Starting name server BIND Unable to lock file /etc/nam.conf

Good Day, recently applied a security update to OES 11 and now DNS will not start. I found a support note from 2013 that describes the problem exactly, but the solution has no effect.

https://support.microfocus.com/kb/doc.php?id=7011945


  • bmcclean wrote:

    >
    > Good Day, recently applied a security update to OES 11 and now DNS
    > will not start. I found a support note from 2013 that describes the
    > problem exactly, but the solution has no effect.
    >
    > https://support.microfocus.com/kb/doc.php?id=7011945


    Have you checked /var/log/messages for any clues?

    What version of OES are you running? Please post the output from this
    command:

    cat /etc/*release


    --
    Kevin Boyle - Knowledge Partner
    If you find this post helpful and are logged into the web interface,
    please show your appreciation and click on the star below this post.
    Thank you.
  • Thanks Kevin.

    LSB_VERSION="core-2.0-noarch:core-3.2-noarch:core-4.0-noarch:core-2.0-x86_64:core-3.2-x86_64:core-4.0-x86_64"
    Novell Open Enterprise Server 11 (x86_64)
    VERSION = 11.2
    PATCHLEVEL = 2
    SUSE Linux Enterprise Server 11 (x86_64)
    VERSION = 11
    PATCHLEVEL = 3

    I have the output in the message file from doing the start and stop. Nothing obvious. Am I revealing anything sensitive about my system by posting the log here?

  • bmcclean wrote:

    > Novell Open Enterprise Server 11 (x86_64)
    > VERSION = 11.2
    > PATCHLEVEL = 2


    I guess you know that this is very old and unsupported.

    Please don't post the whole messages file. It's not necessary and may
    contain some private information. I just wanted you to check it to see
    if there was anything obvious.

    You said:
    > recently applied a security update to OES 11


    It would seem that that could have caused your issue.

    What was the patch and how did you apply it?

    Why did you not just apply all outstanding patches?

    Have you considered upgrading... at least to the latest version of
    OES11 which is OES11 SP3?

    --
    Kevin Boyle - Knowledge Partner
  • Thanks Kevin,

    Yes, it is pretty old. I don't have the expertise to upgrade (especially if it goes south), and outside contractors that want to deal with in-house systems are becoming rare. I will attempt it one day, or just go the SaaS route. When I looked into it when I moved from a stand-alone server to VMware, it seems like there were issues with OES and upgrading, and I had no issues with moving it, so I moved on.

    The patches just popped up at the bottom of the screen, it looked like there were only 2, so I let them apply. I'm sure there is a log of what they were, but I did not note it at the time. Generally good luck with applying updates and not having issues. This one may be minor, but troublesome.

    There was only 1 line that looked like it might matter. Directory is not writable. I changed the permission in app-armor as the original solution indicated, but no solution. I'm guessing that if the access msg is important, there are more permissions to change.

    configuring command channel from '/etc/rndc.key'
    Feb 1 16:47:05 mars named[9510]: command channel listening on 127.0.0.1#953
    Feb 1 16:47:05 mars named[9510]: configuring command channel from '/etc/rndc.key'
    Feb 1 16:47:05 mars named[9510]: command channel listening on ::1#953
    Feb 1 16:47:05 mars named[9510]: the working directory is not writable
    Feb 1 16:47:05 mars named[9510]: managed-keys-zone: loaded serial 0
    Feb 1 16:47:05 mars named[9510]: zone localhost/IN:


  • bmcclean wrote:

    > I changed the permission in app-armor as the original solution
    > indicated, but no solution.


    It's possible that was not the problem... :-(

    Have a look at /var/opt/novell/log/named/named.run and see if there are
    any error messages or any clues.

    --
    Kevin Boyle - Knowledge Partner
  • Nothing notable. They didn't have obvious warnings and exactly the same as all the old logs.

    If this process is unable to get a lock on a file, is there a way to see what other lock may be keeping it from doing that?

  • bmcclean wrote:

    > Nothing notable. They didn't have obvious warnings and exactly the
    > same as all the old logs.
    >
    > If this process is unable to get a lock on a file, is there a way to
    > see what other lock may be keeping it from doing that?



    There were a number of reasons why DNS wouldn't start. The correct
    solution will depend on the actual cause.

    Why do you believe the process is unable to get a lock on a file? Have
    you seen any messages indicating such? Without determining the actual
    cause, whatever you try is just hit and miss.

    The easiest thing to try is to apply all outstanding patches or, better
    yet, outstanding service packs to resolve known OES11 issues.

    Other than that, here are some documents that may help:

    TID 7012947 - Novell DNS fails to start - Unable to read locator
    reference from NCP server
    https://support.microfocus.com/kb/doc.php?id=7012947

    TID 7006446 - DNS fails to start - CASA Credential Not found
    https://support.microfocus.com/kb/doc.php?id=7006446

    Novell DNS CASA Repair Tool
    https://www.novell.com/communities/coolsolutions/cool_tools/novell-dns-casa-repair-tool/#comments

    Common Proxy CASA Repair Tool
    https://www.novell.com/communities/coolsolutions/cool_tools/common-proxy-casa-repair-tool/


    --
    Kevin Boyle - Knowledge Partner
  • 'Starting name server BIND Unable to lock file /etc/nam.conf.
    permission denied.'

    rcnamed status shows running. Stop and start dns and I get the above.

    But lookups do not use the local server, they go to outside servers.

    Pings can find the local server running DNS. That same IP shows up at the top of the list in the DHCP DNS numbers on local clients.
    Pings cannot find entries in the local DNS.

    Maybe DNS is starting but just not functioning the way it did.
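
Added example (not part of any post in this thread): if AppArmor is what refuses the lock on /etc/nam.conf, the kernel logs a DENIED record whose denied_mask contains `k`, the file-lock permission, so summarising those records for the named profile shows which paths and permissions are being refused. The sample log lines, the profile name and the paths in them are constructed assumptions.

```shell
#!/bin/sh
# Added example. Summarise AppArmor denials for one profile from syslog text.
# Key names (apparmor=, operation=, profile=, name=, denied_mask=) are the
# AppArmor audit record fields; "k" in a mask is the file-lock permission.

apparmor_denials() {
    # $1: substring of the profile name to report on; log text on stdin.
    awk -v want="$1" '
    function field(key,    re, s) {
        re = "(^| )" key "=\"[^\"]*\""
        if (!match($0, re)) return ""
        s = substr($0, RSTART, RLENGTH)
        sub("^ ?" key "=\"", "", s)
        sub("\"$", "", s)
        return s
    }
    /apparmor="DENIED"/ {
        if (index(field("profile"), want) == 0) next
        mask = field("denied_mask")
        # Separate refused lock requests from other refused accesses.
        kind = (index(mask, "k") > 0) ? "LOCK" : "ACCESS"
        seen[kind " " field("operation") " " field("name") " " mask]++
    }
    END { for (k in seen) print seen[k], k }' | sort
}

# Constructed sample lines (host, pids, timestamps and paths are made up).
sample_log() {
    cat <<'EOF'
Feb  1 16:47:05 host1 kernel: [  812.101] type=1400 audit(1454366825.101:41): apparmor="DENIED" operation="file_lock" parent=1 profile="/usr/sbin/named" name="/etc/nam.conf" pid=4242 comm="named" requested_mask="k" denied_mask="k" fsuid=44 ouid=0
Feb  1 16:47:06 host1 kernel: [  813.007] type=1400 audit(1454366826.007:42): apparmor="DENIED" operation="file_lock" parent=1 profile="/usr/sbin/named" name="/etc/nam.conf" pid=4242 comm="named" requested_mask="k" denied_mask="k" fsuid=44 ouid=0
Feb  1 16:47:06 host1 kernel: [  813.210] type=1400 audit(1454366826.210:43): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/named" name="/var/lib/named/example.db" pid=4242 comm="named" requested_mask="w" denied_mask="w" fsuid=44 ouid=0
Feb  1 16:47:07 host1 kernel: [  814.500] type=1400 audit(1454366827.500:44): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/ntpd" name="/etc/example" pid=4300 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=74 ouid=0
Feb  1 16:47:08 host1 kernel: [  815.020] type=1400 audit(1454366828.020:45): apparmor="ALLOWED" operation="open" parent=1 profile="/usr/sbin/named" name="/etc/example" pid=4242 comm="named" requested_mask="r" denied_mask="r" fsuid=44 ouid=0
EOF
}

# Real use: apparmor_denials named < /var/log/messages
sample_log | apparmor_denials named
```

Each output line is a count followed by the kind, operation, path and denied mask; a LOCK line for a path means the loaded profile has no `k` permission on it.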

  • bmcclean wrote:

    > rcnamed status shows running. Stop and start dns and I get the above.


    On OES servers you need to use "rcnovell-named" not "rcnamed".

    Try this and let me know what happens:

    rcnamed stop
    rcnovell-named start


    --
    Kevin Boyle - Knowledge Partner
  • bmcclean wrote:

    > pings cannot find entries in the local DNS.


    Use nslookup from your OES server or Windows workstation to verify that
    a specific DNS server is returning the correct result.

    "man nslookup" will show what options are available.

    --
    Kevin Boyle - Knowledge Partner