Bind9 issues when upgrading from ubuntu 14.04 LTS to 16.04.1 LTS

If, like me, you have begun the upgrade from 14.04 LTS to 16.04.1 LTS, you will likely find a number of configuration issues post-upgrade. One such issue is that your BIND9 / Samba integrated AD DNS solution no longer works. A quick look over the logs with grep (e.g. grep -I "named" /var/log/messages) will produce output similar to this:

Aug 26 07:36:07 AServer named[3594]: ----------------------------------------------------
Aug 26 07:36:07 AServer named[3594]: BIND 9 is maintained by Internet Systems Consortium,
Aug 26 07:36:07 AServer named[3594]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
Aug 26 07:36:07 AServer named[3594]: corporation.  Support and training for BIND 9 are
Aug 26 07:36:07 AServer named[3594]: available at https://www.isc.org/support
Aug 26 07:36:07 AServer named[3594]: ----------------------------------------------------
Aug 26 07:36:07 AServer named[3594]: adjusted limit on open files from 4096 to 1048576
Aug 26 07:36:07 AServer named[3594]: found 2 CPUs, using 2 worker threads
Aug 26 07:36:07 AServer named[3594]: using 2 UDP listeners per interface
Aug 26 07:36:07 AServer named[3594]: using up to 4096 sockets
Aug 26 07:36:07 AServer named[3594]: loading configuration from '/etc/bind/named.conf'
Aug 26 07:36:07 AServer named[3594]: /etc/bind/named.conf:10: open: /var/lib/samba/private/named.conf: permission denied
Aug 26 07:36:07 AServer named[3594]: loading configuration: permission denied
Aug 26 07:36:07 AServer named[3594]: exiting (due to fatal error)

The issue above is clearly a permissions issue (Right!?). The first thing you will discover is that named no longer runs as root; it now runs as the unprivileged bind user, so everything it needs must be readable by that account. That is the first thing to fix. The lazy man's approach here is to chmod o+x until your bind daemon can read the file; no points for guessing what was done here.

Items I found needed fixing were:
– fix the permissions on named.conf in /var/lib/samba/private
– fix the permissions in /etc/bind

In addition to this, 16.04 introduces AppArmor, so you will need to add or check rules for it. I found a forum post which details the answer below. Original post: http://askubuntu.com/questions/203042/having-problems-getting-samba4-and-bind9-working-together-because-of-apparmor

vi /etc/apparmor.d/local/usr.sbin.named

# Site-specific additions and overrides for usr.sbin.named.
# For more details, please see /etc/apparmor.d/local/README.
/var/lib/samba/private/named.conf r,
/var/lib/samba/private/dns.keytab kwr,
/usr/lib/samba/** m,
/var/lib/samba/private/dns/** krw,
/var/tmp/** krw,
/dev/urandom rw,

From memory I restarted AppArmor at this point

sudo systemctl restart apparmor

Once you have those pesky permissions sorted you're going to be under the belief that all is well, and you would be wrong. However, if your messages output looks similar to the below, you're on the right track.

Aug 26 07:45:07 AServer named[3841]: ----------------------------------------------------
Aug 26 07:45:07 AServer named[3841]: BIND 9 is maintained by Internet Systems Consortium,
Aug 26 07:45:07 AServer named[3841]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
Aug 26 07:45:07 AServer named[3841]: corporation.  Support and training for BIND 9 are
Aug 26 07:45:07 AServer named[3841]: available at https://www.isc.org/support
Aug 26 07:45:07 AServer named[3841]: ----------------------------------------------------
Aug 26 07:45:07 AServer named[3841]: adjusted limit on open files from 4096 to 1048576
Aug 26 07:45:07 AServer named[3841]: found 2 CPUs, using 2 worker threads
Aug 26 07:45:07 AServer named[3841]: using 2 UDP listeners per interface
Aug 26 07:45:07 AServer named[3841]: using up to 4096 sockets
Aug 26 07:45:07 AServer named[3841]: loading configuration from '/etc/bind/named.conf'
Aug 26 07:45:07 AServer named[3841]: reading built-in trusted keys from file '/etc/bind/bind.keys'
Aug 26 07:45:07 AServer named[3841]: initializing GeoIP Country (IPv4) (type 1) DB
Aug 26 07:45:07 AServer named[3841]: GEO-106FREE 20160408 Bu
Aug 26 07:45:07 AServer named[3841]: initializing GeoIP Country (IPv6) (type 12) DB
Aug 26 07:45:07 AServer named[3841]: GEO-106FREE 20160408 Bu
Aug 26 07:45:07 AServer named[3841]: GeoIP City (IPv4) (type 2) DB not available
Aug 26 07:45:07 AServer named[3841]: GeoIP City (IPv4) (type 6) DB not available
Aug 26 07:45:07 AServer named[3841]: GeoIP City (IPv6) (type 30) DB not available
Aug 26 07:45:07 AServer named[3841]: GeoIP City (IPv6) (type 31) DB not available
Aug 26 07:45:07 AServer named[3841]: GeoIP Region (type 3) DB not available
Aug 26 07:45:07 AServer named[3841]: GeoIP Region (type 7) DB not available
Aug 26 07:45:07 AServer named[3841]: GeoIP ISP (type 4) DB not available
Aug 26 07:45:07 AServer named[3841]: GeoIP Org (type 5) DB not available
Aug 26 07:45:07 AServer named[3841]: GeoIP AS (type 9) DB not available
Aug 26 07:45:07 AServer named[3841]: GeoIP Domain (type 11) DB not available
Aug 26 07:45:07 AServer named[3841]: GeoIP NetSpeed (type 10) DB not available
Aug 26 07:45:07 AServer named[3841]: using default UDP/IPv4 port range: [32768, 60999]
Aug 26 07:45:07 AServer named[3841]: using default UDP/IPv6 port range: [32768, 60999]
Aug 26 07:45:07 AServer named[3841]: listening on IPv6 interfaces, port 53
Aug 26 07:45:07 AServer named[3841]: listening on IPv4 interface lo, 127.0.0.1#53
Aug 26 07:45:07 AServer named[3841]: listening on IPv4 interface eth0, 172.16.100.235#53
Aug 26 07:45:07 AServer named[3841]: generating session key for dynamic DNS
Aug 26 07:45:07 AServer named[3841]: sizing zone task pool based on 5 zones
Aug 26 07:45:07 AServer named[3841]: Loading 'AD DNS Zone' using driver dlopen
Aug 26 07:45:07 AServer named[3841]: dlz_dlopen: /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_9.so: incorrect driver API version 2, requires 3
Aug 26 07:45:07 AServer named[3841]: dlz_dlopen of 'AD DNS Zone' failed
Aug 26 07:45:07 AServer named[3841]: SDLZ driver failed to load.
Aug 26 07:45:07 AServer named[3841]: DLZ driver failed to load.
Aug 26 07:45:07 AServer named[3841]: loading configuration: failure
Aug 26 07:45:07 AServer named[3841]: exiting (due to fatal error)

In the above log you can see the issue: the dlz_dlopen line reports that dlz_bind9_9.so has "incorrect driver API version 2, requires 3". You will need to update the conf file to load the library that matches the new version of BIND you are now running. Below is the file with the edit you need to make (the single uncommented database line); make it and then restart bind.

vi /var/lib/samba/private/named.conf

# This DNS configuration is for BIND 9.8.0 or later with dlz_dlopen support.
#
# This file should be included in your main BIND configuration file
#
# For example with
# include "/var/lib/samba/private/named.conf";
#
# This configures dynamically loadable zones (DLZ) from AD schema
# Uncomment only single database line, depending on your BIND version
#
dlz "AD DNS Zone" {
# For BIND 9.8.0
# database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9.so";

# For BIND 9.9.0
# database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_9.so";

# For BIND 9.10.0
database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so";
};

* Please note that in the above config there is no line break between bind9/ and dlz_bind9_10.so; each database line, including its path, is a single line.

From here your bind server should start and you're back in business!
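As an added check that is not part of the original post, the script below reads the active database line from Samba's named.conf and compares it with the installed BIND version, which is the mismatch behind the "incorrect driver API version" error above. It assumes only the three drivers the post lists (9.8, 9.9, 9.10) and uses a constructed copy of the file for its demo.

```shell
# Added check, not from the original post: does the dlz_dlopen driver selected
# in Samba's named.conf match the installed BIND version?
# Installed version from `named -v` ("BIND 9.10.3-P4-Ubuntu ..." -> 9.10.3).
installed_bind_version() {
    named -v 2>/dev/null | sed -n 's/^BIND \([0-9][0-9.]*\).*/\1/p'
}
# Driver for a version; assumes only the three drivers listed in the post.
dlz_driver_for() {
    case "$1" in
        9.8.*)  echo dlz_bind9.so ;;
        9.9.*)  echo dlz_bind9_9.so ;;
        9.10.*) echo dlz_bind9_10.so ;;
        *)      echo unknown; return 1 ;;
    esac
}
# Basenames of the drivers on uncommented "database" lines of a conf file.
active_dlz_drivers() {
    sed -n 's/^[[:space:]]*database[[:space:]]*"dlopen[[:space:]]*\([^"]*\)".*/\1/p' "$1" |
        sed 's#.*/##'
}

# Returns 0 only if exactly one database line is active and it matches $2.
check_dlz_conf() {
    want=$(dlz_driver_for "$2") || { echo "unsupported BIND version $2"; return 1; }
    have=$(active_dlz_drivers "$1")
    count=$(printf '%s\n' "$have" | sed '/^$/d' | wc -l | tr -d ' ')
    [ "$count" -eq 1 ] || { echo "need exactly one active database line, found $count"; return 1; }
    [ "$have" = "$want" ] || { echo "conf selects $have but BIND $2 needs $want"; return 1; }
    echo "ok: $have matches BIND $2"
}

# Constructed stand-in for /var/lib/samba/private/named.conf, one driver active.
write_sample_conf() {
    {
        echo 'dlz "AD DNS Zone" {'
        for so in dlz_bind9.so dlz_bind9_9.so dlz_bind9_10.so; do
            [ "$so" = "$2" ] || printf '# '
            echo "database \"dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/$so\";"
        done
        echo '};'
    } > "$1"
}

# Demo: the post's failing state (9.9 driver on a 9.10 server), then the fix.
tmp=$(mktemp)
write_sample_conf "$tmp" dlz_bind9_9.so;  check_dlz_conf "$tmp" 9.10.3-P4 || true
write_sample_conf "$tmp" dlz_bind9_10.so; check_dlz_conf "$tmp" 9.10.3-P4
rm -f "$tmp"
```

On the upgraded server itself, run check_dlz_conf /var/lib/samba/private/named.conf "$(installed_bind_version)" before restarting bind.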

2 Comments

  1. Hi,
    I was wondering how you got rid of the error "named[3841]: DLZ driver failed to load."

    When I install bind9 on ubuntu 16.04 it installs a version that does not seem to be compiled with dlopen so it is not supposed to work.

    • Chris Russell

      July 25, 2017 at 9:55 pm

      Sorry for the late reply, Dime. To resolve that you need to take a look in /var/lib/samba/private/named.conf; your library needs to match your bind version. For example, in the output below I have commented out every library with the exception of 9.10, which matches the installed version I have.

      # This DNS configuration is for BIND 9.8.0 or later with dlz_dlopen support.
      #
      # This file should be included in your main BIND configuration file
      #
      # For example with
      # include "/var/lib/samba/private/named.conf";

      #
      # This configures dynamically loadable zones (DLZ) from AD schema
      # Uncomment only single database line, depending on your BIND version
      #
      dlz "AD DNS Zone" {
      # For BIND 9.8.0
      # database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9.so";

      # For BIND 9.9.0
      # database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_9.so";

      # For BIND 9.10.0
      database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so";
      };

© 2017
