Old 21st December 2008, 21:54
docfx
Bind9 still failing...

Installed Hardy, updated to 8.04.1 LTS w/ LVM.

All was well,
Code:
Dec 20 16:21:14 wonder named[31642]: starting BIND 9.4.2-P2 -u bind
Dec 20 16:21:14 wonder named[31642]: found 1 CPU, using 1 worker thread
Dec 20 16:21:14 wonder named[31642]: loading configuration from '/etc/bind/named.conf'
Dec 20 16:21:14 wonder named[31642]: listening on IPv6 interfaces, port 53
Then I started going through the Howtoforge "perfect server" tutorial. Got to the part where bind gets chrooted and...

Bind 9 fails; according to /var/log/syslog:
Code:
Dec 21 14:00:54 wonder named[6828]: starting BIND 9.4.2-P2 -u bind -t /var/lib/named
Dec 21 14:00:54 wonder named[6828]: found 1 CPU, using 1 worker thread
Dec 21 14:00:54 wonder named[6828]: loading configuration from '/etc/bind/named.conf'
Dec 21 14:00:54 wonder named[6828]: none:0: open: /etc/bind/named.conf: permission denied
Dec 21 14:00:54 wonder named[6828]: loading configuration: permission denied
Dec 21 14:00:54 wonder named[6828]: exiting (due to fatal error)
Have tried it per the tutorial (w/ AppArmor disabled/purged) as well as per the Ubuntu Forum thread (ubuntuforums.org/showthread.php?t=735188&highlight=bind9+fail).

AppArmor is currently running and my usr.sbin.named is:
Code:
# vim:syntax=apparmor
# Last Modified: Fri Jun  1 16:43:22 2007
#include <tunables/global>

/usr/sbin/named {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  capability net_bind_service,
  capability setgid,
  capability setuid,
  capability sys_chroot,

  # /etc/bind should be read-only for bind
  # /var/lib/bind is for dynamically updated zone (and journal) files.
  # /var/cache/bind is for slave/stub data, since we're not the origin of it.
  # See /usr/share/doc/bind9/README.Debian.gz
  # /etc/bind/** r,

  # Dynamic updates needs zone and journal files rw. We just allow rw for all
  # in /etc/bind, and let DAC handle the rest > moved to /var/lib/named/etc/bind
  /var/lib/named/etc/bind/* rw,

  # if local zones are in a subdirectory
  /var/lib/named/etc/bind/zones/* rw,
  /var/lib/named/etc/bind/zones/external/* rw,
  /var/lib/named/etc/bind/zones/internal/* rw,

  /var/lib/bind/** rw,
  /var/lib/bind/ rw,
  /var/cache/bind/** rw,
  /var/cache/bind/ rw,

  # some people like to put logs in /var/log/named/
  /var/log/named/** rw,

  # dnscvsutil package
  /var/lib/dnscvsutil/compiled/** rw,

  /proc/net/if_inet6 r,
  /usr/sbin/named mr,
  /var/lib/named/var/run/bind/run/named.pid w,
  #/var/run/bind/run/named.pid w,
  # support for resolvconf
  /var/lib/named/var/run/bind/named.options r,
  #/var/run/bind/named.options r,

# add also following lines thanks to Spezi2u
  /var/lib/named/dev/null rw,
  /var/lib/named/dev/random rw,

}
Contents of /etc/bind/ aka /var/lib/named/etc/bind/ are:
Code:
-rw-r--r-- 1 bind bind  237 2008-04-09 15:44 db.0
-rw-r--r-- 1 bind bind  271 2008-04-09 15:44 db.127
-rw-r--r-- 1 bind bind  237 2008-04-09 15:44 db.255
-rw-r--r-- 1 bind bind  353 2008-04-09 15:44 db.empty
-rw-r--r-- 1 bind bind  270 2008-04-09 15:44 db.local
-rw-r--r-- 1 bind bind 2878 2008-04-09 15:44 db.root
-rw-r--r-- 1 bind bind  907 2008-04-09 15:44 named.conf
-rw-r--r-- 1 bind bind  165 2008-04-09 15:44 named.conf.local
-rw-r--r-- 1 bind bind 3041 2008-12-21 13:51 named.conf.options
-rw------- 1 root root  695 2008-12-21 13:51 named.conf.options~
-rw-r----- 1 bind bind   77 2008-05-26 17:26 rndc.key
-rw-r--r-- 1 bind bind 1317 2008-04-09 15:44 zones.rfc1918
and still bind9 refuses to start from the CLI or during reboot... It doesn't seem to make any difference if I use OPTIONS="-u bind -t /var/lib/named" or OPTIONS="-u bind".

Any suggestions would be greatly appreciated.
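The post above mixes two path views: the `/etc/bind/named.conf` in the syslog line is the path named opens *after* it has chrooted into `/var/lib/named`, while AppArmor mediates the real host path, which is why the posted profile lists `/var/lib/named/etc/bind/*` rather than `/etc/bind/*`. The script below is an added example, not code from the post, the bind9 package or AppArmor itself; it models that translation and AppArmor's glob rules (`*` and `?` do not cross a `/`, `**` does) to check whether a profile's plain file rules grant read access to the config for a given `-t` chroot. The `PROFILE` string is a constructed sample carrying the rules from the posted profile (includes and comments dropped); everything else is an assumption of this example and is marked as such.

```python
"""Check whether an AppArmor profile allows a chrooted named to read its config.

Added example, not code from the post or from the bind9/AppArmor packages.
Assumptions (this example's, not the page's): AppArmor checks the real host
path, so a file named opens as /etc/bind/named.conf after `-t /var/lib/named`
is matched against the profile as /var/lib/named/etc/bind/named.conf; rule
globs follow AppArmor's convention that `*` and `?` stop at `/` while `**`
crosses directories. Symlinks inside the chroot are not modelled.
"""
import posixpath
import re

# Constructed sample: the plain file rules from the profile in the post,
# with the #include lines and comments removed.
PROFILE = """
  /var/lib/named/etc/bind/* rw,
  /var/lib/named/etc/bind/zones/* rw,
  /var/lib/named/etc/bind/zones/external/* rw,
  /var/lib/named/etc/bind/zones/internal/* rw,
  /var/lib/bind/** rw,
  /var/lib/bind/ rw,
  /var/cache/bind/** rw,
  /var/cache/bind/ rw,
  /var/log/named/** rw,
  /proc/net/if_inet6 r,
  /usr/sbin/named mr,
  /var/lib/named/var/run/bind/run/named.pid w,
  /var/lib/named/var/run/bind/named.options r,
  /var/lib/named/dev/null rw,
  /var/lib/named/dev/random rw,
"""

# A plain file rule: an absolute path glob, whitespace, permission letters, comma.
RULE_RE = re.compile(r"^\s*(/\S*)\s+([a-zA-Z]+)\s*,\s*$")


def parse_rules(profile_text):
    """Return (glob, perms) for every plain file rule; other lines are ignored."""
    rules = []
    for line in profile_text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append((m.group(1), m.group(2)))
    return rules


def glob_to_regex(glob):
    """Translate an AppArmor path glob into an anchored regex.

    '**' matches anything including '/'; '*' and '?' never cross a '/'.
    """
    out = []
    i = 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(".*")
            i += 2
            continue
        c = glob[i]
        if c == "*":
            out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("^" + "".join(out) + "$")


def host_path(chroot, path):
    """Path the kernel (and so AppArmor) sees when named opens `path` after chroot."""
    if chroot is None:
        return posixpath.normpath(path)
    return posixpath.normpath(posixpath.join(chroot, path.lstrip("/")))


def matching_rules(rules, path, needed):
    """Rules whose glob matches `path` and whose perms include every letter in `needed`."""
    return [(g, p) for g, p in rules
            if glob_to_regex(g).match(path) and all(n in p for n in needed)]


def config_allowed(profile_text, chroot, conf="/etc/bind/named.conf"):
    """True if the profile grants read on the host path of `conf` for this chroot."""
    real = host_path(chroot, conf)
    return bool(matching_rules(parse_rules(profile_text), real, "r"))


if __name__ == "__main__":
    # Mirror the two OPTIONS settings mentioned in the post.
    for chroot in ("/var/lib/named", None):
        real = host_path(chroot, "/etc/bind/named.conf")
        verdict = "allowed by profile" if config_allowed(PROFILE, chroot) else "NO MATCHING RULE"
        print(f"-t {chroot or '(no chroot)':15} -> {real}: {verdict}")
```

Run as is, the script reports that with `-t /var/lib/named` the config path is covered by the `/var/lib/named/etc/bind/*` rule, while without the chroot `/etc/bind/named.conf` matches nothing because the `/etc/bind/** r` rule is commented out in the posted profile. It only models the profile text: it says nothing about whether that profile is the one actually loaded, and nothing about DAC, where the `bind` user also needs execute (search) permission on `/var/lib/named`, `/var/lib/named/etc` and `/var/lib/named/etc/bind` to reach a file whose own mode is `-rw-r--r--`. An AppArmor refusal is logged by the kernel; a "permission denied" with no corresponding kernel-log entry points at DAC rather than the profile.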