
Ubuntu14.04LTS(その04)ーSOHO用Sambaサーバーの構築【追記】

(4)Sambaサーバーの設定追加
DNSサーバーOnlyの設定に追加、変更する必要があります。

 /etc/bind/named.conf

// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the 
// structure of BIND configuration files in Debian, *BEFORE* you customize 
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
// default-zones is NOT included at top level here: once views are used,
// every zone has to live inside a view, so the same file is pulled in from
// the "internal" view in named.conf.internal-zones instead.
# include "/etc/bind/named.conf.default-zones";
include "/etc/bind/named.conf.internal-zones";

// Shared secret for the rndc control channel; keep the file unreadable to
// ordinary users (anyone who can read it can control named).
include "/etc/bind/rndc.key";

named.conf.options

options {
	directory "/var/cache/bind";

	// If there is a firewall between you and nameservers you want
	// to talk to, you may need to fix the firewall to allow multiple
	// ports to talk.  See http://www.kb.cert.org/vuls/id/800113

	// If your ISP provided one or more IP addresses for stable 
	// nameservers, you probably want to use them as forwarders.  
	// Uncomment the following block, and insert the addresses replacing 
	// the all-0's placeholder.

	// forwarders {
	// 	0.0.0.0;
	// };

	//========================================================================
	// If BIND logs error messages about the root key being expired,
	// you will need to update your keys.  See https://www.isc.org/bind-keys
	//========================================================================
	# Hosts allowed to query this server: itself and the LAN only.
	allow-query { localhost; 192.168.1.0/24; };
	# Hosts allowed to pull a zone transfer (AXFR). If there is a secondary
	# DNS, put its address/range here.
	# NOTE(review): as written, every host on the LAN can dump the whole AD
	# zone (all SRV/GUID records). With no secondary, { localhost; } or
	# { none; } is the tighter setting.
	allow-transfer { localhost; 192.168.1.0/24; };
	# Hosts allowed to use this server for recursive lookups. Limiting it to
	# the LAN keeps the box from becoming an open resolver.
	allow-recursion { localhost; 192.168.1.0/24; };

	dnssec-validation auto;
	auth-nxdomain no;    # conform to RFC1035
	# IPv6 listener disabled. The it-ishin.com zone on this page still
	# publishes AAAA records, so v6-preferring clients will fall back to A.
	# listen-on-v6 { any; };
	listen-on-v6 { none; };

	// Required (1): keytab with the DNS service principal, used to accept
	// GSS-TSIG (Kerberos-signed) dynamic updates from the Samba DC. The
	// AppArmor profile must grant read access to this path.
	tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab"; // <- required (1)
	forwarders { 192.168.1.1; }; // upstream nameserver for names outside the local zones
	//dnssec-validation no;
};

named.conf.internal-zones

# Definitions served to internal (LAN) clients only.
view "internal" {
# Only hosts in these ranges get this view.
        match-clients {
                localhost;
                192.168.1.0/24;
        };
# Internal forward zone (the AD domain). The zone file lives under Samba's
# private directory; named.conf.update is generated by Samba and presumably
# carries the update-policy that lets the DC modify this zone — check its
# contents. The AppArmor profile must allow rwk on the dns/ directory.
        zone "it-ishin.com" {
                type master;
                //file "/etc/bind/it-ishin.com.lan";
				//include "/var/lib/samba/private/named.conf";
				file "/var/lib/samba/private/dns/it-ishin.com.zone";
				include "/var/lib/samba/private/named.conf.update";
				//file "/usr/local/samba/private/dns/it-ishin.com.zone";
				//include "/usr/local/samba/private/named.conf.update";
				# Needed because the AD zone has address records on
				# underscore labels (e.g. the gc._msdcs A record), which the
				# default host-name check would reject at load time.
				check-names ignore;
                //allow-update { 192.168.1.0/24; };
        };
# Internal reverse zone (see note). This is a static file under /etc/bind,
# which the AppArmor profile grants read-only; if allow-update is ever
# enabled here, the file has to move to /var/lib/bind (rw) first.
        zone "1.168.192.in-addr.arpa" {
                type master;
                file "/etc/bind/1.168.192.db";
                //allow-update { 192.168.1.0/24; };
        };
# Root hints / localhost zones, included inside the view because every
# zone must belong to a view once views are in use.
        include "/etc/bind/named.conf.default-zones";
};

