[Samba] Workstations cannot update DNS

Rowland penny rpenny at samba.org
Wed May 15 17:35:25 UTC 2019


On 15/05/2019 17:57, durwin at mgtsciences.com wrote:
>
> > > May 14 14:22:32 audit[2117]: AVC apparmor="DENIED" operation="file_lock" profile="/usr/sbin/named" name="/var/lib/samba/private/dns.keytab" pid=2117 comm="isc-worker0000" requested_mask="k" denied_mask="k" fsuid=111 ouid=0
> > > May 14 14:22:32 kernel: audit: type=1400 audit(1557865352.085:35): apparmor="DENIED" operation="file_lock" profile="/usr/sbin/named" name="/var/lib/samba/private/dns.keytab" pid=2117 comm="isc-worker0000" requested_mask="k" denied_mask="k" fsuid=111 ouid=0
> >
> > It looks like you need to fix Apparmor (at least), try reading this:
> >
> > https://wiki.samba.org/index.php/BIND9_DLZ_AppArmor_and_SELinux_Integration
>
> selinux is not installed.
> Firewall is not active.
> iptables is not active.
The problem appears to have something to do with Apparmor.
>
> From that page,
> BIND process has read access to the following files
> /var/lib/samba/private/dns.keytab
> /var/lib/samba/private/named.conf          # THIS DOES NOT EXIST

OK, but I do not remember you saying which version of Samba you are 
using; later versions now use the path '/var/lib/samba/bind-dns' instead 
of '/var/lib/samba/private'.

>
> as well read-write access to the
> /var/lib/samba/private/dns/        # THIS DOES NOT EXIST
> directory and its own zone file(s).
>
> this is in /etc/apparmor.d/usr.sbin.named.
>   # /etc/bind should be read-only for bind
>   # /var/lib/bind is for dynamically updated zone (and journal) files.
>   # /var/cache/bind is for slave/stub data, since we're not the origin of it.
>   # See /usr/share/doc/bind9/README.Debian.gz
>   /etc/bind/** r,
>   /var/lib/bind/** rw,
>   /var/lib/bind/ rw,
>   /var/cache/bind/** lrw,
>   /var/cache/bind/ rw,
>
>   # gssapi
>   /etc/krb5.keytab kr,
>   /etc/bind/krb5.keytab kr,
>   /var/lib/samba/lib/** rm,
>   /var/lib/samba/private/dns.keytab r,
>   /var/lib/samba/private/named.conf r,
>   /var/lib/samba/private/dns/** rwk,            # THIS DOES NOT EXIST
>   /var/lib/samba/etc/smb.conf r,
>
> I rebooted just to be sure.  However, I still get client update denied.
>
>
> This is in /etc/bind/
>
> drwxr-sr-x  2 root bind 4096 May 15 10:38 ./
> drwxr-xr-x 99 root root 4096 May  3 11:13 ../
> -rw-r--r--  1 root root 2761 Apr 24 04:04 bind.keys
> -rw-r--r--  1 root root  237 Oct 10  2018 db.0
> -rw-r--r--  1 root root  271 Oct 10  2018 db.127
> -rw-r--r--  1 root bind  615 May 10 11:28 db.172.23.93
Is the above your reverse zone?
>
> -rw-r--r--  1 root root  237 Oct 10  2018 db.255
> -rw-r--r--  1 root root  353 Oct 10  2018 db.empty
> -rw-r--r--  1 root root  270 Oct 10  2018 db.local
> -rw-r--r--  1 root root 3171 Oct 10  2018 db.root
> -rw-r--r--  1 root bind  499 May 10 11:12 named.conf
> -rw-r--r--  1 root bind  662 May 14 11:42 named.conf.default-zones
> -rw-r--r--  1 root bind  258 Apr 29 11:34 named.conf.local
> -rw-r--r--  1 root bind  193 May 14 11:44 named.conf.msi

And is the above your forward zone?

If it is yes to both of the last questions, then you need to delete 
them; you cannot use flat files with BIND9_DLZ.

>
> -rw-r--r--  1 root bind 1109 May 14 09:22 named.conf.options
> -rw-r-----  1 bind bind   77 Apr 29 11:22 rndc.key
> -rw-r--r--  1 root root 1317 Oct 10  2018 zones.rfc1918
>
Rowland
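The denial quoted at the top of the thread asks for `k` (file lock) on `dns.keytab`, while the profile stanza that follows grants that path only `r`. The script below is an added example, not something posted in this thread or shipped by Samba or AppArmor: it parses `apparmor="DENIED"` audit lines, parses the file rules of a profile stanza, resolves AppArmor's `*` / `**` globs against the denied path, and reports which requested permission letters no matching rule grants. The audit lines and the profile stanza are the ones quoted above, re-joined onto single lines and embedded as constructed sample input; the parser deliberately handles only plain `path perms,` rules (no `#include`, `deny`, owner or exec-mode rules), so it is a triage aid, not a profile compiler.

```python
import re

# Constructed sample: the two audit lines quoted in the thread, joined onto one line each.
SAMPLE_AUDIT = """May 14 14:22:32 audit[2117]: AVC apparmor="DENIED" operation="file_lock" profile="/usr/sbin/named" name="/var/lib/samba/private/dns.keytab" pid=2117 comm="isc-worker0000" requested_mask="k" denied_mask="k" fsuid=111 ouid=0
May 14 14:22:32 kernel: audit: type=1400 audit(1557865352.085:35): apparmor="DENIED" operation="file_lock" profile="/usr/sbin/named" name="/var/lib/samba/private/dns.keytab" pid=2117 comm="isc-worker0000" requested_mask="k" denied_mask="k" fsuid=111 ouid=0
"""

# Constructed sample: the gssapi stanza of /etc/apparmor.d/usr.sbin.named as quoted in the thread.
SAMPLE_PROFILE = """
  # gssapi
  /etc/krb5.keytab kr,
  /etc/bind/krb5.keytab kr,
  /var/lib/samba/lib/** rm,
  /var/lib/samba/private/dns.keytab r,
  /var/lib/samba/private/named.conf r,
  /var/lib/samba/private/dns/** rwk,
  /var/lib/samba/etc/smb.conf r,
"""

# key="value" pairs as they appear in AppArmor audit records (unquoted pid= etc. are skipped)
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
# a plain file rule: absolute path glob, whitespace, permission letters, trailing comma
RULE_RE = re.compile(r'^\s*(/\S+)\s+([a-zA-Z]+),\s*$')


def parse_denials(log_text):
    """Return one dict of quoted fields per apparmor="DENIED" line."""
    return [dict(FIELD_RE.findall(line))
            for line in log_text.splitlines()
            if 'apparmor="DENIED"' in line]


def parse_profile(profile_text):
    """Return (path_glob, set_of_permission_letters) for each plain file rule."""
    rules = []
    for line in profile_text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append((m.group(1), set(m.group(2))))
    return rules


def glob_to_regex(glob):
    """AppArmor globbing: '**' crosses '/' boundaries, '*' does not."""
    pattern, i = '', 0
    while i < len(glob):
        if glob.startswith('**', i):
            pattern, i = pattern + '.*', i + 2
        elif glob[i] == '*':
            pattern, i = pattern + '[^/]*', i + 1
        else:
            pattern, i = pattern + re.escape(glob[i]), i + 1
    return re.compile('^' + pattern + '$')


def missing_perms(denial, rules):
    """Letters of denied_mask that no rule matching the denied path grants."""
    granted = set()
    for glob, perms in rules:
        if glob_to_regex(glob).match(denial['name']):
            granted |= perms
    return set(denial['denied_mask']) - granted


def diagnose(log_text, profile_text, profile='/usr/sbin/named'):
    """Map each denied path under `profile` to the permission letters it is missing."""
    rules = parse_profile(profile_text)
    acc = {}
    for d in parse_denials(log_text):
        if d.get('profile') != profile or 'name' not in d or 'denied_mask' not in d:
            continue
        missing = missing_perms(d, rules)
        if missing:
            acc.setdefault(d['name'], set()).update(missing)
    return {path: ''.join(sorted(letters)) for path, letters in acc.items()}


if __name__ == '__main__':
    for path, letters in diagnose(SAMPLE_AUDIT, SAMPLE_PROFILE).items():
        print(f'{path}: denied {letters!r}, not granted by any matching rule')
```

Run against the thread's own lines it reports `/var/lib/samba/private/dns.keytab: denied 'k'`, which is exactly the gap between the AVC record and the `r`-only rule; the same comparison works unchanged for the `/var/lib/samba/bind-dns/` paths that later Samba versions use, because it only compares whatever path the kernel logged against whatever rules the profile has. Feed it `journalctl -k` or `/var/log/audit/audit.log` output and the live `/etc/apparmor.d/usr.sbin.named` to repeat the check after editing the profile and running `apparmor_parser -r` on it.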