOLE AD DC to Distribution EOLE
  • Status changed from New to In progress
  • Parent task changed from #26291 to #26290

#7 Updated by Daniel Dehennin over 2 years ago

  • Status changed from In progress to New

#8 Updated by Daniel Dehennin over 2 years ago

  • Status changed from New to In progress

#9 Updated by Daniel Dehennin over 2 years ago

  • Assigned To set to Daniel Dehennin

#10 Updated by Daniel Dehennin over 2 years ago

  • Parent task changed from #26290 to #26291

#11 Updated by Benjamin Bohard over 2 years ago

  • Duplicated by Task #26304: Adjust the permissions for bind9 added

#12 Updated by Daniel Dehennin over 2 years ago

  • Status changed from In progress to New

#13 Updated by Scrum Master over 2 years ago

  • Assigned To deleted (Daniel Dehennin)

#14 Updated by Scrum Master over 2 years ago

  • Status changed from New to Closed
  • Remaining (hours) set to 0.0
