I am working on my second Ubuntu 16.04.1 LTS running Samba 4.5.0 with Bind9_DLZ.

I have one machine just like this one. Same hardware, same software setup. First machine is working fine.

At the moment this (second) machine is not joined to the other (until I get Bind running.)

I have searched log complaints. Compared settings between the two machines and despite bind running on the first one, cannot get bind to run on the second.

root@dtdc03:~# systemctl restart apparmor.service
root@dtdc03:~# systemctl status apparmor.service
● apparmor.service - LSB: AppArmor initialization
   Loaded: loaded (/etc/init.d/apparmor; bad; vendor preset: enabled)
   Active: active (exited) since Sun 2016-10-16 12:14:58 CDT; 13s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 2197 ExecStop=/etc/init.d/apparmor stop (code=exited, status=0/SUCCESS)
  Process: 1547 ExecReload=/etc/init.d/apparmor reload (code=exited, status=123)
  Process: 2211 ExecStart=/etc/init.d/apparmor start (code=exited, status=0/SUCCESS)

Oct 16 12:14:54 dtdc03 systemd[1]: Starting LSB: AppArmor initialization...
Oct 16 12:14:54 dtdc03 apparmor[2211]:  * Starting AppArmor profiles
Oct 16 12:14:57 dtdc03 apparmor[2211]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
Oct 16 12:14:58 dtdc03 apparmor[2211]:    ...done.
Oct 16 12:14:58 dtdc03 systemd[1]: Started LSB: AppArmor initialization.

root@dtdc03:~# systemctl restart bind9
root@dtdc03:~# systemctl status bind9
● bind9.service - BIND Domain Name Server
   Loaded: loaded (/lib/systemd/system/bind9.service; enabled; vendor preset: enabled)
  Drop-In: /run/systemd/generator/bind9.service.d
           └─50-insserv.conf-$named.conf
   Active: failed (Result: exit-code) since Sun 2016-10-16 12:15:21 CDT; 7s ago
     Docs: man:named(8)
  Process: 2267 ExecStop=/usr/sbin/rndc stop (code=exited, status=1/FAILURE)
  Process: 2260 ExecStart=/usr/sbin/named -f -u bind (code=exited, status=1/FAILURE)
 Main PID: 2260 (code=exited, status=1/FAILURE)

Oct 16 12:15:21 dtdc03 named[2260]: listening on IPv4 interface enp2s0, 192.168.16.49#53
Oct 16 12:15:21 dtdc03 named[2260]: generating session key for dynamic DNS
Oct 16 12:15:21 dtdc03 named[2260]: sizing zone task pool based on 5 zones
Oct 16 12:15:21 dtdc03 named[2260]: Loading 'AD DNS Zone' using driver dlopen
Oct 16 12:15:21 dtdc03 named[2260]: dlz_dlopen failed to open library '/usr/local/samba/lib/bind9/dlz_bind9_10.so' - /usr/local/samba/lib/bind9/dlz_bind9_10.so: cannot open shared object file: P
Oct 16 12:15:21 dtdc03 systemd[1]: bind9.service: Main process exited, code=exited, status=1/FAILURE
Oct 16 12:15:21 dtdc03 rndc[2267]: rndc: connect failed: 127.0.0.1#953: connection refused
Oct 16 12:15:21 dtdc03 systemd[1]: bind9.service: Control process exited, code=exited status=1
Oct 16 12:15:21 dtdc03 systemd[1]: bind9.service: Unit entered failed state.
Oct 16 12:15:21 dtdc03 systemd[1]: bind9.service: Failed with result 'exit-code'.

Part of the /var/log/syslog:

Oct 16 12:15:21 dtdc03 named[2260]: listening on IPv4 interface enp2s0, 192.168.16.49#53
Oct 16 12:15:21 dtdc03 named[2260]: generating session key for dynamic DNS
Oct 16 12:15:21 dtdc03 named[2260]: sizing zone task pool based on 5 zones
Oct 16 12:15:21 dtdc03 named[2260]: Loading 'AD DNS Zone' using driver dlopen
Oct 16 12:15:21 dtdc03 named[2260]: dlz_dlopen failed to open library '/usr/local/samba/lib/bind9/dlz_bind9_10.so' - /usr/local/samba/lib/bind9/dlz_bind9_10.so: cannot open shared object file: Permission denied
Oct 16 12:15:21 dtdc03 named[2260]: dlz_dlopen of 'AD DNS Zone' failed
Oct 16 12:15:21 dtdc03 named[2260]: SDLZ driver failed to load.
Oct 16 12:15:21 dtdc03 named[2260]: DLZ driver failed to load.
Oct 16 12:15:21 dtdc03 named[2260]: loading configuration: failure
Oct 16 12:15:21 dtdc03 kernel: [ 2033.472693] audit_printk_skb: 18 callbacks suppressed
Oct 16 12:15:21 dtdc03 kernel: [ 2033.472704] audit: type=1400 audit(1476638121.877:194): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/usr/local/samba/lib/bind9/dlz_bind9_10.so" pid=2263 comm="named" requested_mask="r" denied_mask="r" fsuid=113 ouid=0
Oct 16 12:15:21 dtdc03 named[2260]: exiting (due to fatal error)
Oct 16 12:15:21 dtdc03 systemd[1]: bind9.service: Main process exited, code=exited, status=1/FAILURE
Oct 16 12:15:21 dtdc03 rndc[2267]: rndc: connect failed: 127.0.0.1#953: connection refused
Oct 16 12:15:21 dtdc03 systemd[1]: bind9.service: Control process exited, code=exited status=1
Oct 16 12:15:21 dtdc03 systemd[1]: bind9.service: Unit entered failed state.
Oct 16 12:15:21 dtdc03 systemd[1]: bind9.service: Failed with result 'exit-code'.

I must be overlooking something but, what?

Any suggestions would be greatly appreciated.

-- 
_______________________________
Bob Wooden of Donelson Trophy
On Sun, 16 Oct 2016 12:38:00 -0500
Bob of Donelson Trophy via samba <samba@lists.samba.org> wrote:

> I am working on my second Ubuntu 16.04.1 LTS running Samba 4.5.0 with Bind9_DLZ.
>
> I have one machine just like this one. Same hardware, same software setup. First machine is working fine.
>
> At the moment this (second) machine is not joined to the other (until I get Bind running.)
>
> I have searched log complaints. Compared settings between the two machines and despite bind running on the first one, cannot get bind to run on the second.
>
> root@dtdc03:~# systemctl restart apparmor.service
> root@dtdc03:~# systemctl status apparmor.service
> ● apparmor.service - LSB: AppArmor initialization
>    Loaded: loaded (/etc/init.d/apparmor; bad; vendor preset: enabled)
>    Active: active (exited) since Sun 2016-10-16 12:14:58 CDT; 13s ago
>      Docs: man:systemd-sysv-generator(8)
>   Process: 2197 ExecStop=/etc/init.d/apparmor stop (code=exited, status=0/SUCCESS)
>   Process: 1547 ExecReload=/etc/init.d/apparmor reload (code=exited, status=123)
>   Process: 2211 ExecStart=/etc/init.d/apparmor start (code=exited, status=0/SUCCESS)
>
> Oct 16 12:14:54 dtdc03 systemd[1]: Starting LSB: AppArmor initialization...
> Oct 16 12:14:54 dtdc03 apparmor[2211]:  * Starting AppArmor profiles
> Oct 16 12:14:57 dtdc03 apparmor[2211]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
> Oct 16 12:14:58 dtdc03 apparmor[2211]:    ...done.
> Oct 16 12:14:58 dtdc03 systemd[1]: Started LSB: AppArmor initialization.
>
> root@dtdc03:~# systemctl restart bind9
> root@dtdc03:~# systemctl status bind9
> ● bind9.service - BIND Domain Name Server
>    Loaded: loaded (/lib/systemd/system/bind9.service; enabled; vendor preset: enabled)
>   Drop-In: /run/systemd/generator/bind9.service.d
>            └─50-insserv.conf-$named.conf
>    Active: failed (Result: exit-code) since Sun 2016-10-16 12:15:21 CDT; 7s ago
>      Docs: man:named(8)
>   Process: 2267 ExecStop=/usr/sbin/rndc stop (code=exited, status=1/FAILURE)
>   Process: 2260 ExecStart=/usr/sbin/named -f -u bind (code=exited, status=1/FAILURE)
>  Main PID: 2260 (code=exited, status=1/FAILURE)
>
> Oct 16 12:15:21 dtdc03 named[2260]: listening on IPv4 interface enp2s0, 192.168.16.49#53
> Oct 16 12:15:21 dtdc03 named[2260]: generating session key for dynamic DNS
> Oct 16 12:15:21 dtdc03 named[2260]: sizing zone task pool based on 5 zones
> Oct 16 12:15:21 dtdc03 named[2260]: Loading 'AD DNS Zone' using driver dlopen
> Oct 16 12:15:21 dtdc03 named[2260]: dlz_dlopen failed to open library '/usr/local/samba/lib/bind9/dlz_bind9_10.so' - /usr/local/samba/lib/bind9/dlz_bind9_10.so: cannot open shared object file: P
> Oct 16 12:15:21 dtdc03 systemd[1]: bind9.service: Main process exited, code=exited, status=1/FAILURE
> Oct 16 12:15:21 dtdc03 rndc[2267]: rndc: connect failed: 127.0.0.1#953: connection refused
> Oct 16 12:15:21 dtdc03 systemd[1]: bind9.service: Control process exited, code=exited status=1
> Oct 16 12:15:21 dtdc03 systemd[1]: bind9.service: Unit entered failed state.
> Oct 16 12:15:21 dtdc03 systemd[1]: bind9.service: Failed with result 'exit-code'.
>
> Part of the /var/log/syslog:
>
> Oct 16 12:15:21 dtdc03 named[2260]: listening on IPv4 interface enp2s0, 192.168.16.49#53
> Oct 16 12:15:21 dtdc03 named[2260]: generating session key for dynamic DNS
> Oct 16 12:15:21 dtdc03 named[2260]: sizing zone task pool based on 5 zones
> Oct 16 12:15:21 dtdc03 named[2260]: Loading 'AD DNS Zone' using driver dlopen
> Oct 16 12:15:21 dtdc03 named[2260]: dlz_dlopen failed to open library '/usr/local/samba/lib/bind9/dlz_bind9_10.so' - /usr/local/samba/lib/bind9/dlz_bind9_10.so: cannot open shared object file: Permission denied
> Oct 16 12:15:21 dtdc03 named[2260]: dlz_dlopen of 'AD DNS Zone' failed
> Oct 16 12:15:21 dtdc03 named[2260]: SDLZ driver failed to load.
> Oct 16 12:15:21 dtdc03 named[2260]: DLZ driver failed to load.
> Oct 16 12:15:21 dtdc03 named[2260]: loading configuration: failure
> Oct 16 12:15:21 dtdc03 kernel: [ 2033.472693] audit_printk_skb: 18 callbacks suppressed
> Oct 16 12:15:21 dtdc03 kernel: [ 2033.472704] audit: type=1400 audit(1476638121.877:194): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/usr/local/samba/lib/bind9/dlz_bind9_10.so" pid=2263 comm="named" requested_mask="r" denied_mask="r" fsuid=113 ouid=0
> Oct 16 12:15:21 dtdc03 named[2260]: exiting (due to fatal error)
> Oct 16 12:15:21 dtdc03 systemd[1]: bind9.service: Main process exited, code=exited, status=1/FAILURE
> Oct 16 12:15:21 dtdc03 rndc[2267]: rndc: connect failed: 127.0.0.1#953: connection refused
> Oct 16 12:15:21 dtdc03 systemd[1]: bind9.service: Control process exited, code=exited status=1
> Oct 16 12:15:21 dtdc03 systemd[1]: bind9.service: Unit entered failed state.
> Oct 16 12:15:21 dtdc03 systemd[1]: bind9.service: Failed with result 'exit-code'.
>
> I must be overlooking something but, what?

How about:

dlz_dlopen failed to open library '/usr/local/samba/lib/bind9/dlz_bind9_10.so' - /usr/local/samba/lib/bind9/dlz_bind9_10.so: cannot open shared object file: Permission denied

and:

apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/usr/local/samba/lib/bind9/dlz_bind9_10.so" pid=2263 comm="named" requested_mask="r" denied_mask="r" fsuid=113 ouid=0

You need to set up Apparmor.

Rowland
On 2016-10-16 12:55, Rowland Penny via samba wrote:

> On Sun, 16 Oct 2016 12:38:00 -0500
> Bob of Donelson Trophy via samba <samba@lists.samba.org> wrote:
>
>> I am working on my second Ubuntu 16.04.1 LTS running Samba 4.5.0 with Bind9_DLZ.
>>
>> I have one machine just like this one. Same hardware, same software setup. First machine is working fine.
>>
>> At the moment this (second) machine is not joined to the other (until I get Bind running.)
>>
>> I have searched log complaints. Compared settings between the two machines and despite bind running on the first one, cannot get bind to run on the second.
>>
>> root@dtdc03:~# systemctl restart apparmor.service
>> root@dtdc03:~# systemctl status apparmor.service
>> ● apparmor.service - LSB: AppArmor initialization
>>    Loaded: loaded (/etc/init.d/apparmor; bad; vendor preset: enabled)
>>    Active: active (exited) since Sun 2016-10-16 12:14:58 CDT; 13s ago
>>      Docs: man:systemd-sysv-generator(8)
>>   Process: 2197 ExecStop=/etc/init.d/apparmor stop (code=exited, status=0/SUCCESS)
>>   Process: 1547 ExecReload=/etc/init.d/apparmor reload (code=exited, status=123)
>>   Process: 2211 ExecStart=/etc/init.d/apparmor start (code=exited, status=0/SUCCESS)
>>
>> Oct 16 12:14:54 dtdc03 systemd[1]: Starting LSB: AppArmor initialization...
>> Oct 16 12:14:54 dtdc03 apparmor[2211]:  * Starting AppArmor profiles
>> Oct 16 12:14:57 dtdc03 apparmor[2211]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
>> Oct 16 12:14:58 dtdc03 apparmor[2211]:    ...done.
>> Oct 16 12:14:58 dtdc03 systemd[1]: Started LSB: AppArmor initialization.
>>
>> root@dtdc03:~# systemctl restart bind9
>> root@dtdc03:~# systemctl status bind9
>> ● bind9.service - BIND Domain Name Server
>>    Loaded: loaded (/lib/systemd/system/bind9.service; enabled; vendor preset: enabled)
>>   Drop-In: /run/systemd/generator/bind9.service.d
>>            └─50-insserv.conf-$named.conf
>>    Active: failed (Result: exit-code) since Sun 2016-10-16 12:15:21 CDT; 7s ago
>>      Docs: man:named(8)
>>   Process: 2267 ExecStop=/usr/sbin/rndc stop (code=exited, status=1/FAILURE)
>>   Process: 2260 ExecStart=/usr/sbin/named -f -u bind (code=exited, status=1/FAILURE)
>>  Main PID: 2260 (code=exited, status=1/FAILURE)
>>
>> Oct 16 12:15:21 dtdc03 named[2260]: listening on IPv4 interface enp2s0, 192.168.16.49#53
>> Oct 16 12:15:21 dtdc03 named[2260]: generating session key for dynamic DNS
>> Oct 16 12:15:21 dtdc03 named[2260]: sizing zone task pool based on 5 zones
>> Oct 16 12:15:21 dtdc03 named[2260]: Loading 'AD DNS Zone' using driver dlopen
>> Oct 16 12:15:21 dtdc03 named[2260]: dlz_dlopen failed to open library '/usr/local/samba/lib/bind9/dlz_bind9_10.so' - /usr/local/samba/lib/bind9/dlz_bind9_10.so: cannot open shared object file: P
>> Oct 16 12:15:21 dtdc03 systemd[1]: bind9.service: Main process exited, code=exited, status=1/FAILURE
>> Oct 16 12:15:21 dtdc03 rndc[2267]: rndc: connect failed: 127.0.0.1#953: connection refused
>> Oct 16 12:15:21 dtdc03 systemd[1]: bind9.service: Control process exited, code=exited status=1
>> Oct 16 12:15:21 dtdc03 systemd[1]: bind9.service: Unit entered failed state.
>> Oct 16 12:15:21 dtdc03 systemd[1]: bind9.service: Failed with result 'exit-code'.
>>
>> Part of the /var/log/syslog:
>>
>> Oct 16 12:15:21 dtdc03 named[2260]: listening on IPv4 interface enp2s0, 192.168.16.49#53
>> Oct 16 12:15:21 dtdc03 named[2260]: generating session key for dynamic DNS
>> Oct 16 12:15:21 dtdc03 named[2260]: sizing zone task pool based on 5 zones
>> Oct 16 12:15:21 dtdc03 named[2260]: Loading 'AD DNS Zone' using driver dlopen
>> Oct 16 12:15:21 dtdc03 named[2260]: dlz_dlopen failed to open library '/usr/local/samba/lib/bind9/dlz_bind9_10.so' - /usr/local/samba/lib/bind9/dlz_bind9_10.so: cannot open shared object file: Permission denied
>> Oct 16 12:15:21 dtdc03 named[2260]: dlz_dlopen of 'AD DNS Zone' failed
>> Oct 16 12:15:21 dtdc03 named[2260]: SDLZ driver failed to load.
>> Oct 16 12:15:21 dtdc03 named[2260]: DLZ driver failed to load.
>> Oct 16 12:15:21 dtdc03 named[2260]: loading configuration: failure
>> Oct 16 12:15:21 dtdc03 kernel: [ 2033.472693] audit_printk_skb: 18 callbacks suppressed
>> Oct 16 12:15:21 dtdc03 kernel: [ 2033.472704] audit: type=1400 audit(1476638121.877:194): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/usr/local/samba/lib/bind9/dlz_bind9_10.so" pid=2263 comm="named" requested_mask="r" denied_mask="r" fsuid=113 ouid=0
>> Oct 16 12:15:21 dtdc03 named[2260]: exiting (due to fatal error)
>> Oct 16 12:15:21 dtdc03 systemd[1]: bind9.service: Main process exited, code=exited, status=1/FAILURE
>> Oct 16 12:15:21 dtdc03 rndc[2267]: rndc: connect failed: 127.0.0.1#953: connection refused
>> Oct 16 12:15:21 dtdc03 systemd[1]: bind9.service: Control process exited, code=exited status=1
>> Oct 16 12:15:21 dtdc03 systemd[1]: bind9.service: Unit entered failed state.
>> Oct 16 12:15:21 dtdc03 systemd[1]: bind9.service: Failed with result 'exit-code'.
>>
>> I must be overlooking something but, what?
>
> How about:
>
> dlz_dlopen failed to open library '/usr/local/samba/lib/bind9/dlz_bind9_10.so' - /usr/local/samba/lib/bind9/dlz_bind9_10.so: cannot open shared object file: Permission denied
>
> and:
>
> apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/usr/local/samba/lib/bind9/dlz_bind9_10.so" pid=2263 comm="named" requested_mask="r" denied_mask="r" fsuid=113 ouid=0
>
> You need to set up Apparmor.
>
> Rowland

I guess this is where I am confused. Am I giving permission to "/usr/sbin/named" or "/usr/local/samba/lib/bind9/dlz_bind9_10.so" or both?

Apparmor is set the same on both machines, and the first machine works; this one (second machine) does not!

I thought (could be wrong) that apparmor gives permission to the "name=" file?

-- 
_______________________________
Bob Wooden of Donelson Trophy
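Added example, not code from the thread, from Samba or from either poster: a small Python triage script run over the syslog excerpt Bob posted. It covers Rowland's "you need to set up Apparmor" and Bob's follow-up question at once. In AppArmor the profile is attached to the confined executable (the audit record's profile="/usr/sbin/named"), and the rules inside that profile name the objects the executable may touch (name="/usr/local/samba/lib/bind9/dlz_bind9_10.so"), so the permission is added to named's profile and it names the .so. The record being a kernel audit type=1400 line also tells a responder the refusal came from AppArmor, not from the file's mode bits, which is why comparing Unix permissions between the two machines would not surface the difference. Assumed, not taken from the thread: the /etc/apparmor.d/local/<profile> override file that Ubuntu's shipped profiles include, the "apparmor_parser -r" reload, and the extra "m" (mmap) permission a dlopen'ed library needs beyond "r".

```python
"""Triage AppArmor DENIED audit records and derive the profile rule each implies.

Added example for this thread; not Samba code and not either poster's.
AppArmor model: the subject is the executable (profile=), the rule lives in
that subject's profile and names the object (name=) plus the permissions.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the syslog lines from the thread, one record per string,
# with the audit record's fields exactly as posted.
SAMPLE_SYSLOG = [
    "Oct 16 12:15:21 dtdc03 named[2260]: Loading 'AD DNS Zone' using driver dlopen",
    "Oct 16 12:15:21 dtdc03 named[2260]: dlz_dlopen failed to open library "
    "'/usr/local/samba/lib/bind9/dlz_bind9_10.so' - "
    "/usr/local/samba/lib/bind9/dlz_bind9_10.so: cannot open shared object file: Permission denied",
    "Oct 16 12:15:21 dtdc03 kernel: [ 2033.472704] audit: type=1400 "
    'audit(1476638121.877:194): apparmor="DENIED" operation="open" '
    'profile="/usr/sbin/named" name="/usr/local/samba/lib/bind9/dlz_bind9_10.so" '
    'pid=2263 comm="named" requested_mask="r" denied_mask="r" fsuid=113 ouid=0',
    "Oct 16 12:15:21 dtdc03 named[2260]: exiting (due to fatal error)",
]

# key=value or key="quoted value" pairs as the audit subsystem writes them
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class Denial:
    operation: str
    profile: str      # the confined executable (subject)
    name: str         # the object path the subject was refused
    denied_mask: str  # permission letters AppArmor refused (r, w, m, k, x ...)
    comm: str
    fsuid: int        # uid the process was running as at the time


def parse_denial(line: str) -> Optional[Denial]:
    """Return a Denial for an AppArmor DENIED audit record, None for any other line."""
    if 'apparmor="DENIED"' not in line:
        return None
    fields = {k: v.strip('"') for k, v in _KV.findall(line)}
    try:
        return Denial(
            operation=fields["operation"],
            profile=fields["profile"],
            name=fields["name"],
            denied_mask=fields["denied_mask"],
            comm=fields["comm"],
            fsuid=int(fields["fsuid"]),
        )
    except KeyError:
        return None  # a DENIED record without a file object (e.g. capability)


def suggested_rule(d: Denial) -> str:
    """Minimal file rule to add to the subject's profile for this object."""
    perms = set(d.denied_mask)
    # Assumption stated in the lead-in: a library opened via dlopen() is then
    # mmap'ed executable, mediated as 'm'; granting only 'r' would move the
    # failure to a second denial on the same file at the next start.
    if d.name.endswith(".so") or ".so." in d.name:
        perms.add("m")
    mode = "".join(p for p in "rwmkx" if p in perms)
    return f"{d.name} {mode},"


def profile_basename(d: Denial) -> str:
    """Profile file name convention: executable path with '/' turned into '.'."""
    return d.profile.strip("/").replace("/", ".")


def triage(lines: List[str]) -> List[dict]:
    """Reduce a log excerpt to the distinct (profile, object) rules it calls for."""
    seen, out = set(), []
    for line in lines:
        d = parse_denial(line)
        if d is None or (d.profile, d.name) in seen:
            continue
        seen.add((d.profile, d.name))
        base = profile_basename(d)
        out.append({
            "profile": d.profile,
            "rule": suggested_rule(d),
            # Assumed layout: shipped profile plus a local override it includes.
            "profile_file": f"/etc/apparmor.d/{base}",
            "local_override": f"/etc/apparmor.d/local/{base}",
            "running_as_uid": d.fsuid,
        })
    return out


if __name__ == "__main__":
    for item in triage(SAMPLE_SYSLOG):
        print(f'profile {item["profile"]} (process uid {item["running_as_uid"]}) needs:')
        print(f'  {item["rule"]}')
        print(f'  append to {item["local_override"]}, then reload with:')
        print(f'  apparmor_parser -r {item["profile_file"]}')
```

For Bob's log the script yields one rule, "/usr/local/samba/lib/bind9/dlz_bind9_10.so rm," for the /usr/sbin/named profile; fsuid=113 is the unprivileged user named dropped to via "-u bind", so the object has to be readable both under the profile and under ordinary file modes. Many admins widen the path to the whole Samba bind9 directory rather than a single versioned .so, which is a reasonable least-privilege trade-off since the directory holds only Samba's DLZ modules.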