[SOLVED] Starting named, permission denied

Issues related to applications and software problems
rarebearnm
Posts: 24
Joined: 2012/01/17 05:57:31

[SOLVED] Starting named, permission denied

Post by rarebearnm » 2012/01/31 06:20:04

I am having trouble getting named to start on a CentOS 6.1 server. I've set up named in this environment multiple times, but this time it's failing to start.

When I run service named start, I get [Failed]. The /var/log/messages for it is: attached

From the logs it appears to be a permission issue.

I ran named-checkconf /etc/named.conf, and it was clean.
Version for named is: BIND 9.7.0-P2-RedHat-9.7.0-5.P2.el6

Permissions for /etc/named.conf are: -rw-r-----. 1 named named 1372 Jan 30 22:08 named.conf
I have changed the owner from root to named; this does not make a difference. It fails the same both ways.

Copies of /etc/named.conf; init.d/named; permissions for /var/named/*; /var/log/messages are all attached for reference.


When I installed the OS I did include, under Infrastructure Servers, the option for bind and chroot/bind (whatever the exact wording was). Do I have the wrong version of /etc/init.d/named installed? The exact same host and reverse files have been used on other servers. So has the named.conf file. I just moved those files in a tar ball from another working server, that is now gone. This has always worked for me before. I threw in an echo line in /etc/init.d/named to show the value of $named_conf that was being loaded, and it was /etc/named.conf.

Any idea what is wrong here?

/var/log/messages


Jan 30 22:14:11 NS1 named[24485]: starting BIND 9.7.0-P2-RedHat-9.7.0-5.P2.el6 -u named -t /var/named/chroot
Jan 30 22:14:11 NS1 named[24485]: built with '--build=x86_64-unknown-linux-gnu' '--host=x86_64-unknown-linux-gnu' '--target=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-libtool' '--localstatedir=/var' '--enable-threads' '--enable-ipv6' '--with-pic' '--disable-static' '--disable-openssl-version-check' '--with-dlz-ldap=yes' '--with-dlz-postgres=yes' '--with-dlz-mysql=yes' '--with-dlz-filesystem=yes' '--with-gssapi=yes' '--disable-isc-spnego' 'build_alias=x86_64-unknown-linux-gnu' 'host_alias=x86_64-unknown-linux-gnu' 'target_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic' 'CPPFLAGS= -DDIG_SIGCHASE'
Jan 30 22:14:11 NS1 named[24485]: adjusted limit on open files from 1024 to 1048576
Jan 30 22:14:11 NS1 named[24485]: found 4 CPUs, using 4 worker threads
Jan 30 22:14:11 NS1 named[24485]: using up to 4096 sockets
Jan 30 22:14:11 NS1 named[24485]: loading configuration from '/etc/named.conf'
Jan 30 22:14:11 NS1 named[24485]: none:0: open: /etc/named.conf: permission denied
Jan 30 22:14:11 NS1 named[24485]: loading configuration: permission denied
Jan 30 22:14:11 NS1 named[24485]: exiting (due to fatal error)

[code]
/etc/named.conf

//
// named.conf
// For SWC external Internet DNS
// 12/30/2011
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
    listen-on port 53 { 172.16.2.199; };
    // query-source address 172.16.2.199 port 53;
    directory "/var/named";
    version "??????";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query { any; };
    recursion no;
    forwarders { 4.2.2.1; 4.2.2.2; 8.8.8.8; };
    dnssec-enable yes;
    // dnssec-validation yes;
    dnssec-lookaside auto;

    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";
};

key KatonTrailer {
    algorithm "hmac-md5";
    secret "xtHHRptkvDWwQWCwZ72zZrsrAe6QP15jVFLRMPh48vyj9NF5mt3yDOGkr+Ny9MT7ttAe4fsZmnVYIL7NSkMYPg==";
};

server xxx.xxx.xxx.xxx {
    keys {
        "KatonTrailer";
    };
};

logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};

zone "." IN {
    type hint;
    file "named.ca";
};

include "/etc/named.rfc1912.zones";

zone "xx.xx.xx.in-addr.arpa" IN {
    type master;
    file "swc.rev";
    notify YES;
};

zone "swc.edu" IN {
    type master;
    file "swc.hosts";
    notify YES;
};



------------------------------------------------------------------

/etc/init.d/named

#!/bin/bash
#
# named           This shell script takes care of starting and stopping
#                 named (BIND DNS server).
#
# chkconfig: - 13 87
# description: named (BIND) is a Domain Name Server (DNS) \
#              that is used to resolve host names to IP addresses.
# probe: true

### BEGIN INIT INFO
# Provides: $named
# Required-Start: $local_fs $network $syslog
# Required-Stop: $local_fs $network $syslog
# Default-Start:
# Default-Stop: 0 1 2 3 4 5 6
# Short-Description: start|stop|status|restart|try-restart|reload|force-reload DNS server
# Description: control ISC BIND implementation of DNS server
### END INIT INFO

# Source function library.
. /etc/rc.d/init.d/functions

[ -r /etc/sysconfig/named ] && . /etc/sysconfig/named

RETVAL=0
export KRB5_KTNAME=${KEYTAB_FILE:-/etc/named.keytab}

named='named'
if [ -x /usr/sbin/named-sdb ]; then
    named='named-sdb'
fi

# Don't kill named during clean-up
NAMED_SHUTDOWN_TIMEOUT=${NAMED_SHUTDOWN_TIMEOUT:-25}

if [ -n "$ROOTDIR" ]; then
    ROOTDIR=`echo $ROOTDIR | sed 's#//*#/#g;s#/$##'`;
    rdl=`/usr/bin/readlink $ROOTDIR`;
    if [ -n "$rdl" ]; then
        ROOTDIR="$rdl";
    fi;
fi

ROOTDIR_MOUNT='/etc/named /etc/pki/dnssec-keys /var/named /etc/named.conf
/etc/named.dnssec.keys /etc/named.rfc1912.zones /etc/rndc.conf /etc/rndc.key
/usr/lib64/bind /usr/lib/bind /etc/named.iscdlv.key'

mount_chroot_conf()
{
    if [ -n "$ROOTDIR" ]; then
        for all in $ROOTDIR_MOUNT; do
            # Skip nonexistent files
            [ -e "$all" ] || continue

            # If mount source is a file
            if ! [ -d "$all" ]; then
                # mount it only if it is not present in chroot or it is empty
                if ! [ -e "$ROOTDIR$all" ] || [ `stat -c'%s' "$ROOTDIR$all"` -eq 0 ]; then
                    touch "$ROOTDIR$all"
                    mount --bind "$all" "$ROOTDIR$all"
                fi
            else
                # Mount source is a directory. Mount it only if directory in chroot is
                # empty.
                if [ -e "$all" ] && [ `ls -1A $ROOTDIR$all | wc -l` -eq 0 ]; then
                    mount --bind "$all" "$ROOTDIR$all"
                fi
            fi
        done
    fi
}

umount_chroot_conf()
{
    for all in $ROOTDIR_MOUNT; do
        # Check if file is mount target. Do not use /proc/mounts because detecting
        # of modified mounted files can fail.
        if mount | grep -q '.* on '"$ROOTDIR$all"' .*'; then
            umount "$ROOTDIR$all"
            # Remove temporarily created files
            [ -f "$all" ] && rm -f "$ROOTDIR$all"
        fi
    done
}

# Check that everything named needs is in place, then start it
start()
{
    [ "$EUID" != "0" ] && exit 4

    # Source networking configuration.
    [ -r /etc/sysconfig/network ] && . /etc/sysconfig/network

    # Check that networking is up
    [ "${NETWORKING}" = "no" ] && exit 1


    [ -x /usr/sbin/"$named" ] || exit 5

    # Handle -c option
    previous_option='unspecified';
    for a in $OPTIONS; do
        if [ $previous_option = '-c' ]; then
            named_conf=$a;
        fi;
        previous_option=$a;
    done;

    #named_conf=${named_conf:-/etc/named.conf};
    echo "****named.conf $named_conf"

    mount_chroot_conf

    if [ ! -r $ROOTDIR$named_conf ]; then
        echo 'Cannot find configuration file. You could create it by system-config-bind'
        exit 6;
    fi;

    # all pre-start is done, let's start named
    echo -n $"Starting named: "
    if [ -n "`/sbin/pidof -o %PPID "$named"`" ]; then
        echo -n $"named: already running"
        success
        echo
        exit 0;
    fi;

    ckcf_options='-z'; # enable named-checkzone for each zone (9.3.1+) !
    if [ -n "${ROOTDIR}" -a "x${ROOTDIR}" != "x/" ]; then
        OPTIONS="${OPTIONS} -t ${ROOTDIR}"
        ckcf_options="$ckcf_options -t ${ROOTDIR}";
        [ -s /etc/localtime ] && cp -fp /etc/localtime ${ROOTDIR}/etc/localtime;
    fi

    RETVAL=0
    # check if configuration is correct
    if [ -x /usr/sbin/named-checkconf ] && [ -x /usr/sbin/named-checkzone ] && /usr/sbin/named-checkconf $ckcf_options ${named_conf} >/dev/null 2>&1; then

        daemon /usr/sbin/"$named" -u named ${OPTIONS};
        RETVAL=$?
        if [ $RETVAL -eq 0 ]; then
            rm -f /var/run/{named,named-sdb}.pid;
            ln -s $ROOTDIR/var/run/named/"$named".pid /var/run/"$named".pid;
        fi;

        if [ -n "`/sbin/pidof -o %PPID "$named"`" ]; then
            # Verify that named actually started (JM 2006-10-04)
            if [ ! -e $ROOTDIR/var/run/named/"$named".pid ]; then
                # If there is not a file containing the PID of the now running named daemon then create it (JM 2006-10-04)
                echo `/sbin/pidof -o %PPID "$named"` > $ROOTDIR/var/run/named/"$named".pid;
            fi;
        fi;
    else
        named_err="`/usr/sbin/named-checkconf $ckcf_options $named_conf 2>&1`";
        echo
        echo "Error in named configuration:";
        echo "$named_err";
        failure
        echo
        [ -x /usr/bin/logger ] && echo "$named_err" | /usr/bin/logger -pdaemon.error -tnamed;
        umount_chroot_conf
        exit 2;
    fi;
    echo
    if [ $RETVAL -eq 0 ]; then
        touch /var/lock/subsys/named;
    else
        umount_chroot_conf
        exit 7;
    fi
    return 0;
}

stop() {
    [ "$EUID" != "0" ] && exit 4

    # Stop daemons.
    echo -n $"Stopping named: "
    [ -x /usr/sbin/rndc ] && /usr/sbin/rndc stop >/dev/null 2>&1;
    RETVAL=$?
    # was rndc successful?
    [ "$RETVAL" -eq 0 ] || killproc "$named" -TERM >/dev/null 2>&1

    timeout=0
    RETVAL=0
    while /sbin/pidof -o %PPID "$named" >/dev/null; do
        if [ $timeout -ge $NAMED_SHUTDOWN_TIMEOUT ]; then
            RETVAL=1
            break
        else
            sleep 2 && echo -n "."
            timeout=$((timeout+2))
        fi;
    done

    umount_chroot_conf

    # remove pid files
    if [ $RETVAL -eq 0 ]; then
        rm -f /var/lock/subsys/named
        rm -f /var/run/{named,named-sdb}.pid
    fi;

    if [ $RETVAL -eq 0 ]; then
        success
    else
        failure
        RETVAL=1
    fi;
    echo
    return $RETVAL
}


rhstatus() {
    [ -x /usr/sbin/rndc ] && /usr/sbin/rndc status;
    status /usr/sbin/"$named";
    return $?
}
restart() {
    stop
    start
}
reload() {
    [ "$EUID" != "0" ] && exit

    echo -n $"Reloading "$named": "
    p=`/sbin/pidof -o %PPID "$named"`
    RETVAL=$?
    if [ "$RETVAL" -eq 0 ]; then
        /usr/sbin/rndc reload >/dev/null 2>&1 || /bin/kill -HUP $p;
        RETVAL=$?
    fi
    [ "$RETVAL" -eq 0 ] && success $"$named reload" || failure $"$named reload"
    echo
    return $RETVAL
}

# See how we were called.
case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    status)
        rhstatus;
        RETVAL=$?
        ;;
    restart)
        restart
        ;;
    condrestart|try-restart)
        if [ -e /var/lock/subsys/named ]; then restart; fi
        ;;
    reload)
        reload
        ;;
    force-reload)
        if ! reload; then restart; fi
        ;;
    *)
        echo $"Usage: $0 {start|stop|status|restart|try-restart|reload|force-reload}"
        [ "x$1" = "x" ] && exit 0
        exit 2
esac

exit $RETVAL


---------------------------------------------------------------
ls -al /var/named/*

-rw-r-----. 1 root named 1892 Jan 30 13:01 named/named.ca
-rw-r-----. 1 root named 152 Jan 30 13:01 named/named.empty
-rw-r-----. 1 root named 152 Jan 30 13:01 named/named.localhost
-rw-r-----. 1 root named 168 Jan 30 13:01 named/named.loopback
-rw-r--r--. 1 root named 622 Jan 30 13:01 named/swc.hosts
-rw-r--r--. 1 root named 325 Jan 30 13:01 named/swc.rev

named/chroot:
total 24
drwxr-x---. 6 root named 4096 Jan 30 12:20 .
drwxr-x---. 6 root named 4096 Jan 30 13:01 ..
drwxr-x---. 2 root named 4096 Jan 30 13:01 dev
drwxr-x---. 4 root named 4096 Jan 30 13:01 etc
drwxr-xr-x. 3 root root 4096 Jan 30 12:20 usr
drwxr-x---. 6 root named 4096 Jan 30 12:20 var

named/data:
total 152
drwxrwx---. 2 named named 4096 Jan 30 13:01 .
drwxr-x---. 6 root named 4096 Jan 30 13:01 ..
-rw-r--r--. 1 root root 4834 Jan 30 13:01 named.run
-rw-r--r--. 1 root root 97609 Jan 30 13:01 named.run-20120101
-rw-r--r--. 1 root root 39448 Jan 30 13:01 named.run-20120108

named/dynamic:
total 16
drwxrwx---. 2 named named 4096 Jan 30 13:01 .
drwxr-x---. 6 root named 4096 Jan 30 13:01 ..
-rw-r--r--. 1 root root 739 Jan 30 13:01 managed-keys.bind
-rw-r--r--. 1 root root 1278 Jan 30 13:01 managed-keys.bind.jnl

named/slaves:
total 8
drwxrwx---. 2 named named 4096 Nov 10 2010 .
drwxr-x---. 6 root named 4096 Jan 30 13:01 ..
[/code]

[Moderator edit: Added code tags to preserve formatting.]

TrevorH
Forum Moderator
Posts: 28865
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Starting named, permission denied

Post by TrevorH » 2012/01/31 07:02:52

If you installed bind-chroot then all files are relative to /var/named/chroot so /etc/named.conf is /var/named/chroot/etc/named.conf.

You may want to use the -Z switch to ls to make sure that your SELinux contexts for the files are correct.
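To make the chroot path point concrete, the following is an added example (not part of TrevorH's reply, and not the init script above): it replicates the rule the posted /etc/init.d/named script applies in mount_chroot_conf, bind-mounting a host file into ROOTDIR only when the chroot copy is missing or empty, so a stale non-empty file left inside the chroot silently shadows the /etc/named.conf you edited. The directory layout is constructed under a temp dir; SELinux labels are not modelled.

```shell
#!/bin/sh
# Added example, not from the thread. Mirrors the mount_chroot_conf decision in
# the CentOS /etc/init.d/named script and shows which named.conf a chrooted
# named actually opens. Check SELinux labels separately with ls -Z.

# Prints "mount" when the init script would bind-mount host_file over chroot_file,
# "keep-chroot-copy" when a non-empty file inside the chroot shadows it, or
# "skip" when the host file does not exist.
mount_decision() {
    host_file=$1
    chroot_file=$2
    [ -e "$host_file" ] || { echo skip; return 0; }
    if [ ! -s "$chroot_file" ]; then      # missing or zero bytes -> gets mounted
        echo mount
    else
        echo keep-chroot-copy
    fi
}

# Path that named, started with "-t ROOTDIR -c CONF", opens after chroot().
effective_conf() {
    printf '%s%s\n' "$1" "$2"
}

# Builds a throwaway layout (constructed sample data) mirroring the thread: an
# edited named.conf on the host and a stale, non-empty copy already in the chroot.
make_demo() {
    d=$(mktemp -d)
    mkdir -p "$d/etc" "$d/chroot/etc"
    echo 'options { directory "/var/named"; };' > "$d/etc/named.conf"
    echo '// stale copy left behind in the chroot' > "$d/chroot/etc/named.conf"
    : > "$d/etc/named.rfc1912.zones"         # present on the host
    : > "$d/chroot/etc/named.rfc1912.zones"  # empty in the chroot
    echo "$d"
}

demo=$(make_demo)
for f in named.conf named.rfc1912.zones rndc.key; do
    printf '%-24s %s\n' "$f" "$(mount_decision "$demo/etc/$f" "$demo/chroot/etc/$f")"
done
# With ROOTDIR=/var/named/chroot the daemon reads this file, not /etc/named.conf:
effective_conf /var/named/chroot /etc/named.conf
rm -rf "$demo"
```

If the file the chroot copy shadows is unreadable by the named user or carries the wrong label, you get exactly the "open: /etc/named.conf: permission denied" line from the log, even though the host-side /etc/named.conf looks fine.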

rarebearnm
Posts: 24
Joined: 2012/01/17 05:57:31

Re: Starting named, permission denied

Post by rarebearnm » 2012/01/31 07:18:32

Problem solved.

I saved copies of my named.conf and /var/named/hosts (forward and reverse) files.
ran yum remove bind
cd /var/named
rm -Rf * (be careful)
ran yum install bind
copied my named.conf and /var/named host files back
service named start

The service started right up no issue. Dig testing was perfect.

Bottom line: do not select the chroot option at OS install if you do want to use it. chroot is good for most cases.

pschaff
Retired Moderator
Posts: 18276
Joined: 2006/12/13 20:15:34
Location: Tidewater, Virginia, North America

[SOLVED] Starting named, permission denied

Post by pschaff » 2012/01/31 11:22:06

Thanks for reporting back. Marking this thread [SOLVED] for posterity.

For future reference, please review Readme First (http://www.centos.org/modules/newbb/viewtopic.php?topic_id=28726&forum=54) and use http://pastebin.centos.org for long content, if required.