【訂正】内部向け正引き情報のところで、「//」でコメント化したところは、ソースコードからコンパイルした場合の設定です。

it-ishin.com.zone（/var/lib/samba/private/dns/it-ishin.com.zone）

; -*- zone -*-
; generated by provision.pl
; Forward zone for the AD domain it-ishin.com, served from the "internal"
; view. Names below are relative to $ORIGIN; the domain controller is
; ubuntu01 (192.168.1.2).
$ORIGIN it-ishin.com.
$TTL 1W
; SOA: primary = ubuntu01, contact = hostmaster@it-ishin.com.
; NOTE(review): if named accepts dynamic updates for this zone (see
; named.conf.update), it rewrites this file and keeps a .jnl journal
; itself; hand-edit only after `rndc freeze` and bump the serial when
; you do, or the edit is lost/overwritten.
@	IN SOA  ubuntu01   hostmaster (
		2014051823  ; serial
        2D          ; refresh
		4H          ; retry
        6W          ; expiry
		1W )		; minimum

; Apex records: the authoritative NS plus the DC's own addresses.
; NOTE(review): the AAAA is published although named.conf.options sets
; listen-on-v6 { none; }; v6-preferring clients will fall back to the A.
	IN NS	ubuntu01
	IN AAAA	2001:c90:8205:8b41:4ee6:76ff:fed8:1566
	IN A    192.168.1.2
;
; host records
ubuntu01        IN A    	192.168.1.2
ubuntu02	IN A		192.168.1.3
ubuntu03	IN A		192.168.1.4
ubuntu04	IN A		192.168.1.6

www				IN A		192.168.1.5
www2			IN A		192.168.1.5
mail			IN A		192.168.1.5

; AD-specific names. gc._msdcs points at the global catalog (the DC);
; the GUID-labelled CNAME is presumably the DC's NTDS settings GUID used
; by replication partners to find it.
gc._msdcs       IN A    	192.168.1.2
gc._msdcs       IN AAAA    	2001:c90:8205:8b41:4ee6:76ff:fed8:1566
7f737d78-c04f-4b1a-9048-ed3f90162fd5._msdcs	IN CNAME	ubuntu01
;
; global catalog servers
_gc._tcp		IN SRV 0 100 3268	ubuntu01
_gc._tcp.Default-First-Site-Name._sites	IN SRV 0 100 3268	ubuntu01
_ldap._tcp.gc._msdcs	IN SRV 0 100 3268	ubuntu01
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs	IN SRV 0 100 3268 ubuntu01
;
; ldap servers (the GUID label here is presumably the domain GUID)
_ldap._tcp		IN SRV 0 100 389	ubuntu01
_ldap._tcp.dc._msdcs	IN SRV 0 100 389	ubuntu01
_ldap._tcp.pdc._msdcs	IN SRV 0 100 389	ubuntu01
_ldap._tcp.218ddf01-32a9-4d83-9ceb-069fef66e98e.domains._msdcs		IN SRV 0 100 389 ubuntu01
_ldap._tcp.Default-First-Site-Name._sites		IN SRV 0 100 389 ubuntu01
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs	IN SRV 0 100 389 ubuntu01
;
; krb5 servers
_kerberos._tcp		IN SRV 0 100 88		ubuntu01
_kerberos._tcp.dc._msdcs	IN SRV 0 100 88	ubuntu01
_kerberos._tcp.Default-First-Site-Name._sites	IN SRV 0 100 88	ubuntu01
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs	IN SRV 0 100 88 ubuntu01
_kerberos._udp		IN SRV 0 100 88		ubuntu01
; MIT kpasswd likes to lookup this name on password change
_kerberos-master._tcp		IN SRV 0 100 88		ubuntu01
_kerberos-master._udp		IN SRV 0 100 88		ubuntu01
;
; kpasswd
_kpasswd._tcp		IN SRV 0 100 464	ubuntu01
_kpasswd._udp		IN SRV 0 100 464 	ubuntu01
;
; heimdal 'find realm for host' hack (realm name for this domain)
_kerberos		IN TXT	IT-ISHIN.COM

 

(5)ADDC構築のテスト
sysv-rc-confをインストールし、sambaとsamba-dc-$デーモンの起動にチェックを入れ、再起動して下さい。良くは分かりませんが、/etc/init.d/sambaにはnmbdデーモンの起動を指示していますが、ps ax | grep nmbdでは、起動を確認できません。最低限のテストは次のようになります。

【追記】/etc/apparmor.d/usr.named.confに設定を追加し、Apparmorを再起動しておく必要があるようです。$ sudo service bind9 restartでbindの再起動に失敗する場合は試してみて下さい。一番最下の方のコメントで囲んだ箇所は、ソースコードからコンパイルした場合の設定です。

