
Bind 9.6.1-P2 + dhcp3-server 3.1.2




Всем привет! Если кто может, помогите.

Система: ubuntu-server 9.10 (установлена на виртуальную машину)

В логах вижу такую запись (named[1376]: /etc/bind/db.network.jnl: create: permission denied):

DHCPDISCOVER from 00:16:36:94:e8:e9 via eth0
Mar 6 20:23:59 creepers dhcpd: DHCPOFFER on 192.168.0.200 to 00:16:36:94:e8:e9 (jeepcreep) via eth0
Mar 6 20:23:59 creepers named[1376]: client 127.0.0.1#44134: signer «rndc-key» approved
Mar 6 20:23:59 creepers named[1376]: client 127.0.0.1#44134: updating zone 'network.athome/IN': adding an RR at 'jeepcreep.network.athome' A
Mar 6 20:23:59 creepers named[1376]: client 127.0.0.1#44134: updating zone 'network.athome/IN': adding an RR at 'jeepcreep.network.athome' TXT
Mar 6 20:23:59 creepers named[1376]: journal file /etc/bind/db.network.jnl does not exist, creating it
Mar 6 20:23:59 creepers named[1376]: /etc/bind/db.network.jnl: create: permission denied
Mar 6 20:23:59 creepers named[1376]: client 127.0.0.1#44134: updating zone 'network.athome/IN': error: journal open failed: unexpected error
Mar 6 20:23:59 creepers dhcpd: Unable to add forward map from jeepcreep.network.athome to 192.168.0.200: timed out
Mar 6 20:23:59 creepers dhcpd: dhcp.c(3997): non-null pointer
Mar 6 20:23:59 creepers dhcpd: DHCPREQUEST for 192.168.0.200 (192.168.0.102) from 00:16:36:94:e8:e9 (jeepcreep) via eth0
Mar 6 20:23:59 creepers dhcpd: DHCPACK on 192.168.0.200 to 00:16:36:94:e8:e9 (jeepcreep) via eth0

Понимаю, что запрещён доступ в папку /etc/bind, но когда задаю полный доступ всем пользователям (для эксперимента), лучше не становится.

Ниже перечисляю все конфиги:

[named.conf] ------------------------------------------------------

// named.conf: only includes, Debian/Ubuntu layout.
// NOTE(review): the « » quotes are presumably the forum's typographic rendering of
// ASCII double quotes; named's parser needs plain "..." in the real file.
// rndc.key comes first so that controls{} (named.conf.options) and the
// allow-update statements (named.conf.local) can refer to "rndc-key".
// The same key file is also include'd by dhcpd.conf, i.e. the DHCP server's
// DDNS signing secret and the rndc control secret are one and the same.
include «/etc/bind/rndc.key»;
include «/etc/bind/named.conf.options»;
include «/etc/bind/named.conf.local»;
include «/etc/bind/named.conf.default-zones»;

[named.conf.options]-----------------------------------------------

options {
// Working directory; relative "file" paths in zone statements resolve against it.
// Every zone on this host uses an absolute /etc/bind path, and named creates the
// journal next to the zone file (the log shows /etc/bind/db.network.jnl), so this
// directory plays no part in the journal "permission denied".
directory «/var/cache/bind»;

// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113

// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.

// forwarders {
// 0.0.0.0;
// };

// NOTE(review): no allow-transfer is set, so BIND's default applies and a zone
// transfer (AXFR) of network.athome is answered to any host; add
// allow-transfer { none; } (or a list of secondaries) if the LAN's hostnames
// should not be enumerable.
auth-nxdomain no; # conform to RFC1035
// No IPv6 listener; the control channel below is bound to loopback as well.
listen-on-v6 { none; };
};

// rndc control channel: loopback only, authenticated with rndc-key.
// NOTE(review): rndc-key is also the DDNS update key (allow-update in
// named.conf.local) and is include'd into dhcpd.conf, so the DHCP server's
// update credential doubles as a full rndc credential (reload/stop/flush...).
// Least privilege: generate a separate TSIG key for DDNS and keep rndc-key for
// the control channel alone.
controls {
inet 127.0.0.1 allow {localhost; } keys {«rndc-key»; };
};

