BIND 9.5.0 on Windows 2000 unable to rename log file...permission denied

Danny Mayer mayer at gis.net
Thu Sep 18 11:48:45 UTC 2008


atomic at people.net.au wrote:
> Danny Mayer wrote:
>> atomic at people.net.au wrote:
>>   
>>> A very strange thing happened after upgrading from BIND 8.4.6 to 9.5.0. 
>>> We created the "named" user as a service account as required by BIND9, 
>>> then granted full control on everything in the BIND directory (d:\bind) 
>>> to this user, however the named service failed to start due to:
>>>
>>>  > Error 1053: The service did not respond to the start or control 
>>> request in a timely fashion
>>>
>>> There are a bunch of "unable to rename log file...permission denied" 
>>> errors in the Windows Event Log, the exact error messages read:
>>>
>>>  > unable to rename log file '..\\logs\\named.log.5' to 
>>> '..\\logs\\named.log.6': permission denied
>>>  > unable to rename log file '..\\logs\\named.log.6' to 
>>> '..\\logs\\named.log.7': permission denied
>>>  > unable to rename log file '..\\logs\\named.log.7' to 
>>> '..\\logs\\named.log.8': permission denied
>>>  > ...heaps more...
>>>
>>> It became apparent that there are some permission issues writing to the 
>>> log directory (d:\bind\logs), but we checked many times and can confirm 
>>> that "named" user has full control all the way. The next thing we did 
>>> was to rename the log directory to d:\bind\logs_preBIND9 and created a 
>>> new log directory d:\bind\logs, and this time named started successfully.
>>>
>>> We then compared the permissions between d:\bind\logs_preBIND9 and 
>>> d:\bind\logs, they are exactly the same. It seems the problem is still 
>>> there, but because the new log directory is empty so named does not have 
>>> to rename anything and therefore it worked. Chances are as soon as the 
>>> circular log files start to pop up named will stop working.
>>>
>>> Is there a solution to this problem? What extra permissions are required 
>>> to rename the log files when it already has full control? By the way our 
>>> log file setting is "versions 50 size 25M" if that matters.
>>>
>>> Thanks! Peter
>>>     
>> Look at the ISC BIND service and make certain that the service is run
>> under the account you think it is. You can also look at the task manager
>> and check the "Show processes from all users" box and look to see what
>> account named is using. Then go into the directory properties, grant all
>> access to the specified account and make sure to specify that it
>> propagate to all subdirectories. From the CMD line type: CACLS * and see
>> what permissions you actually have and post it here. Where does the
>> named.pid file go and does it get written? Also are you sure you have
>> double backslashes (\\) in the directory path in the application event
>> log or did you just type that into your message?
>>
>> Danny
>>   
> Thanks for replying so quickly.
> 
> I have double checked named is running under the intended service 
> account "named", in services console and task manager.
> 
> named.pid is created in d:\bind\etc. Double backslashes as how they 
> appear in the Application Event Viewer. Actually it got me thinking is 
> relative path allowed in BIND9? This is what we have in named.conf and 
> it works fine with BIND8:
> 
>     channel log_file
>     {
>         file "..\\logs\\named.log" versions 50 size 25M;
>         severity info;
>         print-time yes;
>         print-severity yes;
>         print-category yes;
>     };
> 
> TIA. Peter

You should use single backslashes. Double backslashes are only used when
coding. You can also use forward slashes (/) on Windows. It works just
as well. This is probably your problem.

Danny

