BIND 9.5.0 on Windows 2000 unable to rename log file...permission denied

atomic at people.net.au
Fri Sep 19 02:48:41 UTC 2008


Danny Mayer wrote:
> atomic at people.net.au wrote:
>   
>> Danny Mayer wrote:
>>     
>>> atomic at people.net.au wrote:
>>>   
>>>       
>>>> A very strange thing happened after upgrading from BIND 8.4.6 to 9.5.0. 
>>>> We created the "named" user as a service account as required by BIND9, 
>>>> then granted full control on everything in the BIND directory (d:\bind) 
>>>> to this user, however the named service failed to start due to:
>>>>
>>>>  > Error 1053: The service did not respond to the start or control 
>>>> request in a timely fashion
>>>>
>>>> There are a bunch of "unable to rename log file...permission denied" 
>>>> errors in the Windows Event Log, the exact error messages read:
>>>>
>>>>  > unable to rename log file '..\\logs\\named.log.5' to 
>>>> '..\\logs\\named.log.6': permission denied
>>>>  > unable to rename log file '..\\logs\\named.log.6' to 
>>>> '..\\logs\\named.log.7': permission denied
>>>>  > unable to rename log file '..\\logs\\named.log.7' to 
>>>> '..\\logs\\named.log.8': permission denied
>>>>  > ...heaps more...
>>>>
>>>> It became apparent that there are some permission issues writing to the 
>>>> log directory (d:\bind\logs), but we checked many times and can confirm 
>>>> that "named" user has full control all the way. The next thing we did 
>>>> was to rename the log directory to d:\bind\logs_preBIND9 and created a 
>>>> new log directory d:\bind\logs, and this time named started successfully.
>>>>
>>>> We then compared the permissions between d:\bind\logs_preBIND9 and 
>>>> d:\bind\logs, they are exactly the same. It seems the problem is still 
>>>> there, but because the new log directory is empty so named does not have 
>>>> to rename anything and therefore it worked. Chances are as soon as the 
>>>> circular log files start to pop up named will stop working.
>>>>
>>>> Is there a solution to this problem? What extra permissions are required 
>>>> to rename the log files when it already has full control? By the way our 
>>>> log file setting is "versions 50 size 25M" if that matters.
>>>>
>>>> Thanks! Peter
>>>>     
>>>>         
>>> Look at the ISC BIND service and make certain that the service is run
>>> under the account you think it is. You can also look at the task manager
>>> and check the "Show processes from all users" box and look to see what
>>> account named is using. Then go into the directory properties, grant all
>>> access to the specified account and make sure to specify that it
>>> propagate to all subdirectories. From the CMD line type: CACLS * and see
>>> what permissions you actually have and post it here. Where does the
>>> named.pid file go and does it get written? Also are you sure you have
>>> double backslashes (\\) in the directory path in the application event
>>> log or did you just type that into your message?
>>>
>>> Danny
>>>   
>>>       
>> Thanks for replying so quickly.
>>
>> I have double checked named is running under the intended service 
>> account "named", in services console and task manager.
>>
>> named.pid is created in d:\bind\etc. Double backslashes as how they 
>> appear in the Application Event Viewer. Actually it got me thinking is 
>> relative path allowed in BIND9? This is what we have in named.conf and 
>> it works fine with BIND8:
>>
>>     channel log_file
>>     {
>>         file "..\\logs\\named.log" versions 50 size 25M;
>>         severity info;
>>         print-time yes;
>>         print-severity yes;
>>         print-category yes;
>>     };
>>
>> TIA. Peter
>>     
>
> You should use single backslashes. Double backslashes are only used when
> coding. You can also use forward slashes (/) on Windows. It works just
> as well. This is probably your problem.
>
> Danny
>
>   
Changing to single backslash seems to have fixed the problem, thanks for 
that! But still the behavior was rather odd, it seems use of double 
backslashes (post BIND9) does not work when renaming the log file to an 
already existing one, otherwise it works fine.
