(4) Adding the Samba server settings
The following additions and changes are needed on top of the DNS-server-only configuration.
/etc/bind/named.conf
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
# include "/etc/bind/named.conf.default-zones";
include "/etc/bind/named.conf.internal-zones";
include "/etc/bind/rndc.key";
named.conf.options
options {
    directory "/var/cache/bind";

    // If there is a firewall between you and nameservers you want
    // to talk to, you may need to fix the firewall to allow multiple
    // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

    // If your ISP provided one or more IP addresses for stable
    // nameservers, you probably want to use them as forwarders.
    // Uncomment the following block, and insert the addresses replacing
    // the all-0's placeholder.

    // forwarders {
    //     0.0.0.0;
    // };

    //========================================================================
    // If BIND logs error messages about the root key being expired,
    // you will need to update your keys.  See https://www.isc.org/bind-keys
    //========================================================================

    # Range allowed to send queries
    allow-query { localhost; 192.168.1.0/24; };
    # Range allowed to transfer zone data (if there is a secondary DNS, its address/range)
    allow-transfer { localhost; 192.168.1.0/24; };
    # Range allowed to use recursion
    allow-recursion { localhost; 192.168.1.0/24; };

    dnssec-validation auto;

    auth-nxdomain no;    # conform to RFC1035
    # listen-on-v6 { any; };
    listen-on-v6 { none; };

    tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";  //← required (1)
    forwarders { 192.168.1.1; };  // IP address of the external nameserver
    //dnssec-validation no;
};
named.conf.internal-zones
# Internal-facing definitions
view "internal" {
    # Hosts in the specified range see the internal definitions
    match-clients { localhost; 192.168.1.0/24; };

    # Internal forward zone
    zone "it-ishin.com" {
        type master;
        //file "/etc/bind/it-ishin.com.lan";
        //include "/var/lib/samba/private/named.conf";
        file "/var/lib/samba/private/dns/it-ishin.com.zone";
        include "/var/lib/samba/private/named.conf.update";
        //file "/usr/local/samba/private/dns/it-ishin.com.zone";
        //include "/usr/local/samba/private/named.conf.update";
        check-names ignore;
        //allow-update { 192.168.1.0/24; };
    };

    # Internal reverse zone  *Note
    zone "1.168.192.in-addr.arpa" {
        type master;
        file "/etc/bind/1.168.192.db";
        //allow-update { 192.168.1.0/24; };
    };

    include "/etc/bind/named.conf.default-zones";
};
[Correction] In the internal forward zone, the lines commented out with "//" are the settings for a Samba compiled from source.
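The security-relevant points in the two files above are the ACLs restricted to localhost and 192.168.1.0/24, the tkey-gssapi-keytab line (required (1)), and the fact that allow-update on the AD zone stays commented out, because Samba's generated named.conf.update supplies an update-policy for GSS-TSIG-signed updates instead. The following lint for exactly those points is an added example, not part of the original post; both snippets it checks are constructed from the files shown above.

```python
"""Lint the three BIND settings this setup depends on: the ACLs in
named.conf.options must not be open to 'any', tkey-gssapi-keytab must be set so
Samba's GSS-TSIG signed updates work, and the AD zone must not also carry an
IP-based allow-update.  Added example, not from the post; both snippets are
constructed from the files shown above."""
import re

OPTIONS_OK = """
options {
    allow-query { localhost; 192.168.1.0/24; };
    allow-transfer { localhost; 192.168.1.0/24; };
    allow-recursion { localhost; 192.168.1.0/24; };
    tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
};
"""
ZONE_WEAK = """
zone "it-ishin.com" {
    type master;
    file "/var/lib/samba/private/dns/it-ishin.com.zone";
    include "/var/lib/samba/private/named.conf.update";
    allow-update { 192.168.1.0/24; };   // uncommented: any LAN host may rewrite AD records
};
"""

def strip_comments(text):
    """Remove the //, # and /* */ comment styles BIND accepts."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)

def acl(text, name):
    """Return the members of `name { a; b; };`, or None if the statement is absent."""
    m = re.search(rf"\b{name}\s*\{{([^}}]*)\}}", strip_comments(text))
    return [x.strip() for x in m.group(1).split(";") if x.strip()] if m else None

def lint(options_text, zone_text):
    """Return findings (empty list = nothing to fix)."""
    findings = []
    for name in ("allow-query", "allow-transfer", "allow-recursion"):
        members = acl(options_text, name)
        if members is None or "any" in members:
            findings.append(f"{name} is open (missing or 'any')")
    if "tkey-gssapi-keytab" not in strip_comments(options_text):
        findings.append("tkey-gssapi-keytab not set: Samba's signed DNS updates will fail")
    if acl(zone_text, "allow-update") is not None:
        findings.append("allow-update on the AD zone: unsigned updates from any listed "
                        "host are accepted; rely on named.conf.update (GSS-TSIG) instead")
    return findings
```

Run lint(OPTIONS_OK, ZONE_WEAK) and the only finding is the uncommented allow-update; with the line commented out again, as in the file above, the list is empty.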
named.conf.internal-zones
; -*- zone -*-
; generated by provision.pl
$ORIGIN it-ishin.com.
$TTL 1W
@               IN SOA  ubuntu01        hostmaster (
                                2014051823      ; serial
                                2D              ; refresh
                                4H              ; retry
                                6W              ; expiry
                                1W )            ; minimum
                        IN NS   ubuntu01
                        IN AAAA 2001:c90:8205:8b41:4ee6:76ff:fed8:1566
                        IN A    192.168.1.2
;
ubuntu01        IN A    192.168.1.2
ubuntu02        IN A    192.168.1.3
ubuntu03        IN A    192.168.1.4
ubuntu04        IN A    192.168.1.6
www             IN A    192.168.1.5
www2            IN A    192.168.1.5
mail            IN A    192.168.1.5
gc._msdcs       IN A    192.168.1.2
gc._msdcs       IN AAAA 2001:c90:8205:8b41:4ee6:76ff:fed8:1566
7f737d78-c04f-4b1a-9048-ed3f90162fd5._msdcs     IN CNAME        ubuntu01
;
; global catalog servers
_gc._tcp                IN SRV 0 100 3268       ubuntu01
_gc._tcp.Default-First-Site-Name._sites         IN SRV 0 100 3268       ubuntu01
_ldap._tcp.gc._msdcs    IN SRV 0 100 3268       ubuntu01
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs     IN SRV 0 100 3268       ubuntu01
;
; ldap servers
_ldap._tcp              IN SRV 0 100 389        ubuntu01
_ldap._tcp.dc._msdcs    IN SRV 0 100 389        ubuntu01
_ldap._tcp.pdc._msdcs   IN SRV 0 100 389        ubuntu01
_ldap._tcp.218ddf01-32a9-4d83-9ceb-069fef66e98e.domains._msdcs  IN SRV 0 100 389        ubuntu01
_ldap._tcp.Default-First-Site-Name._sites       IN SRV 0 100 389        ubuntu01
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs     IN SRV 0 100 389        ubuntu01
;
; krb5 servers
_kerberos._tcp          IN SRV 0 100 88         ubuntu01
_kerberos._tcp.dc._msdcs        IN SRV 0 100 88         ubuntu01
_kerberos._tcp.Default-First-Site-Name._sites   IN SRV 0 100 88         ubuntu01
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs IN SRV 0 100 88         ubuntu01
_kerberos._udp          IN SRV 0 100 88         ubuntu01
; MIT kpasswd likes to lookup this name on password change
_kerberos-master._tcp   IN SRV 0 100 88         ubuntu01
_kerberos-master._udp   IN SRV 0 100 88         ubuntu01
;
; kpasswd
_kpasswd._tcp           IN SRV 0 100 464        ubuntu01
_kpasswd._udp           IN SRV 0 100 464        ubuntu01
;
; heimdal 'find realm for host' hack
_kerberos               IN TXT  IT-ISHIN.COM
(5) Testing the AD DC build
Install sysv-rc-conf, tick samba and samba-dc-$ for start-up, and reboot. I am not sure why, but although /etc/init.d/samba instructs the nmbd daemon to start, ps ax | grep nmbd cannot confirm that it is running. The minimal tests are as follows.
[Addendum] It appears that settings must be added to /etc/apparmor.d/usr.named.conf and AppArmor restarted. If $ sudo service bind9 restart fails to restart bind, try this. The commented-out section at the very bottom is the configuration for a Samba compiled from source.
# vim:syntax=apparmor
# Last Modified: Fri Jun  1 16:43:22 2007
#include <tunables/global>

/usr/sbin/named {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  capability net_bind_service,
  capability setgid,
  capability setuid,
  capability sys_chroot,
  capability sys_resource,

  # /etc/bind should be read-only for bind
  # /var/lib/bind is for dynamically updated zone (and journal) files.
  # /var/cache/bind is for slave/stub data, since we're not the origin of it.
  # See /usr/share/doc/bind9/README.Debian.gz
  /etc/bind/** r,
  /var/lib/bind/** rw,
  /var/lib/bind/ rw,
  /var/cache/bind/** lrw,
  /var/cache/bind/ rw,

  # gssapi
  /etc/krb5.keytab kr,
  /etc/bind/krb5.keytab kr,

  # ssl
  /etc/ssl/openssl.cnf r,

  # GeoIP data files for GeoIP ACLs
  /usr/share/GeoIP/** r,

  # dnscvsutil package
  /var/lib/dnscvsutil/compiled/** rw,

  /proc/net/if_inet6 r,
  /proc/*/net/if_inet6 r,
  /usr/sbin/named mr,
  /{,var/}run/named/named.pid w,
  /{,var/}run/named/session.key w,

  # support for resolvconf
  /{,var/}run/named/named.options r,

  # some people like to put logs in /var/log/named/ instead of having
  # syslog do the heavy lifting.
  /var/log/named/** rw,
  /var/log/named/ rw,

  # Site-specific additions and overrides. See local/README for details.
  #include <local/usr.sbin.named>

  # for Samba
  /var/lib/samba/lib/** rm,
  /var/lib/samba/private/dns.keytab r,
  /var/lib/samba/private/named.conf r,
  /var/lib/samba/private/named.conf.update r,
  /var/lib/samba/private/dns/** rwk,

  # Samba4 FLATFILE and Active Directory Zones (default source installation)
  #/usr/local/samba/lib/** rw,
  #/usr/local/samba/private/dns.keytab r,
  #/usr/local/samba/private/named.conf r,
  #/usr/local/samba/private/named.conf.update r,
  #/usr/local/samba/private/dns/** rwk,
}
DNS test.
michiaki@ubuntu01:~$ nslookup -type=SRV _ldap._tcp.it-ishin.com.
Server:		192.168.1.2
Address:	192.168.1.2#53

_ldap._tcp.it-ishin.com	service = 0 100 389 ubuntu01.it-ishin.com.
michiaki@ubuntu01:~$
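The nslookup above checks a single SRV record. As an added example (not from the original post), the script below applies the same check to the full set of records AD clients depend on, reading them from a constructed excerpt of the provisioned zone that carries one deliberate port error.

```python
"""Check that a Samba-provisioned zone has the SRV records AD clients use to
find the DC.  Added example, not from the post; the zone text is a constructed
excerpt of the it-ishin.com zone shown earlier."""

# Names an AD member looks up (relative to $ORIGIN) -> expected port
REQUIRED_SRV = {
    "_ldap._tcp": 389, "_ldap._tcp.dc._msdcs": 389, "_ldap._tcp.pdc._msdcs": 389,
    "_ldap._tcp.gc._msdcs": 3268, "_gc._tcp": 3268, "_kerberos._tcp": 88,
    "_kerberos._udp": 88, "_kpasswd._tcp": 464, "_kpasswd._udp": 464,
}

ZONE_EXCERPT = """\
; constructed excerpt of the provisioned zone
$ORIGIN it-ishin.com.
$TTL 1W
ubuntu01                 IN A   192.168.1.2
_gc._tcp                 IN SRV 0 100 3268 ubuntu01
_ldap._tcp               IN SRV 0 100 389  ubuntu01
_ldap._tcp.dc._msdcs     IN SRV 0 100 389  ubuntu01
_ldap._tcp.pdc._msdcs    IN SRV 0 100 389  ubuntu01
_ldap._tcp.gc._msdcs     IN SRV 0 100 3268 ubuntu01
_kerberos._tcp           IN SRV 0 100 88   ubuntu01
_kerberos._udp           IN SRV 0 100 88   ubuntu01
_kpasswd._tcp            IN SRV 0 100 464  ubuntu01
_kpasswd._udp            IN SRV 0 100 88   ubuntu01   ; wrong port, should be detected
"""

def parse_srv(zone_text):
    """Map SRV owner (as written, i.e. relative to $ORIGIN) -> (port, target)."""
    srv = {}
    for raw in zone_text.splitlines():
        tok = raw.split(";", 1)[0].split()      # drop the comment, tokenize
        if "SRV" not in tok:
            continue
        i = tok.index("SRV")                     # tok[i+1:i+5] = prio weight port target
        srv[tok[0]] = (int(tok[i + 3]), tok[i + 4])
    return srv

def check_dc_records(zone_text, dc_host):
    """Return problems found; empty means every record is present, on port, at dc_host."""
    srv, problems = parse_srv(zone_text), []
    for owner, port in REQUIRED_SRV.items():
        if owner not in srv:
            problems.append(f"missing {owner}")
        elif srv[owner][0] != port:
            problems.append(f"{owner}: port {srv[owner][0]}, expected {port}")
        elif srv[owner][1].rstrip(".").split(".")[0] != dc_host:
            problems.append(f"{owner}: target {srv[owner][1]} is not the DC")
    return problems
```

check_dc_records(ZONE_EXCERPT, "ubuntu01") reports only the deliberately wrong _kpasswd._udp port; to check the live zone, pass the contents of /var/lib/samba/private/dns/it-ishin.com.zone instead of the excerpt.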
Test with smbclient //UBUNTU01/sysvol -UAdministrator
[Caution] To run the test below, it appears that the administrator must be registered as a Samba user with $ sudo smbpasswd -a Administrator. If you run into an NT_STATUS_LOGON_FAILURE error, try this.
michiaki@ubuntu01:~$ smbclient //UBUNTU01/sysvol -UAdministrator
Enter Administrator's password:
Domain=[IT-ISHIN] OS=[Unix] Server=[Samba 4.1.6-Ubuntu]
smb: \> ls
  .                                   D        0  Sun May 18 23:08:18 2014
  ..                                  D        0  Thu May 22 00:29:50 2014
  it-ishin.com                        D        0  Sun May 18 23:08:24 2014

		56506 blocks of size 33553920. 51246 blocks available
smb: \> exit
michiaki@ubuntu01:~$