Greetings,
I'm new to the forum and I need to set up a domain server using Samba4 and BIND99 with automatic DNS updates using dns.keytab.
None of the settings I made produced an error when I ran the Samba and DNS tests. However, when accessing the DNS server from Windows 7 RSAT I get an "access denied" message, and when I query the DNS from FreeBSD, the host name that was added to the domain does not appear in the DNS list.
In short, I cannot see the DNS through Windows, and the dynamic DNS table is not being updated.
To avoid any doubts about the process, I am posting the complete step-by-step of how I set everything up.
I wonder if someone could help me solve the problem.
Thank you for your attention!
Thank you!
###########################################
PROPOSED STRUCTURE
HOSTNAME: ad
DOMAIN: estudo.local
IP: 172.100.0.254
MASK: 255.255.0.0
GW: 172.100.254.254
DNS1: 172.100.0.254 /* THE FIRST DNS MUST ALWAYS BE THE SERVER'S OWN DNS */
DNS2: 172.100.254.254
1) AFTER INSTALLING FREEBSD11, PERFORM UPDATE;
2) CHANGE THE FSTAB CONFIGURATION;
3) REBOOT THE SYSTEM OR REMOUNT THE PARTITION
4) CHANGE DNS SETTINGS;
5) CHANGE THE /etc/hosts
6) UPDATE PORTSNAP
7) INSTALLING BIND99
8) INSTALLING SAMBA45
9) PROVISION THE DOMAIN
10) INCLUDING SAMBA4'S NAMED.CONF IN NAMED.CONF AND POINTING NAMED.CONF AT DNS.KEYTAB
11) ENABLING NAMED AND SAMBA AT STARTUP
12) CONFIGURING KERBEROS
13) RESTARTING TO MAKE SURE THE SERVICES WERE INITIALIZED
14) TESTING THE CONFIGURATION
15) RUNNING DNS TESTS
###########################################
1) AFTER INSTALLING FREEBSD11, PERFORM UPDATE;
Code:
root@ad:~ # pkg update
root@ad:~ # pkg upgrade
2) CHANGE THE FSTAB CONFIGURATION;
Code:
root@ad:~ # vi /etc/fstab
# Device Mountpoint FStype Options Dump Pass#
/dev/ada0s1a / ufs rw,acls 1 1
/dev/ada0s1b none swap sw 0 0
3) REBOOT THE SYSTEM OR REMOUNT THE PARTITION
Code:
root@ad:~ # reboot
root@ad:~ # mount -o acls /
4) CHANGE DNS SETTINGS;
Code:
root@ad:~ # vi /etc/resolv.conf
search estudo.local
domain estudo.local
nameserver 172.100.0.254
nameserver 172.100.254.254
5) CHANGE THE /etc/hosts
Code:
