gnoovy
Hi Zusammen,
parallel zu meinem anderen Samba4-Call habe ich Samba4 für dynamische Updates mal mit Bind 9.9.4 aufgesetzt. Eine Sache verstehe ich noch nicht:
Wenn sich die IP-Adresse meines Win7-Clients ändert, werden die Forward- und Reverse-Lookup-Zonen inkl. der JNL-Dateien korrekt angelegt / aktualisiert. Allerdings bekomme ich vor der Aktualisierung ein named[20663]: client <IP-adresse>#50226: update '<Zone>' denied.
Ich habe die Zonen- / JNL-Dateien nach /var/named/dynamic kopiert, und der Benutzer named hat Schreibzugriff (RW) auf diese Dateien. Woran kann diese Meldung sonst noch liegen?
/usr/local/samba/private/named.conf
/etc/named.conf
Forward-Lookup-Zone
Reverse-Lookup-Zone
parallel zu meinem anderen Samba4-Call habe ich Samba4 für dynamische Updates mal mit Bind 9.9.4 aufgesetzt. Eine Sache verstehe ich noch nicht:
Wenn sich die IP-Adresse meines Win7-Clients ändert, werden die Forward- und Reverse-Lookup-Zonen inkl. der JNL-Dateien korrekt angelegt / aktualisiert. Allerdings bekomme ich vor der Aktualisierung ein named[20663]: client <IP-adresse>#50226: update '<Zone>' denied.
Ich habe die Zonen- / JNL-Dateien nach /var/named/dynamic kopiert, und der Benutzer named hat Schreibzugriff (RW) auf diese Dateien. Woran kann diese Meldung sonst noch liegen?
/usr/local/samba/private/named.conf
Code:
/*
 * Samba AD forward zone. No update policy is written here: it is pulled in
 * from named.conf.update, which Samba generates from the domain controllers
 * group (see the comment below), so update rights for this zone must not be
 * hand-edited in this block.
 *
 * NOTE(review): a Windows client normally sends an unsigned update first and
 * only retries with a GSS-TSIG-signed update after that attempt is refused.
 * An "update '<zone>' denied" log line that precedes an update which is then
 * applied is consistent with that first, unsigned attempt -- confirm by
 * checking whether the same client's signed update follows in the log.
 */
zone "winnet.local." IN {
type master;
file "/var/named/dynamic/winnet.local.zone";
/*
* the list of principals and what they can change is created
* dynamically by Samba, based on the membership of the domain controllers
* group. The provision just creates this file as an empty file.
*/
include "/usr/local/samba/private/named.conf.update";
/* we need to use check-names ignore so _msdcs A records can be created */
check-names ignore;
};
/*
 * Reverse zone for 192.168.178.0/24. Unlike the forward zone above, the
 * update policy here is written inline rather than included from the
 * Samba-generated named.conf.update, so Samba does not maintain it.
 */
zone "178.168.192.in-addr.arpa" in {
type master;
file "/var/named/dynamic/192.168.178.rev";
update-policy {
/*
 * NOTE(review): this grant lets any authenticated principal whose identity
 * ends in .LOCAL rewrite any PTR in the zone, including 130 (the DC's own
 * record) -- broader than per-host ownership. The Kerberos realm in the
 * forward zone is WINNET.LOCAL, so identities of that realm are what is
 * intended; check the principal names BIND logs for accepted updates before
 * narrowing the identity or the name pattern.
 */
grant *.LOCAL wildcard *.178.168.192.in-addr.arpa. PTR;
};
};
/etc/named.conf
Code:
/*
 * Global options for the BIND instance in front of the Samba AD domain:
 * authoritative for the zones included at the end of this file, recursive
 * (via the forwarder) for the LAN.
 */
options {
/* IPv4: the DC's address only. IPv6: loopback only. */
listen-on port 53 { 192.168.178.130; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
/*
 * Queries are limited to the LAN. No allow-recursion / allow-query-cache is
 * set; in BIND 9.9 those fall back to this ACL, so the recursion enabled
 * below is bounded by it as well -- verify with `named-checkconf -p`.
 */
allow-query { 192.168.178.0/24; };
/*
 * Keytab Samba exports for GSS-TSIG (signed dynamic updates). Check that the
 * named user can read it: if the TKEY negotiation cannot use it, signed
 * updates are refused as well.
 */
tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
/* Upstream resolver for everything this server is not authoritative for. */
forwarders { 192.168.178.254; };
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;
/*
 * NOTE(review): ISC's DLV lookaside registry has since been retired; on
 * current BIND releases the two DLV-related lines below are obsolete. They
 * were still valid for 9.9.4.
 */
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
/* Same directory that holds the dynamic zone files and their .jnl journals. */
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
/* TSIG key named generates for local updates (nsupdate -l). */
session-keyfile "/run/named/session.key";
};
/*
 * Single channel: debug output goes to data/named.run, relative to the
 * options "directory". "severity dynamic" means the volume follows the
 * debug level set at run time (rndc trace), so the file stays quiet unless
 * tracing is turned on.
 */
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
/*
 * Root hints. Forwarding above is "forward first" (the default), so these
 * are the fallback for iterative resolution when the forwarder does not
 * answer.
 */
zone "." IN {
type hint;
file "named.ca";
};
/* Local zones (localhost, loopback reverse) shipped with the distribution. */
include "/etc/named.rfc1912.zones";
/* Presumably the trust anchor(s) used by dnssec-validation above. */
include "/etc/named.root.key";
/*
 * Samba's generated configuration: the AD forward zone with its GSS-TSIG
 * update policy plus the reverse zone. Included last, and the AD zones are
 * declared nowhere else in this file.
 */
include "/usr/local/samba/private/named.conf";
Forward-Lookup-Zone
Code:
; Forward zone winnet.local as served by BIND.
; The layout ($ORIGIN/$TTL switches, "; 1 week"-style annotations) looks like
; named's own dump of a dynamically updated zone. NOTE(review): if so, do not
; edit this file by hand while named is running without freezing the zone
; first (rndc freeze / rndc thaw); otherwise the .jnl journal and this file
; will disagree.
$ORIGIN .
$TTL 604800 ; 1 week
; SOA: primary NS, contact mailbox (hostmaster@winnet.local), then the timers.
winnet.local IN SOA Server1.winnet.local. hostmaster.winnet.local. (
2014072926 ; serial
172800 ; refresh (2 days)
14400 ; retry (4 hours)
3628800 ; expire (6 weeks)
604800 ; minimum (1 week)
)
; Apex NS and A; the owner name (winnet.local) is inherited from the SOA line.
NS Server1.winnet.local.
$TTL 900 ; 15 minutes
A 192.168.178.130
$ORIGIN winnet.local.
$TTL 604800 ; 1 week
; Kerberos realm advertised to clients.
_kerberos TXT "WINNET.LOCAL"
; AD locator records (_msdcs CNAME, SRV records) pointing at the DC, server1.
$ORIGIN _msdcs.winnet.local.
$TTL 900 ; 15 minutes
554fad70-a814-483c-a9a7-fa67ea7e4bad CNAME server1.winnet.local.
$ORIGIN _tcp.Default-First-Site-Name._sites.dc._msdcs.winnet.local.
_kerberos SRV 0 100 88 server1.winnet.local.
_ldap SRV 0 100 389 server1.winnet.local.
$ORIGIN _tcp.dc._msdcs.winnet.local.
_kerberos SRV 0 100 88 server1.winnet.local.
_ldap SRV 0 100 389 server1.winnet.local.
$ORIGIN _msdcs.winnet.local.
_ldap._tcp.20c04c98-7a95-462f-b982-76eff4247d24.domains SRV 0 100 389 server1.winnet.local.
gc A 192.168.178.130
$ORIGIN gc._msdcs.winnet.local.
_ldap._tcp.Default-First-Site-Name._sites SRV 0 100 3268 server1.winnet.local.
_ldap._tcp SRV 0 100 3268 server1.winnet.local.
$ORIGIN _msdcs.winnet.local.
_ldap._tcp.pdc SRV 0 100 389 server1.winnet.local.
$ORIGIN _tcp.Default-First-Site-Name._sites.winnet.local.
_gc SRV 0 100 3268 server1.winnet.local.
_kerberos SRV 0 100 88 server1.winnet.local.
_ldap SRV 0 100 389 server1.winnet.local.
$ORIGIN _tcp.winnet.local.
_gc SRV 0 100 3268 server1.winnet.local.
_kerberos SRV 0 100 88 server1.winnet.local.
$TTL 604800 ; 1 week
_kerberos-master SRV 0 100 88 Server1.winnet.local.
$TTL 900 ; 15 minutes
_kpasswd SRV 0 100 464 server1.winnet.local.
_ldap SRV 0 100 389 server1.winnet.local.
$ORIGIN _udp.winnet.local.
_kerberos SRV 0 100 88 server1.winnet.local.
$TTL 604800 ; 1 week
_kerberos-master SRV 0 100 88 Server1.winnet.local.
$TTL 900 ; 15 minutes
_kpasswd SRV 0 100 464 server1.winnet.local.
$ORIGIN winnet.local.
; Host records: client1 is presumably the dynamically registered Win7 client
; from the post, Server1 the DC.
$TTL 1200 ; 20 minutes
client1 A 192.168.178.126
$TTL 900 ; 15 minutes
Server1 A 192.168.178.130
Reverse-Lookup-Zone
Code:
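; Reverse zone 178.168.192.in-addr.arpa as served by BIND (same dump layout
; as the forward zone).
; Fix: the SOA RNAME previously read
; "hostmaster.winnet.local.178.168.192.in-addr.arpa." -- the source entry
; lacked its trailing dot, so the zone origin was appended. The contact
; mailbox is hostmaster@winnet.local, as in the forward zone.
; NOTE(review): apply hand edits only with the zone frozen
; (rndc freeze / rndc thaw) and bump the serial when doing so.
$ORIGIN .
$TTL 38400 ; 10 hours 40 minutes
178.168.192.in-addr.arpa IN SOA Server1.winnet.local. hostmaster.winnet.local. (
1406672547 ; serial (increase when this file is edited by hand)
10800 ; refresh (3 hours)
3600 ; retry (1 hour)
604800 ; expire (1 week)
38400 ; minimum (10 hours 40 minutes)
)
; Apex NS; owner name inherited from the SOA line.
NS Server1.winnet.local.
$ORIGIN 178.168.192.in-addr.arpa.
; PTRs: 126 is the dynamically registered client, 130 the DC.
$TTL 1200 ; 20 minutes
126 PTR client1.winnet.local.
$TTL 38400 ; 10 hours 40 minutes
130 PTR Server1.winnet.local.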