Re: installing on SLES 10sp3
Chris Buxton wrote:
> On Sep 9, 2010, at 5:02 PM, Lyle Giese wrote:
>> wllarso wrote:
>>> I'm not any sort of Linux expert but this started my mind thinking.
>>> Take a look at the BIND FAQ, it comes with the sources. There are some
>>> Linux specific comments about file and directory permissions. Bind
>>> running under Linux drops special 'root' permissions when it starts up.
>>
>> I am not using the -u option nor am I running in a CHROOT environment.
>> ps shows root owning the named process.
>>
>>> Also, there are specific issues when running the Security Enhanced
>>> Linux. This may be your situation, or not. We can't tell.
>>
>> I have never on purpose enabled SELinux <GRIN>!
>
> On SLES, look for AppArmor. You may find that an AppArmor profile is
> stifling what named can do. Try disabling it.
>
> IMO, SELinux and AppArmor have their place, but you generally have to
> create or customize your own security profile to allow services to work
> the way you want them to. Both SUSE and RHEL/Fedora/CentOS make the
> assumption that you will use the provided management tools, or none at
> all, rather than using any 3rd party management system.
>
> Chris Buxton
> BlueCat Networks

Thanks, Chris. That is exactly what it was. AppArmor.

Lyle Giese
LCR Computer Services, Inc.
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: installing on SLES 10sp3
On Sep 9, 2010, at 5:02 PM, Lyle Giese wrote:
> wllarso wrote:
>> I'm not any sort of Linux expert but this started my mind thinking.
>> Take a look at the BIND FAQ, it comes with the sources. There are some
>> Linux specific comments about file and directory permissions. Bind
>> running under Linux drops special 'root' permissions when it starts up.
>
> I am not using the -u option nor am I running in a CHROOT environment.
> ps shows root owning the named process.
>
>> Also, there are specific issues when running the Security Enhanced
>> Linux. This may be your situation, or not. We can't tell.
>
> I have never on purpose enabled SELinux <GRIN>!

On SLES, look for AppArmor. You may find that an AppArmor profile is
stifling what named can do. Try disabling it.

IMO, SELinux and AppArmor have their place, but you generally have to
create or customize your own security profile to allow services to work
the way you want them to. Both SUSE and RHEL/Fedora/CentOS make the
assumption that you will use the provided management tools, or none at
all, rather than using any 3rd party management system.

Chris Buxton
BlueCat Networks
Re: installing on SLES 10sp3
Lyle Giese wrote:
I am not running named as named, but as root (no -u on the command line).
But in testing I did change the permissions on this directory to 777 with
no change in behaviour, and changed it back to 755.

Lyle Giese
LCR Computer Services, Inc.

dhottin...@harrisonburg.k12.va.us wrote:
> Does named own the directory?
>
> Quoting Lyle Giese l...@lcrcomputer.net:
>> I am trying to install bind 9.7.1-P2 from source on a SLES 10 SP3
>> server. When I run named from the command line, it runs, but fails to
>> open and write any of the zone files it downloaded.
>>
>> named -c /etc/named.conf (yes I am running this as root)
>>
>> The error is
>>
>> Sep 9 10:40:05 linuxps named[30549]: transfer of '103.0.10.in-addr.arpa/IN/chase' from 209.172.152.3#53: Transfer completed: 1 messages, 261 records, 5636 bytes, 0.116 secs (48586 bytes/sec)
>> Sep 9 10:40:05 linuxps named[30549]: zone 103.0.10.in-addr.arpa/IN/chase: sending notifies (serial 2010081601)
>> Sep 9 10:40:05 linuxps named[30549]: dumping master file: tmp-QJcEgeBZ3h: open: permission denied
>>
>> There is never a path mentioned in the permission denied message and
>> the zone files are not written out to disk. I have set a directory in
>> the options section:
>>
>> Options { directory /etc/named; };
>>
>> When I run named-checkconf against named.conf, it is always erroring
>> out against this line (directory line), no matter what I put there or
>> different syntax I insert. And yes the directory really does exist.
>>
>> named.conf: line 17: change directory to: '/etc/named' failed: file not found
>> named.conf:line 17: parse failed
>>
>> What 'file' is named-checkconf looking for? Or is this a bogus error
>> message? Am I missing something else?
>>
>> I am starting named as root, but appear to be getting permission
>> issues. It just does not make any sense right now.
>>
>> Lyle Giese
>> LCR Computer Services, Inc.
Re: installing on SLES 10sp3
On Thu, 9 Sep 2010, Lyle Giese wrote:
> I am trying to install bind 9.7.1-P2 from source on a SLES 10 SP3
> server. When I run named from the command line, it runs, but fails to
> open and write any of the zone files it downloaded.
>
> named -c /etc/named.conf (yes I am running this as root)

I had similar problems with 9.7.1-P2 and it seemed that the named init
script generated for F11 reset permissions on the /var/named directory.
Go figure. But, to make it work, I inserted a chmod command just before
it launched the daemon to set /var/named as owned by named. I also like
the executable in /usr/local/sbin rather than /usr/sbin as the script
said. So mine now is as below:

...
chown -hR named:named /var/named                        ## DRF
#daemon /usr/sbin/$named -u named ${OPTIONS};           ## DRF
daemon /usr/local/sbin/$named -u named ${OPTIONS};      ## DRF
...

I don't start it directly from the command line though, so running from
the command line as root should not have that ownership problem. You
might check the actual install directory as you might be running the old
executable.

Dave
--
David Forrest   e-mail d...@maplepark.com
Maple Park Development Corporation   http://xen.maplepark.com
St. Louis, Missouri   (Sent by ALPINE 2.01 FEDORA 11 LINUX)
Re: installing on SLES 10sp3
David Forrest wrote:
> On Thu, 9 Sep 2010, Lyle Giese wrote:
>> I am trying to install bind 9.7.1-P2 from source on a SLES 10 SP3
>> server. When I run named from the command line, it runs, but fails to
>> open and write any of the zone files it downloaded.
>>
>> named -c /etc/named.conf (yes I am running this as root)
>
> I had similar problems with 9.7.1-P2 and it seemed that the named init
> script generated for F11 reset permissions on the /var/named directory.
> Go figure. But, to make it work, I inserted a chmod command just before
> it launched the daemon to set /var/named as owned by named. I also like
> the executable in /usr/local/sbin rather than /usr/sbin as the script
> said. So mine now is as below:
>
> ...
> chown -hR named:named /var/named                        ## DRF
> #daemon /usr/sbin/$named -u named ${OPTIONS};           ## DRF
> daemon /usr/local/sbin/$named -u named ${OPTIONS};      ## DRF
> ...
>
> I don't start it directly from the command line though, so running from
> the command line as root should not have that ownership problem. You
> might check the actual install directory as you might be running the
> old executable.
>
> Dave

I checked the version of named and named-checkconf using -v and -V and
tried running it via the full path. They have the right version number
9.7.1-P2.

Lyle Giese
LCR Computer Services, Inc.
Re: installing on SLES 10sp3
On Thu, 9 Sep 2010, Lyle Giese wrote:
> David Forrest wrote:
>> On Thu, 9 Sep 2010, Lyle Giese wrote:
>>> I am trying to install bind 9.7.1-P2 from source on a SLES 10 SP3
>>> server. When I run named from the command line, it runs, but fails to
>>> open and write any of the zone files it downloaded.
>>>
>>> named -c /etc/named.conf (yes I am running this as root)
>> [snipped]
>
> I checked the version of named and named-checkconf using -v and -V and
> tried running it via the full path. They have the right version number
> 9.7.1-P2.
>
> Lyle Giese

Lyle, since it runs from the command line, it would seem that you're left
with the zone files and those special files named needs. From the
named-checkconf man:

    Note: files that named reads in separate parser contexts, such as
    rndc.key and bind.keys, are not automatically read by named-checkconf.
    Configuration errors in these files may cause named to fail to run,
    even if named-checkconf was successful. named-checkconf can be run on
    these files explicitly, however.

I have also found some pesky errors in my zone files by running
named-checkzone on them. That may be indicated as you can run but the
zones don't open.

Dave
--
David Forrest   e-mail d...@maplepark.com
Maple Park Development Corporation   http://xen.maplepark.com
St. Louis, Missouri   (Sent by ALPINE 2.01 FEDORA 11 LINUX)
Re: installing on SLES 10sp3
David Forrest wrote:
> On Thu, 9 Sep 2010, Lyle Giese wrote:
>> David Forrest wrote:
>>> On Thu, 9 Sep 2010, Lyle Giese wrote:
>>>> I am trying to install bind 9.7.1-P2 from source on a SLES 10 SP3
>>>> server. When I run named from the command line, it runs, but fails
>>>> to open and write any of the zone files it downloaded.
>>>>
>>>> named -c /etc/named.conf (yes I am running this as root)
>>> [snipped]
>>
>> I checked the version of named and named-checkconf using -v and -V and
>> tried running it via the full path. They have the right version number
>> 9.7.1-P2.
>>
>> Lyle Giese
>
> Lyle, since it runs from the command line, it would seem that you're
> left with the zone files and those special files named needs. From the
> named-checkconf man:
>
>     Note: files that named reads in separate parser contexts, such as
>     rndc.key and bind.keys, are not automatically read by
>     named-checkconf. Configuration errors in these files may cause
>     named to fail to run, even if named-checkconf was successful.
>     named-checkconf can be run on these files explicitly, however.
>
> I have also found some pesky errors in my zone files by running
> named-checkzone on them. That may be indicated as you can run but the
> zones don't open.
>
> Dave

The more I play, the more it looks like named just plain won't write out
to disk anything except via syslog. The issue I saw with named-checkconf
was user error (bad command line).

I am starting named as root and it shows up in ps as owned by root. In
the global options section I have set:

directory /etc/named;

This directory is owned by root and is set to 777 and named still won't
write to it. The only thing I can come up with is that it's a problem with
SLES 10 SP3. That's the only thing that makes sense, but I should be able
to work through that.

When starting named, I see this for all zones. The function to dump the
master file fails with an open: permission denied.

Sep 9 15:30:32 linuxps named[16342]: transfer of '100.0.10.in-addr.arpa/IN' from 209.172.152.3#53: Transfer completed: 1 messages, 260 records, 6103 bytes, 0.224 secs (27245 bytes/sec)
Sep 9 15:30:32 linuxps named[16342]: zone 100.0.10.in-addr.arpa/IN: sending notifies (serial 2010081601)
Sep 9 15:30:32 linuxps named[16342]: dumping master file: /etc/named/tmp-EKfXmnQngI: open: permission denied

(I set the above zone for file /etc/named/100.0.10.in-addr.arpa; and it
appears that named wants to drop a temp file and rename it)

Sep 9 15:30:33 linuxps named[16342]: transfer of '102.0.10.in-addr.arpa/IN' from 209.172.152.3#53: Transfer completed: 1 messages, 261 records, 5636 bytes, 0.283 secs (19915 bytes/sec)
Sep 9 15:30:33 linuxps named[16342]: zone 102.0.10.in-addr.arpa/IN: sending notifies (serial 2010081601)
Sep 9 15:30:33 linuxps named[16342]: dumping master file: tmp-wS5yINBtho: open: permission denied

And rndc dumpdb -all yields this error:

Sep 9 15:46:03 linuxps named[16342]: received control channel command 'dumpdb -all'
Sep 9 15:46:03 linuxps named[16342]: could not open dump file 'named_dump.db': permission denied

Lyle Giese
LCR Computer Services, Inc.
Re: installing on SLES 10sp3
wllarso wrote:
> I'm not any sort of Linux expert but this started my mind thinking.
> Take a look at the BIND FAQ, it comes with the sources. There are some
> Linux specific comments about file and directory permissions. Bind
> running under Linux drops special 'root' permissions when it starts up.

I am not using the -u option nor am I running in a CHROOT environment.
ps shows root owning the named process.

> Also, there are specific issues when running the Security Enhanced
> Linux. This may be your situation, or not. We can't tell.

I have never on purpose enabled SELinux <GRIN>!

Lyle Giese
Sent from Garminfone by T-Mobile.

> Lyle Giese wrote:
>> David Forrest wrote:
>>> On Thu, 9 Sep 2010, Lyle Giese wrote:
>>>> David Forrest wrote:
>>>>> On Thu, 9 Sep 2010, Lyle Giese wrote:
>>>>>> I am trying to install bind 9.7.1-P2 from source on a SLES 10 SP3
>>>>>> server. When I run named from the command line, it runs, but
>>>>>> fails to open and write any of the zone files it downloaded.
>>>>>>
>>>>>> named -c /etc/named.conf (yes I am running this as root)
>>>>> [snipped]
>>>>
>>>> I checked the version of named and named-checkconf using -v and -V
>>>> and tried running it via the full path. They have the right version
>>>> number 9.7.1-P2.
>>>>
>>>> Lyle Giese
>>>
>>> Lyle, since it runs from the command line, it would seem that you're
>>> left with the zone files and those special files named needs. From
>>> the named-checkconf man:
>>>
>>>     Note: files that named reads in separate parser contexts, such as
>>>     rndc.key and bind.keys, are not automatically read by
>>>     named-checkconf. Configuration errors in these files may cause
>>>     named to fail to run, even if named-checkconf was successful.
>>>     named-checkconf can be run on these files explicitly, however.
>>>
>>> I have also found some pesky errors in my zone files by running
>>> named-checkzone on them. That may be indicated as you can run but the
>>> zones don't open.
>>>
>>> Dave
>>
>> The more I play, the more it looks like named just plain won't write
>> out to disk anything except via syslog. The issue I saw with
>> named-checkconf was user error (bad command line).
>>
>> I am starting named as root and it shows up in ps as owned by root. In
>> the global options section I have set:
>>
>> directory /etc/named;
>>
>> This directory is owned by root and is set to 777 and named still
>> won't write to it. The only thing I can come up with is that it's a
>> problem with SLES 10 SP3. That's the only thing that makes sense, but
>> I should be able to work through that.
>>
>> When starting named, I see this for all zones. The function to dump
>> the master file fails with an open: permission denied.
>>
>> Sep 9 15:30:32 linuxps named[16342]: transfer of '100.0.10.in-addr.arpa/IN' from 209.172.152.3#53: Transfer completed: 1 messages, 260 records, 6103 bytes, 0.224 secs (27245 bytes/sec)
>> Sep 9 15:30:32 linuxps named[16342]: zone 100.0.10.in-addr.arpa/IN: sending notifies (serial 2010081601)
>> Sep 9 15:30:32 linuxps named[16342]: dumping master file: /etc/named/tmp-EKfXmnQngI: open: permission denied
>>
>> (I set the above zone for file /etc/named/100.0.10.in-addr.arpa; and
>> it appears that named wants to drop a temp file and rename it)
>>
>> Sep 9 15:30:33 linuxps named[16342]: transfer of '102.0.10.in-addr.arpa/IN' from 209.172.152.3#53: Transfer completed: 1 messages, 261 records, 5636 bytes, 0.283 secs (19915 bytes/sec)
>> Sep 9 15:30:33 linuxps named[16342]: zone 102.0.10.in-addr.arpa/IN: sending notifies (serial 2010081601)
>> Sep 9 15:30:33 linuxps named[16342]: dumping master file: tmp-wS5yINBtho: open: permission denied
>>
>> And rndc dumpdb -all yields this error:
>>
>> Sep 9 15:46:03 linuxps named[16342]: received control channel command 'dumpdb -all'
>> Sep 9 15:46:03 linuxps named[16342]: could not open dump file 'named_dump.db': permission denied
>>
>> Lyle Giese
>> LCR Computer Services, Inc.
Re: installing on SLES 10sp3
Many Linux boxes have additional security subsystems added like SELinux
and you need to comply with both the filesystem and SELinux's
configuration. Also named drops root permissions. Both of these issues
are documented in the faq.

http://www.isc.org/software/bind/faq

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742   INTERNET: ma...@isc.org
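Chris Buxton's AppArmor diagnosis and Mark Andrews's pointer to the FAQ come down to the same check: when a process that ps shows as root gets "permission denied" on a directory that is mode 777, ordinary permission bits are not the gate, and the next thing to look at is the mandatory access control layer (AppArmor on SLES, SELinux on the RHEL family). The script below is an added example, not code from this thread or from ISC. It reads a running process's AppArmor confinement label from /proc and parses kernel denial records to list which profile refused which paths, then derives the directory rule that would need adding to the named profile so the profile can be extended rather than switched off. The sample log lines are constructed here in the audit layout current kernels emit for AppArmor (an assumption; SLES 10 logged a different shape), with paths echoing the ones named complained about in the thread.

```shell
#!/bin/sh
# Added example (not from the thread or ISC): triage "permission denied" for a
# root-owned named on an AppArmor host. A MAC denial ignores the mode bits, so
# instead of chmod 777 we look at the process label and the kernel's denials.

# Constructed sample kernel log lines (assumed current-kernel audit layout).
# Line 2 is a plain named log line and must be ignored by the parser.
SAMPLE_LOG='audit: type=1400 audit(1284053432.123:45): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/etc/named/tmp-EKfXmnQngI" pid=16342 comm="named" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
Sep  9 15:30:32 linuxps named[16342]: dumping master file: /etc/named/tmp-EKfXmnQngI: open: permission denied
audit: type=1400 audit(1284054363.456:46): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/etc/named/named_dump.db" pid=16342 comm="named" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0'

# AppArmor label of a live process: "unconfined", "<profile> (enforce)" or
# "(complain)", or "unknown" when /proc has no attr file (non-Linux, no LSM).
confinement_of() {
    if [ -r "/proc/$1/attr/current" ]; then
        tr -d '\000' < "/proc/$1/attr/current"
    else
        echo unknown
    fi
}

# Extract one quoted key="value" field (profile, name, denied_mask) from a record.
field() {
    printf '%s\n' "$2" | sed -n 's/.*[ (]'"$1"'="\([^"]*\)".*/\1/p'
}

# Print "profile path denied_mask" for every AppArmor denial in the given text.
apparmor_denials() {
    printf '%s\n' "$1" | grep 'apparmor="DENIED"' | while IFS= read -r line; do
        printf '%s %s %s\n' "$(field profile "$line")" "$(field name "$line")" \
            "$(field denied_mask "$line")"
    done
}

# Reduce denied paths to the parent-directory rule a profile would need,
# e.g. /etc/named/tmp-x -> "/etc/named/** rw,".  Output is de-duplicated.
suggest_rules() {
    apparmor_denials "$1" | awk '{
        n = split($2, p, "/"); dir = ""
        for (i = 2; i < n; i++) dir = dir "/" p[i]
        print dir "/** rw,"
    }' | sort -u
}

main() {
    # Pass named's PID as $1 on a real host; defaults to this shell for a demo.
    echo "confinement of pid ${1:-$$}: $(confinement_of "${1:-$$}")"
    echo "AppArmor denials (profile path mask):"
    apparmor_denials "$SAMPLE_LOG"
    echo "candidate rules for the named profile (review before adding):"
    suggest_rules "$SAMPLE_LOG"
}
main "$@"
```

On a live SLES host the log text would come from /var/log/audit/audit.log or the kernel log rather than SAMPLE_LOG, and the PID from `pidof named`. A label other than "unconfined" on the named process confirms Chris's diagnosis. The suggested `/etc/named/** rw,` line is a starting point only: `aa-logprof` is the supported tool for turning recorded denials into profile rules, and `apparmor_parser -r /etc/apparmor.d/usr.sbin.named` reloads the edited profile, which keeps the confinement in place while letting named write its zone files and named_dump.db.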