root@ad:~ # vi /etc/hosts
# $FreeBSD: releng/11.0/etc/hosts 109997 2003-01-28 21:29:23Z dbaker $
#
# Host Database
#
# This file should contain the addresses and aliases for local hosts that
# share this file. Replace 'my.domain' below with the domainname of your
# machine.
#
# In the presence of the domain name service or NIS, this file may
# not be consulted at all; see /etc/nsswitch.conf for the resolution order.
#
#
::1 localhost localhost.my.domain
127.0.0.1 localhost localhost.my.domain
172.100.0.254 ad ad.estudo.local
#
# Imaginary network.
#10.0.0.2 myname.my.domain myname
#10.0.0.3 myfriend.my.domain myfriend
#
# According to RFC 1918, you can use the following IP networks for
# private nets which will never be connected to the Internet:
#
# 10.0.0.0 - 10.255.255.255
# 172.16.0.0 - 172.31.255.255
# 192.168.0.0 - 192.168.255.255
#
# In case you want to be able to connect to the Internet, you need
# real official assigned numbers. Do not try to invent your own network
# numbers but instead get one from your network provider (if any) or
# from your regional registry (ARIN, APNIC, LACNIC, RIPE NCC, or AfriNIC.)
6) UPDATE PORTSNAP
Code:
root@ad:~ # portsnap fetch update extract
7) INSTALLING BIND99
Code:
root@ad:~ # cd /usr/ports/dns/bind99
root@ad:/usr/ports/dns/bind99 # make config-recursive
OPTIONS MARKED FOR bind99-9.0.10
DOCS
IDN
IPV6
RPZ_NSDNAME
RPZ_NSIP
RRL
SIGCHASE
SSL
THREADS
DLZ_BDB
DLZ_FILESYSTEM
DLZ_STUB
GSSAPI_BASE
OPTIONS MARKED FOR libxml2-2.9.4
SCHEMA
THREADS
VALID
OPTIONS MARKED FOR gmake-4.2.1_1
NLS
OPTIONS MARKED FOR gettext-tools-0.19.8.1
DOCS
THREADS
OPTIONS MARKED FOR idnkit-1.0_6
DOCS
RUN THE COMMAND BELOW AGAIN
root@ad:/usr/ports/dns/bind99 # make config-recursive
OPTIONS MARKED FOR db5-5.3.28_6
CRYPTO
DOCS
root@ad:/usr/ports/dns/bind99 # make && make install clean && rehash
8) INSTALLING SAMBA45
Code:
root@ad:/usr/ports/dns/bind99 # cd /usr/ports/net/samba45
root@ad:/usr/ports/net/samba45 # make config-recursive
OPTIONS MARKED FOR samba45-4.5.8
ADS
AD_DC
DEBUG
DOCS
FAM
LDAP
QUOTAS
SYSLOG
UTMP
BIND99
OPTIONS MARKED FOR libarchive-3.3.1,1
LZ4
LZO
OPTIONS MARKED FOR lzo2-2.10_1
DOCS
EXAMPLES
OPTIONS MARKED FOR perl5-5.24.1_1
DTRACE
MULTIPLICITY
PERL_64BITINT
PTHREAD
THREADS
OPTIONS MARKED FOR py27-dnspython-1.15.0
EXAMPLES
OPTIONS MARKED FOR python27-2.7.13_3
IPV6
LIBFFI
NLS
PYMALLOC
THREADS
UCS4
OPTIONS MARKED FOR libffi-3.2.1
OPTIONS MARKED FOR m4-1.4.18,1
EXAMPLES
OPTIONS MARKED FOR texinfo-6.1.20160425_1,1
NLS
OPTIONS MARKED FOR help2man-1.47.4
NLS
OPTIONS MARKED FOR tcl86-8.6.6_2
DTRACE
MODULES
THREADS
OPTIONS MARKED FOR readline-6.3.8_1
DOCS
TERMCAP
OPTIONS MARKED FOR sqlite3-3.18.0
DBSTAT
EXTENSION
FTS3_TOKEN
FTS4
METADATA
SECURE_DELETE
STSHELL
THREADS
UNLOCK_NOTIFY
URI
UNICODE61
RTREE
READLINES
TS1
OPTIONS MARKED FOR py27-pip-9.0.1
DOCS
OPTIONS MARKED FOR py27-Jinja2-2.9.5
BABEL
EXAMPLES
OPTIONS MARKED FOR py27-Babel-2.3.4
DOCS
OPTIONS MARKED FOR py27-docutils-0.13.1
OPTIONS MARKED FOR py27-snowballstemmer-1.2.0_1
PYSTEMMER
OPTIONS MARKED FOR ca_root_nss-3.30.2
ETCSYMLINK
OPTIONS MARKED FOR py27-virtualenv-15.1.0
DOCS
OPTIONS MARKED FOR git-2.12.1_1
CONTRIB
CURL
CVS
GITWEB
ICONV
NLS
P4
PCRE
PERL
SEND_EMAIL
SUBTREE
OPTIONS MARKED FOR curl-7.54.0
CA_BUNDLE
COOKIES
DOCS
EXAMPLES
HTTP2
IPV6
PROXY
TLS_SRP
GSSAPI_BASE
THREADED_RESOLVER
OPENSSL
OPTIONS MARKED FOR xmlto-0.0.28
DOCS
OPTIONS MARKED FOR bash-4.4.12_2
