Your message dated Fri, 26 Apr 2019 09:18:38 +0000
with message-id <e1hjx0a-000eph...@fasolo.debian.org>
and subject line Bug#927827: fixed in bind9 1:9.11.5.P4+dfsg-4
has caused the Debian Bug report #927827,
regarding bind9: Please add "/var/lib/samba/bind-dns/** rwk," to
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
927827: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927827
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: samba
Version: 2:4.9.5+dfsg-3
Severity: grave
Hi,
I upgraded a DC from stretch to buster, and DNS for AD (via bind9_dlz)
started failing in strange ways. (In particular, when I changed the IP address
of the DC, samba-tool dns query would return the correct addresses, but actual
DNS lookups would return the old ones.) It turns out that upstream, bind9_dlz
data has moved from /var/lib/samba/private to /var/lib/samba/bind-dns; however,
there's no notice about this anywhere, and the path does not exist in Debian.
(Thus, the .conf file in use didn't even mention the BIND 9.11 .so file, much
less load it.) Furthermore, if you try to remedy this problem yourself by
mkdir-ing the new directory and running samba_dnsupgrade, BIND will no longer
start due to AppArmor policies being out of date:
[84419.640664] audit: type=1400 audit(1555945763.230:88): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/var/lib/samba/bind-dns/named.conf" pid=9043 comm="isc-worker0000" requested_mask="r" denied_mask="r" fsuid=111 ouid=0
[84486.581899] audit: type=1400 audit(1555945830.170:89): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/var/lib/samba/bind-dns/named.conf" pid=9171 comm="isc-worker0000" requested_mask="r" denied_mask="r" fsuid=111 ouid=0
Given that AppArmor now seems to be default on in buster, this breaks
the functionality completely, even for new installations (not just for
upgrades from stretch).
I would suppose that postinst needs to check whether BIND9_DLZ is in use,
and if so, run samba_upgradedns --dns-backend=BIND9_DLZ and then finally
pop up a message saying that the admin will have to change the .conf path
in named.conf.local. And the AppArmor profile will need to be fixed.
Even after this, I had to run samba_dnsupdate once with --use-samba-tool,
and then it would finally run without “dns_tkey_gssnegotiate: TKEY is
unacceptable” the next time.
-- System Information:
Debian Release: buster/sid
APT prefers testing-proposed-updates
APT policy: (500, 'testing-proposed-updates'), (500, 'testing-debug'), (500,
'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 5.0.6 (SMP w/40 CPU cores)
Locale: LANG=en_DK.UTF-8, LC_CTYPE=en_DK.UTF-8 (charmap=UTF-8),
LANGUAGE=en_NO:en_US:en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages samba depends on:
ii adduser 3.118
ii dpkg 1.19.6
ii init-system-helpers 1.56+nmu1
ii libbsd0 0.9.1-2
ii libc6 2.28-8
ii libldb1 2:1.5.1+really1.4.6-3
ii libpam-modules 1.3.1-5
ii libpam-runtime 1.3.1-5
ii libpopt0 1.16-12
ii libpython2.7 2.7.16-2
ii libtalloc2 2.1.14-2
ii libtdb1 1.3.16-2+b1
ii libtevent0 0.9.37-1
ii libwbclient0 2:4.9.5+dfsg-3
ii lsb-base 10.2019031300
ii procps 2:3.3.15-2
ii python 2.7.16-1
pn python-dnspython <none>
pn python-samba <none>
ii python2.7 2.7.16-2
pn samba-common <none>
pn samba-common-bin <none>
ii samba-libs 2:4.9.5+dfsg-3
pn tdb-tools <none>
ii update-inetd 4.49
Versions of packages samba recommends:
ii attr 1:2.4.48-4
ii logrotate 3.14.0-4
pn samba-dsdb-modules <none>
pn samba-vfs-modules <none>
Versions of packages samba suggests:
pn bind9 <none>
pn bind9utils <none>
pn ctdb <none>
pn ldb-tools <none>
ii ntp 1:4.2.8p12+dfsg-4
pn smbldap-tools <none>
pn ufw <none>
pn winbind <none>
--- End Message ---
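An added example, not part of the original report or of the Debian packaging: it parses the AppArmor denial records quoted in the report above and checks which file rules would have allowed them. The helper names are hypothetical, the glob matching is a simplified subset of AppArmor's, and the rule for the old /var/lib/samba/private path is an assumed form used only for contrast.

```python
import re

# Constructed input: the two denial records quoted in the report, one per line.
_REC = ('[{ts}] audit: type=1400 audit({au}): apparmor="DENIED" operation="open" '
        'profile="/usr/sbin/named" name="/var/lib/samba/bind-dns/named.conf" '
        'pid={pid} comm="isc-worker0000" requested_mask="r" denied_mask="r" '
        'fsuid=111 ouid=0')
SAMPLE_LOG = "\n".join([
    _REC.format(ts="84419.640664", au="1555945763.230:88", pid=9043),
    _REC.format(ts="84486.581899", au="1555945830.170:89", pid=9171),
])
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted" or key=bare

def parse_denials(text):
    """Return one field dict per apparmor="DENIED" audit record."""
    records = []
    for line in text.splitlines():
        fields = {k: quoted or bare for k, quoted, bare in FIELD.findall(line)}
        if fields.get("apparmor") == "DENIED":
            records.append(fields)
    return records

def glob_to_regex(glob):
    """Simplified AppArmor globbing: '**' crosses '/', '*' and '?' do not."""
    trans = {"**": ".*", "*": "[^/]*", "?": "[^/]"}
    parts = re.split(r"(\*\*|\*|\?)", glob)
    return re.compile("".join(trans.get(p, re.escape(p)) for p in parts))

def rule_covers(rule, denial):
    """True if a 'PATH PERMS,' file rule grants the denied path and mask."""
    path_glob, perms = rule.rstrip(", ").rsplit(None, 1)
    # Simplification: logged create/delete masks ('c', 'd') are granted by 'w'.
    needed = {"w" if m in "cd" else m for m in denial["requested_mask"]}
    return (glob_to_regex(path_glob).fullmatch(denial["name"]) is not None
            and needed <= set(perms))

def uncovered(denials, rules):
    """Distinct (profile, path, mask) denials that no given rule would allow."""
    return sorted({(d["profile"], d["name"], d["requested_mask"])
                   for d in denials if not any(rule_covers(r, d) for r in rules)})

OLD_RULE = "/var/lib/samba/private/** rwk,"         # assumed form, old data path
REQUESTED_RULE = "/var/lib/samba/bind-dns/** rwk,"  # rule text from the bug title

if __name__ == "__main__":
    denials = parse_denials(SAMPLE_LOG)
    print("denied with old rule only:", uncovered(denials, [OLD_RULE]))
    print("denied with requested rule:", uncovered(denials, [OLD_RULE, REQUESTED_RULE]))
```

On a live system the input would come from the kernel log or audit log instead of the embedded sample, and the real profile should still be checked with AppArmor's own tooling.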
--- Begin Message ---
Source: bind9
Source-Version: 1:9.11.5.P4+dfsg-4
We believe that the bug you reported is fixed in the latest version of
bind9, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 927...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Ondřej Surý <ond...@debian.org> (supplier of updated bind9 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 26 Apr 2019 08:33:13 +0000
Source: bind9
Architecture: source
Version: 1:9.11.5.P4+dfsg-4
Distribution: unstable
Urgency: medium
Maintainer: Debian DNS Team <team+...@tracker.debian.org>
Changed-By: Ondřej Surý <ond...@debian.org>
Closes: 927827 927932 927962
Changes:
bind9 (1:9.11.5.P4+dfsg-4) unstable; urgency=medium
.
[ Bernhard Schmidt ]
* AppArmor: Also add /var/lib/samba/bind-dns/dns/** (Closes: #927827)
.
[ Ondřej Surý ]
* [CVE-2018-5743]: Limiting simultaneous TCP clients is ineffective
(Closes: #927932)
* Update symbols file for new symbol in libisc
* Enable EDDSA again, but disable broken Ed448 support (Closes: #927962)
--- End Message ---