Bug 1476187
Field | Value | Field | Value
---|---|---|---
Summary | Service bind does not start due to SELinux when configured with Samba deployed with --dns-backend=BIND9_DLZ | |
Product | [Fedora] Fedora | Reporter | Dario Lesca <d.lesca>
Component | bind | Assignee | Petr Menšík <pemensik>
Status | CLOSED EOL | QA Contact | Fedora Extras Quality Assurance <extras-qa>
Severity | unspecified | Docs Contact |
Priority | unspecified | |
Version | 27 | CC | asn, brad.inch, d.lesca, mruprich, msehnout, neil, pemensik, thozza, vonsch, zdohnal
Target Milestone | --- | |
Target Release | --- | |
Hardware | Unspecified | |
OS | Unspecified | |
Whiteboard | | |
Fixed In Version | | Doc Type | If docs needed, set a value
Doc Text | | Story Points | ---
Clone Of | | Environment |
Last Closed | 2018-11-30 18:59:23 UTC | Type | Bug
Regression | --- | Mount Type | ---
Documentation | --- | CRM |
Verified Versions | | Category | ---
oVirt Team | --- | RHEL 7.3 requirements from Atomic Host |
Cloudforms Team | --- | Target Upstream Version |
Embargoed | | |
Description
Dario Lesca
2017-07-28 08:31:41 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 27 development cycle. Changing version to '27'.

---

Dario Lesca

I have installed the latest version of Fedora 27 (Fedora-Server-netinst-x86_64-27-20170926.n.0.iso) and tried to deploy Samba AD-DC in BIND_DLZ mode. This is what I did after the F27 server fresh install:

```sh
sudo dnf install samba-client samba-dc samba-winbind attr acl krb5-workstation tdb-tools samba-winbind-clients python bind bind-utils samba-dc-bind-dlz
sudo mv /etc/krb5.conf /etc/krb5.conf.$(date +%s)
sudo mv /etc/samba/smb.conf /etc/samba/smb.conf.$(date +%s)
sudo samba-tool domain provision \
    --realm=samba.loc \
    --domain=samba \
    --dns-backend=BIND9_DLZ \
    --use-rfc2307 \
    --server-role=dc \
    --function-level=2008_R2
sudo cp -a /var/lib/samba/private/krb5.conf /etc/krb5.conf
```

At this point I have configured /etc/named.conf as /var/lib/samba/bind-dns/named.txt says. Add this into the global options:

```
tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
```

And at the end of the file:

```
include "/var/lib/samba/bind-dns/named.conf";
```

Then:

```sh
sudo chcon -t named_conf_t /var/lib/samba/bind-dns/dns.keytab
```

But if I do "systemctl restart named", named won't start, with this error:

```
set 27 16:28:56 server-addc.localdomain named[2025]: Loading 'AD DNS Zone' using driver dlopen
set 27 16:28:57 server-addc.localdomain named[2025]: samba_dlz: Failed to connect to /var/lib/samba/bind-dns/dns/sam.ldb
set 27 16:28:57 server-addc.localdomain named[2025]: dlz_dlopen of 'AD DNS Zone' failed
```

But no SELinux error is reported in the log.

I looked into /var/lib/samba/bind-dns/dns/* and I saw that none of the files are marked for named, so I tried running:

```sh
sudo chcon -t named_conf_t /var/lib/samba/bind-dns/dns -R
```

and reran "systemctl restart named". Bind does not start, but at this point I see this SELinux error message in the log:

```
set 27 16:31:48 server-addc.localdomain named[2072]: Loading 'AD DNS Zone' using driver dlopen
set 27 16:31:49 server-addc.localdomain audit[2072]: AVC avc: denied { write } for pid=2072 comm="named" name="sam.ldb" dev="dm-2" ino=1068765 scon
set 27 16:31:49 server-addc.localdomain named[2072]: samba_dlz: Failed to connect to /var/lib/samba/bind-dns/dns/sam.ldb
```

If I disable SELinux (setenforce 0), named starts and works properly.

Question: how should SELinux be set up to make sure that bind and samba work together?

I think it's better to put this setting into the bind or samba package ... or some other package (I'm not a developer or packager).

Many thanks
Dario Lesca

---

Dario Lesca

I have tried this setting:

```sh
chcon -t named_var_run_t /var/lib/samba/bind-dns/dns -R
```

then `sudo setenforce 1`, and now bind starts.

Is it possible to put this setting into the bind or samba package?

Thanks
Dario

---

Petr Menšík (Comment #4)

Hi Dario,

chcon is not enough for a distribution; it has to be reset by restorecon. I think /etc/selinux/targeted/contexts/files/file_contexts needs one more line:

```
/var/lib/samba/bind-dns/dns(/.*)? system_u:object_r:named_cache_t:s0
```

This file is owned by the selinux-policy-targeted package. Please use named_cache_t instead; that is used for dynamic zones in bind.

You could then reset contexts from the %post script of the samba package:

```sh
$ restorecon -R /var/lib/samba/bind-dns/dns
```

I wonder if both samba and bind would access this file at the same time? Is it designed to be written by both samba and bind?

In general, DLZ modules should be installed into /usr/lib*/bind, I think. I would suggest the name /usr/lib*/bind/dlz_sam.so. I think it does not make sense to distribute modules for different bind versions than the packaged one (current is bind 9.11 for 26+).

Bind also supports chroot mode (bind-chroot package), which would not have access to /var/lib/samba/bind-dns/dns without a specific setup of the chroot (handled by /usr/libexec/setup-named-chroot.sh). Because of that, the configuration and keytab for bind should be in /etc/named/, where it is already handled by the setup script. The same goes for the DLZ module location.

Does it require access to samba database files? Which files or directories does it require?
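Petr's point is that a `chcon` label is lost on the next relabel, while a file_contexts rule plus `restorecon` persists. The script below is an added example of that fix, not code from the bug report or from the bind/samba packages: it parses an AVC denial like the one Dario pasted, reports what was denied, and prints (or, with `apply`, runs) the persistent `semanage fcontext` rule that is the administrator's equivalent of editing file_contexts by hand. The sample AVC line is constructed; only the fields up to `ino=1068765 scon` appear in the report, so the `scontext`, `tcontext` (`named_conf_t`, from the first `chcon`) and `tclass` fields are assumed. The directory path and the `named_cache_t` type come from the thread.

```sh
#!/bin/sh
# Added example: turn the AVC denial from the report into a persistent SELinux
# labelling fix. Not code from the bug report or from the bind/samba packages.
#
# Assumption: the sample line below is constructed. Only the fields up to
# "ino=1068765 scon" appear in the report; scontext/tcontext/tclass are assumed
# (tcontext is named_conf_t because that is what the first chcon applied).
SAMPLE_AVC='type=AVC msg=audit(1506522709.000:101): avc:  denied  { write } for  pid=2072 comm="named" name="sam.ldb" dev="dm-2" ino=1068765 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_conf_t:s0 tclass=file permissive=0'

# avc_field LINE KEY: value of KEY=... (quoted or bare) from an AVC line.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perm LINE: the permission set inside "denied { ... }".
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^}]*[^} ]\) *}.*/\1/p'
}

# recommended_type_for COMM: the file type to label the target with. Petr's
# point in the thread: zone data that bind writes is named_cache_t, so use that
# rather than named_conf_t (read-only config) or named_var_run_t.
recommended_type_for() {
    case $1 in
        named) echo named_cache_t ;;
        *)     echo "" ;;
    esac
}

# selinux_fix_commands DIR TYPE: the persistent fix. A semanage fcontext rule
# survives relabels and package updates, which a bare chcon does not; restorecon
# then applies it to the files that already exist.
selinux_fix_commands() {
    printf "semanage fcontext -a -t %s '%s(/.*)?'\n" "$2" "$1"
    printf 'restorecon -Rv %s\n' "$1"
}

# selinux_plan LINE DIR: describe the denial and print the fix for DIR.
selinux_plan() {
    comm=$(avc_field "$1" comm)
    target=$(avc_field "$1" name)
    perm=$(avc_perm "$1")
    have=$(avc_field "$1" tcontext | cut -d: -f3)
    want=$(recommended_type_for "$comm")
    echo "$comm was denied '$perm' on $target (labelled $have); relabel $2 as $want:"
    selinux_fix_commands "$2" "$want"
}

DNS_DIR=/var/lib/samba/bind-dns/dns
selinux_plan "$SAMPLE_AVC" "$DNS_DIR"

# Only touch the running system when asked to, and only where the tools exist
# (on Fedora, semanage comes from policycoreutils-python-utils).
if [ "${1:-}" = apply ] && command -v semanage >/dev/null 2>&1; then
    semanage fcontext -a -t "$(recommended_type_for named)" "$DNS_DIR(/.*)?"
    restorecon -Rv "$DNS_DIR"
    ls -Z "$DNS_DIR"
fi
```

Run it without arguments to see the denial summary and the two commands; run it as root with `apply` to add the rule and relabel. If a rule for that path already exists, `semanage fcontext -a` refuses and `-m` must be used instead. After relabelling, `ls -Z` should show `named_cache_t` on sam.ldb, and `ausearch -m avc -c named` should stay quiet across a `systemctl restart named`.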
Dario Lesca

Hi Petr, I'm not able to reply to your questions, so I have sent these questions to the Samba Technical ML:
https://lists.samba.org/archive/samba-technical/2017-November/123627.html

I hope this helps.

Many thanks
Dario

---

Dario Lesca

This is Rowland's reply (01/11/2017, 20.42 +0000):

Hi Dario, whilst I don't know all the answers, I will answer to the best of my abilities ;-)

On Wed, 01 Nov 2017 18:11:17 +0100 Dario Lesca via samba-technical <samba-technical.org> wrote:

> I have filed this bug in Bugzilla for Fedora 27:
> https://bugzilla.redhat.com/show_bug.cgi?id=1476187
>
> Now Petr Menšík asks me these questions:
>
> > Product: Fedora
> > Version: 27
> > Component: bind
> >
> > Petr Menšík <pemensik> has asked Dario Lesca <d.lesca> for needinfo:
> > Bug 1476187: Service bind not start due selinux when configured with samba deploy with --dns-backend=BIND9_DLZ
> > https://bugzilla.redhat.com/show_bug.cgi?id=1476187
> >
> > --- Comment #4 from Petr Menšík <pemensik> ---
> > Hi Dario,
> >
> > chcon is not enough for distribution, it has to be reset by restorecon. I think
> >
> > /etc/selinux/targeted/contexts/files/file_contexts needs one more line:
> >
> > /var/lib/samba/bind-dns/dns(/.*)? system_u:object_r:named_cache_t:s0
> >
> > This file is owned by selinux-policy-targeted package. Please use named_cache_t instead, that is used for dynamic zones in bind.
> >
> > You could then reset contexts from %post script of samba package.
> > $ restorecon -R /var/lib/samba/bind-dns/dns
> >
> > I wonder if both samba and bind would access this file at the same time?

Yes

> > Is it designed to be written by both samba and bind?

Yes

> > In general, DLZ modules should be installed into /usr/lib*/bind I think. I would suggest name /usr/lib*/bind/dlz_sam.so. I think it does not make sense to distribute modules for different bind versions than packaged (current is bind 9.11 for 26+).

If you read the 'named.conf' file that Samba ships, you will find that there are a few .so files; they are called 'dlz_bind9_${VER}.so', where '${VER}' is the Bind minor version.

> > Bind supports also chroot mode (bind-chroot package), that would not have access to /var/lib/samba/bind-dns/dns without specific setup of chroot (handled by /usr/libexec/setup-named-chroot.sh). Because of that configuration and keytab for bind should be in /etc/named/, where it is already handled by setup script. The same with DLZ module location.

The 'chroot problem' will not be a problem at all, you cannot run Bind9 in a chroot with a Samba AD DC ;-)

> > Does it require access to samba database files?

OH yes

> > Which files or directories it requires?

Obviously the 'dns' files

> I'm not a developer, I'm only a simple test user and I cannot answer to Peter.

I think 'Peter' needs to talk to the Red Hat sponsored Samba developers that are working on getting the Samba AD DC to work with MIT Kerberos.

Rowland

---

This message is a reminder that Fedora 27 is nearing its end of life. On 2018-Nov-30 Fedora will stop maintaining and issuing updates for Fedora 27. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '27'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 27 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version before this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.

---

Fedora 27 changed to end-of-life (EOL) status on 2018-11-30. Fedora 27 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug.

Thank you for reporting this bug and we are sorry it could not be fixed.