# configure bind9 not jailed



## igorino (Jul 6, 2013)

Hello

How can I install or configure dns/bind98 or dns/bind99 (on FreeBSD 9.1) not to run in jails? I'm asking this because a Samba4 installation with _BIND_ requires an unjailed _BIND_ environment. The script /etc/rc.d/named doesn't like the addition of

```
named_chrootdir=""
named_pidfile="[PID PATH]"
...
```
in /etc/rc.conf, it seems that script was made only for a jailed environment. What is the proper way to set _BIND 9_ to run unjailed?

Thank you.


----------



## ShelLuser (Jul 6, 2013)

igorino said:

> How can I install or configure bind98 or bind99 (on FreeBSD 9.1) not to run in jails? I'm asking this because a samba4 installation with bind requires an unjailed bind environment.


Actually that isn't per se true. Although from what I've read so far it doesn't appear to be very straightforward, it should be doable to point Samba to the chrooted BIND environment.

So, for example, if Samba uses /usr/local/samba/private/named.conf then you could also try and point this to something like /var/named/usr/local/samba/private/named.conf, thus becoming accessible within the BIND chroot.

Running both processes in a chrooted environment does indeed seem impossible, but I can't even be sure about that since I haven't really given that much thought.



			
				igorino said:
			
		

> The script /etc/rc.d/named doesn't like the addition of named_chrootdir="" named_pidfile="[PID PATH]" ... in /etc/rc.conf, it seems that script was made only for a jailed environment. What is the proper way to set bind9 to run unjailed?


To my knowledge this is indeed unsupported in the BIND version which is part of the FreeBSD base system. Therefore you should grab BIND from the ports collection, for example dns/bind98 (if you wish to keep using the same version).

With this version you'll need to explicitly specify the chroot point using the named_chrootdir option in /usr/local/etc/rc.conf. Don't use the option and BIND won't be running in a chroot environment (as far as I know; I'm using the version of the base system myself).


----------



## igorino (Jul 6, 2013)

ShelLuser said:

> So, for example, if Samba uses /usr/local/samba/private/named.conf then you could also try and point this to something like /var/named/usr/local/samba/private/named.conf, thus becoming accessible within the BIND chroot.


Understood, I'll try that later. Besides, I guess there _are_ more files that BIND needs access to. I'm relying on the statements of a howto about the DNS BIND backend from the samba.org wiki Dns-backend_bind.


----------



## igorino (Jul 7, 2013)

I had no success making hard links, nor editing /etc/mtree/BIND.chroot.dist (added so many entries that there was no reason to have a jail at all). I ended up installing the port dns/bind98 and inserting

```
named_chrootdir=""
```
in /etc/rc.conf (since I marked REPLACE_BASE option in that port) instead.

Thank you very much @ShelLuser!


----------



## NuLL3rr0r (Jul 7, 2013)

Actually, as @ShelLuser pointed out, by default BIND runs unjailed and you don't have to do anything special. I just have

```
named_enable="YES"
```
in /etc/rc.conf and it runs unjailed.

But what puzzles me is, I can't understand why you have installed dns/bind98?


----------



## kpa (Jul 7, 2013)

The default BIND in the base system runs chroot(1)ed by default but you don't notice it right away because the configuration directory /etc/namedb is a symbolic link to the chroot directory under /var/named.


----------



## NuLL3rr0r (Jul 7, 2013)

kpa said:

> The default BIND in the base system runs chroot(1)ed by default but you don't notice it right away because the configuration directory /etc/namedb is a symbolic link to the chroot directory under /var/named.



Thanks for pointing that out. I wasn't aware of that.


----------



## ShelLuser (Jul 8, 2013)

NuLL3rr0r said:

> Actually as @ShelLuser pointed out by default BIND runs unjailed


Uhm, that's not what I pointed out up there :\


----------



## NuLL3rr0r (Jul 8, 2013)

ShelLuser said:

> Uhm, that's not what I pointed out up there :\



Sorry, my mistake. I remember it was midnight here and I was sleepy while reading this thread. So, I inferred the wrong point/idea from your answer.

Sorry if I bothered you.


----------



## Savagedlight (Jul 8, 2013)

I'd just like to point out that chroot(8) isn't the same as jail(8). The sooner this confusion is cleared up, the better. 

Since it's not run in a jail, there shouldn't be anything preventing Samba from doing its thing with Bind, as long as Samba isn't chrooted or jailed.


----------
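
Added example, not written by any poster in this thread: a POSIX sh check of the three points discussed above, namely which chroot directory an rc.conf selects for named, whether the configuration directory is really a symlink into that chroot, and which files named must read are absent from it. The function names and the sample tree are constructed, and the /var/named default for an unset named_chrootdir is an assumption based on the directory named in the thread.

```shell
#!/bin/sh
# Added example: helper names and the sample tree are constructed, not from the thread.

# Print the chroot directory an rc.conf selects for named ("" = not chrooted).
# Assumption: with named_chrootdir unset, the default is /var/named.
named_chrootdir_from() {
    (
        named_chrootdir="/var/named"
        # rc.conf is shell syntax, so source it the way the rc system does.
        if [ -r "$1" ]; then . "$1" >/dev/null 2>&1; fi
        printf '%s\n' "$named_chrootdir"
    )
}

# Succeed when config directory $1 is a symlink that resolves inside chroot $2.
config_lives_in_chroot() {
    [ -L "$1" ] || return 1
    real=$(cd -P "$1" 2>/dev/null && pwd -P) || return 1
    root=$(cd -P "$2" 2>/dev/null && pwd -P) || return 1
    case "$real/" in "$root"/*) return 0 ;; esac
    return 1
}

# Print each absolute path (arguments 2..n) that does not exist under chroot $1.
# A chrooted named opens /a/b as <chroot>/a/b; an empty $1 means no chroot.
missing_in_chroot() {
    chroot_dir=$1; shift
    for p in "$@"; do
        [ -e "${chroot_dir}${p}" ] || printf '%s\n' "$p"
    done
}

# Demo on a constructed tree; nothing outside a temporary directory is touched.
demo() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/var/named/etc/namedb" "$t/etc"
    ln -s "$t/var/named/etc/namedb" "$t/etc/namedb"
    printf 'named_enable="YES"\n' > "$t/rc.conf"
    echo "chroot selected: '$(named_chrootdir_from "$t/rc.conf")'"
    config_lives_in_chroot "$t/etc/namedb" "$t/var/named" && echo "namedb is inside the chroot"
    echo "missing inside chroot:"
    missing_in_chroot "$t/var/named" /etc/namedb /usr/local/samba/private/named.conf
    rm -rf "$t"
}
demo
```

On a real host, pass the actual rc.conf path and the list of files the Samba BIND backend needs; any path the last function prints has to be made available under the chroot or named has to run without one.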

