Scenario #32605
Seth 2.7.2 - AppArmor DENIED for the conf.d directory
100%
Description
On our Seth 2.7.2 test environment, I configured the reverse DNS resolution zones by setting the option to oui (yes) in genconfig and specifying the zones to create.
The bind9 service did not start with my settings. I rolled back and set the reverse resolution option back to non (no). The bind9 service still does not start.
Have you already set up reverse DNS, and if so, how?
Have you already encountered this startup failure of bind9.service?
Below are the startup journal obtained with "journalctl -xe", followed by the log generated by running named by hand with the command: named -u bind -f -g 2>&1 | tee /tmp/named.log
With the debug option in the file /var/lib/samba/bind-dns/named.conf
# For BIND 9.11.x
database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so -d 3";
mai 31 14:14:38 tst-seth-1 systemd[1]: Started BIND Domain Name Server.
-- Subject: L'unité (unit) bind9.service a terminé son démarrage
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- L'unité (unit) bind9.service a terminé son démarrage, avec le résultat RESULT.
mai 31 14:14:38 tst-seth-1 named[9000]: starting BIND 9.11.3-1ubuntu1.15-Ubuntu (Extended Support Version) <id:a375815>
mai 31 14:14:38 tst-seth-1 named[9000]: running on Linux x86_64 4.15.0-143-generic #147-Ubuntu SMP Wed Apr 14 16:10:11 UTC 2021
mai 31 14:14:38 tst-seth-1 named[9000]: built with '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=/usr/include' '--mandir=/usr/share/man' '--infodir=/usr/share/
mai 31 14:14:38 tst-seth-1 named[9000]: running as: named -f -u bind
mai 31 14:14:38 tst-seth-1 named[9000]: ----------------------------------------------------
mai 31 14:14:38 tst-seth-1 named[9000]: BIND 9 is maintained by Internet Systems Consortium,
mai 31 14:14:38 tst-seth-1 named[9000]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
mai 31 14:14:38 tst-seth-1 named[9000]: corporation. Support and training for BIND 9 are
mai 31 14:14:38 tst-seth-1 named[9000]: available at https://www.isc.org/support
mai 31 14:14:38 tst-seth-1 named[9000]: ----------------------------------------------------
mai 31 14:14:38 tst-seth-1 named[9000]: adjusted limit on open files from 4096 to 1048576
mai 31 14:14:38 tst-seth-1 named[9000]: found 1 CPU, using 1 worker thread
mai 31 14:14:38 tst-seth-1 named[9000]: using 1 UDP listener per interface
mai 31 14:14:38 tst-seth-1 named[9000]: using up to 4096 sockets
mai 31 14:14:38 tst-seth-1 named[9000]: loading configuration from '/etc/bind/named.conf'
mai 31 14:14:38 tst-seth-1 named[9000]: reading built-in trust anchors from file '/etc/bind/bind.keys'
mai 31 14:14:38 tst-seth-1 named[9000]: initializing GeoIP Country (IPv4) (type 1) DB
mai 31 14:14:38 tst-seth-1 named[9000]: GEO-106FREE 20180315 Build
mai 31 14:14:38 tst-seth-1 named[9000]: initializing GeoIP Country (IPv6) (type 12) DB
mai 31 14:14:38 tst-seth-1 named[9000]: GEO-106FREE 20180315 Build
mai 31 14:14:38 tst-seth-1 named[9000]: GeoIP City (IPv4) (type 2) DB not available
mai 31 14:14:38 tst-seth-1 named[9000]: GeoIP City (IPv4) (type 6) DB not available
mai 31 14:14:38 tst-seth-1 named[9000]: GeoIP City (IPv6) (type 30) DB not available
mai 31 14:14:38 tst-seth-1 named[9000]: GeoIP City (IPv6) (type 31) DB not available
mai 31 14:14:38 tst-seth-1 named[9000]: GeoIP Region (type 3) DB not available
mai 31 14:14:38 tst-seth-1 named[9000]: GeoIP Region (type 7) DB not available
mai 31 14:14:38 tst-seth-1 named[9000]: GeoIP ISP (type 4) DB not available
mai 31 14:14:38 tst-seth-1 named[9000]: GeoIP Org (type 5) DB not available
mai 31 14:14:38 tst-seth-1 named[9000]: GeoIP AS (type 9) DB not available
mai 31 14:14:38 tst-seth-1 named[9000]: GeoIP Domain (type 11) DB not available
mai 31 14:14:38 tst-seth-1 named[9000]: GeoIP NetSpeed (type 10) DB not available
mai 31 14:14:38 tst-seth-1 named[9000]: using default UDP/IPv4 port range: [32768, 60999]
mai 31 14:14:38 tst-seth-1 named[9000]: using default UDP/IPv6 port range: [32768, 60999]
mai 31 14:14:38 tst-seth-1 named[9000]: listening on IPv6 interfaces, port 53
mai 31 14:14:38 tst-seth-1 named[9000]: listening on IPv4 interface lo, 127.0.0.1#53
mai 31 14:14:38 tst-seth-1 named[9000]: listening on IPv4 interface ens160, 10.173.2.51#53
mai 31 14:14:38 tst-seth-1 named[9000]: generating session key for dynamic DNS
mai 31 14:14:38 tst-seth-1 named[9000]: sizing zone task pool based on 5 zones
mai 31 14:14:38 tst-seth-1 named[9000]: Loading 'AD DNS Zone' using driver dlopen
mai 31 14:14:38 tst-seth-1 audit[9000]: AVC apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/etc/samba/conf.d/full_audit.global" pid=9000 comm="isc-wor
mai 31 14:14:38 tst-seth-1 kernel: audit: type=1400 audit(1622463278.484:21): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/etc/samba/conf.d/full_au
mai 31 14:14:38 tst-seth-1 named[9000]: samba_dlz: started for DN DC=tst-colleges,DC=fr
mai 31 14:14:38 tst-seth-1 named[9000]: samba_dlz: starting configure
mai 31 14:14:38 tst-seth-1 named[9000]: samba_dlz: configured writeable zone 'tst-colleges.fr'
mai 31 14:14:38 tst-seth-1 named[9000]: samba_dlz: configured writeable zone '2.173.10.in-addr.arpa'
mai 31 14:14:38 tst-seth-1 named[9000]: samba_dlz: configured writeable zone 'tstsavoie.fr'
mai 31 14:14:38 tst-seth-1 named[9000]: samba_dlz: configured writeable zone '173.10.in-addr.arpa'
mai 31 14:14:38 tst-seth-1 named[9000]: samba_dlz: configured writeable zone '0.173.10.in-addr.arpa'
mai 31 14:14:38 tst-seth-1 named[9000]: zone 173.10.in-addr.arpa\010CNF:d435cfe6-f8a7-4e3d-b454-2f43f2f2032f/NONE: has 0 SOA records
mai 31 14:14:38 tst-seth-1 named[9000]: zone 173.10.in-addr.arpa\010CNF:d435cfe6-f8a7-4e3d-b454-2f43f2f2032f/NONE: has no NS records
mai 31 14:14:38 tst-seth-1 named[9000]: samba_dlz: Failed to configure zone '173.10.in-addr.arpa CNF:d435cfe6-f8a7-4e3d-b454-2f43f2f2032f'
mai 31 14:14:38 tst-seth-1 named[9000]: loading configuration: bad zone
mai 31 14:14:38 tst-seth-1 named[9000]: exiting (due to fatal error)
mai 31 14:14:38 tst-seth-1 systemd[1]: bind9.service: Main process exited, code=exited, status=1/FAILURE
mai 31 14:14:38 tst-seth-1 systemd[1]: bind9.service: Failed with result 'exit-code'.
root@tst-seth-1:/var/lib/samba/bind-dns# cat /tmp/named.log
31-May-2021 11:23:54.972 starting BIND 9.11.3-1ubuntu1.15-Ubuntu (Extended Support Version) <id:a375815>
31-May-2021 11:23:54.972 running on Linux x86_64 4.15.0-143-generic #147-Ubuntu SMP Wed Apr 14 16:10:11 UTC 2021
31-May-2021 11:23:54.972 built with '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=/usr/include' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--disable-silent-rules' '--libdir=/usr/lib/x86_64-linux-gnu' '--libexecdir=/usr/lib/x86_64-linux-gnu' '--disable-maintainer-mode' '--disable-dependency-tracking' '--libdir=/usr/lib/x86_64-linux-gnu' '--sysconfdir=/etc/bind' '--with-python=python3' '--localstatedir=/' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-gost=no' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-libjson=/usr' '--without-lmdb' '--with-gnu-ld' '--with-geoip=/usr' '--with-atf=no' '--enable-ipv6' '--enable-rrl' '--enable-filter-aaaa' '--enable-native-pkcs11' '--with-pkcs11=/usr/lib/softhsm/libsofthsm2.so' '--with-randomdev=/dev/urandom' '--with-eddsa=no' '--disable-isc-spnego' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -fdebug-prefix-map=/build/bind9-zLYYTb/bind9-9.11.3+dfsg=. -fstack-protector-strong -Wformat -Werror=format-security -fno-strict-aliasing -fno-delete-null-pointer-checks -DNO_VERSION_DATE -DDIG_SIGCHASE' 'LDFLAGS=-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2'
31-May-2021 11:23:54.972 running as: named -u bind -f -g
31-May-2021 11:23:54.972 ----------------------------------------------------
31-May-2021 11:23:54.972 BIND 9 is maintained by Internet Systems Consortium,
31-May-2021 11:23:54.973 Inc. (ISC), a non-profit 501(c)(3) public-benefit
31-May-2021 11:23:54.973 corporation. Support and training for BIND 9 are
31-May-2021 11:23:54.973 available at https://www.isc.org/support
31-May-2021 11:23:54.973 ----------------------------------------------------
31-May-2021 11:23:54.973 found 1 CPU, using 1 worker thread
31-May-2021 11:23:54.973 using 1 UDP listener per interface
31-May-2021 11:23:54.973 using up to 4096 sockets
31-May-2021 11:23:54.976 loading configuration from '/etc/bind/named.conf'
31-May-2021 11:23:54.977 reading built-in trust anchors from file '/etc/bind/bind.keys'
31-May-2021 11:23:54.977 initializing GeoIP Country (IPv4) (type 1) DB
31-May-2021 11:23:54.977 GEO-106FREE 20180315 Build
31-May-2021 11:23:54.977 initializing GeoIP Country (IPv6) (type 12) DB
31-May-2021 11:23:54.977 GEO-106FREE 20180315 Build
31-May-2021 11:23:54.977 GeoIP City (IPv4) (type 2) DB not available
31-May-2021 11:23:54.977 GeoIP City (IPv4) (type 6) DB not available
31-May-2021 11:23:54.977 GeoIP City (IPv6) (type 30) DB not available
31-May-2021 11:23:54.977 GeoIP City (IPv6) (type 31) DB not available
31-May-2021 11:23:54.977 GeoIP Region (type 3) DB not available
31-May-2021 11:23:54.978 GeoIP Region (type 7) DB not available
31-May-2021 11:23:54.978 GeoIP ISP (type 4) DB not available
31-May-2021 11:23:54.978 GeoIP Org (type 5) DB not available
31-May-2021 11:23:54.978 GeoIP AS (type 9) DB not available
31-May-2021 11:23:54.978 GeoIP Domain (type 11) DB not available
31-May-2021 11:23:54.978 GeoIP NetSpeed (type 10) DB not available
31-May-2021 11:23:54.978 using default UDP/IPv4 port range: [32768, 60999]
31-May-2021 11:23:54.978 using default UDP/IPv6 port range: [32768, 60999]
31-May-2021 11:23:54.979 listening on IPv6 interfaces, port 53
31-May-2021 11:23:54.980 listening on IPv4 interface lo, 127.0.0.1#53
31-May-2021 11:23:54.980 listening on IPv4 interface ens160, 10.173.2.51#53
31-May-2021 11:23:54.981 generating session key for dynamic DNS
31-May-2021 11:23:54.981 sizing zone task pool based on 5 zones
31-May-2021 11:23:54.982 Loading 'AD DNS Zone' using driver dlopen
31-May-2021 11:23:55.000 samba_dlz: GENSEC backend 'gssapi_spnego' registered
31-May-2021 11:23:55.000 samba_dlz: GENSEC backend 'gssapi_krb5' registered
31-May-2021 11:23:55.000 samba_dlz: GENSEC backend 'gssapi_krb5_sasl' registered
31-May-2021 11:23:55.000 samba_dlz: GENSEC backend 'spnego' registered
31-May-2021 11:23:55.000 samba_dlz: GENSEC backend 'schannel' registered
31-May-2021 11:23:55.000 samba_dlz: GENSEC backend 'naclrpc_as_system' registered
31-May-2021 11:23:55.000 samba_dlz: GENSEC backend 'sasl-EXTERNAL' registered
31-May-2021 11:23:55.000 samba_dlz: GENSEC backend 'ntlmssp' registered
31-May-2021 11:23:55.000 samba_dlz: GENSEC backend 'ntlmssp_resume_ccache' registered
31-May-2021 11:23:55.000 samba_dlz: GENSEC backend 'http_basic' registered
31-May-2021 11:23:55.001 samba_dlz: GENSEC backend 'http_ntlm' registered
31-May-2021 11:23:55.001 samba_dlz: GENSEC backend 'http_negotiate' registered
31-May-2021 11:23:55.001 samba_dlz: GENSEC backend 'krb5' registered
31-May-2021 11:23:55.001 samba_dlz: GENSEC backend 'fake_gssapi_krb5' registered
31-May-2021 11:23:55.051 samba_dlz: ldb: No encrypted secrets key file. Secret attributes will not be encrypted or decrypted
31-May-2021 11:23:55.051 samba_dlz:
31-May-2021 11:23:55.143 samba_dlz: started for DN DC=tst-colleges,DC=fr
31-May-2021 11:23:55.144 samba_dlz: starting configure
31-May-2021 11:23:55.145 samba_dlz: configured writeable zone 'tst-colleges.fr'
31-May-2021 11:23:55.145 samba_dlz: configured writeable zone '2.173.10.in-addr.arpa'
31-May-2021 11:23:55.146 samba_dlz: configured writeable zone 'tstsavoie.fr'
31-May-2021 11:23:55.146 samba_dlz: configured writeable zone '173.10.in-addr.arpa'
31-May-2021 11:23:55.146 samba_dlz: configured writeable zone '0.173.10.in-addr.arpa'
31-May-2021 11:23:55.147 zone 173.10.in-addr.arpa\010CNF:d435cfe6-f8a7-4e3d-b454-2f43f2f2032f/NONE: has 0 SOA records
31-May-2021 11:23:55.147 zone 173.10.in-addr.arpa\010CNF:d435cfe6-f8a7-4e3d-b454-2f43f2f2032f/NONE: has no NS records
31-May-2021 11:23:55.147 samba_dlz: Failed to configure zone '173.10.in-addr.arpa CNF:d435cfe6-f8a7-4e3d-b454-2f43f2f2032f'
31-May-2021 11:23:55.147 loading configuration: bad zone
31-May-2021 11:23:55.147 exiting (due to fatal error)
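Added example, not part of the original ticket and not EOLE code: a Python triage of the journal above that extracts the AppArmor denial records separately from the zone errors named logs before it exits. The sample lines are copied from the ticket's journal; the function names `parse_denials` and `named_failure` are hypothetical.

```python
import re

# Lines copied from the journal in this ticket; the two audit lines are
# truncated there (the last quoted field has no closing quote).
SAMPLE = """\
mai 31 14:14:38 tst-seth-1 audit[9000]: AVC apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/etc/samba/conf.d/full_audit.global" pid=9000 comm="isc-wor
mai 31 14:14:38 tst-seth-1 kernel: audit: type=1400 audit(1622463278.484:21): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/etc/samba/conf.d/full_au
mai 31 14:14:38 tst-seth-1 named[9000]: samba_dlz: configured writeable zone '173.10.in-addr.arpa'
mai 31 14:14:38 tst-seth-1 named[9000]: zone 173.10.in-addr.arpa\\010CNF:d435cfe6-f8a7-4e3d-b454-2f43f2f2032f/NONE: has 0 SOA records
mai 31 14:14:38 tst-seth-1 named[9000]: samba_dlz: Failed to configure zone '173.10.in-addr.arpa CNF:d435cfe6-f8a7-4e3d-b454-2f43f2f2032f'
mai 31 14:14:38 tst-seth-1 named[9000]: loading configuration: bad zone
mai 31 14:14:38 tst-seth-1 named[9000]: exiting (due to fatal error)
"""

# key="value" or key=value; the closing quote is optional so that fields cut
# off mid-value are still captured and can be flagged.
KV = re.compile(r'(\w+)=(?:"([^"]*)("?)|(\S+))')


def parse_denials(text):
    """Return one dict per AppArmor DENIED record, listing truncated fields."""
    records = []
    for line in text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        rec, cut = {}, []
        for key, quoted, closed, bare in KV.findall(line):
            rec[key] = bare or quoted
            if not bare and not closed:
                cut.append(key)  # quoted value with no closing quote
        rec["truncated"] = cut
        records.append(rec)
    return records


def named_failure(text):
    """Return the zone errors named logged and whether it exited fatally."""
    zone_errors = re.findall(r"named\[\d+\]: zone (\S+): (.*)", text)
    failed = re.findall(r"samba_dlz: Failed to configure zone '([^']*)'", text)
    fatal = "exiting (due to fatal error)" in text
    return {"zone_errors": zone_errors, "failed": failed, "fatal": fatal}


if __name__ == "__main__":
    for d in parse_denials(SAMPLE):
        print(d["profile"], d["operation"], d["name"], "truncated:", d["truncated"])
    print(named_failure(SAMPLE))
```

A denied path reported with `name` in its `truncated` list is incomplete and should be re-read from an untruncated journal (for instance `journalctl --no-pager`) before any profile rule is written from it.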
Subtasks
Related issues
History
#1 Updated by Joël Cuissinat almost 3 years ago
- Tracker changed from Request to Scenario
- Due date set to 25/06/2021
- Target version set to Prestation Cadoles MEN 2021 23-25
- Release set to EOLE 2.7.2
- Scenario points set to 1.0
#2 Updated by Joël Cuissinat almost 3 years ago
- Description updated
#3 Updated by Gilles Grandgérard almost 3 years ago
- Target version changed from Prestation Cadoles MEN 2021 23-25 to sprint 2021 26-34 Equipe MENSR (été)
NOT DONE Sprint 2021 23-25
#4 Updated by Gilles Grandgérard almost 3 years ago
- Target version changed from sprint 2021 26-34 Equipe MENSR (été) to Prestation Cadoles MEN 2021 26-34 (été)
#5 Updated by Emmanuel GARETTE almost 3 years ago
- Assignee set to Emmanuel GARETTE
#6 Updated by Ludwig Seys almost 3 years ago
- Status changed from New to Resolved
#7 Updated by Joël Cuissinat more than 2 years ago
- Blocked by Task #32957: Follow-up of the user contact about their DNS problem deleted
#8 Updated by Joël Cuissinat more than 2 years ago
- Related to Task #32957: Follow-up of the user contact about their DNS problem added
#9 Updated by Joël Cuissinat more than 2 years ago
- Status changed from Resolved to Done (Sprint)