Univention Bugzilla – Bug 25358
Error messages / runs as root instead of bind
Last modified: 2020-05-07 08:37:21 CEST
univention-bind-samba4 runs as "root" instead of "bind", as "univention-bind" and "univention-bind-proxy" do.

1. It should definitely be checked whether this is necessary, because several security vulnerabilities have been found in Bind in recent years.

2. Apparently this leads to the following (error) messages at startup:

none:0 open: /etc/bind/rndc.key: permission denied (Bug #24785)
couldn't add command channel 127.0.0.1#952: permission denied
couldn't add command channel ::1#952: permission denied

zone ./IN: has 0 SOA records (Bug #3129)
zone ./IN: has no NS records
zone ./IN: not loaded de to errors.
managed-keys-zone ./IN: loading from maste file managed-keys.bind failed: file not found
managed-keys-zone: ./IN: loaded serial 0

3. On the backup, "/etc/bind/named.conf.samba4" references the file "/var/lib/samba/private/dns.keytab" for the "tkey-gssapi-keytab" setting in the "options" section, and that file does not exist (there).
(In reply to comment #0)
> 2. Apparently this leads to the following (error) messages at startup:
> none:0 open: /etc/bind/rndc.key: permission denied (Bug #24785)
> couldn't add command channel 127.0.0.1#952: permission denied
> couldn't add command channel ::1#952: permission denied
>
> zone ./IN: has 0 SOA records (Bug #3129)
> zone ./IN: has no NS records
> zone ./IN: not loaded de to errors.
> managed-keys-zone ./IN: loading from maste file managed-keys.bind failed: file
> not found
> managed-keys-zone: ./IN: loaded serial 0
>
> 3. On the backup, "/etc/bind/named.conf.samba4" references the file
> "/var/lib/samba/private/dns.keytab" for the "tkey-gssapi-keytab" setting in the
> "options" section, and that file does not exist (there).

It sounds as if your S4 setup was not successful. There should be information about it in the join.log.
Point 2 has been reported in the forum. I can observe this on a test master as well (name resolution does work, though).

May 18 14:08:15 adrian named[16962]: none:0: open: /etc/bind/rndc.key: permission denied
May 18 14:08:15 adrian named[16962]: couldn't add command channel 127.0.0.1#953: permission denied
May 18 14:08:15 adrian named[16962]: none:0: open: /etc/bind/rndc.key: permission denied
May 18 14:08:15 adrian named[16962]: couldn't add command channel ::1#953: permission denied
May 18 14:08:15 adrian named[16962]: managed-keys-zone ./IN: loading from master file managed-keys.bind failed: file not found
May 18 14:08:15 adrian named[16962]: managed-keys-zone ./IN: loaded serial 0
May 18 14:08:15 adrian named[16962]: running

root@master:~# ls -la /etc/bind/rndc.key
-rw-rw---- 1 bind bind 77 30. Apr 10:14 /etc/bind/rndc.key
root@master:~# ps aux | grep name
root 16962 0.4 2.0 351320 20968 ? Sl 14:08 0:01 /usr/sbin/named -c /etc/bind/named.conf.samba4 -f
(In reply to comment #2) "adrian" == "master"
(In reply to comment #2)
> Point 2 has been reported in the forum.
> I can observe this on a test master as well (name resolution does work,
> though).
> May 18 14:08:15 adrian named[16962]: none:0: open: /etc/bind/rndc.key:
> permission denied
> May 18 14:08:15 adrian named[16962]: couldn't add command channel
> 127.0.0.1#953: permission denied
> May 18 14:08:15 adrian named[16962]: none:0: open: /etc/bind/rndc.key:
> permission denied
> May 18 14:08:15 adrian named[16962]: couldn't add command channel ::1#953:
> permission denied
> May 18 14:08:15 adrian named[16962]: managed-keys-zone ./IN: loading from
> master file managed-keys.bind failed: file not found
> May 18 14:08:15 adrian named[16962]: managed-keys-zone ./IN: loaded serial 0
> May 18 14:08:15 adrian named[16962]: running

For me, as reported in the forum, name resolution also works, just not for newly created DNS entries...
<http://forum.univention.de/viewtopic.php?f=48&t=2057&p=7189>

Workaround so that bind opens the control port (953) again:

chown root:root /etc/bind/rndc.key
Are the "managed-keys" messages a "problem" at this point? Offhand I found the following on it:
<http://serversupportforum.de/forum/dns/40446-bind-managed-keys-zone.html>
Please refer to http://o-o-s.de/2011-03-05/debian-squeeze-managed-keys-bind-file-not-found

After changing the contents of /etc/bind/named.conf.bind as described above the error didn't occur anymore.

Adding the line 'include "/etc/bind/bind.keys";' after 'include "/etc/bind/local.conf.samba4";' and "touch /var/cache/bind/managed-keys.bind ; chown bind:bind /var/cache/bind/managed-keys.bind" solves the problem. DNS is still working.

tail -f /var/log/daemon.log:
...
Jan 22 12:34:40 ucs1 named[6863]: automatic empty zone: B.E.F.IP6.ARPA
Jan 22 12:34:40 ucs1 named[6863]: automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
Jan 22 12:34:40 ucs1 named[6863]: command channel listening on 127.0.0.1#953
Jan 22 12:34:40 ucs1 named[6863]: command channel listening on ::1#953
Jan 22 12:34:40 ucs1 named[6863]: managed-keys-zone ./IN: loaded serial 1
Jan 22 12:34:40 ucs1 named[6863]: running
(In reply to comment #7)
> Please refer to
> http://o-o-s.de/2011-03-05/debian-squeeze-managed-keys-bind-file-not-found
>
> After changing the contents of /etc/bind/named.conf.bind as described above the
> error didn't occur anymore.
>
> Adding the line 'include "/etc/bind/bind.keys";' after 'include
> "/etc/bind/local.conf.samba4";' and "touch /var/cache/bind/managed-keys.bind ;
> chown bind:bind /var/cache/bind/managed-keys.bind" solves the problem. DNS is
> still working.

This leads to a situation in which the univention-bind-samba4 service couldn't be stopped anymore after an update to UCS 3.1 - not sure if this was there before in UCS 3.0. After removing the above config, everything is okay again.
(In reply to comment #8)
> not sure if this was there before in UCS 3.0.

It wasn't used in that environment before UCS 3.1.
That's the way it looks with adjusted managed-keys config:

root@host:/etc/service/univention-bind-samba4# ls -la
insgesamt 28
drwxr-xr-x 4 root root 4096 14. Feb 13:14 .
drwxr-xr-x 9 root root 4096 18. Apr 2012 ..
-rw-r--r-- 1 root root    0 21. Dez 2011 down
lrwxrwxrwx 1 root root   41 31. Jan 10:27 finish -> /usr/share/univention-runit/sleep-dynamic
-rw-r--r-- 1 root root 1185 14. Feb 13:14 managed-keys.bind
-rw-r--r-- 1 root root  512 14. Feb 13:14 managed-keys.bind.jnl
-rwxr-xr-x 1 root root 1908 31. Jan 10:31 run
drwxr-xr-x 2 root root 4096 14. Feb 13:10 strange_files
drwx------ 2 root root 4096 14. Feb 13:14 supervise

I suppose that sv gets in trouble when stopping the service with these files in there... Actually the folder doesn't get cleaned up: after "sv stop univention-bind-samba4" the named process is still there, the folder isn't cleaned up and named does not respond. You have to kill it.
(In reply to comment #10)
> drwxr-xr-x 2 root root 4096 14. Feb 13:10 strange_files

That's from me ;)
We currently don't save the DNS data in separate LDB partitions. This was changed upstream (Samba 4) between the S4 version in UCS 3.0 and the S4 version in UCS 3.1, but we didn't change it because it would have broken the DNS replication. The change is planned for UCS 3.2, but in this case all other S4 DCs must be at least 3.1: Bug #30704.

Until we have moved to separate LDB partitions we must run bind as root, or we must give bind permission to read the whole LDB interface.

In this bug I changed the permissions for /etc/bind/rndc.key to root. Thus the rndc port is opened again.

I created a new bug for this message, because it is not a real problem, so we won't fix it for UCS 3.1-1: Bug #30705
> managed-keys-zone ./IN: loading from master file managed-keys.bind failed: file
> not found
Verified:
==========================================================
root@master10:~# ucr set dns/backend='ldap'
Setting dns/backend
root@master10:~# /etc/init.d/univention-bind restart
Restarting bind9 daemon: . done.
root@master10:~# ls -l /etc/bind/rndc.key
-rw-rw---- 1 bind bind 77 28. Jan 10:52 /etc/bind/rndc.key
root@master10:~# rndc reload
server reload successful
root@master10:~# ucr set dns/backend='samba4'
Setting dns/backend
root@master10:~# /etc/init.d/univention-bind restart
Restarting bind9 daemon: . done.
root@master10:~# ls -l /etc/bind/rndc.key
-rw-rw---- 1 root root 77 28. Jan 10:52 /etc/bind/rndc.key
root@master10:~# rndc reload
server reload successful
==========================================================
Changelog OK.
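As an added example (not from the bug report or from Univention), a small POSIX sh audit for the two misconfigurations this thread turns on: the tkey-gssapi-keytab file referenced from named.conf.samba4 being absent (comment #0, point 3), and /etc/bind/rndc.key not being owned by the account named actually runs as (comments #2 and #5, and the ownership the verification above shows). Function names, the constructed temp tree in demo and the use of GNU stat -c are my assumptions.

```sh
#!/bin/sh
# Added audit for the two misconfigurations in this bug; not a Univention script.
# Assumes GNU coreutils (stat -c) and that the caller supplies the file paths and the
# account named runs as (taken from "ps aux | grep name", as in comment #2).

# Print the quoted value of a single-valued option (e.g. tkey-gssapi-keytab).
conf_option() {   # $1 = named.conf file, $2 = option name
    sed -n "s/^[[:space:]]*$2[[:space:]]*\"\([^\"]*\)\"[[:space:]]*;.*/\1/p" "$1" | head -n 1
}

# Succeed only if the keytab named by tkey-gssapi-keytab exists (comment #0, point 3:
# the backup referenced /var/lib/samba/private/dns.keytab, which was absent there).
keytab_present() {   # $1 = named.conf file
    kt=$(conf_option "$1" tkey-gssapi-keytab)
    [ -n "$kt" ] && [ -f "$kt" ]
}

# Succeed only if $1 is owned by user $2 and is not world-readable: the rndc.key state the
# verification in comment #13 shows (bind:bind with dns/backend=ldap, root:root with samba4,
# i.e. always the account named itself runs as).
key_owned_by() {   # $1 = key file, $2 = user named runs as
    [ "$(stat -c %U "$1")" = "$2" ] || return 1
    case "$(stat -c %a "$1")" in
        *[4-7]) return 1 ;;   # read bit set in the last octal digit: anyone can read the key
    esac
    return 0
}

# Run both checks, print one verdict per check and return non-zero if anything failed.
audit_named() {   # $1 = named.conf, $2 = rndc.key, $3 = user named runs as
    rc=0
    if keytab_present "$1"; then echo "ok: keytab referenced by $1 exists"
    else echo "FAIL: tkey-gssapi-keytab in $1 points to a missing file"; rc=1; fi
    if key_owned_by "$2" "$3"; then echo "ok: $2 is owned by $3 and not world-readable"
    else echo "FAIL: $2 is not owned by $3 or is world-readable"; rc=1; fi
    return $rc
}

# Constructed demo with a temporary tree (no real system files): the broken state, then the fix.
demo() {
    t=$(mktemp -d)
    printf 'options {\n    tkey-gssapi-keytab "%s/dns.keytab";\n};\n' "$t" > "$t/named.conf.samba4"
    : > "$t/rndc.key"; chmod 660 "$t/rndc.key"
    audit_named "$t/named.conf.samba4" "$t/rndc.key" nosuchuser    # keytab missing, wrong owner
    : > "$t/dns.keytab"
    audit_named "$t/named.conf.samba4" "$t/rndc.key" "$(id -un)"   # both checks pass
    rm -rf "$t"
}

case "${1:-}" in demo) demo ;; esac   # usage: sh named_audit.sh demo
```

On a real host, call audit_named with /etc/bind/named.conf.samba4, /etc/bind/rndc.key and the user shown by ps for the named process.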
UCS 3.1-1 has been released:
http://download.univention.de/doc/release-notes-3.1-1_en.pdf
http://download.univention.de/doc/release-notes-3.1-1.pdf

If this error occurs again, please use "Clone This Bug".
*** Bug 24785 has been marked as a duplicate of this bug. ***