BIND 9.5.0 on Windows 2000 unable to rename log file...permission denied

Mark Andrews Mark_Andrews at isc.org
Thu Sep 18 04:03:36 UTC 2008


In message <48D1CF1D.80908 at people.net.au>, "atomic at people.net.au" writes:
> Danny Mayer wrote:
> > atomic at people.net.au wrote:
> >   
> >> A very strange thing happened after upgrading from BIND 8.4.6 to 9.5.0. 
> >> We created the "named" user as a service account as required by BIND9, 
> >> then granted full control on everything in the BIND directory (d:\bind) 
> >> to this user, however the named service failed to start due to:
> >>
> >>  > Error 1053: The service did not respond to the start or control 
> >> request in a timely fashion
> >>
> >> There are a bunch of "unable to rename log file...permission denied" 
> >> errors in the Windows Event Log, the exact error messages read:
> >>
> >>  > unable to rename log file '..\\logs\\named.log.5' to 
> >> '..\\logs\\named.log.6': permission denied
> >>  > unable to rename log file '..\\logs\\named.log.6' to 
> >> '..\\logs\\named.log.7': permission denied
> >>  > unable to rename log file '..\\logs\\named.log.7' to 
> >> '..\\logs\\named.log.8': permission denied
> >>  > ...heaps more...
> >>
> >> It became apparent that there are some permission issues writing to the 
> >> log directory (d:\bind\logs), but we checked many times and can confirm 
> >> that "named" user has full control all the way. The next thing we did 
> >> was to rename the log directory to d:\bind\logs_preBIND9 and created a 
> >> new log directory d:\bind\logs, and this time named started successfully.
> >>
> >> We then compared the permissions between d:\bind\logs_preBIND9 and 
> >> d:\bind\logs, they are exactly the same. It seems the problem is still 
> >> there, but because the new log directory is empty so named does not have 
> >> to rename anything and therefore it worked. Chances are as soon as the 
> >> circular log files start to pop up named will stop working.
> >>
> >> Is there a solution to this problem? What extra permissions are required 
> >> to rename the log files when it already has full control? By the way our 
> >> log file setting is "versions 50 size 25M" if that matters.
> >>
> >> Thanks! Peter
> >>     
> >
> > Look at the ISC BIND service and make certain that the service is run
> > under the account you think it is. You can also look at the task manager
> > and check the "Show processes from all users" box and look to see what
> > account named is using. Then go into the directory properties, grant all
> > access to the specified account and make sure to specify that it
> > propagate to all subdirectories. From the CMD line type: CACLS * and see
> > what permissions you actually have and post it here. Where does the
> > named.pid file go and does it get written? Also are you sure you have
> > double backslashes (\\) in the directory path in the application event
> > log or did you just type that into your message?
> >
> > Danny
> >   
> Thanks for replying so quickly.
> 
> I have double checked named is running under the intended service 
> account "named", in services console and task manager.
> 
> named.pid is created in d:\bind\etc. Double backslashes as how they 
> appear in the Application Event Viewer. Actually it got me thinking is 
> relative path allowed in BIND9? This is what we have in named.conf and 
> it works fine with BIND8:
> 
>     channel log_file
>     {
>         file "..\\logs\\named.log" versions 50 size 25M;
>         severity info;
>         print-time yes;
>         print-severity yes;
>         print-category yes;
>     };
> 
> TIA. Peter

	Relative paths work.  You will also need to set directory
	in options.
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
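
Added example, not part of the original messages or of ISC's documentation: a named.conf fragment combining the `directory` option Mark mentions with Peter's relative-path log channel. The directory value `d:\bind\etc` and the `category default` binding are assumptions, chosen so that `..\logs` resolves to the `d:\bind\logs` directory named in the thread.

```conf
// Constructed named.conf fragment; d:\bind\etc is an assumed working directory.
options {
    // Relative file names elsewhere in named.conf resolve against this directory.
    directory "d:\\bind\\etc";
};

logging {
    channel log_file {
        // With the directory above, this resolves to d:\bind\logs\named.log.
        file "..\\logs\\named.log" versions 50 size 25M;
        severity info;
        print-time yes;
        print-severity yes;
        print-category yes;
    };
    // Assumed category binding so the channel receives messages.
    category default { log_file; };
};
```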

