Zone transfer, could not set file modification time / permission denied - Proxmox / Ubuntu 12LTS / Virtualmin

mars-vie · March 17, 2014, 12:28pm

Hello!

We have 2 container on a Proxmox host system, each Ubuntu V12 LTS + Virtualmin/Webmin latest.
VM1 and VM2 are set up with BIND - vice versa master/slave.

Zone transfers do work if BIND ist stopped and started again or if you do a system reboot.
If a zone file is altered, the master notifies the slave, but I get a permission denied error in daemon.log on the slave machine:

zone domain.com/IN: refresh:
could not set file modification time of ‘/var/lib/bind/domain.com.hosts’: permission denied

The owner for zone files (user:group) is set to root:bind (BIND, Module Config, zone file options).
I changed group/owner to root:bind on the slave /var/lib/bind - did not help.

Are there special permission requirements for /var/lib/bind and etc/bind?

Does anybody has encountered the same problems?
Any hints?

Thanks in advance!
Mars

Locutus · March 17, 2014, 12:34pm

The ownership for the hosts files in /var/lib/bind should be “bind:bind”, at least that’s what they are on my Ubuntu systems.

I recall similar issues a while ago, which I solved by changing the default ownership for new zones in the Webmin config to “bind:bind” (Webmin -> Servers -> BIND -> Module Config -> Zone file options -> Owner for zone files". Existing zone files you need to “chown” manually.

mars-vie · March 17, 2014, 5:52pm

Thanks Locutus,
I chowned the /var/lib/bind directories but still the same error.

The only thing I did not test yet is setting permissions to 777 (now 775).
I setup RNDC again, checked the Webmin Servers Index/BIND Cluster Slave Servers, changed the owner for zone files, …

I’m clueless and grateful for every tip!

Thanks!

Locutus · March 17, 2014, 6:54pm

You wouldn’t want to set those files to 777, because then any user on the system can modify them, since everyone has access to /var/lib/bind.

Please make sure that the all the files in /var/lib/bind have “bind:bind” as owner, and that they get re-created with that owner when the slave updates the zone.

You should not require RNDC for a simple zone update (after it was changed on the master), because that’s something the BIND instances on both servers do by themselves thru the DNS protocol.

Also, I just noticed in your initial post you said that you found the errors in “daemon.log”. I’m sorry, but I’m not familiar with that logfile on an Ubuntu system. Is it specifically from BIND? Or did you mean the syslog file?

mars-vie · March 18, 2014, 3:04pm

Hello Locutus,

it took a while - but now the zone transfer works!
Setting the owner to “bind:bind” did it.

Thanks a lot!
Mars

PS: daemon.log ist the BIND logfile in /var/log