Description of problem:
If I deploy Samba with --dns-backend=BIND9_DLZ, set up bind.conf and give the Samba folder /var/lib/samba/private/ the right access (see bug 1476175 - https://bugzilla.redhat.com/show_bug.cgi?id=1476175), the bind service does not start if SELinux is enabled.

Version-Release number of selected component (if applicable):
Fedora 27 rawhide
# rpm -q samba-dc bind
samba-dc-4.7.0-0.6.rc1.fc27.x86_64
bind-9.11.1-4.P3.fc27.x86_64

How reproducible:
Deploy Samba with the bind DLZ DNS backend and start bind.

Steps to Reproduce:
Run samba-tool:
# samba-tool domain provision \
    --realm=dom.loc \
    --domain=dom \
    --dns-backend=BIND9_DLZ \
    --use-rfc2307 \
    --server-role=dc \
    --function-level=2008_R2

Configure bind, adding this to /etc/named.conf:
(into the options section)
tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
(at the end)
include "/var/lib/samba/private/named.conf";

Set the Samba folder permissions with:
# chmod g+rx /var/lib/samba/private/
# chgrp named /var/lib/samba/private/

Run systemctl start named

I get this error:
● named.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named.service; disabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Fri 2017-07-28 10:23:12 CEST; 27s ago
  Process: 1573 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=1/FAILURE)
  Process: 1570 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)

lug 28 10:23:12 server-addc.dom.loc named[1574]: samba_dlz: Failed to connect to /var/lib/samba/private/dns/sam.ldb
lug 28 10:23:12 server-addc.dom.loc named[1574]: dlz_dlopen of 'AD DNS Zone' failed
lug 28 10:23:12 server-addc.dom.loc named[1574]: SDLZ driver failed to load.
lug 28 10:23:12 server-addc.dom.loc named[1574]: DLZ driver failed to load.
lug 28 10:23:12 server-addc.dom.loc named[1574]: loading configuration: failure
lug 28 10:23:12 server-addc.dom.loc named[1574]: exiting (due to fatal error)
lug 28 10:23:12 server-addc.dom.loc systemd[1]: named.service: Control process exited, code=exited status=1
lug 28 10:23:12 server-addc.dom.loc systemd[1]: Failed to start Berkeley Internet Name Domain (DNS).
lug 28 10:23:12 server-addc.dom.loc systemd[1]: named.service: Unit entered failed state.
lug 28 10:23:12 server-addc.dom.loc systemd[1]: named.service: Failed with result 'exit-code'.

This is what I get in /var/log/audit/audit.log:
type=SERVICE_START msg=audit(1501230403.462:257): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=named-setup-rndc comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_STOP msg=audit(1501230403.462:258): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=named-setup-rndc comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1501230403.625:259): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=named comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'

If I disable SELinux (setenforce 0) the service starts properly and Samba works great.

Actual results:
service named does not start if SELinux is enabled

Expected results:
service named starts without disabling SELinux

Additional info:
This bug appears to have been reported against 'rawhide' during the Fedora 27 development cycle. Changing version to '27'.
I have installed the latest version of Fedora 27 (Fedora-Server-netinst-x86_64-27-20170926.n.0.iso) and tried to deploy Samba AD-DC in BIND_DLZ mode.

This is what I have done after the f27 server fresh install:

sudo dnf install samba-client samba-dc samba-winbind attr acl krb5-workstation tdb-tools samba-winbind-clients python bind bind-utils samba-dc-bind-dlz
sudo mv /etc/krb5.conf /etc/krb5.conf.$(date +%s)
sudo mv /etc/samba/smb.conf /etc/samba/smb.conf.$(date +%s)
sudo samba-tool domain provision \
    --realm=samba.loc \
    --domain=samba \
    --dns-backend=BIND9_DLZ \
    --use-rfc2307 \
    --server-role=dc \
    --function-level=2008_R2
sudo cp -a /var/lib/samba/private/krb5.conf /etc/krb5.conf

At this point I have configured /etc/named.conf as /var/lib/samba/bind-dns/named.txt says:

Add into global options this:
tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";

And at the eof:
include "/var/lib/samba/bind-dns/named.conf";

Then:
sudo chcon -t named_conf_t /var/lib/samba/bind-dns/dns.keytab

But if I do "systemctl restart named", named won't start, with this error:

set 27 16:28:56 server-addc.localdomain named[2025]: Loading 'AD DNS Zone' using driver dlopen
set 27 16:28:57 server-addc.localdomain named[2025]: samba_dlz: Failed to connect to /var/lib/samba/bind-dns/dns/sam.ldb
set 27 16:28:57 server-addc.localdomain named[2025]: dlz_dlopen of 'AD DNS Zone' failed

But no SELinux error is reported in the log.

I looked into /var/lib/samba/bind-dns/dns/* and I see all files are not marked for named, so I tried running:
sudo chcon -t named_conf_t /var/lib/samba/bind-dns/dns -R
and reran "systemctl restart named".

Bind does not start, but at this point in the log I see this SELinux error message:

set 27 16:31:48 server-addc.localdomain named[2072]: Loading 'AD DNS Zone' using driver dlopen
set 27 16:31:49 server-addc.localdomain audit[2072]: AVC avc: denied { write } for pid=2072 comm="named" name="sam.ldb" dev="dm-2" ino=1068765 scon
set 27 16:31:49 server-addc.localdomain named[2072]: samba_dlz: Failed to connect to /var/lib/samba/bind-dns/dns/sam.ldb

If I disable SELinux (setenforce 0) named starts and works properly.

Question: How should SELinux be set up to make sure that bind and samba work together?
I think it's better to put this setting into the bind or samba package ... or some other package (I'm not a developer or packager).

Many thanks
Dario Lesca
I have tried this setting:
chcon -t named_var_run_t /var/lib/samba/bind-dns/dns -R
then sudo setenforce 1, and now bind starts.

Is it possible to put this setting into the bind or samba package?

Thanks
Dario
Hi Dario,

chcon is not enough for distribution, it has to be reset by restorecon. I think /etc/selinux/targeted/contexts/files/file_contexts needs one more line:

/var/lib/samba/bind-dns/dns(/.*)?    system_u:object_r:named_cache_t:s0

This file is owned by selinux-policy-targeted package. Please use named_cache_t instead, that is used for dynamic zones in bind.

You could then reset contexts from %post script of samba package.
$ restorecon -R /var/lib/samba/bind-dns/dns

I wonder if both samba and bind would access this file at the same time? Is it designed to be written by both samba and bind?

In general, DLZ modules should be installed into /usr/lib*/bind I think. I would suggest name /usr/lib*/bind/dlz_sam.so. I think it does not make sense to distribute modules for different bind versions than packaged (current is bind 9.11 for 26+).

Bind supports also chroot mode (bind-chroot package), that would not have access to /var/lib/samba/bind-dns/dns without specific setup of chroot (handled by /usr/libexec/setup-named-chroot.sh). Because of that configuration and keytab for bind should be in /etc/named/, where it is already handled by setup script. The same with DLZ module location.

Does it require access to samba database files? Which files or directories does it require?
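As an added illustration (not part of this bug report or of the bind, samba or selinux-policy packages), a small triage script that parses AVC denials like the one in the report and derives the persistent relabeling described above (a file_contexts spec for named_cache_t applied with restorecon) instead of a one-off chcon. The audit lines are constructed samples modelled on the truncated one in the report; the inode, device and contexts are made up, with the target directory assumed to have been chcon'd to named_conf_t as the reporter did.

```python
import re

# Constructed sample audit records (not real output from the reporter's host).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1506522709.101:412): avc:  denied  { write } for  pid=2072 comm="named" name="sam.ldb" dev="dm-2" ino=1068765 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_conf_t:s0 tclass=file permissive=0
type=AVC msg=audit(1506522709.102:413): avc:  denied  { read } for  pid=2072 comm="named" name="sam.ldb.d" dev="dm-2" ino=1068770 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_conf_t:s0 tclass=dir permissive=0
type=SERVICE_START msg=audit(1506522709.200:414): pid=1 uid=0 subj=system_u:system_r:init_t:s0 msg='unit=named res=failed'
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of fields for an AVC denial line, or None for other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec['perms'] = m.group('perms').split()
    # An SELinux context is user:role:type:level; the type is what policy keys on.
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    return rec


def named_denials(log_text):
    """All denials whose source domain is BIND's named_t."""
    return [r for r in map(parse_avc, log_text.splitlines())
            if r and r['stype'] == 'named_t']


def remediation(denials, directory, want_type='named_cache_t'):
    """Commands that relabel `directory` persistently (semanage rule plus
    restorecon) when any denial hit a file whose type is not `want_type`.
    Returns [] when there are no denials or every target already has it."""
    if all(r['ttype'] == want_type for r in denials):
        return []
    spec = directory.rstrip('/') + '(/.*)?'
    return ["semanage fcontext -a -t %s '%s'" % (want_type, spec),
            'restorecon -Rv %s' % directory]


if __name__ == '__main__':
    found = named_denials(SAMPLE_AUDIT)
    for r in found:
        print('named denied %s on %s (labelled %s)' % (r['perms'], r['name'], r['ttype']))
    print('\n'.join(remediation(found, '/var/lib/samba/bind-dns/dns')))
```

On a real host the same functions can be fed the output of `ausearch -m avc -c named`; whether named_cache_t is the right type for the Samba database remains Petr's question to the Samba side.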
Hi Petr,

I'm not able to reply to your questions, so I have sent these questions to the Samba Technical ML:
https://lists.samba.org/archive/samba-technical/2017-November/123627.html

I hope this helps.

Many thanks
Dario
This is the Rowland reply (01/11/2017, 20.42 +0000):

Hi Dario, whilst I don't know all the answers, I will answer to the best of my abilities ;-)

On Wed, 01 Nov 2017 18:11:17 +0100
Dario Lesca via samba-technical <samba-technical.org> wrote:

> I have filed this bug into Bugzilla for Fedora 27:
> https://bugzilla.redhat.com/show_bug.cgi?id=1476187
>
> Now Petr Menšík asks me these questions:
>
> > Product: Fedora
> > Version: 27
> > Component: bind
> >
> > Petr Menšík <pemensik> has asked Dario Lesca
> > <d.lesca> for needinfo:
> > Bug 1476187: Service bind not start due selinux when configured with
> > samba deploy with --dns-backend=BIND9_DLZ
> > https://bugzilla.redhat.com/show_bug.cgi?id=1476187
> >
> > --- Comment #4 from Petr Menšík <pemensik> ---
> > Hi Dario,
> >
> > chcon is not enough for distribution, it has to be reset by
> > restorecon. I think
> >
> > /etc/selinux/targeted/contexts/files/file_contexts needs one more
> > line:
> >
> > /var/lib/samba/bind-dns/dns(/.*)?
> > system_u:object_r:named_cache_t:s0
> >
> > This file is owned by selinux-policy-targeted package. Please use
> > named_cache_t instead, that is used for dynamic zones in bind.
> >
> > You could then reset contexts from %post script of samba package.
> > $ restorecon -R /var/lib/samba/bind-dns/dns
> >
> > I wonder if both samba and bind would access this file at the same
> > time?

Yes

> > Is it designed to be written by both samba and bind?

Yes

> > In general, DLZ modules should be installed into /usr/lib*/bind I
> > think. I would suggest name /usr/lib*/bind/dlz_sam.so. I think it
> > does not make sense to distribute modules for different bind
> > versions than packaged (current is bind 9.11 for 26+).

If you read the 'named.conf' file that Samba ships, you will find that there are a few of the .so files, they are called 'dlz_bind9_${VER}.so', where '${VER}' is the Bind minor version.

> > Bind supports also chroot mode (bind-chroot package), that would not
> > have access to /var/lib/samba/bind-dns/dns without specific setup of
> > chroot (handled by /usr/libexec/setup-named-chroot.sh). Because of
> > that configuration and keytab for bind should be in /etc/named/,
> > where it is already handled by setup script. The same with DLZ
> > module location.

The 'chroot problem' will not be a problem at all, you cannot run Bind9 in a chroot with a Samba AD DC ;-)

> > Does it require access to samba database files?

OH yes

> > Which files or directories does it require?

Obviously the 'dns' files

> I'm not a developer, I'm only a simple test user and I cannot answer
> to Peter.

I think 'Peter' needs to talk to the red-hat sponsored Samba developers that are working on getting the Samba AD DC to work with MIT Kerberos.

Rowland
This message is a reminder that Fedora 27 is nearing its end of life. On 2018-Nov-30 Fedora will stop maintaining and issuing updates for Fedora 27. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '27'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 27 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version prior to this bug being closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
Fedora 27 changed to end-of-life (EOL) status on 2018-11-30. Fedora 27 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug.

Thank you for reporting this bug and we are sorry it could not be fixed.