DNS failed after samba AD DC provision

I have defined a samba AD DC on a raspberry pi 400 (loaded with tumbleweed) using the following command

rasp:/var/lib/samba # samba-tool domain provision --use-rfc2307 --interactive
Realm [SAMDOM.PCE23.NET]:  
Domain [SAMDOM]:  
Server Role (dc, member, standalone) [dc]:  
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]:  BIND9_DLZ
Administrator password: 
Retype password:
...
INFO 2021-05-13 21:55:21,336 pid:2899 /usr/.../samba/provision/__init__.py #492: Server Role:           active directory domain controller
INFO 2021-05-13 21:55:21,336 pid:2899 /usr/.../samba/provision/__init__.py #493: Hostname:              rasp
INFO 2021-05-13 21:55:21,336 pid:2899 /usr/.../samba/provision/__init__.py #494: NetBIOS Domain:        SAMDOM
INFO 2021-05-13 21:55:21,336 pid:2899 /usr/.../samba/provision/__init__.py #495: DNS Domain:            samdom.pce23.net
INFO 2021-05-13 21:55:21,337 pid:2899 /usr/.../samba/provision/__init__.py #496: DOMAIN SID:            S-1-5-21-4198509159-1934609394-2213185027:

Thereafter I added the requested options in /etc/named.conf

include "/var/lib/samba/bind-dns/named.conf";
...
options {
...
    ### SAMBA
    tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
    minimal-responses yes;
    ### SAMBA
...
}

/etc/named.conf is correctly checked without error

rasp:/var/lib/samba/bind-dns # named-checkconf -l
. in _default hint
localhost in _default master
0.0.127.in-addr.arpa in _default master
0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa in _default master
pce23.net in _default slave
1.168.192.in-addr.arpa in _default slave
2.168.192.in-addr.arpa in _default slave
3.168.192.in-addr.arpa in _default slave
samdom.pce23.net in _default master

Restarting named gives this error:

rasp:/var/lib/samba/bind-dns # systemctl start named
Job for named.service failed because the control process exited with error code.
See "systemctl status named.service" and "journalctl -xe" for details.
rasp:/var/lib/samba/bind-dns # systemctl status named
● named.service - Berkeley Internet Name Domain (DNS)
     Loaded: loaded (/usr/lib/systemd/system/named.service; enabled; vendor preset: disabled)
     Active: failed (Result: exit-code) since Thu 2021-05-13 22:01:24 CEST; 11s ago
    Process: 3023 ExecStartPre=/usr/libexec/bind/named.prep (code=exited, status=0/SUCCESS)
    Process: 3029 ExecStart=/usr/sbin/named -u named -d 9 $NAMED_ARGS (code=exited, status=1/FAILURE)
        CPU: 315ms

May 13 22:01:24 rasp named[3030]: samba_dlz: Failed to connect to Failed to connect to /var/lib/samba/bind-dns/dns/sam.ldb: Unable to open tdb '/var/lib/samba/bind-dns/dns/sam.ldb': Read-only file system: Operations error
May 13 22:01:24 rasp named[3030]: samba_dlz: FAILED dlz_create call result=25 #refs=0
May 13 22:01:24 rasp named[3030]: dlz_dlopen of 'AD DNS Zone' failed
May 13 22:01:24 rasp named[3030]: SDLZ driver failed to load.
May 13 22:01:24 rasp named[3030]: DLZ driver failed to load.
May 13 22:01:24 rasp named[3030]: loading configuration: failure
May 13 22:01:24 rasp named[3030]: exiting (due to fatal error)
May 13 22:01:24 rasp systemd[1]: named.service: Control process exited, code=exited, status=1/FAILURE
May 13 22:01:24 rasp systemd[1]: named.service: Failed with result 'exit-code'.
May 13 22:01:24 rasp systemd[1]: Failed to start Berkeley Internet Name Domain (DNS).

AppArmor is not active (I disabled it)

rasp:~ # systemctl status apparmor
      ● apparmor.service - Load AppArmor profiles
           Loaded: loaded (/usr/lib/systemd/system/apparmor.service; disabled; vendor preset: enabled)
           Active: inactive (dead)

and SELinux is not installed.
The file /var/lib/samba/bind-dns/dns/sam.ldb seems readable by named

rasp:/var/lib/samba/bind-dns # ls -l
total 16
drwxrwx--- 3 root named 4096 May 13 21:55 dns
-rw-r----- 2 root named  490 May 13 21:55 dns.keytab
-rw-r--r-- 1 root root   982 May 13 21:55 named.conf
-rw-r--r-- 1 root root  2051 May 13 21:55 named.txt

rasp:/var/lib/samba/bind-dns/dns # ls -l sam.ldb
-rw-rw-r-- 1 root named 3620864 May 13 21:55 sam.ldb

Any idea about this read only file system?
Many thanks in advance
Philippe

The error says “Read-only file system: Operations error”

Can you check what “mount | grep -v rw” gives for you; some mounted file system seems to be read-only.

Hello,

Here is the result

rasp:/var/lib/samba/bind-dns/dns # mount | grep -v rw
efivarfs on /sys/firmware/efi/efivars type efivarfs (ro,nosuid,nodev,noexec,relatime)

Searching via Google returns a lot of the same error related to permissions of /var/lib/samba/private/dns (old), but in the samba mailing list I see that “The binddns dir was changed at Samba 4.8.0 from /usr/local/samba/private/dns to /usr/local/samba/bind-dns/dns.”
Even with a normal user I can read the directory and the files therein.
In the samba wiki https://wiki.samba.org/index.php/BIND9_DLZ_AppArmor_and_SELinux_Integration they warn about AppArmor (disabled here) and SELinux (not installed)

Regards
Philippe

I see the LDB is the database engine used within Samba, so likely write access is needed.

To double check I would try:

sudo -g GROUP -u USER test -w /file/to/test; echo $?

Also you could try “touch”-ing /var/lib/samba/bind-dns/dns/sam.ldb as named user.

rasp:/var/lib/samba/bind-dns/dns # sudo -g named -u root test -w /var/lib/samba/bind-dns/dns/sam.ldb; echo $?
Sorry, user root is not allowed to execute '/usr/bin/test -w /var/lib/samba/bind-dns/dns/sam.ldb' as root:named on rasp.
1
rasp:/var/lib/samba/bind-dns/dns # sudo -g named -u named test -w /var/lib/samba/bind-dns/dns/sam.ldb; echo $?
0

You are right, there is a problem with this file, but I first needed to allow a valid shell for named.

rasp:/etc # su named
named@rasp:/etc>id
uid=44(named) gid=44(named) groups=44(named)
named@rasp:/etc> touch -ing /var/lib/samba/bind-dns/dns/sam.ldb
touch: invalid option -- 'i'
Try 'touch --help' for more information.
named@rasp:/etc> touch -a /var/lib/samba/bind-dns/dns/sam.ldb
touch: setting times of '/var/lib/samba/bind-dns/dns/sam.ldb': Operation not permitted
named@rasp:/etc> ls -l /var/lib/samba/bind-dns/dns/sam.ldb
-rw-rw-r-- 1 root named 3620864 May 13 21:55 /var/lib/samba/bind-dns/dns/sam.ldb
named@rasp:/etc> sudo chown named:named /var/lib/samba/bind-dns/dns/sam.ldb
[sudo] password for root: 
named@rasp:/etc> ls -l /var/lib/samba/bind-dns/dns/sam.ldb
-rw-rw-r-- 1 named named 3620864 May 13 21:55 /var/lib/samba/bind-dns/dns/sam.ldb
named@rasp:/etc> touch -a /var/lib/samba/bind-dns/dns/sam.ldb
named@rasp:/etc>

Very strange that a user in the group is not allowed to do the changes

Trying to start named.service gives the same error.
I did a recursive chown named:named on /var/lib/samba/bind-dns/dns but thereafter still the same problem >:(

rasp:/var/lib/samba # ls -l -R /var/lib/samba/bind-dns/*
-rw-r----- 2 root named 490 May 13 21:55 /var/lib/samba/bind-dns/dns.keytab
-rw-r--r-- 1 root root 1009 May 14 09:37 /var/lib/samba/bind-dns/named.conf
-rw-r--r-- 1 root root 2051 May 13 21:55 /var/lib/samba/bind-dns/named.txt
var/lib/samba/bind-dns/dns:
total 3544
-rw-rw-r--  1 named named 3620864 May 13 21:55 sam.ldb
drwxrwxr-x  2 named named    4096 May 13 21:55 sam.ldb.d
/var/lib/samba/bind-dns/dns/sam.ldb.d:
total 25988
-rw-rw---- 1 named named 7061504 May 13 21:55 CN=CONFIGURATION,DC=SAMDOM,DC=PCE23,DC=NET.ldb
-rw-rw---- 1 named named 8437760 May 13 21:55 CN=SCHEMA,CN=CONFIGURATION,DC=SAMDOM,DC=PCE23,DC=NET.ldb
-rw-rw---- 2 named named 4694016 May 13 21:55 DC=DOMAINDNSZONES,DC=SAMDOM,DC=PCE23,DC=NET.ldb
-rw-rw---- 2 named named 4694016 May 13 21:55 DC=FORESTDNSZONES,DC=SAMDOM,DC=PCE23,DC=NET.ldb
-rw-rw---- 1 named named 1286144 May 13 21:55 DC=SAMDOM,DC=PCE23,DC=NET.ldb
-rw-rw---- 2 named named  421888 May 14 10:11 metadata.tdb

Regards
Philippe

Good write-up, too bad it did not solve the issue.

On “Very strange that a user in the group is not allowed to do the changes”

named@rasp:/etc> touch -a /var/lib/samba/bind-dns/dns/sam.ldb
touch: setting times of '/var/lib/samba/bind-dns/dns/sam.ldb': Operation not permitted
named@rasp:/etc> ls -l /var/lib/samba/bind-dns/dns/sam.ldb
-rw-rw-r-- 1 root named 3620864 May 13 21:55 /var/lib/samba/bind-dns/dns/sam.ldb

I did not know it either but setting the modification time for a file may only be done by the owner or root, see cannot touch -m a writable file.

I think you should still check how /var/lib is mounted and if those permissions are fine.

Also found here:


binddns dir (G)

This parameter defines the directory samba will use to store the configuration files for bind, such as named.conf.
NOTE: The bind dns directory needs to be on the same mount point as the private directory!

Default: binddns dir = /var/lib/samba/bind-dns

The raspberry has only one physical disk (64 GB SD card) with the root filesystem and /home

rasp:/var/lib/samba # fdisk -l
Disk /dev/mmcblk0: 59.48 GiB, 63864569856 bytes, 124735488 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x26122794

Device         Boot    Start       End  Sectors  Size Id Type
/dev/mmcblk0p1          2048    514047   512000  250M ef EFI (FAT-12/16/32)
/dev/mmcblk0p2        514048  52942847 52428800   25G 83 Linux
/dev/mmcblk0p3      52942848 124735487 71792640 34.2G 83 Linux
rasp:/var/lib/samba # df -k
Filesystem     1K-blocks    Used Available Use% Mounted on
devtmpfs         1912120       0   1912120   0% /dev
tmpfs            1954744       0   1954744   0% /dev/shm
tmpfs             781900    1468    780432   1% /run
/dev/mmcblk0p2  25626852 6779088  17520660  28% /
tmpfs            1954744      12   1954732   1% /tmp
/dev/mmcblk0p3  35021392  163660  33046532   1% /home
/dev/mmcblk0p1    255724    8872    246852   4% /boot/efi
tmpfs             390948      44    390904   1% /run/user/1000

/var/lib is defined as

rasp:/var/lib/samba # ls -ld /var/lib
drwxr-xr-x 53 root root 4096 May  7 10:44 /var/lib


Regards
Philippe

Okay, also that does not give a hint on what is wrong; it’s getting really weird.

I am far from sure it will give more information, but the only thing I would still do is try to run the command that systemd is executing from the command prompt under strace.

ExecStart=/usr/sbin/named -u named -d 9 $NAMED_ARGS

So the command is:

strace -o /tmp/named.log /usr/sbin/named -u named -d 9 $NAMED_ARGS

But run that under the correct user/group and with $NAMED_ARGS filled in.

Another thing you could try is to change the rights so all users have read-write access.

Thanks,

I had already added debug level 9 when calling the dlz_bind9_16.so

    # For BIND 9.16.x
    database "dlopen /usr/lib64/samba/bind9/dlz_bind9_16.so -d 9";


this gives more information in journalctl but the same error

May 17 09:04:50 rasp named[30629]: starting BIND 9.16.12 (Stable Release) <id:aeb943d>
May 17 09:04:50 rasp named[30629]: running on Linux aarch64 5.12.0-2-default #1 SMP Thu Apr 29 12:08:56 UTC 2021 (c4830af)
May 17 09:04:50 rasp named[30629]: built with '--host=aarch64-suse-linux-gnu' '--build=aarch64-suse-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/u>
May 17 09:04:50 rasp named[30629]: running as: named -u named -d 9
May 17 09:04:50 rasp named[30629]: compiled by GCC 10.3.0
May 17 09:04:50 rasp named[30629]: compiled with OpenSSL version: OpenSSL 1.1.1k  25 Mar 2021
May 17 09:04:50 rasp named[30629]: linked to OpenSSL version: OpenSSL 1.1.1k  25 Mar 2021
May 17 09:04:50 rasp named[30629]: compiled with libxml2 version: 2.9.10
May 17 09:04:50 rasp named[30629]: linked to libxml2 version: 20910
May 17 09:04:50 rasp named[30629]: compiled with json-c version: 0.15
May 17 09:04:50 rasp named[30629]: linked to json-c version: 0.15
May 17 09:04:50 rasp named[30629]: compiled with zlib version: 1.2.11
May 17 09:04:50 rasp named[30629]: linked to zlib version: 1.2.11
May 17 09:04:50 rasp named[30629]: ----------------------------------------------------
May 17 09:04:50 rasp named[30629]: BIND 9 is maintained by Internet Systems Consortium,
May 17 09:04:50 rasp named[30629]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
May 17 09:04:50 rasp named[30629]: corporation.  Support and training for BIND 9 are
May 17 09:04:50 rasp named[30629]: available at https://www.isc.org/support
May 17 09:04:50 rasp named[30629]: ----------------------------------------------------
May 17 09:04:50 rasp named[30629]: adjusted limit on open files from 524288 to 1048576
May 17 09:04:50 rasp named[30629]: found 4 CPUs, using 4 worker threads
May 17 09:04:50 rasp named[30629]: using 4 UDP listeners per interface
May 17 09:04:50 rasp named[30629]: using up to 21000 sockets
May 17 09:04:50 rasp named[30629]: loading configuration from '/etc/named.conf'
May 17 09:04:50 rasp named[30629]: reading built-in trust anchors from file '/etc/bind.keys'
May 17 09:04:50 rasp named[30629]: using default UDP/IPv4 port range: [32768, 60999]
May 17 09:04:50 rasp named[30629]: using default UDP/IPv6 port range: [32768, 60999]
May 17 09:04:50 rasp named[30629]: listening on IPv4 interface lo, 127.0.0.1#53
May 17 09:04:50 rasp named[30629]: listening on IPv4 interface eth0, 192.168.1.91#53
May 17 09:04:50 rasp named[30629]: generating session key for dynamic DNS
May 17 09:04:50 rasp named[30629]: sizing zone task pool based on 9 zones
May 17 09:04:50 rasp named[30629]: Loading 'AD DNS Zone' using driver dlopen
May 17 09:04:50 rasp named[30629]: samba_dlz: INFO: Current debug levels:
May 17 09:04:50 rasp named[30629]: samba_dlz:   all: 9
May 17 09:04:50 rasp named[30629]: samba_dlz:   tdb: 9
May 17 09:04:50 rasp named[30629]: samba_dlz:   printdrivers: 9
May 17 09:04:50 rasp named[30629]: samba_dlz:   lanman: 9
May 17 09:04:50 rasp named[30629]: samba_dlz:   smb: 9
May 17 09:04:50 rasp named[30629]: samba_dlz:   rpc_parse: 9
May 17 09:04:50 rasp named[30629]: samba_dlz:   rpc_srv: 9
May 17 09:04:50 rasp named[30629]: samba_dlz:   rpc_cli: 9
May 17 09:04:50 rasp named[30629]: samba_dlz:   passdb: 9
May 17 09:04:50 rasp named[30629]: samba_dlz:   sam: 9
May 17 09:04:50 rasp named[30629]: samba_dlz:   auth: 9
May 17 09:04:50 rasp named[30629]: samba_dlz:   winbind: 9
May 17 09:04:50 rasp named[30629]: samba_dlz:   vfs: 9
May 17 09:04:50 rasp named[30629]: samba_dlz:   idmap: 9
May 17 09:04:50 rasp named[30629]: samba_dlz:   quota: 9
May 17 09:04:50 rasp named[30629]: samba_dlz:   acls: 9
May 17 09:04:50 rasp named[30629]: samba_dlz:   locking: 9
May 17 09:04:50 rasp named[30629]: samba_dlz:   msdfs: 9
May 17 09:04:50 rasp named[30629]: samba_dlz:   dmapi: 9
May 17 09:04:50 rasp named[30629]: samba_dlz:   registry: 9
May 17 09:04:50 rasp named[30629]: samba_dlz:   scavenger: 9
May 17 09:04:50 rasp named[30629]: samba_dlz:   dns: 9
May 17 09:04:50 rasp named[30629]: samba_dlz:   ldb: 9
May 17 09:04:50 rasp named[30629]: samba_dlz:   tevent: 9
May 17 09:04:50 rasp named[30629]: samba_dlz:   auth_audit: 9
May 17 09:04:50 rasp named[30629]: samba_dlz:   auth_json_audit: 9
May 17 09:04:50 rasp named[30629]: samba_dlz:   kerberos: 9
May 17 09:04:50 rasp named[30629]: samba_dlz:   drs_repl: 9
May 17 09:04:50 rasp named[30629]: samba_dlz:   smb2: 9
May 17 09:04:50 rasp named[30629]: samba_dlz:   smb2_credits: 9
May 17 09:04:50 rasp named[30629]: samba_dlz:   dsdb_audit: 9
May 17 09:04:50 rasp named[30629]: samba_dlz:   dsdb_json_audit: 9
May 17 09:04:50 rasp named[30629]: samba_dlz:   dsdb_password_audit: 9
May 17 09:04:50 rasp named[30629]: samba_dlz:   dsdb_password_json_audit: 9
May 17 09:04:50 rasp named[30629]: samba_dlz:   dsdb_transaction_audit: 9
May 17 09:04:50 rasp named[30629]: samba_dlz:   dsdb_transaction_json_audit: 9
May 17 09:04:50 rasp named[30629]: samba_dlz:   dsdb_group_audit: 9
May 17 09:04:50 rasp named[30629]: samba_dlz:   dsdb_group_json_audit: 9
May 17 09:04:50 rasp named[30629]: samba_dlz: GENSEC backend 'gssapi_spnego' registered
May 17 09:04:50 rasp named[30629]: samba_dlz: GENSEC backend 'gssapi_krb5' registered
May 17 09:04:50 rasp named[30629]: samba_dlz: GENSEC backend 'gssapi_krb5_sasl' registered
May 17 09:04:50 rasp named[30629]: samba_dlz: GENSEC backend 'spnego' registered
May 17 09:04:50 rasp named[30629]: samba_dlz: GENSEC backend 'schannel' registered
May 17 09:04:50 rasp named[30629]: samba_dlz: GENSEC backend 'naclrpc_as_system' registered
May 17 09:04:50 rasp named[30629]: samba_dlz: GENSEC backend 'sasl-EXTERNAL' registered
May 17 09:04:50 rasp named[30629]: samba_dlz: GENSEC backend 'ntlmssp' registered
May 17 09:04:50 rasp named[30629]: samba_dlz: GENSEC backend 'ntlmssp_resume_ccache' registered
May 17 09:04:50 rasp named[30629]: samba_dlz: GENSEC backend 'http_basic' registered
May 17 09:04:50 rasp named[30629]: samba_dlz: GENSEC backend 'http_ntlm' registered
May 17 09:04:50 rasp named[30629]: samba_dlz: GENSEC backend 'http_negotiate' registered
May 17 09:04:50 rasp named[30629]: samba_dlz: GENSEC backend 'krb5' registered
May 17 09:04:50 rasp named[30629]: samba_dlz: GENSEC backend 'fake_gssapi_krb5' registered
May 17 09:04:50 rasp named[30629]: samba_dlz: ldb: ltdb: tdb(/var/lib/samba/bind-dns/dns/sam.ldb): tdb_open_ex: could not open file /var/lib/samba/bind-dns/dns/sam.ldb: Read-only file system
May 17 09:04:50 rasp named[30629]: samba_dlz:
May 17 09:04:50 rasp named[30629]: samba_dlz: ldb: Unable to open tdb '/var/lib/samba/bind-dns/dns/sam.ldb': Read-only file system
May 17 09:04:50 rasp named[30629]: samba_dlz: ldb: Failed to connect to '/var/lib/samba/bind-dns/dns/sam.ldb' with backend 'tdb': Unable to open tdb '/var/lib/samba/bind-dns/dns/sam.ldb': Read-only file system
May 17 09:04:50 rasp named[30629]: samba_dlz: Failed to connect to Failed to connect to /var/lib/samba/bind-dns/dns/sam.ldb: Unable to open tdb '/var/lib/samba/bind-dns/dns/sam.ldb': Read-only file system: Operations error
May 17 09:04:50 rasp named[30629]: samba_dlz: FAILED dlz_create call result=25 #refs=0
May 17 09:04:50 rasp named[30629]: dlz_dlopen of 'AD DNS Zone' failed
May 17 09:04:50 rasp named[30629]: SDLZ driver failed to load.
May 17 09:04:50 rasp named[30629]: DLZ driver failed to load.
May 17 09:04:50 rasp named[30629]: loading configuration: failure
May 17 09:04:50 rasp named[30629]: exiting (due to fatal error)
May 17 09:04:50 rasp systemd[1]: named.service: Control process exited, code=exited, status=1/FAILURE
May 17 09:04:50 rasp systemd[1]: named.service: Failed with result 'exit-code'.
May 17 09:04:50 rasp systemd[1]: Failed to start Berkeley Internet Name Domain (DNS).

I have also changed the directories via “chmod 777” for /var/lib/samba/bind-dns/dns and /var/lib/samba/bind-dns/dns/sam.ldb.d: no success

About strace: NAMED_ARGS is defined in /etc/sysconfig/named as “”
I ran strace -o /tmp/named.log /usr/sbin/named -u named -d 9 but the log file contains only the open of the needed libraries and ends with

getuid()                                = 0
setgid(44)                              = 0
setuid(44)                              = 0
prctl(PR_SET_DUMPABLE, SUID_DUMP_USER)  = 0
capget({version=_LINUX_CAPABILITY_VERSION_3, pid=0}, NULL) = 0
capget({version=_LINUX_CAPABILITY_VERSION_3, pid=0}, NULL) = 0
capget({version=_LINUX_CAPABILITY_VERSION_3, pid=0}, {effective=0, permitted=1<<CAP_CHOWN|1<<CAP_DAC_READ_SEARCH|1<<CAP_SETGID|1<<CAP_SETUID|1<<CAP_NET_BIND_SERVICE|1<<CAP_SYS_CHROOT|1<<CAP_SYS_RESOURCE, inheritable=0}) = 0
getuid()                                = 44
capset({version=_LINUX_CAPABILITY_VERSION_3, pid=0}, {effective=1<<CAP_NET_BIND_SERVICE|1<<CAP_SYS_RESOURCE, permitted=1<<CAP_NET_BIND_SERVICE|1<<CAP_SYS_RESOURCE, inheritable=0}) = 0
capget({version=_LINUX_CAPABILITY_VERSION_3, pid=0}, NULL) = 0
capget({version=_LINUX_CAPABILITY_VERSION_3, pid=0}, NULL) = 0
capget({version=_LINUX_CAPABILITY_VERSION_3, pid=0}, {effective=1<<CAP_NET_BIND_SERVICE|1<<CAP_SYS_RESOURCE, permitted=1<<CAP_NET_BIND_SERVICE|1<<CAP_SYS_RESOURCE, inheritable=0}) = 0
getuid()                                = 44
capset({version=_LINUX_CAPABILITY_VERSION_3, pid=0}, {effective=1<<CAP_NET_BIND_SERVICE|1<<CAP_SYS_RESOURCE, permitted=1<<CAP_NET_BIND_SERVICE|1<<CAP_SYS_RESOURCE, inheritable=0}) = 0
mmap(NULL, 266240, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xffffa660d000
pipe2([5, 6], 0)                        = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0xffffa66b80e0) = 30808
close(6)                                = 0
read(5, "", 1)                          = 0
exit_group(1)                           = ?
+++ exited with 1 +++

but journalctl data for this load is different

...
May 17 09:21:47 rasp named[30808]: samba_dlz: ldb: No encrypted secrets key file. Secret attributes will not be encrypted or decrypted
May 17 09:21:47 rasp named[30808]: samba_dlz:
May 17 09:21:47 rasp named[30808]: samba_dlz: schema_fsmo_init: we are master[yes] updates allowed[no]
May 17 09:21:47 rasp named[30808]: samba_dlz: started for DN DC=samdom,DC=pce23,DC=net
May 17 09:21:47 rasp named[30808]: samba_dlz: starting configure
May 17 09:21:47 rasp named[30808]: samba_dlz: Failed to configure zone 'samdom.pce23.net'
May 17 09:21:47 rasp named[30808]: loading configuration: already exists
May 17 09:21:47 rasp named[30808]: exiting (due to fatal error)

I checked for a zone file in /var/lib/named/dyn but this doesn’t exist and AFAIK it must be created and maintained by samba.
In named.conf I have the definition for the zone “samdom.pce23.net”

zone "samdom.pce23.net" in {
        type master;
        file "dyn/samdom.pce23.net";
        also-notify { 192.168.1.120; };
        notify yes;
        allow-transfer  { 192.168.1.120; };
        allow-query  { 192.168.1.0/24; 192.168.2.0/24; 192.168.3.0/24; 192.168.4.0/24; };
};

I’m lost here. Maybe I’ll open a bug report

Regards
Philippe

Yes, I am also lost; the only thing you could still try is adding “-f” as strace argument, maybe that gives more output.

Opening a bug report makes sense.

Had time to have a better look.

It is surprising the run with strace is different from the one without. It looks like the one under strace is stopped early, is that also your observation?

I see the uid and gid are set, both to 44. I assume that is the named user and named group, but can you check (“id -n -u 44” and “getent group 44”)

Hello,

Yes, these are the id and group of named

rasp:/tmp # id -n -u 44
named
rasp:/tmp # getent group 44
named:x:44:

Starting strace with option -f I see that named exits and the log is very big (> 2MB). Journalctl shows the same lines related to the configure of the zone

May 18 11:12:58 rasp named[6109]: samba_dlz: ldb: No encrypted secrets key file. Secret attributes will not be encrypted or decrypted
May 18 11:12:58 rasp named[6109]: samba_dlz:
May 18 11:12:59 rasp named[6109]: samba_dlz: schema_fsmo_init: we are master[yes] updates allowed[no]
May 18 11:12:59 rasp named[6109]: samba_dlz: started for DN DC=samdom,DC=pce23,DC=net
May 18 11:12:59 rasp named[6109]: samba_dlz: starting configure
May 18 11:12:59 rasp named[6109]: samba_dlz: Failed to configure zone 'samdom.pce23.net'
May 18 11:12:59 rasp named[6109]: loading configuration: already exists
May 18 11:12:59 rasp named[6109]: exiting (due to fatal error)

in the strace log file I see

6516  newfstatat(AT_FDCWD, "/var/lib/samba/bind-dns/dns/sam.ldb.d/metadata.tdb", {st_mode=S_IFREG|0660, st_size=421888, ...}, 0) = 0
6516  epoll_create1(0)                  = 65
6516  fcntl(65, F_GETFD)                = 0
6516  fcntl(65, F_SETFD, FD_CLOEXEC)    = 0
6516  getpid()                          = 6511
6516  getpid()                          = 6511
6516  mprotect(0xffff8c414000, 8192, PROT_READ|PROT_WRITE) = 0
6516  mprotect(0xffff8c416000, 24576, PROT_READ|PROT_WRITE) = 0
6516  mprotect(0xffff8c41c000, 28672, PROT_READ|PROT_WRITE) = 0
6516  mprotect(0xffff8c423000, 28672, PROT_READ|PROT_WRITE) = 0
6516  mprotect(0xffff8c42a000, 36864, PROT_READ|PROT_WRITE) = 0
6516  mprotect(0xffff8c433000, 4096, PROT_READ|PROT_WRITE) = 0

The last line is repeated more than 2000 times. This occurs for different files in /var/lib/samba/bind-dns/dns

I created a bug report
https://bugzilla.opensuse.org/show_bug.cgi?id=1186201

Regards

I am not really surprised of these mprotect lines, named is just marking a piece of memory only readable/writable (and not executable). That is probably a security feature so that buffer overflows can not lead to arbitrary/injected data to be executed.

I find it highly remarkable that something different happens running under strace than running it normally.

Okay, I had a look at Setting up a BIND DNS Server - SambaWiki and there I read:

To create a named group using GID 25:

groupadd -g 25 named

To create a named account with UID 25, primary group named, home directory /var/named/, and without a valid shell:

useradd -u 25 -g named -d /var/named -M -s /sbin/nologin named

And I see this 25 is the Unix default. For you named is 44 and while I can not see a good reason for that to be a problem, I would change it to 25.

I see there are also two ways to have Samba run DNS, did you try both?

Hello,

Changing the user and group id implies that I must thereafter change owner and group in a lot of directory/files. Not easy. Maybe by removing named package and reinstall after creating the user named with this group.

Yes, Samba can use internal dns or bind_dlz. I chose the bind-dlz because I had already bind running as a slave for my main server.

In the meantime I removed samba-ad-dc, samba and samba-winbind, and I deleted all directories and files in /var/lib/samba. Removed the line include “/var/lib/samba/bind-dns/named.conf” in /etc/named.conf ==> systemctl start named is then successful.
Thereafter I reinstalled the samba packages. After provision of the samba server and reinserting the include in /etc/named.conf the same error occurs. So the problem is in the instruction

database "dlopen /usr/lib64/samba/bind9/dlz_bind9_16.so"

Many thanks
Philippe

Hi, the reason for the read-only filesystem error is that the named systemd unit file restricts the paths named can write to:


# grep "ReadWritePaths" /usr/lib/systemd/system/named.service
ReadWritePaths=/var/lib/named /run/named

To work around the problem you can add an override:


# systemctl edit named

This will open an editor. Write:


[Service]
ReadWritePaths=/var/lib/named /run/named /var/lib/samba/bind-dns

After saving the override named should start.

Many thanks for this info. Your workaround works :)

rasp:/usr/lib/systemd/system # systemctl start named
rasp:/usr/lib/systemd/system # systemctl status named
● named.service - Berkeley Internet Name Domain (DNS)
     Loaded: loaded (/usr/lib/systemd/system/named.service; enabled; vendor preset: disabled)
     Active: active (running) since Mon 2021-05-24 14:24:46 CEST; 12s ago
    Process: 27291 ExecStartPre=/usr/libexec/bind/named.prep (code=exited, status=0/SUCCESS)
    Process: 27297 ExecStart=/usr/sbin/named -u named -d 9 $NAMED_ARGS (code=exited, status=0/SUCCESS)
   Main PID: 27298 (named)
      Tasks: 14 (limit: 4482)
        CPU: 722ms
     CGroup: /system.slice/named.service
             └─27298 /usr/sbin/named -u named -d 9
...
May 24 14:24:46 rasp named[27298]: managed-keys-zone: Key 20326 for zone . is now trusted (acceptance timer complete)
May 24 14:24:46 rasp named[27298]: resolver priming query complete

But I was unable to do it via systemctl

rasp:/etc/systemd/system # systemctl edit named
Editing "/etc/systemd/system/named.service.d/override.conf" canceled: temporary file is empty

The file was empty ==> not found. I found named.service in /etc/systemd/system/multi-user.target.wants but could not edit it via systemctl edit

rasp:/etc/systemd/system/multi-user.target.wants # ls -al named*
lrwxrwxrwx 1 root root 37 May 13 15:55 named.service -> /usr/lib/systemd/system/named.service

rasp:/etc/systemd/system/multi-user.target.wants # systemctl edit multi-user.target.wants/named.service
Invalid unit name "multi-user.target.wants/named.service" escaped as "multi-user.target.wants-named.service" (maybe you should use systemd-escape?).
No files found for multi-user.target.wants-named.service.
Run 'systemctl edit --force --full multi-user.target.wants-named.service' to create a new unit.

rasp:/ # systemctl edit /etc/systemd/system/multi-user.target.wants/named.service
No files found for etc-systemd-system-multi\x2duser.target.wants-named.service.mount.
Run 'systemctl edit --force --full etc-systemd-system-multi\x2duser.target.wants-named.service.mount' to create a new unit.

The man page for systemctl edit is not helpful.
Editing it via vim changes it directly in /usr/lib/systemd/system. I’ll need to check the service after each update >:(.

I also need to update the bug report. The path “/var/lib/samba/bind-dns” must be added in named.service, which is not simple I think.

Many thanks again
Philippe
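Added example, not code from the thread or from the openSUSE named package: the two checks this thread converged on, done as shell functions. `path_is_writable` reads every `ReadWritePaths=` line from a unit file and its `*.conf` drop-ins and reports whether a path such as the sam.ldb database falls under one of them (ReadWritePaths= only has an effect in combination with a read-only sandbox such as ProtectSystem=strict or ReadOnlyPaths=, which is what produces the "Read-only file system" error). `write_override` creates the same drop-in that `systemctl edit named` would have written, so the vendor unit in /usr/lib/systemd/system is left untouched and survives package updates. The unit and drop-in directory paths are parameters, so the functions can be run against a scratch directory.

```shell
# Added example (not part of the original thread). Assumes POSIX sh.

# Print every path listed on ReadWritePaths= lines in the unit file and in
# the *.conf drop-ins of its .d directory, one per line. Leading '-' / '+'
# option prefixes on a path are stripped before printing.
collect_rw_paths() {
    unit="$1"          # e.g. /usr/lib/systemd/system/named.service
    dropin_dir="$2"    # e.g. /etc/systemd/system/named.service.d
    {
        [ -f "$unit" ] && cat "$unit"
        for f in "$dropin_dir"/*.conf; do
            [ -f "$f" ] && cat "$f"
        done
    } | sed -n 's/^ReadWritePaths=//p' | tr ' ' '\n' | sed 's/^[-+]*//; /^$/d'
}

# Return 0 when $1 is equal to, or underneath, one of the listed paths;
# otherwise return 1. With ProtectSystem=strict everything not listed is
# mounted read-only for the service, which is what named ran into here.
path_is_writable() {
    target="$1"; unit="$2"; dropin_dir="$3"
    collect_rw_paths "$unit" "$dropin_dir" | while IFS= read -r p; do
        case "$target" in
            "$p"|"$p"/*) echo yes; break ;;
        esac
    done | grep -q yes
}

# Write a drop-in override listing all the paths given as arguments. A value
# on a list-type directive such as ReadWritePaths= is appended to the vendor
# unit's list, so repeating the vendor paths is harmless. After writing the
# real file run: systemctl daemon-reload && systemctl restart named
write_override() {
    dropin_dir="$1"; shift
    mkdir -p "$dropin_dir"
    printf '[Service]\nReadWritePaths=%s\n' "$*" > "$dropin_dir/override.conf"
}

# Usage on a live system (the paths from the thread):
#   path_is_writable /var/lib/samba/bind-dns/dns/sam.ldb \
#       /usr/lib/systemd/system/named.service /etc/systemd/system/named.service.d \
#       || write_override /etc/systemd/system/named.service.d \
#              /var/lib/named /run/named /var/lib/samba/bind-dns
```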