In message <[EMAIL PROTECTED]>, "[EMAIL PROTECTED]" writes:
> Danny Mayer wrote:
> > [EMAIL PROTECTED] wrote:
> >
> >> A very strange thing happened after upgrading from BIND 8.4.6 to 9.5.0.
> >> We created the "named" user as a service account as required by BIND9,
> >> then granted full control on everything in the BIND directory (d:\bind)
> >> to this user, however the named service failed to start due to:
> >>
> >> > Error 1053: The service did not respond to the start or control
> >> request in a timely fashion
> >>
> >> There are a bunch of "unable to rename log file...permission denied"
> >> errors in the Windows Event Log, the exact error messages read:
> >>
> >> > unable to rename log file '..\\logs\\named.log.5' to
> >> '..\\logs\\named.log.6': permission denied
> >> > unable to rename log file '..\\logs\\named.log.6' to
> >> '..\\logs\\named.log.7': permission denied
> >> > unable to rename log file '..\\logs\\named.log.7' to
> >> '..\\logs\\named.log.8': permission denied
> >> > ...heaps more...
> >>
> >> It became apparent that there are some permission issues writing to the
> >> log directory (d:\bind\logs), but we checked many times and can confirm
> >> that "named" user has full control all the way. The next thing we did
> >> was to rename the log directory to d:\bind\logs_preBIND9 and created a
> >> new log directory d:\bind\logs, and this time named started successfully.
> >>
> >> We then compared the permissions between d:\bind\logs_preBIND9 and
> >> d:\bind\logs, they are exactly the same. It seems the problem is still
> >> there, but because the new log directory is empty so named does not have
> >> to rename anything and therefore it worked. Chances are as soon as the
> >> circular log files start to pop up named will stop working.
> >>
> >> Is there a solution to this problem? What extra permissions are required
> >> to rename the log files when it already has full control? By the way our
> >> log file setting is "versions 50 size 25M" if that matters.
> >>
> >> Thanks! Peter
> >>
> >
> > Look at the ISC BIND service and make certain that the service is run
> > under the account you think it is. You can also look at the task manager
> > and check the "Show processes from all users" box and look to see what
> > account named is using. Then go into the directory properties, grant all
> > access to the specified account and make sure to specify that it
> > propagate to all subdirectories. From the CMD line type: CACLS * and see
> > what permissions you actually have and post it here. Where does the
> > named.pid file go and does it get written? Also are you sure you have
> > double backslashes (\\) in the directory path in the application event
> > log or did you just type that into your message?
> >
> > Danny
> >
> Thanks for replying so quickly.
>
> I have double checked named is running under the intended service
> account "named", in services console and task manager.
>
> named.pid is created in d:\bind\etc. Double backslashes as how they
> appear in the Application Event Viewer. Actually it got me thinking is
> relative path allowed in BIND9? This is what we have in named.conf and
> it works fine with BIND8:
>
> channel log_file
> {
>     file "..\\logs\\named.log" versions 50 size 25M;
>     severity info;
>     print-time yes;
>     print-severity yes;
>     print-category yes;
> };
>
> TIA. Peter

Relative paths work. You will also need to set directory in options.

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: [EMAIL PROTECTED]
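
The check Danny asks for in the quoted reply (see what permissions are actually in place) can be done per file rather than per directory. The PowerShell below is an added example, not part of the thread; it assumes the log directory d:\bind\logs and the account name "named" from the post, and it reports only ACEs that name the account directly, not rights the account gets through group membership.

```powershell
# Added example, not from the thread. Defaults come from the post.
param(
    [string]$LogDir  = 'd:\bind\logs',
    [string]$Account = 'named'
)
$Rights = [System.Security.AccessControl.FileSystemRights]

# ACEs that name the account directly (rights granted through groups are not shown).
function Get-AccountAce {
    param([string]$Path, [string]$Account)
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $id = $_.IdentityReference.Value
        $id -eq $Account -or $id -like "*\$Account"
    }
}

# True only if some Allow ACE grants $Right and no Deny ACE takes it away.
function Test-Right {
    param($Aces, $Right)
    $allowed = $false
    foreach ($ace in $Aces) {
        if (($ace.FileSystemRights -band $Right) -eq $Right) {
            if ($ace.AccessControlType -eq 'Deny') { return $false }
            $allowed = $true
        }
    }
    return $allowed
}

# Rolling named.log.N to named.log.N+1 needs the right to create files in the
# folder and Delete on each existing file (or DeleteSubdirectoriesAndFiles on the folder).
$dirAces = @(Get-AccountAce -Path $LogDir -Account $Account)
$canCreate      = Test-Right $dirAces ($Rights::CreateFiles)
$canDeleteChild = Test-Right $dirAces ($Rights::DeleteSubdirectoriesAndFiles)
'{0}: CreateFiles={1} DeleteChild={2}' -f $LogDir, $canCreate, $canDeleteChild

Get-ChildItem -LiteralPath $LogDir -File | ForEach-Object {
    $aces = @(Get-AccountAce -Path $_.FullName -Account $Account)
    [pscustomobject]@{
        File      = $_.Name
        AceCount  = $aces.Count
        Inherited = @($aces | Where-Object IsInherited).Count
        CanDelete = $canDeleteChild -or (Test-Right $aces ($Rights::Delete))
    }
} | Format-Table -AutoSize
```

A file that shows AceCount 0 or CanDelete False while the folder itself looks correct is one where the grant on the directory did not reach the existing log files.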