◆Switching DNS from the Samba internal DNS to BIND
The Samba internal DNS is easy to set up, but it offers only record registration and DNS forwarding. Using BIND means configuring BIND on top of Samba, but in exchange BIND provides features the Samba 4 internal DNS does not support, such as a caching resolver and stub zones.
Below, the Samba server built in "Building Active Directory with Samba (2): Adding a Domain Controller" is used to switch its DNS to BIND.
◆Configuring BIND etc.
$ sudo apt-get install bind9 bind9utils
$ sudo samba_upgradedns --dns-backend=BIND9_DLZ
Reading domain information
DNS accounts already exist
No zone file /var/lib/samba/bind-dns/dns/AD.CO.JP.zone (normal)
DNS partitions already exist
Adding dns-dc1 account
check_spn_alias_collision: trying to add SPN 'DNS/dc1.ad.co.jp' on 'CN=dns-dc1,CN=Users,DC=ad,DC=co,DC=jp' when 'host/dc1.ad.co.jp' is on 'CN=DC1,OU=Domain Controllers,DC=ad,DC=co,DC=jp'
See /var/lib/samba/bind-dns/named.conf for an example configuration include file for BIND
and /var/lib/samba/bind-dns/named.txt for further documentation required for secure DNS updates
Finished upgrading DNS
You have switched to using BIND9_DLZ as your dns backend, but still have the internal dns starting. Please make sure you add '-dns' to your server services line in your smb.conf.
$ sudo named -v
BIND 9.18.28-0ubuntu0.24.04.1-Ubuntu (Extended Support Version) <id:>
$ sudo vi /etc/bind/named.conf
dlz "AD DNS Zone" {
# For BIND 9.8.x
# database "dlopen /usr/local/samba/lib/bind9/dlz_bind9.so";
# For BIND 9.9.x
# database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_9.so";
# For BIND 9.10.x
# database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_10.so";
# For BIND 9.11.x
# database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_11.so";
# For BIND 9.12.x
# database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_12.so";
# For BIND 9.14.x
# database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_14.so";
# For BIND 9.16.x
database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_16.so";
};
options {
tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
minimal-responses yes;
};
;EOF
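The same set-up written the way the Debian/Ubuntu BIND layout expects it, as an added example (not the configuration from the original page): the stock /etc/bind/named.conf already includes named.conf.options, and BIND accepts exactly one options block, so tkey-gssapi-keytab belongs inside the existing options block rather than in a second one in named.conf (named-checkconf reports "options redefined" otherwise). The dlz block is pulled in by including the file samba_upgradedns generated at /var/lib/samba/bind-dns/named.conf, which lists the module paths actually installed on the system; uncomment the line matching named -v there (BIND 9.18 uses dlz_bind9_18.so, following the same scheme as the 9.9 to 9.16 lines above). The keytab path is the one /var/lib/samba/bind-dns/named.txt reports on current Samba releases; check that file if your release still uses the private/ location shown above. The two network ranges are assumptions based on dc1's A records later on this page, and the recursion ACL is the added hardening: the caching resolver that motivated the switch should answer only internal clients, not the whole internet.

```conf
// /etc/bind/named.conf.options  (Debian/Ubuntu layout; only ONE options block may exist)

acl "internal" {
    127.0.0.0/8;
    10.0.1.0/24;          // assumed from dc1's addresses on this page
    192.168.128.0/24;     // assumed from dc1's addresses on this page
};

options {
    directory "/var/cache/bind";

    // Kerberos keytab for GSS-TSIG secure dynamic updates from domain members
    // and from samba_dnsupdate. Path as reported by named.txt on current Samba;
    // older releases used /var/lib/samba/private/dns.keytab as on this page.
    tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";

    // The AD zones must be answered for every host that joins the domain, but
    // recursion and cache access are limited to internal networks so the DC
    // does not become an open resolver usable for amplification.
    recursion yes;
    allow-query       { any; };
    allow-recursion   { internal; };
    allow-query-cache { internal; };

    // Same setting Samba's example file uses: keep answers small.
    minimal-responses yes;

    // Do not advertise the exact BIND version in CHAOS/version.bind queries.
    version "not disclosed";

    dnssec-validation auto;
    listen-on-v6 { any; };
};

// /etc/bind/named.conf.local
// Include the dlz block Samba generated instead of pasting it here; inside that
// file, uncomment the single "database ... dlz_bind9_XX.so" line matching `named -v`.
include "/var/lib/samba/bind-dns/named.conf";
```

After saving, run named-checkconf (silence means valid), add -dns to the server services line in the [global] section of /etc/samba/smb.conf as the upgrade tool asks, and restart named and samba-ad-dc; samba_dnsupdate --verbose then shows whether the DC can register its own records through GSS-TSIG.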
$ sudo ls -al /etc/krb5.conf
-rw-r--r-- 1 root root 173 Oct 14 17:55 /etc/krb5.conf
$ sudo chown root:bind /etc/krb5.conf #make it readable by the bind user (the file is already world-readable, 0644, so this only matters if krb5.conf has been made more restrictive)
$ sudo ls -al /etc/krb5.conf
-rw-r--r-- 1 root bind 173 Oct 14 17:55 /etc/krb5.conf
$ which nsupdate #confirm the utility is present on the domain controller; samba_dnsupdate uses it to keep the DC's own records registered
/usr/bin/nsupdate
$ sudo named-checkconf #check that the BIND configuration is valid; no output means it is fine
$ sudo samba_upgradedns --dns-backend=BIND9_DLZ #reconfigure automatically for the BIND9_DLZ back end (second run; accounts and partitions already exist)
Reading domain information
DNS accounts already exist
No zone file /var/lib/samba/bind-dns/dns/AD.CO.JP.zone (normal)
DNS partitions already exist
dns-dc1 account already exists
See /var/lib/samba/bind-dns/named.conf for an example configuration include file for BIND
and /var/lib/samba/bind-dns/named.txt for further documentation required for secure DNS updates
Finished upgrading DNS
You have switched to using BIND9_DLZ as your dns backend, but still have the internal dns starting. Please make sure you add '-dns' to your server services line in your smb.conf.
Before restarting, make the change the tool asks for above: add -dns to the server services line in the [global] section of /etc/samba/smb.conf so the internal DNS no longer starts; otherwise samba keeps port 53 and named cannot bind to it.
# sudo init 6 #does it not work properly without a reboot?
#dc2 also shows errors like the following unless it is rebooted
$ sudo samba-tool drs showrepl
(earlier output omitted)
DC=ForestDnsZones,DC=ad,DC=co,DC=jp
Default-First-Site-Name\DC2 via RPC
DSA object GUID: 053ab0e8-ef92-446c-b90a-869cdb669824
Last attempt @ Mon Oct 28 16:47:21 2024 UTC failed, result 121 (WERR_SEM_TIMEOUT)
2 consecutive failure(s).
Last success @ NTTIME(0)
#Also, added users do not appear to be replicated
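The checks the rest of this page performs by hand (the -dns setting the upgrade tool keeps asking for, a dlz module that exists and matches the installed BIND, and replication state from samba-tool drs showrepl) collected into a small POSIX shell script. This is an added example, not part of the original page or of Samba; it reads configuration files and saved command output instead of talking to a live DC, so it runs anywhere. The module naming (dlz_bind9_18.so for BIND 9.18) follows the scheme of the commented lines in Samba's generated named.conf shown above.

```sh
#!/bin/sh
# Added example (not from the original page): offline checks for a Samba AD DC
# that has been switched to the BIND9_DLZ back end. Every function takes a file
# path, prints what is wrong, and returns 0 (ok) or 1 (problem found).

# 1. smb.conf: the upgrade tool warns that "-dns" must be added to the
#    "server services" line in [global]. Without it the internal DNS keeps
#    listening on port 53 and named cannot bind.
check_smbconf() {
    awk '
        /^[ \t]*\[/ { section = tolower($0) }
        section ~ /\[global\]/ && /^[ \t]*server[ \t]+services[ \t]*=/ {
            if ($0 ~ /(^|[ \t,=])-dns([ \t,]|$)/) found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# 2. named.conf (or the file it includes): the active, uncommented "database"
#    line must dlopen a module that exists and matches the BIND series from
#    `named -v` (9.16 -> dlz_bind9_16.so, 9.18 -> dlz_bind9_18.so; 9.8 used dlz_bind9.so).
check_dlz_module() {
    conf=$1
    want=$2
    mod=$(awk '
        /^[ \t]*#/ || /^[ \t]*\/\// { next }          # skip commented-out lines
        match($0, /dlopen[ \t]+[^" \t]+/) {
            s = substr($0, RSTART, RLENGTH)
            sub(/^dlopen[ \t]+/, "", s)
            print s
            exit
        }
    ' "$conf")
    [ -n "$mod" ] || { echo "no active dlz database line in $conf"; return 1; }
    [ -f "$mod" ]  || { echo "module not found: $mod"; return 1; }
    case "$want" in
        9.8) expect=dlz_bind9.so ;;
        *)   expect="dlz_bind9_${want#9.}.so" ;;
    esac
    [ "$(basename "$mod")" = "$expect" ] ||
        { echo "module $mod does not match BIND $want (expected $expect)"; return 1; }
}

# 3. `samba-tool drs showrepl` output: each partition/partner pair must show
#    "0 consecutive failure(s)" and a real "Last success" time; NTTIME(0)
#    means that partition has never been replicated from that partner.
check_showrepl() {
    awk '
        /^[ \t]*(DC|CN)=/           { nc = $0; sub(/^[ \t]+/, "", nc) }
        /via RPC/                   { src = $1 }
        /consecutive failure/ && $1 > 0 {
            printf "%s from %s: %s consecutive failure(s)\n", nc, src, $1; bad = 1
        }
        /Last success @ NTTIME\(0\)/ {
            printf "%s from %s: never replicated\n", nc, src; bad = 1
        }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# Usage on a DC (as root):
#   check_smbconf /etc/samba/smb.conf
#   check_dlz_module /etc/bind/named.conf "$(named -v | sed -n 's/^BIND \(9\.[0-9]*\).*/\1/p')"
#   samba-tool drs showrepl > /tmp/showrepl.txt && check_showrepl /tmp/showrepl.txt
```

Run against the showrepl output dc2 produced before the reboot, the third check reports the ForestDnsZones partition twice: once for the 2 consecutive failures (WERR_SEM_TIMEOUT) and once because Last success is NTTIME(0); against the post-reboot output it is silent and exits 0.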
◆Checking operation from dc1
$ host -t A dc1.ad.co.jp
dc1.ad.co.jp has address 10.0.1.10
dc1.ad.co.jp has address 192.168.128.10
$ host -t SRV _kerberos._udp.ad.co.jp
_kerberos._udp.ad.co.jp has SRV record 0 100 88 dc1.ad.co.jp.
_kerberos._udp.ad.co.jp has SRV record 0 100 88 dc2.ad.co.jp.
$ host -t SRV _ldap._tcp.ad.co.jp
_ldap._tcp.ad.co.jp has SRV record 0 100 389 dc1.ad.co.jp.
_ldap._tcp.ad.co.jp has SRV record 0 100 389 dc2.ad.co.jp.
$ smbclient -L localhost -U%
Sharename Type Comment
--------- ---- -------
sysvol Disk
netlogon Disk
IPC$ IPC IPC Service (Samba 4.19.5-Ubuntu)
SMB1 disabled -- no workgroup available
$ sudo samba-tool domain level show
Domain and forest function level for domain 'DC=ad,DC=co,DC=jp'
Forest function level: (Windows) 2008 R2
Domain function level: (Windows) 2008 R2
Lowest function level of a DC: (Windows) 2008 R2
dc1:~$ sudo samba-tool drs showrepl
Default-First-Site-Name\DC1
DSA Options: 0x00000001
DSA object GUID: 2c69c819-28cd-4700-827e-b7afbc253708
DSA invocationId: e40865d1-2515-4027-a71a-4d00c1fd182d
==== INBOUND NEIGHBORS ====
DC=ForestDnsZones,DC=ad,DC=co,DC=jp
Default-First-Site-Name\DC2 via RPC
DSA object GUID: 053ab0e8-ef92-446c-b90a-869cdb669824
Last attempt @ Mon Oct 28 16:56:31 2024 UTC was successful
0 consecutive failure(s).
Last success @ Mon Oct 28 16:56:31 2024 UTC
(middle portion omitted)
==== KCC CONNECTION OBJECTS ====
Connection --
Connection name: 9056e4e7-95ed-4612-ac4e-79f131aa2fbe
Enabled : TRUE
Server DNS name : dc2.ad.co.jp
Server DN name : CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=co,DC=jp
TransportType: RPC
options: 0x00000001
Warning: No NC replicated for Connection!
dc1:~$ sudo samba-tool user add testuser10 Passw0rd #add testuser10 (a password given on the command line ends up in shell history; leave it out and samba-tool prompts for it instead)
User 'testuser10' added successfully
dc1:~$ sudo samba-tool user list #confirm testuser10 has been added
testuser2
dc2user
Guest
dns-dc1
krbtgt
dc1user
testuser1
dc20user
Administrator
testuser10
◆Checking operation from dc2
dc2:~$ sudo samba-tool user list #confirm testuser10 has been added
testuser2
dc2user
Guest
dns-dc1
krbtgt
dc1user
testuser1
dc20user
Administrator
testuser10
dc2:~$ sudo samba-tool user delete testuser10 #delete testuser10
Deleted user testuser10
dc2:~$ sudo samba-tool user list
testuser2
dc2user
Guest
dns-dc1
testuser20
krbtgt
dc1user
testuser1
dc20user
Administrator
◆Checking operation from dc1
dc1:~$ sudo samba-tool user list #confirm testuser10 has been deleted
testuser2
dc2user
Guest
dns-dc1
testuser20
krbtgt
dc1user
testuser1
dc20user
Administrator