Hi,

Suse 10.1. I installed and set up a slave DNS server as follows:

Forwarder - my ISP's DNS server
Slave for our 2 domains - as master is SuSE 10.0 machine on a different subnet (i.e. if the net on which I set up the new machine is 10.88.1.0/24, the master DNS is on 10.88.2.0/24).

The routing between the 2 networks is OK, I can ping, etc. machines on both nets. The routing goes through 10.88.3.x router machine.

Now, when I start the DNS slave, in the log files I see:

May 22 12:46:29 fwqa named[20985]: zone mydomain.com/IN: Transfer started.
May 22 12:46:29 fwqa named[20985]: transfer of 'mydomain.com/IN' from 10.88.2.11#53: connected using 10.88.3.11#44250
May 22 12:46:29 fwqa named[20985]: dumping master file: rename: slave/mydomain.com: permission denied
May 22 12:46:29 fwqa named[20985]: transfer of 'mydomain.com/IN' from 10.88.2.11#53: failed while receiving responses: permission denied
May 22 12:46:29 fwqa named[20985]: transfer of 'mydomain.com/IN' from 10.88.2.11#53: end of transfer
May 22 12:46:29 fwqa kernel: audit(1148319989.417:73): REJECTING w access to /slave/mydomain.com (named(20986) profile /usr/sbin/named active /usr/sbin/named)

And I cannot resolve anything for the domain mydomain.com. There is no mydomain.com subdir in /var/lib/named/slave at all, so I do not understand the permission denied message. The named daemon runs as user named.

And the permissions in /var/lib/named are as follows:

sunny@fwqa:~> ls -l /var/lib/named/
total 40
-rw-r--r-- 1 root root 192 2001-07-04 02:27 127.0.0.zone
drwxr-xr-x 2 root root 4096 2006-05-22 10:45 dev
drwxr-xr-x 2 named named 4096 2006-05-02 03:33 dyn
drwxr-xr-x 3 root root 4096 2006-05-22 10:48 etc
-rw-r--r-- 1 root root 158 2001-07-04 02:27 localhost.zone
drwxr-xr-x 2 named named 4096 2006-05-02 03:33 log
drwxr-xr-x 2 root root 4096 2006-05-02 03:33 master
-rw-r--r-- 1 root root 2517 2006-05-02 03:33 root.hint
drwxr-xr-x 2 named named 4096 2006-05-22 12:46 slave
drwxr-xr-x 4 root root 4096 2006-05-19 16:42 var

Under /var/lib/named/slave there are a bunch of tmp-xxxx files, all with named:named owner.

What is going wrong? Has anyone had success configuring a DNS server in 10.1? I did not change anything, all these are created by YaST, so it looks like a bug. If someone else confirms that problem, I'll file a bug report. But meanwhile, I need to make it run, so any help is appreciated.

Cheers

--
Svetoslav Milenov (Sunny)

Windows is a 32-bit extension to a 16-bit graphical shell for an 8-bit operating system originally coded for a 4-bit microprocessor by a 2-bit company that can't stand 1 bit of competition.

Sunny wrote:
Now, when I start the DNS slave, in the log files I see:
May 22 12:46:29 fwqa named[20985]: zone mydomain.com/IN: Transfer started.
May 22 12:46:29 fwqa named[20985]: transfer of 'mydomain.com/IN' from 10.88.2.11#53: connected using 10.88.3.11#44250
May 22 12:46:29 fwqa named[20985]: dumping master file: rename: slave/mydomain.com: permission denied
May 22 12:46:29 fwqa named[20985]: transfer of 'mydomain.com/IN' from 10.88.2.11#53: failed while receiving responses: permission denied
May 22 12:46:29 fwqa named[20985]: transfer of 'mydomain.com/IN' from 10.88.2.11#53: end of transfer
May 22 12:46:29 fwqa kernel: audit(1148319989.417:73): REJECTING w access to /slave/mydomain.com (named(20986) profile /usr/sbin/named active /usr/sbin/named)

This is auditd creating a problem - to start with you can turn the REJECTs into warnings by issuing "complain /usr/sbin/named". Alternatively, you can update the apparmor profile by issuing "aa-genprof /usr/sbin/named".

/Per Jessen, Zürich

On 5/22/06, Per Jessen
Sunny wrote:
Now, when I start the DNS slave, in the log files I see:
May 22 12:46:29 fwqa named[20985]: zone mydomain.com/IN: Transfer started.
May 22 12:46:29 fwqa named[20985]: transfer of 'mydomain.com/IN' from 10.88.2.11#53: connected using 10.88.3.11#44250
May 22 12:46:29 fwqa named[20985]: dumping master file: rename: slave/mydomain.com: permission denied
May 22 12:46:29 fwqa named[20985]: transfer of 'mydomain.com/IN' from 10.88.2.11#53: failed while receiving responses: permission denied
May 22 12:46:29 fwqa named[20985]: transfer of 'mydomain.com/IN' from 10.88.2.11#53: end of transfer
May 22 12:46:29 fwqa kernel: audit(1148319989.417:73): REJECTING w access to /slave/mydomain.com (named(20986) profile /usr/sbin/named active /usr/sbin/named)
This is auditd creating a problem - to start with you can turn the REJECTs into warnings by issuing "complain /usr/sbin/named". Alternatively, you can update the apparmor profile by issuing "aa-genprof /usr/sbin/named".
/Per Jessen, Zürich
None of these exist on my system. locate aa-genprof and locate complain display nothing.

This is 10.1 text install, no GUI, etc.

--
Svetoslav Milenov (Sunny)

Windows is a 32-bit extension to a 16-bit graphical shell for an 8-bit operating system originally coded for a 4-bit microprocessor by a 2-bit company that can't stand 1 bit of competition.

Sunny wrote:
This is auditd creating a problem - to start with you can turn the REJECTs into warnings by issuing "complain /usr/sbin/named". Alternatively, you can update the apparmor profile by issuing "aa-genprof /usr/sbin/named".
None of these exist on my system. locate aa-genprof and locate complain display nothing.
This is 10.1 text install, no GUI, etc.
complain is /usr/sbin/complain on my 10.1GM system.

The messages you quoted are definitely from auditd - which is part of audit-1.1.3-17 - complain etc. are part of apparmor-utils-2.0-19 - which is in the default install, I believe.

/Per Jessen, Zürich

On 5/22/06, Per Jessen wrote:
complain is /usr/sbin/complain on my 10.1GM system.
The messages you quoted are definitely from auditd - which is part of audit-1.1.3-17 - complain etc. are part of apparmor-utils-2.0-19 - which is in the default install, I believe.
/Per Jessen, Zürich
sunny@fwqa:~> ps aux | grep audit
sunny@fwqa:~> rpm -qa | grep audit
sunny@fwqa:~> rpm -qa | grep apparmor
apparmor-profiles-2.0-31
apparmor-parser-2.0-19

So, no auditd at all.

--
Svetoslav Milenov (Sunny)

Windows is a 32-bit extension to a 16-bit graphical shell for an 8-bit operating system originally coded for a 4-bit microprocessor by a 2-bit company that can't stand 1 bit of competition.
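
An added example, not part of the original thread: one way to tell from the quoted log that named's "permission denied" comes from the /usr/sbin/named profile rather than from Unix file permissions, by pairing the daemon's error with the kernel REJECTING record. The function name `explain_denials` and the pairing rules are assumptions of this example; the sample lines are copied from the log quoted above.

```python
import re

# Sample input: log lines quoted in the thread, one record per line.
SAMPLE_LOG = """\
May 22 12:46:29 fwqa named[20985]: zone mydomain.com/IN: Transfer started.
May 22 12:46:29 fwqa named[20985]: dumping master file: rename: slave/mydomain.com: permission denied
May 22 12:46:29 fwqa named[20985]: transfer of 'mydomain.com/IN' from 10.88.2.11#53: failed while receiving responses: permission denied
May 22 12:46:29 fwqa kernel: audit(1148319989.417:73): REJECTING w access to /slave/mydomain.com (named(20986) profile /usr/sbin/named active /usr/sbin/named)
"""

# Kernel record layout exactly as it appears in the thread.
REJECT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]{8}) \S+ kernel: audit\([\d.:]+\): REJECTING "
    r"(?P<perms>\S+) access to (?P<path>\S+) "
    r"\((?P<comm>[^()\s]+)\(\d+\) profile (?P<profile>\S+) active")
# Daemon line that names a file path (contains '/') and ends in the error.
DENIED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]{8}) \S+ (?P<comm>[\w.-]+)\[\d+\]: "
    r".*?(?P<path>[\w./-]*/[\w./-]*): permission denied$")


def explain_denials(log_text):
    """Pair each daemon 'permission denied' with a REJECTING record.

    Assumed pairing rule: same syslog timestamp, same process name, and a
    rejected path ending with the (possibly relative) path the daemon gave.
    """
    lines = log_text.splitlines()
    rejects = [m.groupdict() for m in map(REJECT_RE.match, lines) if m]
    findings = []
    for m in filter(None, map(DENIED_RE.match, lines)):
        d = m.groupdict()
        tail = "/" + d["path"].lstrip("/")
        hit = next((r for r in rejects
                    if r["ts"] == d["ts"] and r["comm"] == d["comm"]
                    and r["path"].endswith(tail)), None)
        findings.append({
            "daemon": d["comm"], "path": d["path"],
            "cause": "apparmor" if hit else "unexplained",
            "profile": hit["profile"] if hit else None,
            "perms": hit["perms"] if hit else None,
        })
    return findings


if __name__ == "__main__":
    for finding in explain_denials(SAMPLE_LOG):
        print(finding)
```

A finding with cause "unexplained" has no matching REJECTING record, so ownership and mode of the target directory are the next thing to check.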