[Samba] bind9 won't run

Rowland Penny rpenny at samba.org
Sun Oct 16 18:26:22 UTC 2016


On Sun, 16 Oct 2016 13:13:27 -0500
Bob of Donelson Trophy via samba <samba at lists.samba.org> wrote:

> On 2016-10-16 12:55, Rowland Penny via samba wrote:
> 
> > On Sun, 16 Oct 2016 12:38:00 -0500
> > Bob of Donelson Trophy via samba <samba at lists.samba.org> wrote:
> > 
> >> I am working on my second Ubuntu 16.04.1LTS running Samba 4.5.0
> >> with Bind9_DLZ. 
> >> 
> >> I have one machine just like this one. Same hardware, same software
> >> setup. First machine is working fine. 
> >> 
> >> At the moment this (second) machine is not joined to the other
> >> (until I get Bind running).
> >> 
> >> I have searched log complaints and compared settings between the two
> >> machines, and despite bind running on the first one, I cannot get
> >> bind to run on the second.
> >> 
> >> root at dtdc03:~# systemctl restart apparmor.service
> >> root at dtdc03:~# systemctl status apparmor.service
> >> ● apparmor.service - LSB: AppArmor initialization
> >> Loaded: loaded (/etc/init.d/apparmor; bad; vendor preset: enabled)
> >> Active: active (exited) since Sun 2016-10-16 12:14:58 CDT; 13s ago
> >> Docs: man:systemd-sysv-generator(8)
> >> Process: 2197 ExecStop=/etc/init.d/apparmor stop (code=exited,
> >> status=0/SUCCESS)
> >> Process: 1547 ExecReload=/etc/init.d/apparmor reload (code=exited,
> >> status=123)
> >> Process: 2211 ExecStart=/etc/init.d/apparmor start (code=exited,
> >> status=0/SUCCESS)
> >> 
> >> Oct 16 12:14:54 dtdc03 systemd[1]: Starting LSB: AppArmor
> >> initialization...
> >> Oct 16 12:14:54 dtdc03 apparmor[2211]:  * Starting AppArmor profiles
> >> Oct 16 12:14:57 dtdc03 apparmor[2211]: Skipping profile in
> >> /etc/apparmor.d/disable: usr.sbin.rsyslogd
> >> Oct 16 12:14:58 dtdc03 apparmor[2211]:    ...done.
> >> Oct 16 12:14:58 dtdc03 systemd[1]: Started LSB: AppArmor
> >> initialization.
> >> root at dtdc03:~# systemctl restart bind9
> >> root at dtdc03:~# systemctl status bind9
> >> ● bind9.service - BIND Domain Name Server
> >> Loaded: loaded (/lib/systemd/system/bind9.service; enabled; vendor
> >> preset: enabled)
> >> Drop-In: /run/systemd/generator/bind9.service.d
> >> └─50-insserv.conf-$named.conf
> >> Active: failed (Result: exit-code) since Sun 2016-10-16 12:15:21
> >> CDT; 7s ago
> >> Docs: man:named(8)
> >> Process: 2267 ExecStop=/usr/sbin/rndc stop (code=exited,
> >> status=1/FAILURE)
> >> Process: 2260 ExecStart=/usr/sbin/named -f -u bind (code=exited,
> >> status=1/FAILURE)
> >> Main PID: 2260 (code=exited, status=1/FAILURE)
> >> 
> >> Oct 16 12:15:21 dtdc03 named[2260]: listening on IPv4 interface
> >> enp2s0, 192.168.16.49#53
> >> Oct 16 12:15:21 dtdc03 named[2260]: generating session key for
> >> dynamic DNS
> >> Oct 16 12:15:21 dtdc03 named[2260]: sizing zone task pool based on
> >> 5 zones
> >> Oct 16 12:15:21 dtdc03 named[2260]: Loading 'AD DNS Zone' using
> >> driver dlopen
> >> Oct 16 12:15:21 dtdc03 named[2260]: dlz_dlopen failed to open
> >> library '/usr/local/samba/lib/bind9/dlz_bind9_10.so' -
> >> /usr/local/samba/lib/bind9/dlz_bind9_10.so: cannot open shared
> >> object file: P
> >> Oct 16 12:15:21 dtdc03 systemd[1]: bind9.service: Main process
> >> exited, code=exited, status=1/FAILURE
> >> Oct 16 12:15:21 dtdc03 rndc[2267]: rndc: connect failed:
> >> 127.0.0.1#953: connection refused
> >> Oct 16 12:15:21 dtdc03 systemd[1]: bind9.service: Control process
> >> exited, code=exited status=1
> >> Oct 16 12:15:21 dtdc03 systemd[1]: bind9.service: Unit entered
> >> failed state.
> >> Oct 16 12:15:21 dtdc03 systemd[1]: bind9.service: Failed with
> >> result 'exit-code'. 
> >> 
> >> Part of the /var/log/syslog 
> >> 
> >> Oct 16 12:15:21 dtdc03 named[2260]: listening on IPv4 interface
> >> enp2s0, 192.168.16.49#53
> >> Oct 16 12:15:21 dtdc03 named[2260]: generating session key for
> >> dynamic DNS
> >> Oct 16 12:15:21 dtdc03 named[2260]: sizing zone task pool based on
> >> 5 zones
> >> Oct 16 12:15:21 dtdc03 named[2260]: Loading 'AD DNS Zone' using
> >> driver dlopen
> >> Oct 16 12:15:21 dtdc03 named[2260]: dlz_dlopen failed to open
> >> library '/usr/local/samba/lib/bind9/dlz_bind9_10.so' -
> >> /usr/local/samba/lib/bind9/dlz_bind9_10.so: cannot open shared
> >> object file: Permission denied
> >> Oct 16 12:15:21 dtdc03 named[2260]: dlz_dlopen of 'AD DNS Zone' failed
> >> Oct 16 12:15:21 dtdc03 named[2260]: SDLZ driver failed to load.
> >> Oct 16 12:15:21 dtdc03 named[2260]: DLZ driver failed to load.
> >> Oct 16 12:15:21 dtdc03 named[2260]: loading configuration: failure
> >> Oct 16 12:15:21 dtdc03 kernel: [ 2033.472693]
> >> audit_printk_skb: 18 callbacks suppressed
> >> Oct 16 12:15:21 dtdc03 kernel: [ 2033.472704] audit: type=1400
> >> audit(1476638121.877:194): apparmor="DENIED" operation="open"
> >> profile="/usr/sbin/named"
> >> name="/usr/local/samba/lib/bind9/dlz_bind9_10.so" pid=2263
> >> comm="named" requested_mask="r" denied_mask="r" fsuid=113 ouid=0
> >> Oct 16 12:15:21 dtdc03 named[2260]: exiting (due to fatal error)
> >> Oct 16 12:15:21 dtdc03 systemd[1]: bind9.service: Main process
> >> exited, code=exited, status=1/FAILURE
> >> Oct 16 12:15:21 dtdc03 rndc[2267]: rndc: connect failed:
> >> 127.0.0.1#953: connection refused
> >> Oct 16 12:15:21 dtdc03 systemd[1]: bind9.service: Control process
> >> exited, code=exited status=1
> >> Oct 16 12:15:21 dtdc03 systemd[1]: bind9.service: Unit entered
> >> failed state.
> >> Oct 16 12:15:21 dtdc03 systemd[1]: bind9.service: Failed with
> >> result 'exit-code'. 
> >> 
> >> I must be overlooking something but, what?
> > 
> > How about:
> > 
> > dlz_dlopen failed to open library
> > '/usr/local/samba/lib/bind9/dlz_bind9_10.so'
> > - /usr/local/samba/lib/bind9/dlz_bind9_10.so: cannot open shared
> > object file: Permission denied
> > 
> > and:
> > 
> > apparmor="DENIED" operation="open" profile="/usr/sbin/named"
> > name="/usr/local/samba/lib/bind9/dlz_bind9_10.so" pid=2263
> > comm="named" requested_mask="r" denied_mask="r" fsuid=113 ouid=0
> > 
> > You need to set up Apparmor.
> > 
> > Rowland
> 
> I guess this is where I am confused. Am I giving permission to
> "/usr/sbin/named" or "/usr/local/samba/lib/bind9/dlz_bind9_10.so" or
> both?
> 
> Apparmor is set the same on both machines, and the first machine works;
> this one (the second machine) does not!
> 
> I thought (could be wrong) that apparmor gives permission to the
> "name=" file?
> 

I just take the easy route: I turn off Apparmor ;-)

However, if you are using Apparmor, you need to alter the apparmor file
for 'usr/sbin/named' (from what I remember, you actually change the
file /etc/apparmor.d/usr.sbin.named). You will need to give named read
permission 'r' to /usr/local/samba/lib/bind9/dlz_bind9_10.so.

Rowland
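A way to read the audit record Rowland points at, as an added example that is not from the thread, from Samba or from the Ubuntu bind9 package: the `profile=` field names the confined program and so selects which profile file to edit (the one for /usr/sbin/named), while the `name=` field is the path that goes into the rule and `denied_mask=` is the permission letter the rule must grant. That is the distinction Bob asks about. The input is the audit line from the syslog above joined onto a single line; the local override path /etc/apparmor.d/local/usr.sbin.named and the `#include <local/...>` line in the main profile are assumptions about how Ubuntu ships the profile.

```shell
#!/bin/sh
# Added example (not from the thread): turn an AppArmor "DENIED" audit line
# into the file rule that belongs in the profile of the confined program.
#
#   profile=     -> the confined program; selects WHICH profile file to edit
#   name=        -> the object it was denied; goes INTO the rule
#   denied_mask= -> the permission letters the rule must grant (r, m, w, ...)
#
# Constructed input: the audit line quoted from the syslog, on one line.
AUDIT_LINE='Oct 16 12:15:21 dtdc03 kernel: [ 2033.472704] audit: type=1400 audit(1476638121.877:194): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/usr/local/samba/lib/bind9/dlz_bind9_10.so" pid=2263 comm="named" requested_mask="r" denied_mask="r" fsuid=113 ouid=0'

# Print the value of key="..." from an audit line; prints nothing if absent.
#   $1 = audit line, $2 = key
audit_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\([^\"]*\)\".*/\1/p"
}

# Print the AppArmor file rule for a path denial: "<name> <denied_mask>,"
# Only DENIED records with a name= path are handled; anything else returns 1.
apparmor_rule_from_audit() {
    line=$1
    [ "$(audit_field "$line" apparmor)" = "DENIED" ] || return 1
    name=$(audit_field "$line" name)
    mask=$(audit_field "$line" denied_mask)
    [ -n "$name" ] && [ -n "$mask" ] || return 1
    printf '%s %s,\n' "$name" "$mask"
}

# Map profile= to the site-local override file for that profile.
# Assumption: /etc/apparmor.d/usr.sbin.named carries
# "#include <local/usr.sbin.named>", as the Ubuntu bind9 package ships it.
#   $1 = audit line
apparmor_local_file_for() {
    prof=$(audit_field "$1" profile)
    [ -n "$prof" ] || return 1
    printf '/etc/apparmor.d/local/%s\n' \
        "$(printf '%s' "$prof" | sed 's#^/##; s#/#.#g')"
}

main() {
    rule=$(apparmor_rule_from_audit "$AUDIT_LINE") || {
        echo "not a path denial" >&2
        return 1
    }
    file=$(apparmor_local_file_for "$AUDIT_LINE")
    echo "add to $file:"
    echo "  $rule"
    echo "then reload the profile: apparmor_parser -r /etc/apparmor.d/usr.sbin.named"
}
main
```

After adding the rule, reload the profile with `apparmor_parser -r /etc/apparmor.d/usr.sbin.named` and restart bind9. Because named dlopen()s the module, granting `r` alone may be followed by a second denial with `denied_mask="m"` (executable mapping); the same function turns that record into the matching `m` rule, and a third run of `systemctl status bind9` confirms whether the DLZ driver now loads.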