Environment
Open Enterprise Server 2018 (OES 2018) Linux
Open Enterprise Server 2015 (OES 2015) Linux
Open Enterprise Server 11 (OES 11) Linux
Open Enterprise Server 2 (OES 2) Linux
Situation
When the "rndc" command is run on a cluster node that is hosting a Novell DNS Server resource, it returns the following error:
rndc: connection to remote host closed
This may indicate that
* the remote server is using an older version of the command protocol,
* this host is not authorized to connect,
* the clocks are not synchronized, or
* the key is invalid.
Resolution
1) Check which LUM-enabled user the novell-named process is running as (the value given with -u):
# ps -ef | grep novell-named | grep -v grep
dnsuser 2617 1 0 Mar30 ? 00:16:51 /opt/novell/named/bin/novell-named -u dnsuser -V DNSVOL
In the above example, the novell-named process is running as LUM-enabled user "dnsuser".
2) Look up the primary GID of that LUM-enabled user, for example with "id username":
# id dnsuser
uid=44(dnsuser) gid=605(dnsdhcp-group) groups=44(named)
In the above example the GID of LUM-enabled user "dnsuser" is 605.
3) Make that GID the group of /etc/rndc.key. Change only the group; leave the mode at 640 and do not make the key world-readable, because anyone who can read the shared secret in /etc/rndc.key can control the name server through rndc:
# chgrp 605 /etc/rndc.key
Because /etc/rndc.key lives in the node-local /etc, repeat this on every cluster node that can host the DNS resource.
4) Either wait for the next dynamic reconfiguration to complete, or stop and start novell-named.
To wait for the next dynamic reconfiguration to complete, run:
# tail -F -n 1 /var/opt/novell/log/named/named.run | grep reconf
...and wait until it displays a line like the following:
18-Apr-2019 16:52:55.176 general: dynamicrecon: info: Dynamic reconfiguration completed.
You can terminate tail with Ctrl+C afterwards.
Example of restarting novell-named on a cluster node that runs the DNS resource. The lines that terminate novell-named via "killproc" and start it again with the correct -u and -V values can be found in the resource unload and load scripts, which are stored in /var/opt/novell/ncs on the cluster node and can also be viewed in iManager:
# PID=`cat /var/opt/novell/run/named/named.pid | head -n 1`; killproc -p /var/opt/novell/run/named/named.pid -TERM; while test -e /proc/$PID; do sleep .1; done; /opt/novell/named/bin/novell-named -u dnsuser -V DNSVOL
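Steps 1 to 3 above, as an added check script that is not part of the original TID: it finds the running novell-named, reads the user given with -u, and tests whether that user can read /etc/rndc.key with the file's current owner, group and mode, printing the chgrp that fixes it without loosening the mode. The process path, the -u option and /etc/rndc.key come from the article; the function names are this script's own. Following the article's model, only the user's primary GID (as shown by "id") is considered, not supplementary groups.

```shell
#!/bin/sh
# Added example (not from the original TID): node-local check for the
# /etc/rndc.key permission problem described in the Resolution steps.
# Assumptions: GNU stat ("stat -c") and procps "ps -eo args", as on SLES/OES.

# named_run_user ARGS
# Extract the value of "-u" from a novell-named command line as printed by ps.
# Prints nothing for lines that are not the novell-named process itself.
named_run_user() {
    printf '%s\n' "$1" |
        sed -n 's|^/opt/novell/named/bin/novell-named .*-u \([^ ]*\).*|\1|p'
}

# key_readable UID GID FILE_UID FILE_GID FILE_MODE
# Pure Unix DAC read check: root always reads; otherwise exactly one
# permission class applies (owner if UID matches, else group if GID matches,
# else other). FILE_MODE is octal as printed by "stat -c %a", e.g. 640.
key_readable() {
    uid=$1 gid=$2 fuid=$3 fgid=$4 mode=$5
    [ "$uid" -eq 0 ] && return 0
    if [ "$uid" -eq "$fuid" ]; then
        bits=$(( (0$mode >> 6) & 7 ))      # owner class
    elif [ "$gid" -eq "$fgid" ]; then
        bits=$(( (0$mode >> 3) & 7 ))      # group class
    else
        bits=$(( 0$mode & 7 ))             # other class
    fi
    [ $((bits & 4)) -ne 0 ]
}

# check_rndc_key [KEYFILE]
# Live check on this node. Returns 0 if the -u user can read the key, 1 if
# not (and prints the fix), 2 if novell-named is not running or the file or
# user cannot be resolved.
check_rndc_key() {
    key=${1:-/etc/rndc.key}
    user=$(ps -eo args= | while IFS= read -r line; do named_run_user "$line"; done | head -n 1)
    if [ -z "$user" ]; then
        echo "novell-named is not running on this node" >&2
        return 2
    fi
    if [ ! -e "$key" ]; then
        echo "$key does not exist" >&2
        return 2
    fi
    uid=$(id -u "$user") || return 2
    gid=$(id -g "$user") || return 2
    set -- $(stat -c '%u %g %a' "$key")    # owner uid, group gid, octal mode
    if key_readable "$uid" "$gid" "$1" "$2" "$3"; then
        echo "OK: $user (uid $uid, gid $gid) can read $key (owner $1, group $2, mode $3)"
        return 0
    fi
    echo "FAIL: $user (uid $uid, gid $gid) cannot read $key (owner $1, group $2, mode $3)"
    echo "Fix (keeps mode $3, changes only the group): chgrp $gid $key"
    return 1
}

# Run the live check only when invoked as: sh check_rndc_key.sh --check [KEYFILE]
if [ "${1:-}" = "--check" ]; then
    check_rndc_key "${2:-}"
fi
```

Run it on each cluster node that can host the DNS resource, since the key file is node-local. Note that "chmod 644 /etc/rndc.key" would also make the check pass, but it hands the rndc shared secret to every local account; changing the group to the -u user's GID is the least-privilege fix and is what the article prescribes.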
Cause
By default /etc/rndc.key is owned by UID 0 (user root).
By default /etc/rndc.key belongs to GID 44 (group named).
The default permissions of /etc/rndc.key are 640 (read/write for the owning user, read-only for the owning group, no access for others).
novell-named starts as user root and reads /etc/rndc.key during initialization; as root it can read the file regardless of its group.
If novell-named is started with the option -u username, it drops privileges to the UID of that user during initialization via setuid(), and from then on is subject to the file's ordinary permission checks.
novell-named reads /etc/rndc.key again during each dynamic reconfiguration, now as that user. By default a dynamic reconfiguration runs every 15 minutes after startup.
On stand-alone servers, novell-named is started by /etc/init.d/novell-named (up to OES 2015 SP1) or by /opt/novell/named/bin/start-novell-named (since OES 2018) with "-u named". named is a system user with UID 44 and GID 44 by default, so its GID matches the group of /etc/rndc.key.
When novell-named is cluster-enabled, the configuration directory etc/opt/novell/named is placed on the resource volume, and if this is an NSS volume the user given with the "-u" option must be a LUM-enabled eDirectory user with sufficient effective rights (Read, Write, File Scan, Create, Erase and Modify) to that subdirectory.
If the GID of this LUM-enabled user does not match the GID of /etc/rndc.key, novell-named no longer has permission to read /etc/rndc.key during dynamic reconfiguration.
In that case rndc returns the following error when you run it after the first dynamic reconfiguration of novell-named has completed:
rndc: connection to remote host closed
This may indicate that
* the remote server is using an older version of the command protocol,
* this host is not authorized to connect,
* the clocks are not synchronized, or
* the key is invalid.