Configurar BIND como DNS de SAMBA 4 Domain Controller

Samba 4 can use BIND as its DNS backend; this is the recommended setup in environments with a large number of clients.

To do this, follow these steps:

Define BIND as the DNS backend

# samba_upgradedns --dns-backend=BIND9_DLZ
Reading domain information
DNS accounts already exist
No zone file /usr/local/samba/private/dns/EXAMPLE.COM.zone
DNS records will be automatically created
DNS partitions already exist
Adding dns-linuxdc account
See /usr/local/samba/private/named.conf for an example configuration include file for BIND
and /usr/local/samba/private/named.txt for further documentation required for secure DNS updates
Finished upgrading DNS
You have switched to using BIND9_DLZ as your dns backend, but still have the internal dns starting. Please make sure you add '-dns' to your server services line in your smb.conf.

Disable the DNS service in Samba

Edit the Samba configuration and add server services = -dns in the global section

# vi /usr/local/samba/etc/smb.conf
# Global parameters
[global]
    netbios name = LINUXDC
    realm = EXAMPLE.COM
    workgroup = EXAMPLE
    server role = active directory domain controller
    server services = -dns

[netlogon]
    path = /usr/local/samba/var/locks/sysvol/example.com/scripts
    read only = No

[sysvol]
    path = /usr/local/samba/var/locks/sysvol
    read only = No
# systemctl daemon-reload

If SELinux is in use, the labels on the files generated by Samba must be changed so that the named service can access them

semanage fcontext -a -t named_conf_t "/usr/local/samba/share/setup/named.conf.dlz"

semanage fcontext -a -t named_conf_t "/usr/local/samba/private/dns.keytab"

semanage fcontext -a -t named_cache_t "/usr/local/samba/private/dns/(.*)?"

restorecon -Rv /usr/local/samba/

If the Samba version is higher than 4.8, the following commands must also be run

semanage fcontext -a -t named_cache_t "/usr/local/samba/bind-dns/dns/(.*)?"
restorecon -Rv /usr/local/samba/

Configure BIND

# cat <<EOF > /etc/named.conf
// named.conf
options {
    listen-on port 53   { any; };
    directory       "/var/named";
    dump-file       "/var/named/data/cache_dump.db";
    statistics-file     "/var/named/data/named_stats.txt";
    memstatistics-file  "/var/named/data/named_mem_stats.txt";
    allow-query         { any; };
    recursion yes;
    forwarders          { 8.8.8.8; 8.8.4.4; };
    allow-recursion     { 10.100.1.0/24; 192.168.1.0/24; };

    dnssec-enable       yes;
    dnssec-validation   yes;

    bindkeys-file       "/etc/named.iscdlv.key";

    managed-keys-directory  "/var/named/dynamic";

    pid-file            "/run/named/named.pid";
    session-keyfile     "/run/named/session.key";
    // Samba DNS key
    tkey-gssapi-keytab  "/usr/local/samba/private/dns.keytab";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
zone "." IN {
    type hint;
    file "named.ca";
};

// Samba DNS zones
dlz "AD DNS Zone" {
    # For BIND 9.8.x
    # database "dlopen /usr/lib64/samba/bind9/dlz_bind9.so";
    # For BIND 9.9.x
    database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_9.so";
    # For BIND 9.10.x
    # database "dlopen /usr/lib64/samba/bind9/dlz_bind9_10.so";
};
EOF

Enable the services so that they start every time the machine boots

systemctl enable smb named ntpd

If the firewall is enabled, the ports needed for DNS must be opened

firewall-cmd --add-service=dns --permanent
firewall-cmd --reload

Start and enable the services

For the changes to take effect, the Samba service must be restarted

systemctl restart smb

Then start named

systemctl start named
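As an added example (not part of the original post, and not Samba or BIND tooling), a small POSIX sh script that checks the result of the steps above: that [global] in smb.conf really carries -dns (the point the samba_upgradedns output warns about), that named.conf references dns.keytab and an uncommented dlz_bind9 module, and that recursion is limited to an explicit ACL rather than any. Constructed sample configs are written to temp files so it runs offline; the function names and messages are assumptions.

```shell
#!/bin/sh
# Post-change check for the Samba AD DC + BIND9_DLZ setup above (added example).
# Constructed sample configs are written to temp files so it runs offline;
# point the functions at the real smb.conf / named.conf to check a live host.

# 0 if [global] in smb.conf turns the internal DNS off, as the upgrade warns.
smb_internal_dns_disabled() {
    awk '/^[[:space:]]*\[/ { g = ($0 ~ /^[[:space:]]*\[global\]/) }
         g && /^[[:space:]]*server services[[:space:]]*=/ && /-dns/ { f = 1 }
         END { exit(f ? 0 : 1) }' "$1"
}

# 0 if named.conf has the Samba keytab (for GSS-TSIG secure updates) and
# loads an uncommented dlz_bind9 module; both are needed for AD clients.
named_has_samba_backend() {
    grep -Eq '^[[:space:]]*tkey-gssapi-keytab[[:space:]]+".*dns\.keytab"' "$1" &&
    grep -Eq '^[[:space:]]*database[[:space:]]+"dlopen .*dlz_bind9[^"]*\.so"' "$1"
}

# 0 unless recursion is on without an explicit allow-recursion ACL (or with
# "any"), which would turn the DC into an open resolver.
named_recursion_restricted() {
    if grep -Eq '^[[:space:]]*recursion[[:space:]]+yes' "$1"; then
        grep -Eq '^[[:space:]]*allow-recursion[[:space:]]*\{' "$1" &&
        ! grep -Eq '^[[:space:]]*allow-recursion[[:space:]]*\{[[:space:]]*any;' "$1"
    fi
}

run_checks() {
    rc=0
    smb_internal_dns_disabled "$1" || { echo "FAIL: add 'server services = -dns' to [global]"; rc=1; }
    named_has_samba_backend "$2" || { echo "FAIL: named.conf lacks dns.keytab or dlz_bind9 module"; rc=1; }
    named_recursion_restricted "$2" || { echo "FAIL: recursion is open to any client"; rc=1; }
    return $rc
}

# --- constructed samples (not real host files) ---
GOOD_SMB=$(mktemp); BAD_SMB=$(mktemp); GOOD_NAMED=$(mktemp); OPEN_NAMED=$(mktemp)
trap 'rm -f "$GOOD_SMB" "$BAD_SMB" "$GOOD_NAMED" "$OPEN_NAMED"' EXIT
printf '[global]\n\trealm = EXAMPLE.COM\n\tserver services = -dns\n[sysvol]\n\tread only = No\n' > "$GOOD_SMB"
printf '[global]\n\trealm = EXAMPLE.COM\n[sysvol]\n\tserver services = -dns\n' > "$BAD_SMB"
printf 'options {\n    recursion yes;\n    allow-recursion { 10.100.1.0/24; };\n' > "$GOOD_NAMED"
printf '    tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";\n};\n' >> "$GOOD_NAMED"
printf 'dlz "AD DNS Zone" {\n    # database "dlopen /old/dlz_bind9.so";\n' >> "$GOOD_NAMED"
printf '    database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_9.so";\n};\n' >> "$GOOD_NAMED"
printf 'options {\n    recursion yes;\n    allow-recursion { any; };\n};\n' > "$OPEN_NAMED"

if run_checks "$GOOD_SMB" "$GOOD_NAMED"; then echo "good sample: OK"; fi
run_checks "$BAD_SMB" "$OPEN_NAMED" || echo "bad sample rejected as expected"
```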