[named.conf.local] -----------------------------------------------

// Forward zone, dynamically updated by dhcpd over TSIG.
zone «network.athome» {
type master;
// named creates the journal beside this file (/etc/bind/db.network.jnl in the
// log), and the AppArmor profile's own comment says /etc/bind is meant to be
// read-only for named; dynamic zones belong in /var/lib/bind, which the profile
// allows rw. Proposed: file "/var/lib/bind/db.network"; after moving the file
// there (owned/writable by the user named runs as — confirm on the host).
file «/etc/bind/db.network»;
// allow-update with a key authorizes ANY change to the zone by that key holder,
// SOA and NS included. rndc-key is also the rndc control key: prefer a dedicated
// DDNS key, and update-policy if the key should be limited to host records.
allow-update { key rndc-key; };
// No secondaries are configured in these files, so notify has no one to reach.
notify yes;
};

// Reverse zone for 192.168.0.0/24; same update path and the same remarks apply
// (journal location, shared rndc-key).
zone «0.168.192.in-addr.arpa» {
type master;
// Proposed: file "/var/lib/bind/db.192.168.0"; — see the forward zone above.
file «/etc/bind/db.192.168.0»;
allow-update { key rndc-key; };
notify yes;
};

[ named.conf.default-zones]

// Stock default zones: root hints plus the localhost/loopback/broadcast reverse
// zones. None of them accepts dynamic updates, so /etc/bind (read-only for
// named) is the right place for their files; only the DDNS zones need to move.
zone "." {
type hint;
file «/etc/bind/db.root»;
};

zone «localhost» {
type master;
file «/etc/bind/db.local»;
};

zone «127.in-addr.arpa» {
type master;
file «/etc/bind/db.127»;
};

zone «0.in-addr.arpa» {
type master;
file «/etc/bind/db.0»;
};

zone «255.in-addr.arpa» {
type master;
file «/etc/bind/db.255»;
};

Файлы зон

[db.network]

; db.network — forward zone for network.athome (referenced from named.conf.local).
; NOTE(review): once allow-update is working, named owns this file: changes go to
; the journal (db.network.jnl) and are folded back in periodically. Hand edits
; must be bracketed by `rndc freeze` / `rndc thaw`, otherwise they are lost or
; collide with the journal. The dhcpd log shows it adds an A plus a TXT per host.
$TTL 604800
@ IN SOA network.athome. root.network.athome. (
        20100306 ; Serial
        604800 ; Refresh
        86400 ; Retry
        2419200 ; Expire
        604800 ) ; Negative Cache TTL
;
@ IN NS network.athome.
@ IN A 192.168.0.102
creepers IN A 192.168.0.102

[db.192.168.0]

; db.192.168.0 — reverse zone for 192.168.0.0/24; dhcpd adds PTRs here.
; NOTE(review): dynamically updated like db.network — same freeze/thaw rule for
; hand edits. Two PTRs for .102 are legal, but a reverse lookup returns both;
; keep one if a single canonical name is wanted.
$TTL 604800
@ IN SOA network.athome. root.network.athome. (
        20100306 ; Serial
        604800 ; Refresh
        86400 ; Retry
        2419200 ; Expire
        604800 ) ; Negative Cache TTL
;
@ IN NS network.athome.
102 IN PTR network.athome.
102 IN PTR creepers.network.athome.

