
Installazione e configurazione di Bind-DLZ per Samba-AD

Nonostante Samba venga fornito con un suo DNS interno, molti suggeriscono di utilizzare Bind-DLZ, anche se quest’ultimo accede direttamente al SAM (il database degli utenti) con i massimi permessi e senza ACL. Nel mio caso il server è su una rete interna e dietro un firewall, quindi una compromissione del Bind è difficile; inoltre, essendo su una rete nattata, è preferibile configurare un forwarder DNS: visto che il nostro chimera fa proprio quello, sono a posto e posso cominciare.
Installare bind9 con apt-get install
# Stop named before touching its configuration; it is restarted at the end,
# after samba_upgradedns has been run.
/etc/init.d/named stop
Modificare /etc/bind/named.conf.options in questo modo:

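options {
  // Working directory for named. Quotes must be plain ASCII (") — the curly
  // quotes pasted from a word processor make named refuse the file.
  directory "/var/cache/bind";

  // Everything that is not served locally is relayed to the internal
  // forwarder (the "chimera" box on the NATed network).
  forwarders {
    192.168.2.224;
  };

  // NOTE(review): with validation off, answers coming back through the
  // forwarder are accepted unverified; this is only acceptable while the
  // forwarder itself is trusted and reachable only from the internal network.
  dnssec-validation no;
  // Keep the AA bit off NXDOMAIN responses (BIND default).
  auth-nxdomain no;
  // Inert while named is started with -4 (see OPTIONS in /etc/default/named).
  listen-on-v6 { any; };
  // Keytab used for GSS-TSIG dynamic updates from the AD clients; named (user
  // bind) must be able to read it — hence root:bind and 770 on the directory.
  tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
  minimal-responses yes;
  // NOTE(review): no allow-recursion / allow-query is set, so named falls back
  // to its built-in defaults; confirm that only the internal network can
  // recurse through this server.
};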

Modificare /etc/bind/named.conf.local in questo modo:

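// The AD zone is served straight out of the Samba database through the DLZ
// module shipped by Samba. Quotes must be plain ASCII (").
dlz "myfirm.lan" {
  // The module has to match the running BIND major.minor (check with: named -v);
  // this one is for BIND 9.16.x.
  database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_16.so";
};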

Disabilitare ipv6 in /etc/default/named
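# run resolvconf?
RESOLVCONF=no

# startup options for the server: IPv4 only (-4) and drop privileges to the
# 'bind' user (-u bind). The quotes must be plain ASCII — with curly quotes the
# line is not an assignment and the init script fails to source this file.
OPTIONS="-4 -u bind"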

Modificare /etc/samba/smb.conf in questo modo:

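[global]
# Samba's built-in DNS server is switched off; the AD zone is served by
# BIND9_DLZ instead. Comments must sit on their own line: smb.conf has no
# inline comments, so a trailing "# ..." on a value line becomes part of the
# value (here: extra, unknown service names).
server services = -dns
# Forwarding is done by named (forwarders in named.conf.options), so the
# internal-DNS forwarder setting is no longer used.
#dns forwarder = 192.168.2.224
netbios name = CABRINI
realm = MYFIRM.LAN
server role = active directory domain controller
workgroup = MYFIRM
idmap_ldb:use rfc2307 = yes

[sysvol]
path = /var/lib/samba/sysvol
read only = No

[netlogon]
path = /var/lib/samba/sysvol/myfirm.lan/scripts
read only = No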

Creare due directory in /var/lib/samba
# Directory that will hold the keytab referenced by tkey-gssapi-keytab in
# named.conf.options.
mkdir -p /var/lib/samba/bind-dns/dns
# Owner root, group bind (named runs as -u bind): named can read the keytab,
# every other user is locked out.
# NOTE(review): the keytab is created later by samba_upgradedns, so the
# recursive chmod/chown here only covers what exists now — re-check the
# permissions of dns.keytab after that step.
chmod -R 770 /var/lib/samba/bind-dns
chown -R root:bind /var/lib/samba/bind-dns
Rendere /etc/krb5.conf leggibile da named
# named (user bind) has to read the Kerberos client config to use the keytab.
# NOTE(review): changing the owner of a system-wide file is heavier than
# needed; if /etc/krb5.conf is already world-readable (0644 is the usual
# default) this step can be skipped.
chown root:bind /etc/krb5.conf
Configurare l’aggiornamento dinamico dei record DNS

# Switch the Samba DNS backend to BIND9_DLZ; this presumably generates the
# keytab and the BIND include files under /var/lib/samba/bind-dns — verify
# they exist (and are readable by group bind) before restarting named.
samba_upgradedns --dns-backend=BIND9_DLZ

cabrini-bind-DLZ

Riavviare samba-ad-dc e bind
# Restart Samba first (it now runs without its internal DNS, per smb.conf),
# then named, which loads the DLZ module and the keytab from the files that
# samba_upgradedns just produced.
/etc/init.d/samba-ad-dc restart
/etc/init.d/named restart

Verificare che bind sia in ascolto sulla porta 53

root@cabrini:/etc/bind# netstat -tapn | grep 53
tcp        0      0 192.168.3.229:53        0.0.0.0:*               LISTEN      3473/named
tcp        0      0 192.168.3.229:53        0.0.0.0:*               LISTEN      3473/named
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      3473/named
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      3473/named
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      3473/named
tcp        0      0 0.0.0.0:49153           0.0.0.0:*               LISTEN      3307/samba: task[rp
tcp6       0      0 :::49153                :::*                    LISTEN      3307/samba: task[rp

Verificare query locali e ricorsive
root@cabrini:/etc/bind# dig @localhost google.it

; <<>> DiG 9.16.37-Debian <<>> @localhost google.it
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54597
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 805c77ac60cbcaca01000000644cc60b80a844784a56f37d (good)
;; QUESTION SECTION:
;google.it.                     IN      A

;; ANSWER SECTION:
google.it.              300     IN      A       142.250.184.99

;; Query time: 40 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Apr 29 09:23:55 CEST 2023
;; MSG SIZE  rcvd: 82

root@cabrini:/etc/bind# dig @localhost cabrini.myfirm.lan

; <<>> DiG 9.16.37-Debian <<>> @localhost cabrini.myfirm.lan
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12197
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: b9159eda2bd53d9701000000644cc6dbb948d67ea615b1d0 (good)
;; QUESTION SECTION:
;cabrini.myfirm.lan.                IN      A

;; ANSWER SECTION:
cabrini.myfirm.lan. 900     IN      A       192.168.3.229

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Apr 29 09:27:23 CEST 2023
;; MSG SIZE  rcvd: 95

root@cabrini:/etc/bind# dig -t SRV @localhost _ldap._tcp.myfirm.lan

; <<>> DiG 9.16.37-Debian <<>> -t SRV @localhost _ldap._tcp.myfirm.lan
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37855
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 0a387ab2332cd15001000000644cc73ce1960667500ef837 (good)
;; QUESTION SECTION:
;_ldap._tcp.myfirm.lan.     IN      SRV

;; ANSWER SECTION:
_ldap._tcp.myfirm.lan. 900  IN      SRV     0 100 389 cabrini.myfirm.lan.

;; Query time: 4 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Apr 29 09:29:00 CEST 2023
;; MSG SIZE  rcvd: 124

E ci siamo.
 


Categorised as: Linux | Networking | Samba | Work
