rndc: connection to remote host closed

  • 7023827
  • 18-Apr-2019
  • 11-May-2019

Environment

Open Enterprise Server 2018 (OES 2018) Linux
Open Enterprise Server 2015 (OES 2015) Linux
Open Enterprise Server 11 (OES 11) Linux
Open Enterprise Server 2 (OES 2) Linux

Situation

When trying to run the "rndc" command on a cluster node that is running a Novell DNS Server resource, it returns the following error:

rndc: connection to remote host closed
This may indicate that
* the remote server is using an older version of the command protocol,
* this host is not authorized to connect,
* the clocks are not synchronized, or
* the key is invalid.

Resolution

1) Check which LUM-enabled user the novell-named process is running as:

# ps -ef | grep novell-named | grep -v grep
dnsuser   2617     1  0 Mar30 ?        00:16:51 /opt/novell/named/bin/novell-named -u dnsuser -V DNSVOL

In the above example, the novell-named process is running as LUM-enabled user "dnsuser".

2) Look up the GID of the LUM-enabled user, for example with "id username":

# id dnsuser
uid=44(dnsuser) gid=605(dnsdhcp-group) groups=44(named)

In the above example the GID of LUM-enabled user "dnsuser" is 605.

3) Make that GID the group owner of /etc/rndc.key:

# chgrp 605 /etc/rndc.key

4) Wait for the next dynamic reconfiguration to complete, or stop and start novell-named. For example:

To wait for the next dynamic reconfiguration to complete, run:

# tail -F -n 1 /var/opt/novell/log/named/named.run | grep reconf

...and wait until it displays a line like the following:

18-Apr-2019 16:52:55.176 general: dynamicrecon: info: Dynamic reconfiguration completed.

You can terminate tail with Ctrl+C afterwards.

Example of restarting novell-named on a cluster node that runs the DNS resource. Note that the lines that terminate novell-named with "killproc" and start it with the correct -u and -V values can be found in the resource unload and load scripts, which are stored in /var/opt/novell/ncs on the cluster node and can also be viewed in iManager:

# PID=$(head -n 1 /var/opt/novell/run/named/named.pid)
# killproc -p /var/opt/novell/run/named/named.pid -TERM
# while test -e /proc/$PID; do sleep .1; done
# /opt/novell/named/bin/novell-named -u dnsuser -V DNSVOL
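The following script is an added example and not part of this TID; it automates the comparison that steps 1 to 3 above perform by hand, so the condition can be verified on a cluster node before and after the chgrp. It assumes GNU stat and getent are available (as on OES/SUSE Linux); the sample ps line used below is the one shown in step 1, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the TID): check that the group owning /etc/rndc.key
# matches the primary GID of the user novell-named runs as, and that the file
# is group-readable, which is what novell-named needs to re-read the key
# during dynamic reconfiguration after it has dropped root via setuid().
# Assumptions: GNU stat, getent, ps -ef output as on OES Linux.

# Step 1: pull the "-u <user>" argument out of a novell-named command line
# as printed by "ps -ef".
named_run_user() {
    printf '%s\n' "$1" | sed -n 's/.*novell-named .*-u \([^ ]*\).*/\1/p'
}

# Step 2: primary GID of a user. getent goes through NSS, so a LUM-enabled
# eDirectory user resolves the same way "id" resolves it.
user_primary_gid() {
    getent passwd "$1" | cut -d: -f4
}

# Numeric GID that owns a file.
file_gid() {
    stat -c %g "$1"
}

# Whether the file is group-readable: in "-rw-r-----" the group read bit is
# the 5th character of the stat %A string.
file_group_readable() {
    case "$(stat -c %A "$1")" in
        ????r*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Step 3 precondition: returns 0 when the key file is owned by the given GID
# and is group-readable, 1 otherwise. Takes a numeric GID so it can be
# exercised without a real dnsuser account (as in the self-test below).
rndc_key_group_ok() {
    gid="$1"
    key="${2:-/etc/rndc.key}"
    [ "$(file_gid "$key")" = "$gid" ] && file_group_readable "$key"
}

# Full check for a running server: user from ps, GID from getent, then the
# ownership test. On mismatch it prints the chgrp that step 3 would run.
check_rndc_key() {
    cmdline="$(ps -ef | grep '[n]ovell-named')"   # [n] keeps grep itself out
    user="$(named_run_user "$cmdline")"
    [ -n "$user" ] || { echo "novell-named is not running with -u"; return 2; }
    gid="$(user_primary_gid "$user")"
    if rndc_key_group_ok "$gid" /etc/rndc.key; then
        echo "ok: /etc/rndc.key is readable by $user (gid $gid)"
    else
        echo "mismatch: run 'chgrp $gid /etc/rndc.key', then wait for the next dynamic reconfiguration"
        return 1
    fi
}

# Usage on a cluster node: sh ./check_rndc_key.sh  (exit 0 = ok, 1 = mismatch)
# check_rndc_key
```

The check deliberately tests group ownership plus the group read bit rather than the whole mode, so the 640 default described under Cause is kept and the key stays unreadable to users outside that group; the fix it suggests is the chgrp from step 3, not a broader chmod.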

Cause

The default UID of /etc/rndc.key is 0 (user root).
The default GID of /etc/rndc.key is 44 (group named).
The default permissions of /etc/rndc.key are 640 (read/write for the UID, read-only for the GID, and no permission for others).

novell-named starts as user root and reads /etc/rndc.key during initialization.

If novell-named is started with the option -u username, it changes its process owner to the UID of the given user during initialization via setuid().

novell-named reads /etc/rndc.key again during dynamic reconfiguration, this time as the given user. By default dynamic reconfiguration runs every 15 minutes after startup.

On stand-alone servers, novell-named is started by /etc/init.d/novell-named (until OES 2015 SP1) or by /opt/novell/named/bin/start-novell-named (since OES 2018) with "-u named". named is a system user with UID 44 and GID 44 by default.

If novell-named is cluster-enabled, the configuration directory etc/opt/novell/named is placed on the resource volume, and if this is an NSS volume, the user specified with the "-u" option must be a LUM-enabled eDirectory user with sufficient effective rights (Read, Write, File Scan, Create, Erase and Modify) to this subdirectory.

If the GID of the LUM-enabled user does not match the GID of /etc/rndc.key, novell-named does not have permission to read /etc/rndc.key during dynamic reconfiguration.

In that case, rndc returns the following error when it is run after the first dynamic reconfiguration of novell-named has completed:

rndc: connection to remote host closed
This may indicate that
* the remote server is using an older version of the command protocol,
* this host is not authorized to connect,
* the clocks are not synchronized, or
* the key is invalid.