[Samba] CentOS 6.8 named won't start after upgrade

Paul R. Ganci ganci at nurdog.com
Thu Sep 29 06:20:59 UTC 2016


Ugh, I was upgrading the AD server running on a CentOS 6.8 which uses 
named as its back-end. I have been running it for years with no 
problems. Today, after upgrading bind, named will not start. I get this error:

Sep 28 23:32:25 nikita named[6369]: ----------------------------------------------------
Sep 28 23:32:25 nikita named[6369]: BIND 9 is maintained by Internet Systems Consortium,
Sep 28 23:32:25 nikita named[6369]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
Sep 28 23:32:25 nikita named[6369]: corporation.  Support and training for BIND 9 are
Sep 28 23:32:25 nikita named[6369]: available at https://www.isc.org/support
Sep 28 23:32:25 nikita named[6369]: ----------------------------------------------------
Sep 28 23:32:25 nikita named[6369]: adjusted limit on open files from 4096 to 1048576
Sep 28 23:32:25 nikita named[6369]: found 8 CPUs, using 8 worker threads
Sep 28 23:32:25 nikita named[6369]: using up to 4096 sockets
Sep 28 23:32:25 nikita named[6369]: loading configuration from '/etc/named.conf'
Sep 28 23:32:25 nikita named[6369]: reading built-in trusted keys from file '/etc/named.iscdlv.key'
Sep 28 23:32:25 nikita named[6369]: using default UDP/IPv4 port range: [1024, 65535]
Sep 28 23:32:25 nikita named[6369]: using default UDP/IPv6 port range: [1024, 65535]
Sep 28 23:32:25 nikita named[6369]: no IPv6 interfaces found
Sep 28 23:32:25 nikita named[6369]: listening on IPv4 interface lo, 127.0.0.1#53
Sep 28 23:32:25 nikita named[6369]: listening on IPv4 interface br0, 192.168.1.11#53
Sep 28 23:32:25 nikita named[6369]: listening on IPv4 interface br1, xxx.xxx.xxx.xxx#53
Sep 28 23:32:25 nikita named[6369]: listening on IPv4 interface virbr0, 192.168.122.1#53
Sep 28 23:32:25 nikita named[6369]: binding TCP socket: address in use
Sep 28 23:32:25 nikita named[6369]: generating session key for dynamic DNS
Sep 28 23:32:25 nikita named[6369]: sizing zone task pool based on 6 zones
Sep 28 23:32:25 nikita named[6369]: Loading 'AD DNS Zone' using driver dlopen
Sep 28 23:32:25 nikita named[6369]: samba_dlz: Failed to connect to /var/lib/samba/private/dns/sam.ldb
Sep 28 23:32:25 nikita named[6369]: dlz_dlopen of 'AD DNS Zone' failed
Sep 28 23:32:25 nikita named[6369]: SDLZ driver failed to load.
Sep 28 23:32:25 nikita named[6369]: DLZ driver failed to load.
Sep 28 23:32:25 nikita named[6369]: loading configuration: failure
Sep 28 23:32:25 nikita named[6369]: exiting (due to fatal error)

Usually this occurs because of a protection issue. But I have just 
checked... Everything has the correct protections from what I can tell:

 > cd /var/lib/samba

 > ls -alt
total 22160
-rw-------   1 root root                     32768 Sep 29 00:08 winbindd_cache.tdb
drwxr-x---   8 root named                     4096 Sep 28 23:41 private

 > cd private
/var/lib/samba/private

 > ls -alt
total 5080
drwx------  2 root root     4096 Sep 29 00:08 msg.sock
drwxr-x---  8 root named    4096 Sep 28 23:41 .
-rw-------  1 root root    24576 Sep 28 23:33 schannel_store.tdb
-rw-r--r--  1 root root      633 Sep 28 23:24 named.conf
srwxrwxrwx  1 root root        0 Sep 28 23:23 ldapi
drwxr-x---  2 root root     4096 Sep 28 23:23 ldap_priv
drwxr-xr-x 10 root root     4096 Sep 28 23:23 ..
-rw-------  1 root root      696 Sep 28 23:23 netlogon_creds_cli.tdb
drwxrwx---  3 root named    4096 Sep 11 00:18 dns

 > cd dns
/var/lib/samba/private/dns
 > ls -alt
total 2956
drwxr-x--- 8 root named    4096 Sep 28 23:41 ..
drwxrwx--- 2 root named    4096 Sep 11 00:18 sam.ldb.d
drwxrwx--- 3 root named    4096 Sep 11 00:18 .
-rw-r----- 1 root named 3014656 Sep 11 00:05 sam.ldb

I also believe I have the correct SDLZ driver. Here are the contents of 
/var/lib/samba/private/named.conf

 > cat named.conf
# This DNS configuration is for BIND 9.8.0 or later with dlz_dlopen support.
#
# This file should be included in your main BIND configuration file
#
# For example with
# include "/var/lib/samba/private/named.conf";

#
# This configures dynamically loadable zones (DLZ) from AD schema
# Uncomment only single database line, depending on your BIND version
#
dlz "AD DNS Zone" {
     # For BIND 9.8.x
      database "dlopen /usr/lib64/samba/bind9/dlz_bind9.so";

     # For BIND 9.9.x
     # database "dlopen /usr/lib64/samba/bind9/dlz_bind9_9.so";

     # For BIND 9.10.x
     # database "dlopen /usr/lib64/samba/bind9/dlz_bind9_10.so";
};

Finally

 > named -V

BIND 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6_8.1 built with 
'--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' 
'--target=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' 
'--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' 
'--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' 
'--libdir=/usr/lib64' '--libexecdir=/usr/libexec' 
'--sharedstatedir=/var/lib' '--mandir=/usr/share/man' 
'--infodir=/usr/share/info' '--with-libtool' '--localstatedir=/var' 
'--enable-threads' '--enable-ipv6' '--enable-filter-aaaa' '--with-pic' 
'--disable-static' '--disable-openssl-version-check' '--enable-rpz-nsip' 
'--enable-rpz-nsdname' '--with-dlopen=yes' '--with-dlz-ldap=yes' 
'--with-dlz-postgres=yes' '--with-dlz-mysql=yes' 
'--with-dlz-filesystem=yes' '--with-gssapi=yes' '--disable-isc-spnego' 
'--with-docbook-xsl=/usr/share/sgml/docbook/xsl-stylesheets' 
'--enable-fixed-rrset' 'build_alias=x86_64-redhat-linux-gnu' 
'host_alias=x86_64-redhat-linux-gnu' 
'target_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g -pipe -Wall 
-Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector 
--param=ssp-buffer-size=4 -m64 -mtune=generic' 'CPPFLAGS= -DDIG_SIGCHASE'
using OpenSSL version: OpenSSL 1.0.1e 11 Feb 2013
using libxml2 version: 2.7.6

There is no reason that what was working prior to the upgrade should 
fail now. Does anybody see what is wrong? Very frustrating problem.

-- 
Paul (ganci at nurdog.com)
Cell: (303)257-5208
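
Added example, not part of the original post: a shell check that walks from a file up through every parent directory and reports whether the classic owner/group/other mode bits let a given uid and group list reach it, which is the check the `ls -alt` listings above do by eye. The function names and the assumption that the daemon runs as a user called `named` are illustrative; GNU `stat -c` is assumed.

```shell
#!/bin/sh
# Added example. Evaluates plain mode bits only: it does not model the
# root override, POSIX ACLs or SELinux policy.

# applicable_bits MODE OWNER_UID OWNER_GID UID "GID GID ..."
# Prints the rwx digit (0-7) the kernel would apply to that uid/gid set.
applicable_bits() {
    perms=$(( 0$1 & 0777 ))
    if [ "$4" -eq "$2" ]; then echo $(( (perms >> 6) & 7 )); return; fi
    for g in $5; do
        if [ "$g" -eq "$3" ]; then echo $(( (perms >> 3) & 7 )); return; fi
    done
    echo $(( perms & 7 ))
}

# check_path UID "GIDS" TARGET [NEED] [BASE]
# NEED is the rwx digit required on TARGET (default 4 = read); every
# ancestor up to BASE (default /) needs search permission (1 = x).
# Prints one line per component, returns non-zero if any component denies.
check_path() {
    uid=$1 gids=$2 p=$3 want=${4:-4} base=${5:-/} rc=0
    while :; do
        if info=$(stat -c '%a %u %g' "$p" 2>/dev/null); then
            mode=${info%% *}; rest=${info#* }
            have=$(applicable_bits "$mode" "${rest%% *}" "${rest#* }" "$uid" "$gids")
            if [ $(( have & want )) -eq "$want" ]; then
                echo "ok      $mode $p"
            else
                echo "DENY    $mode $p (needs $want, has $have)"; rc=1
            fi
        else
            echo "MISSING $p"; rc=1
        fi
        [ "$p" = "$base" ] || [ "$p" = "/" ] && break
        p=$(dirname "$p"); want=1
    done
    return $rc
}

# Usage on the host from the post (user name "named" is an assumption):
#   check_path "$(id -u named)" "$(id -G named)" \
#       /var/lib/samba/private/dns/sam.ldb 4
```

The listing in the post does not show the files inside sam.ldb.d, so the same call can be repeated for each of them. Pass 6 instead of 4 to require read and write on the target.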


