Create a page using samba/DNS as a template
When running "&color(green){''samba-tool domain provision''};"...
-&color(green){''SAMBA_INTERNAL''};
Uses Samba's built-in DNS.
-BIND9_FLATFILE
Uses an external DNS (BIND), but the integration is file based.
-&color(blue){''BIND9_DLZ''};
Also uses an external DNS (BIND), but the integration goes through BIND's DLZ mechanism...
-NONE
If another Samba AD DC is to be used for DNS. In smb.conf, "passdb back...
&color(white,blue){Note}; BIND9_FLATFILE is in the menu...
Here we select and switch to &color(blue){''BIND9_DLZ''};...
***Approach [#aaf0f324]
We use &color(lightseagreen){''RockyLinux8''};. And...
&size(10){"&color(red){dlz_dlopen failed to open library...
&size(10){I assumed chcon would be the answer, but even after looking into it, it did not work...
The BIND version required by Samba is documented at the following...
[[https://wiki.samba.org/index.php/BIND9_DLZ_DNS_Back_End...
According to this, the Samba currently installed is
#code(nonumber){{
[root@ad ~]# /opt/samba/sbin/samba -V
Version 4.16.0
[root@ad ~]# getenforce
Disabled
[root@ad ~]#
}}
So it seems anything newer than BIND 9.8 is fine. However, the provided...
#code(nonumber){{
[root@ad ~]# ls -l /opt/samba/lib/bind9/
total 300
-rwxr-xr-x. 1 root root 61024 May 2 10:30 dlz_bind9_10.so
-rwxr-xr-x. 1 root root 61024 May 2 10:30 dlz_bind9_11.so
-rwxr-xr-x. 1 root root 61024 May 2 10:30 dlz_bind9_12.so
-rwxr-xr-x. 1 root root 61024 May 2 10:30 dlz_bind9_14.so
-rwxr-xr-x. 1 root root 61024 May 2 10:30 dlz_bind9_16.so
[root@ad ~]#
}}
So in practice it looks like BIND 9.10 or later will be required.
Fortunately, the one released for &color(lightseagreen){''RockyLinux8''};...
#code(nonumber){{
[root@ad ~]# dnf info bind
Last metadata expiration check: 3:20:57 ago on Mon 02 May...
Available Packages
Name : bind
Epoch : 32
Version : 9.11.26
Release : 6.el8
Architecture : x86_64
Size : 2.1 M
Source : bind-9.11.26-6.el8.src.rpm
Repository : appstream
Summary : The Berkeley Internet Name Domain (BIND) D...
URL : https://www.isc.org/downloads/bind/
License : MPLv2.0
Description : BIND (Berkeley Internet Name Domain) is an...
: (Domain Name System) protocols. BIND inclu...
: which resolves host names to IP addresses;...
: (routines for applications to use when int...
: tools for verifying that the DNS server is...
[root@ad ~]#
}}
Compiling from source is also an option, but since a package is available...
&color(white,blue){Note}; We do not use bind-chroot. &si...
***Setup [#gca9a3df]
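As an added example (not from the original page), the module-selection reasoning above as a small POSIX shell helper: it extracts the BIND version from a `named -v` line and picks the matching `dlz_bind9_<minor>.so` from the Samba module directory, failing when BIND is older than 9.8 or when no module for that minor version exists. The `named -v` sample line and the module directory in the demo are constructed.

```shell
#!/bin/sh
# Added example, not part of the original page: choose the Samba DLZ module
# that matches the installed BIND, following the reasoning above (Samba 4.16
# ships dlz_bind9_10/11/12/14/16.so, Rocky Linux 8 packages BIND 9.11.26).

# bind_version_of <named -v output>: prints "9.11.26" from a line such as
# "BIND 9.11.26-RedHat-9.11.26-6.el8 (Extended Support Version) <id:...>".
bind_version_of() {
    printf '%s\n' "$1" | sed -n 's/^BIND \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# dlz_module_for <bind version> <module dir>: prints the path of
# dlz_bind9_<minor>.so, or returns 1 when BIND is older than 9.8 (the minimum
# the Samba wiki gives) or no module for that minor version exists in <module dir>.
dlz_module_for() {
    ver="$1"; dir="$2"
    major="${ver%%.*}"
    rest="${ver#*.}"; minor="${rest%%.*}"
    if [ "$major" -ne 9 ] || [ "$minor" -lt 8 ]; then
        echo "BIND $ver is older than 9.8; BIND9_DLZ is not supported" >&2
        return 1
    fi
    mod="$dir/dlz_bind9_${minor}.so"
    if [ ! -f "$mod" ]; then
        echo "no DLZ module for BIND 9.$minor in $dir" >&2
        return 1
    fi
    printf '%s\n' "$mod"
}

# Demo against a constructed module directory mirroring the ls output above.
# Real use: dlz_module_for "$(bind_version_of "$(named -v)")" /opt/samba/lib/bind9
demo_dir=$(mktemp -d)
for n in 10 11 12 14 16; do : > "$demo_dir/dlz_bind9_$n.so"; done
sample='BIND 9.11.26-RedHat-9.11.26-6.el8 (Extended Support Version) <id:constructed>'
dlz_module_for "$(bind_version_of "$sample")" "$demo_dir"
rm -rf "$demo_dir"
```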
#code(nonumber){{
[root@ad ~]# dnf install bind
}}
***From "Step 4: Provision Samba" on the samba page [#oe70c510]
When "BIND9_DLZ" is specified at provision time, the following instructions are printed...
#code(nonumber){{
[root@ad ~]# /opt/samba/bin/samba-tool domain provision -...
Realm [CHAPERONE.JP]:
Domain [CHAPERONE]:
Server Role (dc, member, standalone) [dc]:
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, N...
Administrator password:
Retype password:
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
(omitted
See /opt/samba/bind-dns/named.conf for an example configu...
and /opt/samba/bind-dns/named.txt for further documentati...
(omitted
[root@ad ~]#
}}
One concerns the configuration file of the already installed BIND (/etc/named.conf): in...
The other is the instructions.
***Adjusting BIND [#dbf7b8cf]
The configuration file of the bind package installed with dnf (/etc/na...
#code(diff,nonumber){{
--- /etc/named.conf.20220502 2022-05-02 19:35:30.53375...
+++ /etc/named.conf 2022-05-02 19:41:21.348785567 +0900
@@ -7,16 +7,19 @@
// See /usr/share/doc/bind*/sample/ for example named co...
//
+acl network {
+ 192.168.0.0/24;
+};
options {
- listen-on port 53 { 127.0.0.1; };
- listen-on-v6 port 53 { ::1; };
+ listen-on port 53 { any; };
+ listen-on-v6 port 53 { none; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_sta...
secroots-file "/var/named/data/named.secroots";
recursing-file "/var/named/data/named.recursing";
- allow-query { localhost; };
+ allow-query { localhost; network; };
/*
- If you are building an AUTHORITATIVE DNS serve...
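Review bot: with `listen-on port 53 { any; };` named now answers on every IPv4 interface, so `allow-query { localhost; network; };` is the only thing keeping it from being an open resolver; because `recursion` stays at its default and no `allow-recursion` is set, recursion follows the same ACL (BIND 9.11 behaviour), which is why the later `host -t A www.fujitsu.co.jp` test resolves. Suggest adding `allow-recursion { localhost; network; };` next to allow-query so a future widening of allow-query cannot silently open recursion, and noting that `listen-on-v6 port 53 { none; };` leaves clients that reach the DC over IPv6 without DNS.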
@@ -40,6 +43,8 @@
/* https://fedoraproject.org/wiki/Changes/CryptoP...
include "/etc/crypto-policies/back-ends/bind.conf...
+ tkey-gssapi-keytab "/opt/samba/bind-dns/dns.keyta...
+ minimal-responses yes;
};
logging {
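Review bot: `tkey-gssapi-keytab "/opt/samba/bind-dns/dns.keytab"` is the key that authorizes GSS-TSIG dynamic updates, so besides the chcon label applied further down it should be verified that the `named` user can read the file and nobody else can; a `named-checkconf` run after this edit would also catch a misplaced directive before `systemctl enable named --now`.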
@@ -57,3 +62,4 @@
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
+include "/opt/samba/bind-dns/named.conf";
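Review bot: the included `/opt/samba/bind-dns/named.conf` that provisioning generated carries one `database "dlopen /opt/samba/lib/bind9/dlz_bind9_NN.so"` line per supported BIND release with all but one commented out; with the package's BIND 9.11.26 the `dlz_bind9_11.so` line has to be the active one, otherwise named fails at start with the `dlz_dlopen failed to open library` error mentioned in the approach section. Worth stating here which line must be uncommented.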
}}
Also run the following. &size(10){Since SELinux was turned off...
#code(nonumber){{
[root@ad ~]# chcon -t named_conf_t /opt/samba/bind-dns/dn...
}}
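As an added example (not from the original page), a POSIX shell audit of the named.conf changes made in the diff above: it reads the directives the diff touches (`listen-on`, `allow-query`, `recursion`/`allow-recursion`, `tkey-gssapi-keytab`, the Samba include) and reports whether BIND would answer arbitrary clients and whether the settings BIND9_DLZ needs are present. The demo runs it on a constructed fragment of the post-diff file, not on the real /etc/named.conf.

```shell
#!/bin/sh
# Added example, not part of the original page: audit the named.conf produced
# by the diff above. Checks the directives the diff touches and reports whether
# BIND would serve and recurse for arbitrary clients, and whether the two
# settings BIND9_DLZ needs (tkey-gssapi-keytab, the Samba include) are present.

# conf_value <file> <directive>: value of the first "<directive> ... ;" line
# (e.g. "{ localhost; network; }"), or empty if the directive is absent.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}\(.*\);[[:space:]]*\$/\1/p" "$1" | head -n 1
}

# audit_named_conf <file>: one finding per line; returns 1 if any WARN was raised.
audit_named_conf() {
    f="$1"; rc=0
    query=$(conf_value "$f" 'allow-query')
    recursion=$(conf_value "$f" 'recursion')
    allow_rec=$(conf_value "$f" 'allow-recursion')
    case "$(conf_value "$f" 'listen-on port 53')" in
        *"any;"*) echo "INFO listening on all IPv4 interfaces" ;;
    esac
    # allow-query defaults to "any" when unset; combined with listen-on { any; }
    # that is a resolver reachable from every network the host is on.
    case "$query" in
        ""|*"any;"*) echo "WARN allow-query is open (${query:-unset, BIND default any})"; rc=1 ;;
        *)           echo "OK   allow-query restricted to: $query" ;;
    esac
    if [ "$recursion" != "no" ] && [ -z "$allow_rec" ]; then
        # BIND 9.11 default: allow-recursion falls back to allow-query when set
        echo "INFO recursion on; allow-recursion unset, so it follows allow-query"
    fi
    [ -n "$(conf_value "$f" 'tkey-gssapi-keytab')" ] \
        && echo "OK   tkey-gssapi-keytab set (GSS-TSIG updates such as nsupdate -g possible)" \
        || { echo "WARN tkey-gssapi-keytab missing: Kerberos dynamic updates will fail"; rc=1; }
    grep -q '^[[:space:]]*include "/opt/samba/bind-dns/named.conf";' "$f" \
        && echo "OK   Samba DLZ configuration included" \
        || { echo "WARN /opt/samba/bind-dns/named.conf not included"; rc=1; }
    return $rc
}

# Demo on a constructed copy of the post-diff options block (not the real file).
tmp=$(mktemp)
cat > "$tmp" <<'EOF'
options {
        listen-on port 53 { any; };
        allow-query     { localhost; network; };
        tkey-gssapi-keytab "/opt/samba/bind-dns/dns.keytab";
};
include "/opt/samba/bind-dns/named.conf";
EOF
audit_named_conf "$tmp"
rm -f "$tmp"
```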
***Test [#d974c084]
First, start BIND
#code(nonumber){{
[root@ad ~]# systemctl enable named --now
Created symlink /etc/systemd/system/multi-user.target.wan...
[root@ad ~]#
(test)
[root@ad ~]# host -t SRV _ldap._tcp.chaperone.jp.
_ldap._tcp.chaperone.jp has SRV record 0 100 389 ad.chape...
[root@ad ~]# host -t SRV _kerberos._udp.chaperone.jp.
_kerberos._udp.chaperone.jp has SRV record 0 100 88 ad.ch...
[root@ad ~]# host -t A ad.chaperone.jp.
ad.chaperone.jp has address 192.168.0.131
[root@ad ~]# host -t A www.fujitsu.co.jp
www.fujitsu.co.jp has address 80.70.171.77
[root@ad ~]#
}}
Start samba in another terminal
#code(nonumber){{
[root@ad ~]# /opt/samba/sbin/samba -i -M single
samba version 4.16.0 started.
Copyright Andrew Tridgell and the Samba Team 1992-2022
binary_smbd_main: samba: using 'single' process model
}}
With that running, try a DNS dynamic update test
#code(nonumber){{
[root@ad ~]# LANG=C kinit administrator@CHAPERONE.JP
Password for administrator@CHAPERONE.JP:
Warning: Your password will expire in 41 days on Mon Jun ...
[root@ad ~]# nsupdate -g
>
> update add c200.chaperone.jp 100 in a 192.168.0.200
> send
> quit
[root@ad ~]# host c200.chaperone.jp
c200.chaperone.jp has address 192.168.0.200
[root@ad ~]# nsupdate -g
>
> update delete c200.chaperone.jp
> send
> quit
[root@ad ~]# host c200.chaperone.jp
Host c200.chaperone.jp not found: 3(NXDOMAIN)
[root@ad ~]#
}}
When the DNS backend was set to "SAMBA_INTERNAL", the "&c... that was displayed...
***Afterwards [#g81384c8]
The ntp settings and the smb.conf and samba.service configuration are as in [[samba]]...