Samba4 and DDNS with Windows 7



gnoovy
03.08.14, 15:02
Hi all,

I have set up Samba4 v4.1.9 on CentOS 7 with BIND 9.9.4. As a client I joined a Windows 7 SP1 machine for testing. The only thing that confuses me a bit is DDNS. First I get a "denied" for the forward and reverse lookup zones, but after that they are updated correctly anyway.
Could it be that Windows 7 first attempts an insecure DDNS update and only then a secure connection, and that is why the message appears? With Windows 8.1 I noticed that it only sends an update to the server after a reboot or via ipconfig /registerdns. Is all of this normal, or do I still have a mistake somewhere? I recompiled BIND myself and removed the --disable-isc-spnego option.

I have attached a screenshot of the DDNS updates.

To be on the safe side, here are my configurations again:

/etc/named.conf

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
    tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
    listen-on port 53 { 127.0.0.1; 192.168.178.130; };
    listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query { localhost; 192.168.178.0/24; };
    forwarders { 192.168.178.254; };

    /*
     - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
     - If you are building a RECURSIVE (caching) DNS server, you need to enable
       recursion.
     - If your recursive DNS server has a public IP address, you MUST enable access
       control to limit queries to your legitimate users. Failing to do so will
       cause your server to become part of large scale DNS amplification
       attacks. Implementing BCP38 within your network would greatly
       reduce such attack surface
    */
    recursion yes;

    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;

    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";

    managed-keys-directory "/var/named/dynamic";

    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
};

logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};

zone "." IN {
    type hint;
    file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
include "/usr/local/samba/private/named.conf";


/usr/local/samba/private/named.conf


# This file should be included in your main BIND configuration file
#
# For example with
# include "/usr/local/samba/private/named.conf";

zone "winnet.local." IN {
    type master;
    file "/usr/local/samba/private/dns/winnet.local.zone";
    /*
     * the list of principals and what they can change is created
     * dynamically by Samba, based on the membership of the domain controllers
     * group. The provision just creates this file as an empty file.
     */
    include "/usr/local/samba/private/named.conf.update";

    /* we need to use check-names ignore so _msdcs A records can be created */
    check-names ignore;
};

# The reverse zone configuration is optional. The following example assumes a
# subnet of 192.168.123.0/24:


zone "178.168.192.in-addr.arpa" in {
    type master;
    file "/usr/local/samba/private/dns/192.168.178.rev";
    update-policy {
        grant *.LOCAL wildcard *.178.168.192.in-addr.arpa. PTR;
    };
};


# Note that the reverse zone file is not created during the provision process.

# The most recent BIND versions (9.8 or later) support secure GSS-TSIG
# updates. If you are running an earlier version of BIND, or if you do not wish
# to use secure GSS-TSIG updates, you may remove the update-policy sections in
# both examples above.



/usr/local/samba/private/named.conf.update


/* this file is auto-generated - do not edit */
update-policy {
    grant WINNET.LOCAL ms-self * A AAAA;
    grant Administrator@WINNET.LOCAL wildcard * A AAAA SRV CNAME;
    grant SERVER1$@winnet.local wildcard * A AAAA SRV CNAME;
};


winnet.local.zone


$ORIGIN .
$TTL 604800 ; 1 week
winnet.local IN SOA Server1.winnet.local. hostmaster.winnet.local. (
2014080222 ; serial
172800 ; refresh (2 days)
14400 ; retry (4 hours)
3628800 ; expire (6 weeks)
604800 ; minimum (1 week)
)
NS Server1.winnet.local.
A 192.168.178.130
$ORIGIN winnet.local.
_kerberos TXT "WINNET.LOCAL"
$ORIGIN _msdcs.winnet.local.
d0ceae4f-5e5a-4970-a16e-0fec149712ea CNAME Server1.winnet.local.
$ORIGIN _tcp.Default-First-Site-Name._sites.dc._msdcs.winnet.local.
_kerberos SRV 0 100 88 Server1.winnet.local.
_ldap SRV 0 100 389 Server1.winnet.local.
$ORIGIN _tcp.dc._msdcs.winnet.local.
_kerberos SRV 0 100 88 Server1.winnet.local.
_ldap SRV 0 100 389 Server1.winnet.local.
$ORIGIN _msdcs.winnet.local.
_ldap._tcp.e8d61e3f-b9d2-4516-9cde-c96ca1059b11.domains SRV 0 100 389 Server1.winnet.local.
gc A 192.168.178.130
$ORIGIN gc._msdcs.winnet.local.
_ldap._tcp.Default-First-Site-Name._sites SRV 0 100 3268 Server1.winnet.local.
_ldap._tcp SRV 0 100 3268 Server1.winnet.local.
$ORIGIN _msdcs.winnet.local.
_ldap._tcp.pdc SRV 0 100 389 Server1.winnet.local.
$ORIGIN _tcp.Default-First-Site-Name._sites.winnet.local.
_gc SRV 0 100 3268 Server1.winnet.local.
_kerberos SRV 0 100 88 Server1.winnet.local.
_ldap SRV 0 100 389 Server1.winnet.local.
$ORIGIN _tcp.winnet.local.
_gc SRV 0 100 3268 Server1.winnet.local.
_kerberos SRV 0 100 88 Server1.winnet.local.
_kerberos-master SRV 0 100 88 Server1.winnet.local.
_kpasswd SRV 0 100 464 Server1.winnet.local.
_ldap SRV 0 100 389 Server1.winnet.local.
$ORIGIN _udp.winnet.local.
_kerberos SRV 0 100 88 Server1.winnet.local.
_kerberos-master SRV 0 100 88 Server1.winnet.local.
_kpasswd SRV 0 100 464 Server1.winnet.local.
$ORIGIN winnet.local.
$TTL 1200 ; 20 minutes
client1 A 192.168.178.200
client2 A 192.168.178.203
$TTL 604800 ; 1 week
Server1 A 192.168.178.130


192.168.178.rev


$ORIGIN .
$TTL 38400 ; 10 hours 40 minutes
178.168.192.in-addr.arpa IN SOA Server1.winnet.local. hostmaster.178.168.192.in-addr.arpa. (
1406996332 ; serial
10800 ; refresh (3 hours)
3600 ; retry (1 hour)
604800 ; expire (1 week)
38400 ; minimum (10 hours 40 minutes)
)
NS Server1.winnet.local.
$ORIGIN 178.168.192.in-addr.arpa.
130 PTR Server1.winnet.local.
$TTL 1200 ; 20 minutes
200 PTR client1.winnet.local.
201 PTR client2.winnet.local.
202 PTR client2.winnet.local.
203 PTR client2.winnet.local.

gnoovy
04.08.14, 22:45
Hi all,

Could it be that there really is always a "denied" first before the update is applied? I found a Samba bug report about this. So I don't have a problem after all?

http://forge.univention.org/bugzilla/show_bug.cgi?id=23161
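The pattern asked about in both posts (a "denied" on the first attempt, then a successful update) can be checked from the BIND log instead of a screenshot: a Windows client sends an unsigned update first and retries with GSS-TSIG once that is refused, so "denied" followed by a signed update for the same client and zone is the expected sequence, while a "denied" with no signed follow-up, or an unsigned update that is accepted, is what deserves attention. The script below is an added example, not part of this thread or of Samba; the log lines are constructed in the style of BIND 9.9 update logging using the thread's zones and addresses, and the verdict names are my own.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of BIND 9.9 "update"/"update-security"
# logging; the client names, zones and addresses mirror the thread's setup.
SAMPLE_LOG = """\
02-Aug-2014 22:30:01.123 client 192.168.178.200#49152: update 'winnet.local/IN' denied
02-Aug-2014 22:30:01.456 client 192.168.178.200#49153/key client1\\$@WINNET.LOCAL: updating zone 'winnet.local/IN': adding an RR at 'client1.winnet.local' A
02-Aug-2014 22:30:02.010 client 192.168.178.200#49154: update '178.168.192.in-addr.arpa/IN' denied
02-Aug-2014 22:30:02.300 client 192.168.178.200#49155/key client1\\$@WINNET.LOCAL: updating zone '178.168.192.in-addr.arpa/IN': adding an RR at '200.178.168.192.in-addr.arpa' PTR
02-Aug-2014 22:31:10.000 client 192.168.178.203#51000: update 'winnet.local/IN' denied
"""

# One regex for both message shapes: a refused update, or an applied change
# whose "/key NAME" part names the GSS-TSIG principal that signed it.
LINE_RE = re.compile(
    r"client (?P<ip>[\d.]+)#\d+(?:/key (?P<signer>[^\s:]+))?: "
    r"(?:update '(?P<denied_zone>[^']+)' denied"
    r"|updating zone '(?P<zone>[^']+)': "
    r"(?:adding an RR|deleting rrset|deleting an RR) at '[^']+' (?P<rtype>\S+))"
)

def classify_updates(log_text):
    """Return {(client_ip, zone): verdict} for every client/zone pair seen."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        if m.group("denied_zone"):
            events[(m.group("ip"), m.group("denied_zone"))].append("denied")
        else:
            kind = "signed" if m.group("signer") else "unsigned"
            events[(m.group("ip"), m.group("zone"))].append(kind)
    verdicts = {}
    for key, kinds in events.items():
        if "unsigned" in kinds:
            verdicts[key] = "unsigned-accepted"   # policy let an unsigned update through
        elif "signed" in kinds and "denied" in kinds:
            verdicts[key] = "fallback-to-gss-tsig"  # normal Windows behaviour
        elif "signed" in kinds:
            verdicts[key] = "secure-only"
        else:
            verdicts[key] = "denied-only"  # secure retry never arrived or was refused too
    return verdicts

if __name__ == "__main__":
    for (ip, zone), verdict in sorted(classify_updates(SAMPLE_LOG).items()):
        print(f"{ip:16} {zone:32} {verdict}")
```

Run it against the real named log (with the `update` and `update-security` categories logged) to see whether every "denied" is followed by a signed update; a client that only ever shows "denied-only" has a Kerberos or keytab problem rather than the harmless first-try refusal.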