[Samba] Workstations cannot update DNS
durwin at mgtsciences.com
Mon May 20 16:42:26 UTC 2019
> > > I took your lines, modified for my subnet.
> > > 1 options {
> > > 2 directory "/var/cache/bind";
> > > 3 notify no;
> > > 4 empty-zones-enable no;
> > > 5 allow-query { 127.0.0.1; 172.23.93.0/24; };
> > > 6 allow-recursion { 172.23.93.0/24; 127.0.0.1/32; };
> > > 7 forwarders { 172.23.93.3; 8.8.8.8; };
> > > 8 allow-transfer { none; };
> > > 9 dnssec-validation no;
> > > 10 dnssec-enable no;
> > > 11 dnssec-lookaside no;
> > > 12 listen-on-v6 { none; };
> > > 13 listen-on port 53 { 172.23.93.25; 127.0.0.1; };
> > > 14
> > > 15 tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
> > > 16 };
> > >
> > > This is what systemctl status bind9 shows
> > >
> > > ● bind9.service - BIND Domain Name Server
> > > Loaded: loaded (/lib/systemd/system/bind9.service; enabled; vendor preset: enabled)
> > > Active: failed (Result: exit-code) since Wed 2019-05-15 14:25:31
> > > MDT; 10min ago
> > > Docs: man:named(8)
> > > Process: 868 ExecStart=/usr/sbin/named -f $OPTIONS (code=exited,
> > > status=1/FAILURE)
> > > Main PID: 868 (code=exited, status=1/FAILURE)
> > >
> > > May 15 14:25:30 dc0 named[868]: /etc/bind/named.conf.options:9:
> > > unknown option ' '
> > > May 15 14:25:30 dc0 named[868]: /etc/bind/named.conf.options:10:
> > > unknown option ' '
> > > May 15 14:25:30 dc0 named[868]: /etc/bind/named.conf.options:11:
> > > unknown option ' '
> > > May 15 14:25:30 dc0 named[868]: /etc/bind/named.conf.options:12:
> > > unknown option ' '
> > > May 15 14:25:30 dc0 named[868]: /etc/bind/named.conf.options:13:
> > > unknown option ' '
> > > May 15 14:25:30 dc0 named[868]: /etc/bind/named.conf.options:15:
> > > unknown option ' '
> > > May 15 14:25:31 dc0 named[868]: loading configuration: failure
> > > May 15 14:25:31 dc0 named[868]: exiting (due to fatal error)
> > > May 15 14:25:31 dc0 systemd[1]: bind9.service: Main process exited,
> > > code=exited, status=1/FAILURE
> > > May 15 14:25:31 dc0 systemd[1]: bind9.service: Failed with result
> > > 'exit-code'.
> > >
> > Bit lost here, as I said, I have been using this since 2012, first on
> > Ubuntu, then Debian and finally on Devuan, without problems. All I can
> > suggest is that you check it again for typos etc.
>
> I did a copy and paste. Somehow what looked like spaces were *not*.
> I replaced all spaces and bind now starts. I will check it out
> now and let you know.
Bind is running now.
I found this command 'aa-complain' and used it. DDNS now works. So this
indicates an 'apparmor' issue. Here is my usr.sbin.named. Perhaps
someone can see what's wrong.
=== usr.sbin.named ===
# vim:syntax=apparmor
# Last Modified: Fri Jun 1 16:43:22 2007
#include <tunables/global>
/usr/sbin/named flags=(attach_disconnected,complain) {
#include <abstractions/base>
#include <abstractions/nameservice>
capability net_bind_service,
capability setgid,
capability setuid,
capability sys_chroot,
capability sys_resource,
# /etc/bind should be read-only for bind
# /var/lib/bind is for dynamically updated zone (and journal) files.
# /var/cache/bind is for slave/stub data, since we're not the origin of it.
# See /usr/share/doc/bind9/README.Debian.gz
/etc/bind/** r,
/var/lib/bind/** rw,
/var/lib/bind/ rw,
/var/cache/bind/** lrw,
/var/cache/bind/ rw,
# gssapi
/etc/krb5.keytab kr,
/etc/bind/krb5.keytab kr,
/var/lib/samba/lib/** rm,
/var/lib/samba/private/dns.keytab r,
/var/lib/samba/private/named.conf r,
/var/lib/samba/bind-dns/** rwk,
/var/lib/samba/etc/smb.conf r,
# ssl
/etc/ssl/openssl.cnf r,
# GeoIP data files for GeoIP ACLs
/usr/share/GeoIP/** r,
# dnscvsutil package
/var/lib/dnscvsutil/compiled/** rw,
# Allow changing worker thread names
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
@{PROC}/net/if_inet6 r,
@{PROC}/*/net/if_inet6 r,
@{PROC}/sys/net/ipv4/ip_local_port_range r,
/usr/sbin/named mr,
/{,var/}run/named/named.pid w,
/{,var/}run/named/session.key w,
# support for resolvconf
/{,var/}run/named/named.options r,
# some people like to put logs in /var/log/named/ instead of having
# syslog do the heavy lifting.
/var/log/named/** rw,
/var/log/named/ rw,
# gssapi
/var/lib/sss/pubconf/krb5.include.d/** r,
/var/lib/sss/pubconf/krb5.include.d/ r,
/var/lib/sss/mc/initgroups r,
/etc/gss/mech.d/ r,
# ldap
/etc/ldap/ldap.conf r,
/{,var/}run/slapd-*.socket rw,
# dynamic updates
/var/tmp/DNS_* rw,
# Site-specific additions and overrides. See local/README for details.
#include <local/usr.sbin.named>
}
=== local/usr.sbin.named ===
/var/lib/samba/lib/** rm,
/var/lib/samba/bind-dns/** rwmk,
/var/lib/samba/private/dns/** rwmk,
/var/lib/samba/private/dns.keytab r,
/var/lib/samba/private/named.conf r,
/var/lib/samba/private/dns/** rwk,
/usr/lib/**/samba/bind9/** rmk,
/usr/lib/**/samba/gensec/* rmk,
/usr/lib/**/samba/ldb/** rmk,
/usr/lib/**/ldb/modules/ldb/** rmk,
/var/tmp/** rwmk,
=== END ===
>
> Thank you,
>
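A small check, added here and not part of the thread or of the Samba/BIND projects, for the invisible-space problem that broke the options file above: it flags any non-ASCII whitespace by line and column so the output can be matched against named's "unknown option ' '" messages, and rewrites the text to plain ASCII spaces. The sample options block and the set of suspect code points are constructed for this example.

```python
import sys

# Code points that render like a space but are not the ASCII space named expects.
SUSPECT_WS = {"\u00a0": "NO-BREAK SPACE", "\u2007": "FIGURE SPACE",
              "\u202f": "NARROW NO-BREAK SPACE", "\u200b": "ZERO WIDTH SPACE",
              "\ufeff": "BYTE ORDER MARK"}
ZERO_WIDTH = {"\u200b", "\ufeff"}  # carry no visible width, safe to drop outright

# Constructed sample mirroring the thread's options block: lines 9-13 and 15
# are indented with NO-BREAK SPACE (U+00A0) instead of ASCII spaces.
NBSP = "\u00a0\u00a0"
SAMPLE_CONF = "\n".join([
    "options {",
    '  directory "/var/cache/bind";',
    "  notify no;",
    "  empty-zones-enable no;",
    "  allow-query { 127.0.0.1; 172.23.93.0/24; };",
    "  allow-recursion { 172.23.93.0/24; 127.0.0.1/32; };",
    "  forwarders { 172.23.93.3; 8.8.8.8; };",
    "  allow-transfer { none; };",
    NBSP + "dnssec-validation no;",
    NBSP + "dnssec-enable no;",
    NBSP + "dnssec-lookaside no;",
    NBSP + "listen-on-v6 { none; };",
    NBSP + "listen-on port 53 { 172.23.93.25; 127.0.0.1; };",
    "",
    NBSP + 'tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";',
    "};",
]) + "\n"

def find_bad_whitespace(text):
    """(line, column, name) for every suspect character, 1-based like named's messages."""
    return [(ln, col, SUSPECT_WS[ch])
            for ln, line in enumerate(text.splitlines(), 1)
            for col, ch in enumerate(line, 1) if ch in SUSPECT_WS]

def affected_lines(text):
    """Sorted line numbers containing suspect whitespace; compare with named's log."""
    return sorted({ln for ln, _, _ in find_bad_whitespace(text)})

def normalize(text):
    """Drop zero-width characters and turn the other suspects into ASCII spaces."""
    for ch in SUSPECT_WS:
        text = text.replace(ch, "" if ch in ZERO_WIDTH else " ")
    return text

if __name__ == "__main__":  # usage: script.py /etc/bind/named.conf.options (sample if omitted)
    src = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_CONF
    for ln, col, name in find_bad_whitespace(src):
        print(f"line {ln} col {col}: {name}")
```

Run against the sample, the affected line numbers are exactly the ones named complained about (9 to 13 and 15); after `normalize` the text passes clean and `named-checkconf` can be used to confirm.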