# vim:syntax=apparmor
# Last Modified: Fri Jun  1 16:43:22 2007
#include <tunables/global>

# Confinement profile for named. The Samba-specific rules at the bottom are
# what lets a flat-file AD zone under /var/lib/samba be served and updated.
# NOTE(review): on Debian/Ubuntu this profile is installed as
# /etc/apparmor.d/usr.sbin.named (the local override below is
# local/usr.sbin.named) — confirm the file name before editing, and reload
# AppArmor afterwards so the new rules apply before bind9 is restarted.
/usr/sbin/named {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  capability net_bind_service,
  capability setgid,
  capability setuid,
  capability sys_chroot,
  capability sys_resource,

  # /etc/bind should be read-only for bind
  # /var/lib/bind is for dynamically updated zone (and journal) files.
  # /var/cache/bind is for slave/stub data, since we're not the origin of it.
  # See /usr/share/doc/bind9/README.Debian.gz
  /etc/bind/** r,
  /var/lib/bind/** rw,
  /var/lib/bind/ rw,
  /var/cache/bind/** lrw,
  /var/cache/bind/ rw,

  # gssapi
  /etc/krb5.keytab kr,
  /etc/bind/krb5.keytab kr,

  # ssl
  /etc/ssl/openssl.cnf r,

  # GeoIP data files for GeoIP ACLs
  /usr/share/GeoIP/** r,

  # dnscvsutil package
  /var/lib/dnscvsutil/compiled/** rw,

  /proc/net/if_inet6 r,
  /proc/*/net/if_inet6 r,
  /usr/sbin/named mr,
  /{,var/}run/named/named.pid w,
  /{,var/}run/named/session.key w,
  # support for resolvconf
  /{,var/}run/named/named.options r,

  # some people like to put logs in /var/log/named/ instead of having
  # syslog do the heavy lifting.
  /var/log/named/** rw,
  /var/log/named/ rw,

  # Site-specific additions and overrides. See local/README for details.
  #include <local/usr.sbin.named>

  # for Samba (package install, paths under /var/lib/samba)
  # NOTE(review): "rm" (read + map as executable) on lib/** is what the
  # DLZ back-end needs to load its module. With the flat-file zone used on
  # this page (the named.conf include is commented out) this rule can
  # probably be dropped — least privilege; verify before removing.
  /var/lib/samba/lib/** rm,
  # DNS service keytab used for GSS-TSIG updates (tkey-gssapi-keytab);
  # read-only is sufficient, never grant w here.
  /var/lib/samba/private/dns.keytab r,
  /var/lib/samba/private/named.conf r,
  /var/lib/samba/private/named.conf.update r,
  # Zone file plus the .jnl journal named writes on dynamic updates,
  # hence rw; k allows the file locking named uses while updating.
  /var/lib/samba/private/dns/** rwk,

  # Samba4 FLATFILE and Active Directory Zones (default source installation)
  #/usr/local/samba/lib/** rw,
  #/usr/local/samba/private/dns.keytab r,
  #/usr/local/samba/private/named.conf r,
  #/usr/local/samba/private/named.conf.update r,
  #/usr/local/samba/private/dns/** rwk,
}

 

DNSのテスト。

michiaki@ubuntu01:~$ nslookup -type=SRV _ldap._tcp.it-ishin.com.
Server:		192.168.1.2
Address:	192.168.1.2#53

_ldap._tcp.it-ishin.com	service = 0 100 389 ubuntu01.it-ishin.com.

michiaki@ubuntu01:~$ 

 smbclient //UBUNTU01/sysvol -UAdministratorのテスト
【注意】下記のテストを行うためには、$ sudo smbpasswd -a Administratorで管理者をSambaユーザーとして登録する必要があるようです。NT_STATUS_LOGON_FAILUREのエラーに見舞われた場合は、試してみて下さい。

 

michiaki@ubuntu01:~$ smbclient //UBUNTU01/sysvol -UAdministrator
Enter Administrator's password: 
Domain=[IT-ISHIN] OS=[Unix] Server=[Samba 4.1.6-Ubuntu]
smb: \> ls
  .                                   D        0  Sun May 18 23:08:18 2014
  ..                                  D        0  Thu May 22 00:29:50 2014
  it-ishin.com                        D        0  Sun May 18 23:08:24 2014

		56506 blocks of size 33553920. 51246 blocks available
smb: \> exit
michiaki@ubuntu01:~$ 
