Samba 4 AD DC on Ubuntu Server 12.10 with Bind 9.8.1 as DNS.
Published 22 Feb 2013 in the category "Samba 4"
3. Configuring Kerberos, Bind and AppArmor.
Let's configure Kerberos. Edit the file /usr/local/samba/share/setup/krb5.conf so that it reads:
[libdefaults]
    default_realm = SAMDOM.EXAMPLE.COM
    dns_lookup_realm = false
    dns_lookup_kdc = true
Then replace the contents of /etc/krb5.conf with it.
Add the following line to /etc/bind/named.conf.local:
include "/usr/local/samba/private/named.conf";
You also need to uncomment, in /usr/local/samba/private/named.conf, the database line for the dlz plugin that matches your version of Bind (only one of the two lines may be active). Follow the instructions in that file.
# cat /usr/local/samba/private/named.conf
# This DNS configuration is for BIND 9.8.0 or later with dlz_dlopen support.
# This file should be included in your main BIND configuration file
# For example with
# include "/usr/local/samba/private/named.conf";

# This configures dynamically loadable zones (DLZ) from AD schema
# Uncomment only single database line, depending on your BIND version
dlz "AD DNS Zone" {
    # For BIND 9.8.0
    database "dlopen /usr/local/samba/lib/bind9/dlz_bind9.so";

    # For BIND 9.9.0
    # database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_9.so";
};
In the same directory I found a file with instructions.
# cat /usr/local/samba/private/named.txt
# Additional informations for DNS setup using BIND

# If you are running a capable version of BIND and you wish to support
# secure GSS-TSIG updates, you must make the following configuration
# changes:

# Steps for BIND 9.8.x and 9.9.x -----------------------------------------

# 1. Insert following lines into the options {} section of your named.conf
# file:
tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
#
# Common Steps for BIND 9.x.x --------------------------------------------
#
# 2. Set appropriate ownership and permissions on the dns.keytab file.
# Note that the most distributions have BIND configured to run under a
# non-root user account. For example, Fedora 9 runs BIND as the user
# "named" once the daemon relinquishes its rights. Therefore, the file
# dns.keytab must be readable by the user that BIND run as. If BIND
# is running as a non-root user, the "dns.keytab" file must have its
# permissions altered to allow the daemon to read it. Under Fedora 9,
# execute the following commands:
chgrp named /usr/local/samba/private/dns.keytab
chmod g+r /usr/local/samba/private/dns.keytab

# 3. Ensure the BIND zone file(s) that will be dynamically updated are in
# a directory where the BIND daemon can write. When BIND performs
# dynamic updates, it not only needs to update the zone file itself but
# it must also create a journal (.jnl) file to track the dynamic updates
# as they occur. Under Fedora 9, the /var/named directory can not be
# written to by the "named" user. However, the directory /var/named/dynamic
# directory does provide write access. Therefore the zone files were
# placed under the /var/named/dynamic directory. The file directives in
# both example zone statements at the beginning of this file were changed
# by prepending the directory "dynamic/".

# 4. If SELinux is enabled, ensure that all files have the appropriate
# SELinux file contexts. The dns.keytab file must be accessible by the
# BIND daemon and should have a SELinux type of named_conf_t. This can be
# set with the following command:
chcon -t named_conf_t /usr/local/samba/private/dns.keytab
Following these instructions, add the line
tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
to the options {} section of /etc/bind/named.conf.options, which gives:
# cat /etc/bind/named.conf.options
options {
    directory "/var/cache/bind";

    // If there is a firewall between you and nameservers you want
    // to talk to, you may need to fix the firewall to allow multiple
    // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

    // If your ISP provided one or more IP addresses for stable
    // nameservers, you probably want to use them as forwarders.
    // Uncomment the following block, and insert the addresses replacing
    // the all-0's placeholder.

    // forwarders {
    //     0.0.0.0;
    // };

    //========================================================================
    // If BIND logs error messages about the root key being expired,
    // you will need to update your keys.  See https://www.isc.org/bind-keys
    //========================================================================
    dnssec-validation auto;

    auth-nxdomain no;    # conform to RFC1035
    listen-on-v6 { any; };
    tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
};
Run the following commands (on Ubuntu the BIND daemon runs as the user "bind", so the group is bind rather than named):
chgrp bind /usr/local/samba/private/dns.keytab
chmod g+r /usr/local/samba/private/dns.keytab
Note: in my case the permissions on the file were already set correctly.
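The steps above touch four files (krb5.conf, named.conf.local, Samba's named.conf and named.conf.options) plus the permissions of dns.keytab, and a mistake in any one of them only shows up later as a failing GSS-TSIG update or a BIND that refuses to start. The script below is an added example, not part of the original post: it checks each of those settings against the values this section uses. Every check takes the file it inspects as an argument, so it can be pointed either at the real paths from the post (/etc/bind, /usr/local/samba/private, /etc/krb5.conf, group bind) or at a constructed sample tree that make_sample_tree builds under mktemp purely for offline testing; that sample tree, its empty placeholder dns.keytab, and the function names are assumptions of this example, not files or commands from Samba or BIND.

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks for the Samba DLZ /
# GSS-TSIG configuration described in this section. Function and file names in
# the sample tree are assumptions of this example.

# krb5.conf must name the AD realm and let the KDC be found through DNS.
check_krb5() {
    krb="$1"; realm="$2"
    [ -r "$krb" ] || return 1
    grep -q "^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*$realm" "$krb" &&
        grep -q '^[[:space:]]*dns_lookup_kdc[[:space:]]*=[[:space:]]*true' "$krb"
}

# The main BIND config must include Samba's generated named.conf.
check_include() {
    conf="$1"; samba_conf="$2"
    [ -r "$conf" ] || return 1
    grep -q "^[[:space:]]*include[[:space:]]*\"$samba_conf\";" "$conf"
}

# Exactly one 'database "dlopen ..."' line may be active in Samba's named.conf:
# none means no AD zones, two means BIND tries to load both plugin versions.
check_dlz_database() {
    conf="$1"
    [ -r "$conf" ] || return 1
    n=$(grep -c '^[[:space:]]*database[[:space:]]*"dlopen' "$conf" || true)
    [ "$n" -eq 1 ]
}

# named.conf.options must point tkey-gssapi-keytab at Samba's dns.keytab.
check_tkey() {
    opts="$1"; keytab="$2"
    [ -r "$opts" ] || return 1
    grep -q "^[[:space:]]*tkey-gssapi-keytab[[:space:]]*\"$keytab\";" "$opts"
}

# dns.keytab holds the DNS service's Kerberos key: the BIND group needs read
# access (the chgrp/chmod step), but "other" must not be able to read it.
check_keytab_perms() {
    keytab="$1"; want_group="$2"
    [ -e "$keytab" ] || return 1
    set -- $(ls -ld "$keytab")          # fields: perms links owner group ...
    perms="$1"; group="$4"
    [ "$group" = "$want_group" ] || return 1
    case "$perms" in
        ????r??-??*) return 0 ;;        # group r set, other r clear
        *) return 1 ;;
    esac
}

# Runs all checks; prints the first failure and returns non-zero on any.
# Live use: run_all_checks /etc/bind /usr/local/samba/private /etc/krb5.conf bind
run_all_checks() {
    bind_dir="$1"; samba_priv="$2"; krb5="$3"; group="$4"
    check_krb5 "$krb5" SAMDOM.EXAMPLE.COM ||
        { echo "FAIL: krb5.conf realm / dns_lookup_kdc"; return 1; }
    check_include "$bind_dir/named.conf.local" "$samba_priv/named.conf" ||
        { echo "FAIL: named.conf.local does not include Samba named.conf"; return 1; }
    check_dlz_database "$samba_priv/named.conf" ||
        { echo "FAIL: need exactly one active dlz database line"; return 1; }
    check_tkey "$bind_dir/named.conf.options" "$samba_priv/dns.keytab" ||
        { echo "FAIL: tkey-gssapi-keytab missing or wrong path"; return 1; }
    check_keytab_perms "$samba_priv/dns.keytab" "$group" ||
        { echo "FAIL: dns.keytab group or permissions"; return 1; }
    echo "all checks passed"
}

# Builds a constructed sample tree (NOT the real system files) mirroring the
# layout this section ends up with, so the checks can be exercised offline.
# $1 is the group that should own the placeholder keytab.
make_sample_tree() {
    group="$1"
    d=$(mktemp -d)
    mkdir -p "$d/bind" "$d/private" "$d/etc"
    cat > "$d/private/named.conf" <<'EOF'
dlz "AD DNS Zone" {
    # For BIND 9.8.0
    database "dlopen /usr/local/samba/lib/bind9/dlz_bind9.so";
    # For BIND 9.9.0
    # database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_9.so";
};
EOF
    printf 'include "%s";\n' "$d/private/named.conf" > "$d/bind/named.conf.local"
    printf 'options {\n    directory "/var/cache/bind";\n    tkey-gssapi-keytab "%s";\n};\n' \
        "$d/private/dns.keytab" > "$d/bind/named.conf.options"
    printf '[libdefaults]\n    default_realm = SAMDOM.EXAMPLE.COM\n    dns_lookup_realm = false\n    dns_lookup_kdc = true\n' \
        > "$d/etc/krb5.conf"
    : > "$d/private/dns.keytab"         # empty placeholder, not a real keytab
    chgrp "$group" "$d/private/dns.keytab"
    chmod 640 "$d/private/dns.keytab"
    echo "$d"
}

# Invoked directly with the four arguments, run against a live system.
if [ "$#" -ge 4 ]; then
    run_all_checks "$@"
fi
```

The permission test deliberately fails on a world-readable keytab: chmod g+r from the post is the minimum needed for BIND, but if the file was created 644 the Kerberos key of the DNS service is readable by every local account, which the post's own note (permissions "already set correctly") assumes is not the case.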