Bind failure to start

I have a strange problem. If my bind is started with the command named -d 9 after logon, it works and the log is ok. But when started from rc.conf, I get the message TKey:failure and bind doesn't start. Any ideas?
 
ednfran said:
...But in rc.conf, I have the message TKey:failure....

Absolutely no idea what this means. How can you have a 'message in rc.conf'?

Is this the base-system BIND, or BIND from ports?

What happens with # /etc/rc.d/named start?

Any error messages in /var/log/messages?

Does /etc/rc.conf contain the line:
Code:
named_enable="YES"
?

Etcetera.

We need more information.
 
Ok.

I have FreeBSD 8 installed, and I want Bind 9 with gssapi support, so I did this:

Install the cyrus-sasl2 from the ports, with standard options.

Edit my Makefile from the bind96 port, to add the modifications to support gssapi (changed lines: the DLZ_STUB/GSSAPI option lines and the .if defined(WITH_GSSAPI) block):

Code:
		DLZ_BDB "DLZ BDB driver" off \
		DLZ_LDAP "DLZ LDAP driver" off \
		DLZ_FILESYSTEM "DLZ filesystem driver" off \
		DLZ_STUB "DLZ stub driver" off \
		GSSAPI "Build with GSSAPI for GSS-TSIG" on

# Just in case
USE_OPENSSL=	yes

...

.else
BIND_DESTETC=	${PREFIX}/etc
.endif

PLIST_SUB+=	BIND_DESTETC="${BIND_DESTETC}"

.if defined(WITH_GSSAPI)
CONFIGURE_ARGS+=	--with-gssapi=${KRB5_HOME}
LIB_DEPENDS+=		sasl2.2:${PORTSDIR}/security/cyrus-sasl2
.endif

MAN1=	dig.1 host.1 isc-config.sh.1 nslookup.1 nsupdate.1
MAN3=	lwres.3 lwres_addr_parse.3 lwres_buffer.3 lwres_buffer_add.3 \


So I install it with the command:

make KRB5_HOME=/usr/lib install clean

without the replace_base option. When I look for the install options, I have:

Code:
BIND 9.6.1-P1 built with '--localstatedir=/var' '--disable-linux-caps' '--with-randomdev=/dev/random' '--with-openssl=/usr' '--with-
libxml2=/usr/local' '--without-idn' '--enable-threads' '--with-gssapi=/usr/lib' '--prefix=/usr/local' '--mandir=/usr/local/man' '--infodir=/usr
/local/info/' '--build=i386-portbld-freebsd8.0' 'build_alias=i386-portbld-freebsd8.0' 'CC=cc' 'CFLAGS=-O2 -pipe -fno-strict-aliasing' 
'LDFLAGS= -rpath=/usr/lib:/usr/local/lib' 'CXX=c++' 'CXXFLAGS=-O2 -pipe -fno-strict-aliasing'

I have the krb5.keytab file copied to the /etc directory, and I can use it normally with the kinit command. In the file named.conf I have configured the tkey-credential and tkey-domain options.

Now the strange behavior: if I start the named server in a shell with the command /usr/local/sbin/named -d 9, everything is ok, as in named.run:

Code:
16-Jan-2010 16:25:56.627 starting BIND 9.6.1-P1 -d 9
16-Jan-2010 16:25:56.627 built with '--localstatedir=/var' '--disable-linux-caps' '--with-randomdev=/dev/random' '--with-openssl=/usr' '--with-
libxml2=/usr/local' '--without-idn' '--enable-threads' '--with-gssapi=/usr/lib' '--prefix=/usr/local' '--mandir=/usr/local/man' '--infodir=/usr
/local/info/' '--build=i386-portbld-freebsd8.0' 'build_alias=i386-portbld-freebsd8.0' 'CC=cc' 'CFLAGS=-O2 -pipe -fno-strict-aliasing' 
'LDFLAGS= -rpath=/usr/lib:/usr/local/lib' 'CXX=c++' 'CXXFLAGS=-O2 -pipe -fno-strict-aliasing'
16-Jan-2010 16:25:56.628 found 1 CPU, using 1 worker thread
16-Jan-2010 16:25:56.628 using up to 4096 sockets
16-Jan-2010 16:25:56.636 loading configuration from '/usr/local/etc/named.conf'
16-Jan-2010 16:25:56.639 set maximum stack size to 67108864: success
16-Jan-2010 16:25:56.639 set maximum data size to 536870912: success
16-Jan-2010 16:25:56.639 set maximum core size to 9223372036854775807: success
16-Jan-2010 16:25:56.639 set maximum open files to -1: success
16-Jan-2010 16:25:56.639 using default UDP/IPv4 port range: [49152, 65535]
16-Jan-2010 16:25:56.639 using default UDP/IPv6 port range: [49152, 65535]
16-Jan-2010 16:25:56.641 listening on IPv4 interface lo0, 127.0.0.1#53
16-Jan-2010 16:25:56.643 clientmgr @0x28cbc000: create
16-Jan-2010 16:25:56.644 clientmgr @0x28cbc000: createclients
16-Jan-2010 16:25:56.644 clientmgr @0x28cbc000: create new
16-Jan-2010 16:25:56.646 client @0x28d28000: create
16-Jan-2010 16:25:56.646 clientmgr @0x28cbc000: createclients
16-Jan-2010 16:25:56.646 clientmgr @0x28cbc000: create new
16-Jan-2010 16:25:56.648 client @0x28d6f000: create
16-Jan-2010 16:25:56.657 res 0x28cc7000: create
16-Jan-2010 16:25:56.660 dns_requestmgr_create
16-Jan-2010 16:25:56.660 dns_requestmgr_create: 0x28cc7fa0
16-Jan-2010 16:25:56.660 dns_requestmgr_whenshutdown
16-Jan-2010 16:25:56.663 res 0x28cc70a0: create
16-Jan-2010 16:25:56.667 dns_requestmgr_create
16-Jan-2010 16:25:56.667 dns_requestmgr_create: 0x28952fa0
16-Jan-2010 16:25:56.667 dns_requestmgr_whenshutdown
16-Jan-2010 16:25:56.668 acquiring credentials for DNS/craprx01srv01.cragroup.ath.cx
16-Jan-2010 16:25:56.668 acquired accept credentials for DNS/craprx01srv01.cragroup.ath.cx
16-Jan-2010 16:26:16.812 gss cred: "host/craprx01srv01.cragroup.ath.cx@CRAGROUP.ATH.CX", GSS_C_ACCEPT, 4294967295
16-Jan-2010 16:26:16.812 command channel listening on 127.0.0.1#953
16-Jan-2010 16:26:16.813 command channel listening on ::1#953

But if I start it from rc.conf at startup or via /etc/rc.d/named, the program starts as named -t /var/named -u bind, and I get the messages:

Code:
configuring TKEY: failure
loading configuration: failure
exiting (due to fatal error)

The audit file of the error is attached. Thanks for your help.
 
Do you have a /usr/local/etc/rc.d/named as well? You didn't choose to replace the base system's named, so I assume everything's installed under (and supposed to start from) /usr/local.
 
You installed a port of bind, so you start bind with /usr/local/sbin/named -d 9.

Can I conclude from this that you didn't configure the port to replace the named in base?
Code:
/usr/sbin/named
/usr/sbin/named-checkconf
/usr/sbin/named-checkzone
/usr/sbin/named-compilezone
/usr/sbin/named.reconfig
/usr/sbin/named.reload

I never installed bind from ports, but if you kept the named in base, you would have to start the bind in /usr/local/sbin with something like /usr/local/etc/rc.d/named start, isn't it?
 
If I use the replace_base option, exactly the same problem happens. What makes the program fail is the -t /var/named option. I don't have a /usr/local/etc/rc.d/named; the port doesn't create it.
 
On a FreeBSD 7.2 the default rc.conf entries are:
Code:
$ grep named /etc/defaults/rc.conf
# named.  It may be possible to run named in a sandbox, man security for
named_enable="NO"               # Run named, the DNS server (or NO).
named_program="/usr/sbin/named" # Path to named, if you want a different one.
#named_flags="-c /etc/namedb/named.conf" # Uncomment for named not in /usr/sbin
named_pidfile="/var/run/named/pid" # Must set this in named.conf as well
named_uid="bind"                # User to run named as
named_chrootdir="/var/named"    # Chroot directory (or "" not to auto-chroot it)
named_chroot_autoupdate="YES"   # Automatically install/update chrooted
                                # components of named. See /etc/rc.d/named.
named_symlink_enable="YES"      # Symlink the chrooted pid file

Browse that file and put the overrides in "/etc/rc.conf".
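Since the thread turns on what named can see once the rc script starts it with -t /var/named (named_chrootdir above), here is an added check script, not written by any of the posters, that lists which host paths have a copy under a given chroot directory and returns how many are missing. The temporary demo directory and the two paths it checks (the named.conf and keytab locations mentioned in the thread) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report which files that named opens
# after chroot are missing under the chroot directory. With "-t /var/named",
# a path such as /etc/krb5.keytab is resolved as /var/named/etc/krb5.keytab,
# so a keytab that only exists in the host's /etc is not reachable.

# Usage: check_chroot_files CHROOTDIR PATH...
# Prints one line per path; the return value is the number of missing files.
check_chroot_files() {
    chrootdir=$1
    shift
    missing=0
    for p in "$@"; do
        if [ -e "$chrootdir$p" ]; then
            printf 'present: %s%s\n' "$chrootdir" "$p"
        else
            printf 'MISSING: %s%s\n' "$chrootdir" "$p"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Constructed demo chroot in a temporary directory: named.conf copied in,
# krb5.keytab deliberately left out, mirroring the layout the thread describes.
demo_chroot=$(mktemp -d)
mkdir -p "$demo_chroot/etc" "$demo_chroot/usr/local/etc"
: > "$demo_chroot/usr/local/etc/named.conf"

missing_count=0
check_chroot_files "$demo_chroot" /usr/local/etc/named.conf /etc/krb5.keytab || missing_count=$?
echo "missing files: $missing_count"
rm -rf "$demo_chroot"
```

Run it against the real chroot by replacing the constructed directory with /var/named (or whatever named_chrootdir is set to) and the paths with those your named.conf and keytab actually use; a non-zero count means the daemon cannot open that file once it has chrooted, whatever the host-side path looks like.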
 