I have a device running Samba as an Active Directory domain controller, using BIND_DLZ as the backend.
On top of that, I am running a secondary device, also configured as an Active Directory domain controller with BIND_DLZ as the backend, for redundancy purposes.
IP addresses are assigned by an ISC DHCP server, which is able to update DNS resource records using a cryptographic key (TSIG).
Anyway: on to my problem.
This is my current setup
named.conf.options:
options
{
directory "/var/cache/bind";
forwarders {
2001:4860:4860::8888;
2001:4860:4860::8844;
8.8.8.8;
8.8.4.4;
};
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { any; };
listen-on port 53 { 192.168.1.240; };
listen-on port 5353 { 127.0.0.1; }; # <-- Used for Netflix IPv6 filter only.
tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
minimal-responses yes;
recursion yes;
};
acl "home-net"
{
127.0.0.1;
192.168.1.0/24;
2001:db8:cafe:beef::/56; # <-- I am using a IPv6 range from Tunnelbroker in real life.
};
view "normal"
{
include "/etc/bind/named.conf.default-zones";
include "/etc/bind/named.conf.internal";
# Netflix really dislikes Tunnelbroker IPv6, so I am dropping any Netflix AAAA resource records.
include "/etc/bind/netflix-ipv6-blackhole.conf";
match-clients
{
home-net; # <-- Only respond to queries originating from my own network.
};
dnssec-enable yes;
dnssec-validation auto;
allow-query { any; };
allow-query-cache { home-net; };
allow-recursion { home-net; };
forwarders {
8.8.8.8;
8.8.4.4;
2001:4860:4860::8888;
2001:4860:4860::8844;
};
};
named.conf.internal:
zone "1.168.192.in-addr.arpa"
{
type master;
file "/etc/bind/db.192.168.1.rev";
notify yes;
allow-query { any; };
allow-transfer { xfer; };
# If allow-update is enabled instead of the include named.conf.update line,
# then Dynamic DNS works fine because ISC DHCP can update the resource records.
#
# Sadly you can't have both lines enabled. It is either / or.
// allow-update { key ddns-key; };
include "/var/lib/samba/bind-dns/named.conf.update"; # <-- Having issues with THIS line only.
};
include "/var/lib/samba/bind-dns/named.conf";
/var/lib/samba/bind-dns/named.conf:
dlz "AD DNS Zone" {
# For BIND 9.11.x
database "dlopen /usr/lib/arm-linux-gnueabihf/samba/bind9/dlz_bind9_11.so";
};
/var/lib/samba/bind-dns/named.conf.update:
/* this file is auto-generated - do not edit */
update-policy {
grant EXAMPLE.COM ms-self * A AAAA;
grant [email protected] wildcard * A AAAA SRV CNAME;
# Main Active Directory Domain Controller
grant [email protected] wildcard * A AAAA SRV CNAME;
# Backup Active Directory Domain Controller
grant [email protected] wildcard * A AAAA SRV CNAME;
};
If I try to start BIND with this configuration, I get a rather strange error that I cannot figure out:
/var/lib/samba/bind-dns/named.conf.update:3: name field not set to placeholder value '.'
Can anyone tell me what is wrong with named.conf.update?
Answer 1
Okay, so you have two Samba AD DCs using Bind9 as the DNS server, and you are having a problem with DNS; I wonder whether this is related to your incorrect Bind files?
One major problem is that you have the reverse zone in a flat file; this is not allowed, you need to create it in AD, which you can do with samba-tool. You also cannot use "views".
Try these bind9 conf files:
/etc/bind/named.conf
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
/etc/bind/named.conf.options
options {
directory "/var/cache/bind";
notify no;
empty-zones-enable no;
allow-query { 127.0.0.1; 192.168.1.0/24; };
allow-recursion { 192.168.1.0/24; 127.0.0.1/32; };
forwarders {
2001:4860:4860::8888;
2001:4860:4860::8844;
8.8.8.8;
8.8.4.4;
};
allow-transfer { none; };
dnssec-validation no;
dnssec-enable no;
dnssec-lookaside no;
listen-on-v6 { any; };
listen-on port 53 { 192.168.1.240; };
listen-on port 53 { 192.168.1.240; 127.0.0.1; };
listen-on port 5353 { 127.0.0.1; }; # <-- Used for Netflix IPv6 filter only.
tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
minimal-responses yes;
};
/etc/bind/named.conf.local
include "/var/lib/samba/bind-dns/named.conf";
// Netflix really dislikes Tunnelbroker IPv6, so I am dropping any Netflix AAAA resource records.
include "/etc/bind/netflix-ipv6-blackhole.conf";
If you have a backup of /var/lib/samba/bind-dns/named.conf.update, restore it from the backup. If not, change it to:
/* this file is auto-generated - do not edit */
update-policy {
grant EXAMPLE.COM ms-self * A AAAA;
grant [email protected] wildcard * A AAAA SRV CNAME;
grant [email protected] wildcard * A AAAA SRV CNAME;
grant [email protected] wildcard * A AAAA SRV CNAME;
};