> From: Rowland penny via samba <samba at lists.samba.org>
> To: samba at lists.samba.org
> Date: 05/14/2019 02:50 PM
> Subject: Re: [Samba] Workstations cannot update DNS
> Sent by: "samba" <samba-bounces at lists.samba.org>
>
> On 14/05/2019 21:36, Durwin via samba wrote:
> > I am trying to get DDNS working, so workstations can update their ip.
> >
> > The domain is msi.mycompany.com
> >
> > The DC server works, as well as group policies.
> >
> > I set rights to these files
> >> chgrp bind /var/lib/samba/private/
> >> chmod 750 /var/lib/samba/private/
> >> chgrp bind /var/lib/samba/private/dns.keytab
> >> chmod 640 /var/lib/samba/private/dns.keytab
> > journalctl shows this.
> > May 14 14:22:32 audit[2117]: AVC apparmor="DENIED" operation="file_lock"
> > profile="/usr/sbin/named" name="/var/lib/samba/private/dns.keytab"
> > pid=2117 comm="isc-worker0000" requested_mask="k" denied_mask="k"
> > fsuid=111 ouid=0
> > May 14 14:22:32 kernel: audit: type=1400 audit(1557865352.085:35):
> > apparmor="DENIED" operation="file_lock" profile="/usr/sbin/named"
> > name="/var/lib/samba/private/dns.keytab" pid=2117 comm="isc-worker0000"
> > requested_mask="k" denied_mask="k" fsuid=111 ouid=0
>
> It looks like you need to fix Apparmor (at least), try reading this:
>
> https://wiki.samba.org/index.php/BIND9_DLZ_AppArmor_and_SELinux_Integration

selinux is not installed.
Firewall is not active.
iptables is not active.

From that page,
BIND process has read access to the following files
/var/lib/samba/private/dns.keytab
/var/lib/samba/private/named.conf # THIS DOES NOT EXIST
as well read-write access to the
/var/lib/samba/private/dns/ # THIS DOES NOT EXIST
directory and its own zone file(s).

this is in /etc/apparmor.d/usr.sbin.named.
# /etc/bind should be read-only for bind
# /var/lib/bind is for dynamically updated zone (and journal) files.
# /var/cache/bind is for slave/stub data, since we're not the origin of it.
# See /usr/share/doc/bind9/README.Debian.gz
/etc/bind/** r,
/var/lib/bind/** rw,
/var/lib/bind/ rw,
/var/cache/bind/** lrw,
/var/cache/bind/ rw,

# gssapi
/etc/krb5.keytab kr,
/etc/bind/krb5.keytab kr,
/var/lib/samba/lib/** rm,
/var/lib/samba/private/dns.keytab r,
/var/lib/samba/private/named.conf r,
/var/lib/samba/private/dns/** rwk, # THIS DOES NOT EXIST
/var/lib/samba/etc/smb.conf r,

I rebooted just to be sure. However, I still get client update denied.

This is in /etc/bind/

drwxr-sr-x 2 root bind 4096 May 15 10:38 ./
drwxr-xr-x 99 root root 4096 May 3 11:13 ../
-rw-r--r-- 1 root root 2761 Apr 24 04:04 bind.keys
-rw-r--r-- 1 root root 237 Oct 10 2018 db.0
-rw-r--r-- 1 root root 271 Oct 10 2018 db.127
-rw-r--r-- 1 root bind 615 May 10 11:28 db.172.23.93
-rw-r--r-- 1 root root 237 Oct 10 2018 db.255
-rw-r--r-- 1 root root 353 Oct 10 2018 db.empty
-rw-r--r-- 1 root root 270 Oct 10 2018 db.local
-rw-r--r-- 1 root root 3171 Oct 10 2018 db.root
-rw-r--r-- 1 root bind 499 May 10 11:12 named.conf
-rw-r--r-- 1 root bind 662 May 14 11:42 named.conf.default-zones
-rw-r--r-- 1 root bind 258 Apr 29 11:34 named.conf.local
-rw-r--r-- 1 root bind 193 May 14 11:44 named.conf.msi
-rw-r--r-- 1 root bind 1109 May 14 09:22 named.conf.options
-rw-r----- 1 bind bind 77 Apr 29 11:22 rndc.key
-rw-r--r-- 1 root root 1317 Oct 10 2018 zones.rfc1918

Thank you,
Durwin

> Rowland
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

This email message and any attachments are for the sole use of the intended recipient(s) and may contain proprietary and/or confidential information which may be privileged or otherwise protected from disclosure. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient(s), please contact the sender by reply email and destroy the original message and any copies of the message as well as any attachments to the original message.

On 15/05/2019 17:57, durwin at mgtsciences.com wrote:
> > > May 14 14:22:32 audit[2117]: AVC apparmor="DENIED" operation="file_lock"
> > > profile="/usr/sbin/named" name="/var/lib/samba/private/dns.keytab"
> > > pid=2117 comm="isc-worker0000" requested_mask="k" denied_mask="k"
> > > fsuid=111 ouid=0
> > > May 14 14:22:32 kernel: audit: type=1400 audit(1557865352.085:35):
> > > apparmor="DENIED" operation="file_lock" profile="/usr/sbin/named"
> > > name="/var/lib/samba/private/dns.keytab" pid=2117 comm="isc-worker0000"
> > > requested_mask="k" denied_mask="k" fsuid=111 ouid=0
> >
> > It looks like you need to fix Apparmor (at least), try reading this:
> >
> > https://wiki.samba.org/index.php/BIND9_DLZ_AppArmor_and_SELinux_Integration
>
> selinux is not installed.
> Firewall is not active.
> iptables is not active.

The problem appears to have something to do with Apparmor.

> From that page,
> BIND process has read access to the following files
> /var/lib/samba/private/dns.keytab
> /var/lib/samba/private/named.conf # THIS DOES NOT EXIST

OK, but I do not remember you saying which version of Samba you are using, later versions now use the path '/var/lib/samba/bind-dns' instead of '/var/lib/samba/private'

> as well read-write access to the
> /var/lib/samba/private/dns/ # THIS DOES NOT EXIST
> directory and its own zone file(s).
>
> this is in /etc/apparmor.d/usr.sbin.named.
> # /etc/bind should be read-only for bind
> # /var/lib/bind is for dynamically updated zone (and journal) files.
> # /var/cache/bind is for slave/stub data, since we're not the origin of it.
> # See /usr/share/doc/bind9/README.Debian.gz
> /etc/bind/** r,
> /var/lib/bind/** rw,
> /var/lib/bind/ rw,
> /var/cache/bind/** lrw,
> /var/cache/bind/ rw,
>
> # gssapi
> /etc/krb5.keytab kr,
> /etc/bind/krb5.keytab kr,
> /var/lib/samba/lib/** rm,
> /var/lib/samba/private/dns.keytab r,
> /var/lib/samba/private/named.conf r,
> /var/lib/samba/private/dns/** rwk, # THIS DOES NOT EXIST
> /var/lib/samba/etc/smb.conf r,
>
> I rebooted just to be sure. However, I still get client update denied.
>
>
> This is in /etc/bind/
>
> drwxr-sr-x 2 root bind 4096 May 15 10:38 ./
> drwxr-xr-x 99 root root 4096 May 3 11:13 ../
> -rw-r--r-- 1 root root 2761 Apr 24 04:04 bind.keys
> -rw-r--r-- 1 root root 237 Oct 10 2018 db.0
> -rw-r--r-- 1 root root 271 Oct 10 2018 db.127
> -rw-r--r-- 1 root bind 615 May 10 11:28 db.172.23.93

Is the above your reverse zone?

> -rw-r--r-- 1 root root 237 Oct 10 2018 db.255
> -rw-r--r-- 1 root root 353 Oct 10 2018 db.empty
> -rw-r--r-- 1 root root 270 Oct 10 2018 db.local
> -rw-r--r-- 1 root root 3171 Oct 10 2018 db.root
> -rw-r--r-- 1 root bind 499 May 10 11:12 named.conf
> -rw-r--r-- 1 root bind 662 May 14 11:42 named.conf.default-zones
> -rw-r--r-- 1 root bind 258 Apr 29 11:34 named.conf.local
> -rw-r--r-- 1 root bind 193 May 14 11:44 named.conf.msi

And is the above your forward zone?

If it is yes to both of the last questions, then you need to delete them, you cannot use flatfiles with BIND9_DLZ

> -rw-r--r-- 1 root bind 1109 May 14 09:22 named.conf.options
> -rw-r----- 1 bind bind 77 Apr 29 11:22 rndc.key
> -rw-r--r-- 1 root root 1317 Oct 10 2018 zones.rfc1918
>

Rowland

> > https://wiki.samba.org/index.php/BIND9_DLZ_AppArmor_and_SELinux_Integration
> >
> > selinux is not installed.
> > Firewall is not active.
> > iptables is not active.
> The problem appears to have something to do with Apparmor.
> >
> > From that page,
> > BIND process has read access to the following files
> > /var/lib/samba/private/dns.keytab
> > /var/lib/samba/private/named.conf # THIS DOES NOT EXIST
>
> OK, but I do not remember you saying which version of Samba you are
> using, later versions now use the path '/var/lib/samba/bind-dns' instead
> of '/var/lib/samba/private'

I am using Bind9 on Ubuntu 18.04
Ok, I verified permissions on /var/lib/samba/bind-dns.

> > as well read-write access to the
> > /var/lib/samba/private/dns/ # THIS DOES NOT EXIST
> > directory and its own zone file(s).
> >
> > this is in /etc/apparmor.d/usr.sbin.named.
> > # /etc/bind should be read-only for bind
> > # /var/lib/bind is for dynamically updated zone (and journal) files.
> > # /var/cache/bind is for slave/stub data, since we're not the origin of it.
> > # See /usr/share/doc/bind9/README.Debian.gz
> > /etc/bind/** r,
> > /var/lib/bind/** rw,
> > /var/lib/bind/ rw,
> > /var/cache/bind/** lrw,
> > /var/cache/bind/ rw,
> >
> > # gssapi
> > /etc/krb5.keytab kr,
> > /etc/bind/krb5.keytab kr,
> > /var/lib/samba/lib/** rm,
> > /var/lib/samba/private/dns.keytab r,
> > /var/lib/samba/private/named.conf r,
> > /var/lib/samba/private/dns/** rwk, # THIS DOES NOT EXIST

I changed above line to.
/var/lib/samba/bind-dns/** rwk,
Or should it be?
/var/lib/samba/bind-dns/dns/** rwk,

> > /var/lib/samba/etc/smb.conf r,
> >
> > I rebooted just to be sure. However, I still get client update denied.
> >
> >
> > This is in /etc/bind/
> >
> > drwxr-sr-x 2 root bind 4096 May 15 10:38 ./
> > drwxr-xr-x 99 root root 4096 May 3 11:13 ../
> > -rw-r--r-- 1 root root 2761 Apr 24 04:04 bind.keys
> > -rw-r--r-- 1 root root 237 Oct 10 2018 db.0
> > -rw-r--r-- 1 root root 271 Oct 10 2018 db.127
> > -rw-r--r-- 1 root bind 615 May 10 11:28 db.172.23.93
> Is the above your reverse zone?

The only thing I added or modified in this entire directory is named.conf.msi
and added line,
include "/etc/bind/named.conf.msi";
to named.conf
The rest you see here was not added by me.

> > -rw-r--r-- 1 root root 237 Oct 10 2018 db.255
> > -rw-r--r-- 1 root root 353 Oct 10 2018 db.empty
> > -rw-r--r-- 1 root root 270 Oct 10 2018 db.local
> > -rw-r--r-- 1 root root 3171 Oct 10 2018 db.root
> > -rw-r--r-- 1 root bind 499 May 10 11:12 named.conf
> > -rw-r--r-- 1 root bind 662 May 14 11:42 named.conf.default-zones
> > -rw-r--r-- 1 root bind 258 Apr 29 11:34 named.conf.local
> > -rw-r--r-- 1 root bind 193 May 14 11:44 named.conf.msi
>
> And is the above your forward zone?
>
> If it is yes to both of the last questions, then you need to delete
> them, you cannot use flatfiles with BIND9_DLZ

Do I delete only the 'db.*' files? Are the 'named.conf*' files in this
location not used?
If I do delete the named.* files, what do I edit to add a slave domain
for mycompany.com (DC domain is msi.mycompany.com)? The DC is master of
msi.mycompany.com, another server is master of mycompany.com.

Thank you,
Durwin

> > -rw-r--r-- 1 root bind 1109 May 14 09:22 named.conf.options
> > -rw-r----- 1 bind bind 77 Apr 29 11:22 rndc.key
> > -rw-r--r-- 1 root root 1317 Oct 10 2018 zones.rfc1918
> >
> Rowland
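
The AppArmor denial logged in this thread, checked against the quoted usr.sbin.named excerpt. This is an added example, not part of any message above and not Samba or AppArmor project code. The function names are hypothetical, the glob matching is simplified (no {a,b} alternation, character classes, or deny/owner qualifiers), and permission masks are treated as sets of single letters.

```python
import re

# Constructed sample: the audit record quoted in the thread, joined onto one line.
AUDIT_LINE = ('May 14 14:22:32 audit[2117]: AVC apparmor="DENIED" operation="file_lock" '
              'profile="/usr/sbin/named" name="/var/lib/samba/private/dns.keytab" '
              'pid=2117 comm="isc-worker0000" requested_mask="k" denied_mask="k" '
              'fsuid=111 ouid=0')

# Profile excerpt as quoted in the thread (gssapi section of usr.sbin.named).
PROFILE = """
/etc/krb5.keytab kr,
/etc/bind/krb5.keytab kr,
/var/lib/samba/lib/** rm,
/var/lib/samba/private/dns.keytab r,
/var/lib/samba/private/named.conf r,
/var/lib/samba/private/dns/** rwk,
/var/lib/samba/etc/smb.conf r,
"""

def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED record, or None."""
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    return fields if fields.get("apparmor") == "DENIED" else None

def glob_to_regex(glob):
    """Simplified AppArmor glob: '**' crosses '/', '*' does not."""
    out = ""
    for part in re.split(r'(\*\*|\*)', glob):
        out += {"**": ".*", "*": "[^/]*"}.get(part, re.escape(part))
    return re.compile(out + r"\Z")

def parse_rules(profile_text):
    """Yield (path_glob, permission_letters) for plain file rules; comments dropped."""
    for raw in profile_text.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(",")
        m = re.fullmatch(r'(/\S*)\s+([a-zA-Z]+)', line)
        if m:
            yield m.group(1), m.group(2)

def missing_permissions(denial, profile_text):
    """Letters in denied_mask that no rule matching the denied path grants."""
    granted = set()
    for glob, perms in parse_rules(profile_text):
        if glob_to_regex(glob).match(denial["name"]):
            granted |= set(perms)
    return set(denial["denied_mask"]) - granted

denial = parse_denial(AUDIT_LINE)
print(denial["name"], "missing:", missing_permissions(denial, PROFILE))
```

In AppArmor file rules `k` is the lock permission, which is what the `file_lock` operation in the log requests.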