
Re: [Samba] Workstations cannot update DNS

On 15/05/2019 17:57, durwin@xxxxxxxxxxxxxxx wrote:

> > May 14 14:22:32 audit[2117]: AVC apparmor="DENIED" operation="file_lock"
> > profile="/usr/sbin/named" name="/var/lib/samba/private/dns.keytab"
> > pid=2117 comm="isc-worker0000" requested_mask="k" denied_mask="k"
> > fsuid=111 ouid=0
> > May 14 14:22:32 kernel: audit: type=1400 audit(1557865352.085:35):
> > apparmor="DENIED" operation="file_lock" profile="/usr/sbin/named"
> > name="/var/lib/samba/private/dns.keytab" pid=2117 comm="isc-worker0000"
> > requested_mask="k" denied_mask="k" fsuid=111 ouid=0
>
> It looks like you need to fix Apparmor (at least), try reading this:
>
> https://wiki.samba.org/index.php/BIND9_DLZ_AppArmor_and_SELinux_Integration

> selinux is not installed.
> Firewall is not active.
> iptables is not active.
> The problem appears to have something to do with Apparmor.
>
> From that page,
> BIND process has read access to the following files
> /var/lib/samba/private/dns.keytab
> /var/lib/samba/private/named.conf          # THIS DOES NOT EXIST

OK, but I do not remember you saying which version of Samba you are using; later versions now use the path '/var/lib/samba/bind-dns' instead of '/var/lib/samba/private'.


> as well as read-write access to the
> /var/lib/samba/private/dns/        # THIS DOES NOT EXIST
> directory and its own zone file(s).

> This is in /etc/apparmor.d/usr.sbin.named.
>   # /etc/bind should be read-only for bind
>   # /var/lib/bind is for dynamically updated zone (and journal) files.
>   # /var/cache/bind is for slave/stub data, since we're not the origin of it.
>   # See /usr/share/doc/bind9/README.Debian.gz
>   /etc/bind/** r,
>   /var/lib/bind/** rw,
>   /var/lib/bind/ rw,
>   /var/cache/bind/** lrw,
>   /var/cache/bind/ rw,
>
>   # gssapi
>   /etc/krb5.keytab kr,
>   /etc/bind/krb5.keytab kr,
>   /var/lib/samba/lib/** rm,
>   /var/lib/samba/private/dns.keytab r,
>   /var/lib/samba/private/named.conf r,
>   /var/lib/samba/private/dns/** rwk,            # THIS DOES NOT EXIST
>   /var/lib/samba/etc/smb.conf r,
>
> I rebooted just to be sure.  However, I still get client update denied.


> This is in /etc/bind/
>
> drwxr-sr-x  2 root bind 4096 May 15 10:38 ./
> drwxr-xr-x 99 root root 4096 May  3 11:13 ../
> -rw-r--r--  1 root root 2761 Apr 24 04:04 bind.keys
> -rw-r--r--  1 root root  237 Oct 10  2018 db.0
> -rw-r--r--  1 root root  271 Oct 10  2018 db.127
> -rw-r--r--  1 root bind  615 May 10 11:28 db.172.23.93
Is the above your reverse zone ?

> -rw-r--r--  1 root root  237 Oct 10  2018 db.255
> -rw-r--r--  1 root root  353 Oct 10  2018 db.empty
> -rw-r--r--  1 root root  270 Oct 10  2018 db.local
> -rw-r--r--  1 root root 3171 Oct 10  2018 db.root
> -rw-r--r--  1 root bind  499 May 10 11:12 named.conf
> -rw-r--r--  1 root bind  662 May 14 11:42 named.conf.default-zones
> -rw-r--r--  1 root bind  258 Apr 29 11:34 named.conf.local
> -rw-r--r--  1 root bind  193 May 14 11:44 named.conf.msi

And is the above your forward zone ?

If it is yes to both of the last questions, then you need to delete them; you cannot use flat files with BIND9_DLZ.


> -rw-r--r--  1 root bind 1109 May 14 09:22 named.conf.options
> -rw-r-----  1 bind bind   77 Apr 29 11:22 rndc.key
> -rw-r--r--  1 root root 1317 Oct 10  2018 zones.rfc1918

Rowland
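As an added illustration (not part of the thread, and not Samba or BIND code), the following Python checker reads AppArmor `apparmor="DENIED"` audit lines like the one quoted above and compares the `denied_mask` letters against the file rules of the quoted named profile, reporting which letters no matching rule grants. The denial line and the profile rules are embedded as constructed sample data copied from the thread; the `suggested` rule it prints is this script's own proposal, not text from the Samba wiki.

```python
import re

# Constructed sample: the denial and the named profile rules quoted in the thread.
AUDIT_LOG = (
    'May 14 14:22:32 audit[2117]: AVC apparmor="DENIED" operation="file_lock" '
    'profile="/usr/sbin/named" name="/var/lib/samba/private/dns.keytab" '
    'pid=2117 comm="isc-worker0000" requested_mask="k" denied_mask="k" '
    'fsuid=111 ouid=0\n'
)
PROFILE = """\
  /var/lib/samba/private/dns.keytab r,
  /var/lib/samba/private/named.conf r,
  /var/lib/samba/private/dns/** rwk,            # THIS DOES NOT EXIST
  /var/lib/samba/etc/smb.conf r,
"""
RULE_RE = re.compile(r"^\s*(/\S+)\s+([a-zA-Z]+),")  # "<path glob> <perms>,"
KV_RE = re.compile(r'(\w+)="([^"]*)"')               # key="value" fields

def glob_to_regex(pattern):
    """AppArmor path globbing: '**' may span '/', a single '*' may not."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out, i = out + ".*", i + 2
        elif pattern[i] == "*":
            out, i = out + "[^/]*", i + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile("^" + out + "$")

def parse_profile(text):
    """[(compiled glob, set of permission letters)] for each file rule."""
    matches = [RULE_RE.match(line) for line in text.splitlines()]
    return [(glob_to_regex(m.group(1)), set(m.group(2))) for m in matches if m]

def parse_denials(text):
    """key="value" fields of every apparmor="DENIED" audit line."""
    return [dict(KV_RE.findall(l)) for l in text.splitlines()
            if 'apparmor="DENIED"' in l]

def missing_permissions(audit_text, profile_text):
    """Per denial: which letters of denied_mask no matching rule grants."""
    rules = parse_profile(profile_text)
    report = []
    for d in parse_denials(audit_text):
        granted = set().union(*(p for rx, p in rules if rx.match(d["name"])))
        missing = set(d["denied_mask"]) - granted
        wanted = "".join(sorted(granted | set(d["denied_mask"])))
        report.append({"path": d["name"], "granted": granted,
                       "missing": missing, "suggested": f'{d["name"]} {wanted},'})
    return report
```

For the quoted denial the only matching rule grants `r` while named asked for `k` (file lock), so the report's `missing` set is `{'k'}`.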