Конфиг-файл DHCP-сервера

[dhcpd.conf]

# dhcpd.conf — DHCP for 192.168.0.0/24 with DDNS updates into the local BIND.
authoritative;
# NOTE(review): the rndc control key is reused as the DDNS signing key, so the
# secret must be readable by dhcpd as well as named, and anyone holding it can
# drive rndc. A dedicated "key" statement with its own TSIG secret, granted
# allow-update/update-policy in named, keeps the two roles apart.
include «/etc/bind/rndc.key»;
server-identifier creepers;
ddns-domainname «network.athome»;
ddns-rev-domainname «in-addr.arpa»;
# interim style: a TXT record is written alongside each A (visible in the named
# log) and is meant to record which client owns a name, so that another client
# cannot silently take it over. Names themselves come from the clients (jeepcreep).
ddns-update-style interim;
ddns-updates on;
# With "allow client-updates" a client that asks (FQDN option) to register its
# own forward name is honoured and dhcpd adds only the PTR; as named accepts
# updates only with the TSIG key, such a client's A record would simply never
# appear. "ignore client-updates" (commented out here) makes dhcpd do both itself.
#ignore client-updates;
allow client-updates;
default-lease-time 21600;
max-lease-time 43200;

option ip-forwarding off;

subnet 192.168.0.0 netmask 255.255.255.0 {

range 192.168.0.200 192.168.0.205;
option routers 192.168.0.1; # default gateway
option subnet-mask 255.255.255.0;
option broadcast-address 255.255.255.0;
# NOTE(review): 192.168.0.1 (the router) presumably knows nothing about
# network.athome, so clients that fail over to it lose local name resolution —
# fine only as a pure fallback.
option domain-name-servers 192.168.0.102, 192.168.0.1;
option domain-name «network.athome»;

}

# Update targets: zone names match named.conf.local; updates go to loopback,
# where named's control channel is bound as well.
zone network.athome { primary 127.0.0.1; key rndc-key; }

zone 0.168.192.in-addr.arpa { primary 127.0.0.1; key rndc-key; }

Профиль AppArmor

[usr.sbin.named]

# AppArmor profile for named (usr.sbin.named). The "create: permission denied"
# for /etc/bind/db.network.jnl is the kind of failure this profile produces;
# AppArmor denials are reported in the kernel log, which is how to tell them
# apart from plain Unix permission errors (chmod on /etc/bind does not help).
/usr/sbin/named {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  capability net_bind_service,
  capability setgid,
  capability setuid,
  capability sys_chroot,
  capability sys_resource,

  # /etc/bind should be read-only for bind
  # /var/lib/bind is for dynamically updated zone (and journal) files.
  # /var/cache/bind is for slave/stub data, since we're not the origin of it.
  # See /usr/share/doc/bind9/README.Debian.gz
  # NOTE(review): the comment above says read-only, but the rule below grants rw —
  # presumably edited while experimenting. Edits take effect only after the
  # profile is reloaded (apparmor_parser -r on this file). The least-privilege
  # fix is to keep /etc/bind at "r" and move the DDNS zone files to
  # /var/lib/bind, which is already rw here; named's unix user must also be able
  # to write that directory (confirm on the host).
  /etc/bind/** rw,
  /var/lib/bind/** rw,
  /var/lib/bind/ rw,
  /var/cache/bind/** rw,
  /var/cache/bind/ rw,

  # gssapi
  /etc/krb5.keytab kr,
  /etc/bind/krb5.keytab kr,

  # ssl
  /etc/ssl/openssl.cnf r,

  # dnscvsutil package
  /var/lib/dnscvsutil/compiled/** rw,

  /proc/net/if_inet6 r,
  /proc/*/net/if_inet6 r,
  /usr/sbin/named mr,
  /var/run/named/named.pid w,
  # support for resolvconf
  /var/run/named/named.options r,

  # some people like to put logs in /var/log/named/ instead of having
  # syslog do the heavy lifting.
  /var/log/named/** rw,
  /var/log/named/ rw,
}

Подскажите, как разрешить доступ на создание и изменение журнала зоны.

Заранее благодарен!

>/etc/bind should be read-only for bind

Переложи файлы динамических зон из /etc/bind в /var/lib/bind и поправь пути в named.conf.local: именно туда профиль AppArmor разрешает named писать (/var/lib/bind/** rw), а /etc/bind должен оставаться read-only.

nnz ★★★★ ()