Samba 4.1.9 mit Bind 9.9.4

gnoovy

Eroberer
Beiträge
73
Hi Zusammen,

parallel zu meinem anderen Samba4-Call habe ich Samba4 für dynamische Updates mal mit Bind 9.9.4 aufgesetzt. Eine Sache verstehe ich noch nicht:

Wenn sich die IP-Adresse meines Win7-Clients änder werden korrekt die Forward -und Reverse-Lookup-Zonen, inkl. den JNL-Dateien angelegt / aktualisiert. Allerdings bekomme ich vor der Aktualisierung ein named[20663]: client <IP-adresse>#50226: update '<Zone>' denied.

Ich habe die Zonen / JNL-Dateien nach var/named/dynamic kopiert und der Benutzer named hat Schreibzugriff RW auf die Objekte. Woran kann diese Meldung noch liegen?

/usr/local/samba/private/named.conf

Code:
zone "winnet.local." IN {
	type master;
	file "/var/named/dynamic/winnet.local.zone";
	/*
	 * the list of principals and what they can change is created
	 * dynamically by Samba, based on the membership of the domain controllers
	 * group. The provision just creates this file as an empty file.
	 */
	include "/usr/local/samba/private/named.conf.update";

	/* we need to use check-names ignore so _msdcs A records can be created */
	check-names ignore;
};
zone "178.168.192.in-addr.arpa" in {
	type master;
	file "/var/named/dynamic/192.168.178.rev";
	update-policy {
		grant *.LOCAL wildcard *.178.168.192.in-addr.arpa. PTR;
	};
};

/etc/named.conf

Code:
options {
	listen-on port 53 { 192.168.178.130; };
	listen-on-v6 port 53 { ::1; };
	directory 	"/var/named";
	dump-file 	"/var/named/data/cache_dump.db";
	statistics-file "/var/named/data/named_stats.txt";
	memstatistics-file "/var/named/data/named_mem_stats.txt";
	allow-query     { 192.168.178.0/24; };
	tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab"; 
	forwarders { 192.168.178.254; };

	/* 
	 - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
	 - If you are building a RECURSIVE (caching) DNS server, you need to enable 
	   recursion. 
	 - If your recursive DNS server has a public IP address, you MUST enable access 
	   control to limit queries to your legitimate users. Failing to do so will
	   cause your server to become part of large scale DNS amplification 
	   attacks. Implementing BCP38 within your network would greatly
	   reduce such attack surface 
	*/
	recursion yes;

	dnssec-enable yes;
	dnssec-validation yes;
	dnssec-lookaside auto;

	/* Path to ISC DLV key */
	bindkeys-file "/etc/named.iscdlv.key";

	managed-keys-directory "/var/named/dynamic";

	pid-file "/run/named/named.pid";
	session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
	type hint;
	file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
include "/usr/local/samba/private/named.conf";

Forward-Lookup-Zone

Code:
$ORIGIN .
$TTL 604800	; 1 week
winnet.local		IN SOA	Server1.winnet.local. hostmaster.winnet.local. (
				2014072926 ; serial
				172800     ; refresh (2 days)
				14400      ; retry (4 hours)
				3628800    ; expire (6 weeks)
				604800     ; minimum (1 week)
				)
			NS	Server1.winnet.local.
$TTL 900	; 15 minutes
			A	192.168.178.130
$ORIGIN winnet.local.
$TTL 604800	; 1 week
_kerberos		TXT	"WINNET.LOCAL"
$ORIGIN _msdcs.winnet.local.
$TTL 900	; 15 minutes
554fad70-a814-483c-a9a7-fa67ea7e4bad CNAME server1.winnet.local.
$ORIGIN _tcp.Default-First-Site-Name._sites.dc._msdcs.winnet.local.
_kerberos		SRV	0 100 88 server1.winnet.local.
_ldap			SRV	0 100 389 server1.winnet.local.
$ORIGIN _tcp.dc._msdcs.winnet.local.
_kerberos		SRV	0 100 88 server1.winnet.local.
_ldap			SRV	0 100 389 server1.winnet.local.
$ORIGIN _msdcs.winnet.local.
_ldap._tcp.20c04c98-7a95-462f-b982-76eff4247d24.domains	SRV 0 100 389 server1.winnet.local.
gc			A	192.168.178.130
$ORIGIN gc._msdcs.winnet.local.
_ldap._tcp.Default-First-Site-Name._sites SRV 0 100 3268 server1.winnet.local.
_ldap._tcp		SRV	0 100 3268 server1.winnet.local.
$ORIGIN _msdcs.winnet.local.
_ldap._tcp.pdc		SRV	0 100 389 server1.winnet.local.
$ORIGIN _tcp.Default-First-Site-Name._sites.winnet.local.
_gc			SRV	0 100 3268 server1.winnet.local.
_kerberos		SRV	0 100 88 server1.winnet.local.
_ldap			SRV	0 100 389 server1.winnet.local.
$ORIGIN _tcp.winnet.local.
_gc			SRV	0 100 3268 server1.winnet.local.
_kerberos		SRV	0 100 88 server1.winnet.local.
$TTL 604800	; 1 week
_kerberos-master	SRV	0 100 88 Server1.winnet.local.
$TTL 900	; 15 minutes
_kpasswd		SRV	0 100 464 server1.winnet.local.
_ldap			SRV	0 100 389 server1.winnet.local.
$ORIGIN _udp.winnet.local.
_kerberos		SRV	0 100 88 server1.winnet.local.
$TTL 604800	; 1 week
_kerberos-master	SRV	0 100 88 Server1.winnet.local.
$TTL 900	; 15 minutes
_kpasswd		SRV	0 100 464 server1.winnet.local.
$ORIGIN winnet.local.
$TTL 1200	; 20 minutes
client1			A	192.168.178.126
$TTL 900	; 15 minutes
Server1			A	192.168.178.130

Reverse-Lookup-Zone

Code:
$ORIGIN .
$TTL 38400	; 10 hours 40 minutes
178.168.192.in-addr.arpa IN SOA	Server1.winnet.local. hostmaster.winnet.local.178.168.192.in-addr.arpa. (
				1406672547 ; serial
				10800      ; refresh (3 hours)
				3600       ; retry (1 hour)
				604800     ; expire (1 week)
				38400      ; minimum (10 hours 40 minutes)
				)
			NS	Server1.winnet.local.
$ORIGIN 178.168.192.in-addr.arpa.
$TTL 1200	; 20 minutes
126			PTR	client1.winnet.local.
$TTL 38400	; 10 hours 40 minutes
130			PTR	Server1.winnet.local.
 

Ähnliche Themen

samba4 und bind9 auf raspbian - bind stürzt ständig ab

Samba 4 Gast Zugang unter Ubuntu funktioniert nicht

Windows clients können nicht mehr auf lange laufendes System zugreifen

Falsche Rechte gesetzt beim Anlegen von Ordnern via Samba-Client

Debian squeeze, Webmin, Samba Freigaben

Oben