Hi,
I solved the problem like this:
Add these lines to /etc/apparmor.d/usr.sbin.named
/var/lib/samba/private/dns.keytab r,
/var/lib/samba/bind-dns/named.conf r,
/var/lib/samba/bind-dns/dns/** rwk,
/var/lib/samba/private/sam.ldb rwk,
/usr/lib/x86_64-linux-gnu/samba/bind9/** rm,
/usr/lib/x86_64-linux-gnu/samba/ldb/** rm,
/usr/lib/x86_64-linux-gnu/samba/** rm,
/usr/lib/x86_64-linux-gnu/ldb/** rm,
Regards,
Márcio Bacci
On Mon, Feb 15, 2021 at 22:32, Marcio B. <marciobacci at gmail.com>
wrote:
> Hi,
>
> I have the following problem on my DC Samba4 with Bind9_DLZ:
>
> root at samba4dc-2:~# /etc/init.d/bind9 status
> ● bind9.service - BIND Domain Name Server
> Loaded: loaded (/lib/systemd/system/bind9.service; enabled; vendor
> preset: enabled)
> Active: failed (Result: exit-code) since Mon 2021-02-15 21:59:14 -03;
> 37s ago
> Docs: man:named(8)
> Process: 394 ExecStart=/usr/sbin/named -f $OPTIONS (code=exited,
> status=1/FAILURE)
> Main PID: 394 (code=exited, status=1/FAILURE)
>
> fev 15 21:59:14 samba4dc-2 named[394]: adjusted limit on open files from
> 524288 to 1048576
> fev 15 21:59:14 samba4dc-2 named[394]: found 1 CPU, using 1 worker thread
> fev 15 21:59:14 samba4dc-2 named[394]: using 1 UDP listener per interface
> fev 15 21:59:14 samba4dc-2 named[394]: using up to 4096 sockets
> fev 15 21:59:14 samba4dc-2 named[394]: loading configuration from
> '/etc/bind/named.conf'
> fev 15 21:59:14 samba4dc-2 named[394]: /etc/bind/named.conf.local:8: open:
> /var/lib/samba/bind-dns/named.conf: permission denied
> fev 15 21:59:14 samba4dc-2 named[394]: loading configuration: permission
> denied
> fev 15 21:59:14 samba4dc-2 named[394]: exiting (due to fatal error)
> fev 15 21:59:14 samba4dc-2 systemd[1]: bind9.service: Main process exited,
> code=exited, status=1/FAILURE
> fev 15 21:59:14 samba4dc-2 systemd[1]: bind9.service: Failed with result
> 'exit-code'.
>
> My permissions look like this:
> root at samba4dc-2:/etc/bind# ls -lh
> total 52K
> -rw-r--r-- 1 root bind 3,9K mai 3 2019 bind.keys
> -rw-r--r-- 1 root bind 237 mai 3 2019 db.0
> -rw-r--r-- 1 root bind 271 mai 3 2019 db.127
> -rw-r--r-- 1 root bind 237 mai 3 2019 db.255
> -rw-r--r-- 1 root bind 353 mai 3 2019 db.empty
> -rw-r--r-- 1 root bind 270 mai 3 2019 db.local
> -rw-r--r-- 1 root bind 3,1K mai 3 2019 db.root
> -rw-r--r-- 1 root bind 463 mai 3 2019 named.conf
> -rw-r--r-- 1 root bind 490 mai 3 2019 named.conf.default-zones
> -rw-r--r-- 1 root bind 211 set 2 2019 named.conf.local
> -rw-r--r-- 1 root bind 1,6K set 2 2019 named.conf.options
> -rw-r----- 1 bind bind 77 set 2 2019 rndc.key
> -rw-r--r-- 1 root bind 1,3K mai 3 2019 zones.rfc1918
>
> root at samba4dc-2:/var/lib/samba/bind-dns# ls -lh
> total 20K
> drwxrwx--- 3 root bind 4,0K fev 15 22:02 dns
> -rw-r----- 2 root bind 882 set 2 2019 dns.keytab
> -rw-r--r-- 1 root bind 883 fev 15 22:02 named.conf
> -r--r--r-- 1 root bind 311 set 5 2019 named.conf.update
> -rw-r--r-- 1 root bind 2,1K fev 15 22:02 named.txt
>
> I performed the following procedure, but it did not resolve the issue:
>
> root at samba4dc-2:~# samba_upgradedns --dns-backend=BIND9_DLZ
> Reading domain information
> DNS accounts already exist
> No zone file /var/lib/samba/bind-dns/dns/EMPRESA.COM.BR.zone
> DNS records will be automatically created
> DNS partitions already exist
> dns-samba4dc-2 account already exists
> See /var/lib/samba/bind-dns/named.conf for an example configuration
> include file for BIND
> and /var/lib/samba/bind-dns/named.txt for further documentation required
> for secure DNS updates
> Finished upgrading DNS
>
> This is my smb.conf
>
> cat /etc/samba/smb.conf
> # Global parameters
> [global]
> netbios name = SAMBA4DC-2
> realm = EMPRESA.COM.BR
> workgroup = EMPRESA
> log level = 1 auth:5 winbind:5
> server role = active directory domain controller
> server services = -dns
> #dns forwarder = 192.168.1.1 192.168.1.2
> #dns update command = /usr/sbin/samba_dnsupdate --use-samba-too
> ldap server require strong auth = no
> log file = /var/log/samba/auditoria/.%m
> #log level = 1 auth_audit:3 #auth_json_audit:3
> #log level = 1 passdb:5 auth:10 winbind:2
> #log level = 1 full_audit:1
> #log level = 2 auth:1@/var/log/auditoria.log
>
> [netlogon]
> path = /var/lib/samba/sysvol/empresa.com.br/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
> Could someone help me?
>
> Regards,
>
> Márcio Bacci
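As an added example (not code from this thread), the Python below parses the AppArmor path rules posted in the reply above, approximates AppArmor's `*` / `**` globbing, and checks whether the path named in the "permission denied" line of the original named log is now covered with read access. The rule text and the log line are copied from the page; the globbing logic is a simplification of the real parser, assumed here for the check.

```python
import re

# The AppArmor path rules posted in the reply above (copied from the page)
NAMED_RULES = """
/var/lib/samba/private/dns.keytab r,
/var/lib/samba/bind-dns/named.conf r,
/var/lib/samba/bind-dns/dns/** rwk,
/var/lib/samba/private/sam.ldb rwk,
/usr/lib/x86_64-linux-gnu/samba/bind9/** rm,
/usr/lib/x86_64-linux-gnu/samba/ldb/** rm,
/usr/lib/x86_64-linux-gnu/samba/** rm,
/usr/lib/x86_64-linux-gnu/ldb/** rm,
"""

# The failing named log line quoted in the original post, used here as sample input
NAMED_LOG = ("fev 15 21:59:14 samba4dc-2 named[394]: /etc/bind/named.conf.local:8: "
             "open: /var/lib/samba/bind-dns/named.conf: permission denied\n")

RULE_RE = re.compile(r'^\s*(/\S+)\s+([a-zA-Z]+)\s*,\s*$')   # "<path-glob> <perms>,"
DENIED_RE = re.compile(r'open: (\S+): permission denied')

def parse_rules(text):
    """Return [(path_glob, set_of_permission_letters)] for each simple path rule."""
    return [(m.group(1), set(m.group(2)))
            for m in map(RULE_RE.match, text.splitlines()) if m]

def glob_to_regex(pattern):
    """Approximate AppArmor globbing (assumption, not the real parser): '*' stops
    at '/', '**' may cross '/', and both need at least one char right after a '/'."""
    out, i = '', 0
    while i < len(pattern):
        after_slash = i > 0 and pattern[i - 1] == '/'
        if pattern.startswith('**', i):
            out, i = out + ('[^/].*' if after_slash else '.*'), i + 2
        elif pattern[i] == '*':
            out, i = out + ('[^/]+' if after_slash else '[^/]*'), i + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile('^' + out + '$')

def allowed(rules, path, perms):
    """True if the union of the rules matching `path` grants every letter in `perms`."""
    granted = set()
    for pat, letters in rules:
        if glob_to_regex(pat).match(path):
            granted |= letters
    return set(perms) <= granted

def still_denied(rules, log_text, perms='r'):
    """Paths from 'permission denied' log lines that the rules would still not cover."""
    return [p for p in DENIED_RE.findall(log_text) if not allowed(rules, p, perms)]
```

Feeding the denied paths from the named log through `still_denied` after each profile edit shows directly which accesses the profile still lacks, instead of restarting bind9 and reading the journal again.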