3. Configuring Kerberos, Bind and AppArmor.

Let's configure Kerberos. Bring the file /usr/local/samba/share/setup/krb5.conf to the following form:

[libdefaults]
default_realm = SAMDOM.EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = true

Then replace the contents of /etc/krb5.conf with it.

Add the following line to /etc/bind/named.conf.local:

include "/usr/local/samba/private/named.conf";

You also need to uncomment, in that configuration file, the dlz plugin line that matches your version of Bind. Follow the instructions in /usr/local/samba/private/named.conf.

# cat /usr/local/samba/private/named.conf 
# This DNS configuration is for BIND 9.8.0 or later with dlz_dlopen support. 
# This file should be included in your main BIND configuration file 
# For example with 
# include "/usr/local/samba/private/named.conf"; 
# This configures dynamically loadable zones (DLZ) from AD schema 
# Uncomment only single database line, depending on your BIND version 
dlz "AD DNS Zone" { 
    # For BIND 9.8.0 
    database "dlopen /usr/local/samba/lib/bind9/dlz_bind9.so"; 
   # For BIND 9.9.0 
    # database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_9.so"; 
}; 

In the same directory I found a file with instructions.

# cat /usr/local/samba/private/named.txt 
# Additional informations for DNS setup using BIND 
# If you are running a capable version of BIND and you wish to support 
# secure GSS-TSIG updates, you must make the following configuration 
# changes: 
# Steps for BIND 9.8.x and 9.9.x ----------------------------------------- 
# 1. Insert following lines into the options {} section of your named.conf 
#    file: 
tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab"; 

# 
# Common Steps for BIND 9.x.x -------------------------------------------- 
# 

# 2. Set appropriate ownership and permissions on the dns.keytab file.  
#    Note that the most distributions have BIND configured to run under a 
#    non-root user account.  For example, Fedora 9 runs BIND as the user 
#    "named" once the daemon relinquishes its rights.  Therefore, the file 
#    dns.keytab must be readable by the user that BIND run as.  If BIND 
#    is running as a non-root user, the "dns.keytab" file must have its 
#    permissions altered to allow the daemon to read it.  Under Fedora 9, 
#    execute the following commands: 
chgrp named /usr/local/samba/private/dns.keytab 
chmod g+r /usr/local/samba/private/dns.keytab 

# 3. Ensure the BIND zone file(s) that will be dynamically updated are in 
#    a directory where the BIND daemon can write.  When BIND performs 
#    dynamic updates, it not only needs to update the zone file itself but 
#    it must also create a journal (.jnl) file to track the dynamic updates 
#    as they occur.  Under Fedora 9, the /var/named directory can not be 
#    written to by the "named" user.  However, the directory /var/named/dynamic 
#    directory does provide write access.  Therefore the zone files were 
#    placed under the /var/named/dynamic directory.  The file directives in 
#    both example zone statements at the beginning of this file were changed 
#    by prepending the directory "dynamic/". 

# 4. If SELinux is enabled, ensure that all files have the appropriate 
#    SELinux file contexts.  The dns.keytab file must be accessible by the 
#    BIND daemon and should have a SELinux type of named_conf_t.  This can be 
#    set with the following command: 
chcon -t named_conf_t /usr/local/samba/private/dns.keytab 

Following these instructions, add the following line to /etc/bind/named.conf.options:

tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";

The file then looks like this:

# cat /etc/bind/named.conf.options 
options { 
	directory "/var/cache/bind"; 

	// If there is a firewall between you and nameservers you want 
	// to talk to, you may need to fix the firewall to allow multiple 
	// ports to talk.  See http://www.kb.cert.org/vuls/id/800113 

	// If your ISP provided one or more IP addresses for stable 
	// nameservers, you probably want to use them as forwarders.  
	// Uncomment the following block, and insert the addresses replacing 
	// the all-0's placeholder. 

	// forwarders { 
	// 	0.0.0.0; 
	// }; 

	//======================================================================== 
	// If BIND logs error messages about the root key being expired, 
	// you will need to update your keys.  See https://www.isc.org/bind-keys 
	//======================================================================== 
	dnssec-validation auto; 

	auth-nxdomain no;    # conform to RFC1035 
	listen-on-v6 { any; }; 
	tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab"; 
}; 

Run the following commands (note that here the group is bind, whereas the Samba notes above use named):

chgrp bind /usr/local/samba/private/dns.keytab 
chmod g+r /usr/local/samba/private/dns.keytab

Note: in my case the file permissions were already set correctly.
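A small shell check, added here and not part of the original post, that verifies the configuration points of this section on constructed sample files: exactly one dlz database line is active, the Samba named.conf is included from named.conf.local, tkey-gssapi-keytab is set in the options block, and dns.keytab is group-readable but not world-readable. It assumes GNU stat (Linux); to audit a live system, point the functions at the real files under /etc/bind and /usr/local/samba/private.

```shell
#!/bin/sh
# Added example (not from the post): sanity checks for the Samba AD DC + BIND DLZ
# settings above. Assumes GNU stat (Linux). Sample files below are constructed.

# Count uncommented "database ..." lines; the dlz block must have exactly one.
active_dlz_databases() {
    grep -c '^[[:space:]]*database[[:space:]]' "$1" || true   # grep -c exits 1 on 0 matches
}

# Samba's generated named.conf must be included from BIND's config, uncommented.
includes_samba_named_conf() {
    grep -q '^[[:space:]]*include[[:space:]]*"/usr/local/samba/private/named.conf";' "$1"
}

# The GSS-TSIG keytab option must be present in the options {} block.
has_tkey_gssapi_keytab() {
    grep -q '^[[:space:]]*tkey-gssapi-keytab[[:space:]]*"/usr/local/samba/private/dns.keytab";' "$1"
}

# dns.keytab holds the DNS service key: group-readable for the bind user, never world-readable.
keytab_mode_ok() {
    _mode=$(stat -c '%a' "$1") || return 1          # e.g. 640
    _group=$(( (_mode / 10) % 10 ))
    _other=$(( _mode % 10 ))
    [ $(( _group & 4 )) -ne 0 ] && [ "$_other" -eq 0 ]
}

# --- Constructed sample files so the script runs stand-alone ------------------
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
cat > "$work/named.conf" <<'EOF'
dlz "AD DNS Zone" {
    # For BIND 9.8.0
    database "dlopen /usr/local/samba/lib/bind9/dlz_bind9.so";
    # For BIND 9.9.0
    # database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_9.so";
};
EOF
printf 'include "/usr/local/samba/private/named.conf";\n' > "$work/named.conf.local"
printf 'options {\n\ttkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";\n};\n' \
    > "$work/named.conf.options"
: > "$work/dns.keytab";     chmod 640 "$work/dns.keytab"       # as after chgrp/chmod g+r
: > "$work/dns.keytab.bad"; chmod 644 "$work/dns.keytab.bad"   # world-readable: wrong

[ "$(active_dlz_databases "$work/named.conf")" -eq 1 ] && echo "dlz: exactly one database line active"
includes_samba_named_conf "$work/named.conf.local" && echo "named.conf.local: samba include present"
has_tkey_gssapi_keytab "$work/named.conf.options" && echo "options: tkey-gssapi-keytab present"
if keytab_mode_ok "$work/dns.keytab"; then echo "dns.keytab: 640, ok"; fi
if keytab_mode_ok "$work/dns.keytab.bad"; then :; else echo "dns.keytab.bad: world-readable, run chmod o-r"; fi
```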