[Samba] Workstations cannot update DNS

durwin at mgtsciences.com durwin at mgtsciences.com
Mon May 20 16:42:26 UTC 2019


> > > I took your lines, modified for my subnet.
> > >   1 options {
> > >   2      directory "/var/cache/bind";
> > >   3      notify no;
> > >   4      empty-zones-enable no;
> > >   5      allow-query { 127.0.0.1; 172.23.93.0/24; };
> > >   6      allow-recursion {  172.23.93.0/24; 127.0.0.1/32; };
> > >   7      forwarders { 172.23.93.3; 8.8.8.8; };
> > >   8      allow-transfer { none; };
> > >   9      dnssec-validation no;
> > >  10      dnssec-enable no;
> > >  11      dnssec-lookaside no;
> > >  12      listen-on-v6 { none; };
> > >  13      listen-on port 53 { 172.23.93.25; 127.0.0.1; };
> > >  14
> > >  15      tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
> > >  16 };
> > >
> > > This is what systemctl status bind9 shows
> > >
> > > ● bind9.service - BIND Domain Name Server
> > >    Loaded: loaded (/lib/systemd/system/bind9.service; enabled; vendor preset: enabled)
> > >    Active: failed (Result: exit-code) since Wed 2019-05-15 14:25:31 
> > > MDT; 10min ago
> > >      Docs: man:named(8)
> > >   Process: 868 ExecStart=/usr/sbin/named -f $OPTIONS (code=exited, 
> > > status=1/FAILURE)
> > >  Main PID: 868 (code=exited, status=1/FAILURE)
> > >
> > > May 15 14:25:30 dc0 named[868]: /etc/bind/named.conf.options:9: 
> > > unknown option '   '
> > > May 15 14:25:30 dc0 named[868]: /etc/bind/named.conf.options:10: 
> > > unknown option '   '
> > > May 15 14:25:30 dc0 named[868]: /etc/bind/named.conf.options:11: 
> > > unknown option '   '
> > > May 15 14:25:30 dc0 named[868]: /etc/bind/named.conf.options:12: 
> > > unknown option '   '
> > > May 15 14:25:30 dc0 named[868]: /etc/bind/named.conf.options:13: 
> > > unknown option '   '
> > > May 15 14:25:30 dc0 named[868]: /etc/bind/named.conf.options:15: 
> > > unknown option '   '
> > > May 15 14:25:31 dc0 named[868]: loading configuration: failure
> > > May 15 14:25:31 dc0 named[868]: exiting (due to fatal error)
> > > May 15 14:25:31 dc0 systemd[1]: bind9.service: Main process exited, 
> > > code=exited, status=1/FAILURE
> > > May 15 14:25:31 dc0 systemd[1]: bind9.service: Failed with result 
> > > 'exit-code'.
> > >
> > Bit lost here, as I said, I have been using this since 2012, first on 
> > Ubuntu, then Debian and finally on Devuan, without problems. All I can 
> > suggest is that you check it again for typos etc.
> 
> I did a copy and paste.  Somehow what looked like spaces were *not*.
> I replaced all spaces and bind now starts.  I will check it out
> now and let you know.

Bind is running now.

I found this command 'aa-complain' and used it.  DDNS now works.  So this
indicates an 'apparmor' issue.  Here is my usr.sbin.named.  Perhaps
someone can see what's wrong.


=== usr.sbin.named ===
# vim:syntax=apparmor
# Last Modified: Fri Jun  1 16:43:22 2007
#include <tunables/global>

/usr/sbin/named flags=(attach_disconnected,complain) {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  capability net_bind_service,
  capability setgid,
  capability setuid,
  capability sys_chroot,
  capability sys_resource,

  # /etc/bind should be read-only for bind
  # /var/lib/bind is for dynamically updated zone (and journal) files.
  # /var/cache/bind is for slave/stub data, since we're not the origin of it.
  # See /usr/share/doc/bind9/README.Debian.gz
  /etc/bind/** r,
  /var/lib/bind/** rw,
  /var/lib/bind/ rw,
  /var/cache/bind/** lrw,
  /var/cache/bind/ rw,

  # gssapi
  /etc/krb5.keytab kr,
  /etc/bind/krb5.keytab kr,
  /var/lib/samba/lib/** rm,
  /var/lib/samba/private/dns.keytab r,
  /var/lib/samba/private/named.conf r,
  /var/lib/samba/bind-dns/** rwk,
  /var/lib/samba/etc/smb.conf r,

  # ssl
  /etc/ssl/openssl.cnf r,

  # GeoIP data files for GeoIP ACLs
  /usr/share/GeoIP/** r,

  # dnscvsutil package
  /var/lib/dnscvsutil/compiled/** rw,

  # Allow changing worker thread names
  owner @{PROC}/@{pid}/task/@{tid}/comm rw,

  @{PROC}/net/if_inet6 r,
  @{PROC}/*/net/if_inet6 r,
  @{PROC}/sys/net/ipv4/ip_local_port_range r,
  /usr/sbin/named mr,
  /{,var/}run/named/named.pid w,
  /{,var/}run/named/session.key w,
  # support for resolvconf
  /{,var/}run/named/named.options r,

  # some people like to put logs in /var/log/named/ instead of having
  # syslog do the heavy lifting.
  /var/log/named/** rw,
  /var/log/named/ rw,

  # gssapi
  /var/lib/sss/pubconf/krb5.include.d/** r,
  /var/lib/sss/pubconf/krb5.include.d/ r,
  /var/lib/sss/mc/initgroups r,
  /etc/gss/mech.d/ r,

  # ldap
  /etc/ldap/ldap.conf r,
  /{,var/}run/slapd-*.socket rw,

  # dynamic updates
  /var/tmp/DNS_* rw,

  # Site-specific additions and overrides. See local/README for details.
  #include <local/usr.sbin.named>
}

=== local/usr.sbin.named ===
/var/lib/samba/lib/** rm,
/var/lib/samba/bind-dns/** rwmk,
/var/lib/samba/private/dns/** rwmk,
/var/lib/samba/private/dns.keytab r,
/var/lib/samba/private/named.conf r,
/var/lib/samba/private/dns/** rwk,
/usr/lib/**/samba/bind9/** rmk,
/usr/lib/**/samba/gensec/* rmk,
/usr/lib/**/samba/ldb/** rmk,
/usr/lib/**/ldb/modules/ldb/** rmk,
/var/tmp/** rwmk,

=== END ===





> 
> Thank you,
> 
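
Added example, not part of the original message: with the profile in complain mode, the kernel logs each access the profile would have blocked as an `apparmor="ALLOWED"` audit record, so the missing rules can be read from the log instead of guessed. The sketch below assumes the usual key=value audit format; the log lines and every path in them are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample audit lines (not from the original post); all paths are placeholders.
_PFX = 'May 20 10:31:02 dc0 kernel: audit: type=1400 audit(1558369862.1:45): '
SAMPLE_LOG = "\n".join(_PFX + rest for rest in [
    'apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/named" pid=801',
    'apparmor="ALLOWED" operation="open" profile="/usr/sbin/named" name="/example/lib/samba/bind9/dlz_module.so" requested_mask="r" denied_mask="r"',
    'apparmor="ALLOWED" operation="file_mmap" profile="/usr/sbin/named" name="/example/lib/samba/bind9/dlz_module.so" requested_mask="m" denied_mask="m"',
    'apparmor="DENIED" operation="mknod" profile="/usr/sbin/named" name="/example/var/tmp/DNS_110" requested_mask="c" denied_mask="c"',
    'apparmor="ALLOWED" operation="open" profile="/usr/sbin/named" name=2F6578616D706C652F6B65792066696C65 requested_mask="rk" denied_mask="rk"',
    'apparmor="ALLOWED" operation="open" profile="/usr/sbin/ntpd" name="/example/other" requested_mask="r" denied_mask="r"',
])

FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')
PERM_ORDER = "rwaklm"  # file permissions emitted here; exec ('x') needs a qualifier, so it is left out

def parse_fields(line):
    fields = {}
    for key, raw, quoted in FIELD.findall(line):
        fields[key] = quoted if raw.startswith('"') else raw
    name = fields.get("name", "")
    # audit hex-encodes names containing spaces or control characters and leaves them unquoted
    if name and not name.startswith("/") and re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", name):
        fields["name"] = bytes.fromhex(name).decode("utf-8", "replace")
    return fields

def missing_rules(log_text, profile="/usr/sbin/named"):
    perms = defaultdict(set)
    for line in log_text.splitlines():
        f = parse_fields(line)
        if f.get("apparmor") not in ("ALLOWED", "DENIED") or f.get("profile") != profile:
            continue
        for ch in f.get("denied_mask", ""):
            ch = "w" if ch in "cd" else ch  # create/delete are covered by 'w' in a rule
            if ch in PERM_ORDER and "name" in f:
                perms[f["name"]].add(ch)
    # 'a' and 'w' cannot be combined in one rule; 'w' already covers append
    return {p: "".join(c for c in PERM_ORDER if c in s and not (c == "a" and "w" in s))
            for p, s in perms.items()}

def format_rules(rules):
    # Paths containing spaces must be quoted in profile syntax
    return [f'  "{p}" {m},' if " " in p else f"  {p} {m}," for p, m in sorted(rules.items())]

if __name__ == "__main__":
    print("\n".join(format_rules(missing_rules(SAMPLE_LOG))))
```

Review each suggested line before adding it to local/usr.sbin.named, and prefer the narrowest path and mask that covers the logged access. After reloading the profile with `apparmor_parser -r`, `aa-enforce` puts it back into enforce mode.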