COLONBREAKSWORDS
DOCS
HELP
NLS
OPTIONS MARKED FOR bison-3.0.4,1
DOCS
EXAMPLES
NLS
OPTIONS MARKED FOR getopt-1.1.6
DOCS
NLS
OPTIONS MARKED FOR libxslt-1.1.29_1
CRYPTO
OPTIONS MARKED FOR libgcrypt-1.7.6
DOCS
OPTIONS MARKED FOR libgpg-error-1.27
DOCS
NLS
OPTIONS MARKED FOR docbook-xsl-1.76.1_3
DOCS
ECLIPSE
EPUB
EXTENSIONS
HIGHLIGHTING
HTMLHELP
JAVAHELP
PROFILING
ROUNDTRIP
SLIDES
TEMPLATE
TESTS
TOOLS
WEBSITE
XHTML11
OPTIONS MARKED FOR xmlcatmgr-2.2_2
DOCS
OPTIONS MARKED FOR w3m-0.5.3.20170102
DOCS
NLS
OPTIONS MARKED FOR boehm-gc-7.6.0
DOCS
OPTIONS MARKED FOR libatomic_ops-7.4.4
DOCS
OPTIONS MARKED FOR pcre-8.40
DOCS
MAN3
STACK_RECURSION
OPTIONS MARKED FOR cvsps-2.1_2
DOCS
OPTIONS MARKED FOR p5-Authen-SASL-2.16_1
KERBEROS
OPTIONS MARKED FOR p5-GSSAPI-0.28_1
GSSAPI_BASE
OPTIONS MARKED FOR bzr-2.7.0_1
CA_BUNDLE
SFTP
OPTIONS MARKED FOR py27-paramiko-2.0.5
EXAMPLES
OPTIONS MARKED FOR py27-enum34-1.1.6
DOCS
OPTIONS MARKED FOR talloc-2.1.9
OPTIONS MARKED FOR tevent-0.9.31
OPTIONS MARKED FOR tdb-1.3.12,1
OPTIONS MARKED FOR ldb-1.1.29_1
OPTIONS MARKED FOR popt-1.16_2
NLS
OPTIONS MARKED FOR openldap-client-2.4.44
OPTIONS MARKED FOR gnutls-3.5.11
DOCS
EXAMPLES
IDN
NLS
P11KIT
TPM
ZLIB
OPTIONS MARKED FOR gmp-6.1.2
OPTIONS MARKED FOR nettle-3.3
DOCS
EXAMPLES
OPTIONS MARKED FOR libtasn1-4.10
DOCS
OPTIONS MARKED FOR libunistring-0.9.7
DOCS
OPTIONS MARKED FOR trousers-0.3.14_1
OPTIONS MARKED FOR cmake-3.8.0
DOCS
MANPAGES
OPTIONS MARKED FOR rhash-1.3.4
DOCS
OPTIONS MARKED FOR gamin-0.1.10_9
RUN_AS_EUID
OPTIONS MARKED FOR glib-2.50.2_1,1
OPTIONS MARKED FOR libiconv-1.14_10
DOCS
ENCODINGS
root@ad:/usr/ports/net/samba45 # make && make install clean && rehash
9) PROVISION THE DOMAIN
Code:
root@ad:/usr/ports/net/samba45 # samba-tool domain provision --use-rfc2307 --interactive
Realm [ESTUDO.LOCAL]:
Domain [ESTUDO]:
Server Role (dc, member, standalone) [dc]:
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: BIND9_DLZ
Administrator password:
Retype password:
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=estudo,DC=local
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=estudo,DC=local
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
See /var/db/samba4/private/named.conf for an example configuration include file for BIND
and /var/db/samba4/private/named.txt for further documentation required for secure DNS updates
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /var/db/samba4/private/krb5.conf
Setting up fake yp server settings
Once the above files are installed, your Samba4 server will be ready to use
Server Role: active directory domain controller
Hostname: ad
NetBIOS Domain: ESTUDO
DNS Domain: estudo.local
DOMAIN SID: S-1-5-21-812769385-2631176092-429983996
10) INCLUDING SAMBA4'S NAMED.CONF IN NAMED.CONF AND POINTING NAMED.CONF AT DNS.KEYTAB
Code:
root@ad:~ # cd
root@ad:~ # vi /usr/local/etc/namedb/named.conf
.
.
.
options {
tkey-gssapi-keytab "/var/db/samba4/private/dns.keytab";
// All file and path names are relative to the chroot directory,
// if any, and should be fully qualified.
directory "/usr/local/etc/namedb/working";
pid-file "/var/run/named/pid";
dump-file "/var/dump/named_dump.db";
statistics-file "/var/stats/named.stats";
// If named is being used only as a local resolver, this is a safe default.
// For named to be accessible to the network, comment this option, specify
// the proper IP address, or delete this option.
listen-on { 127.0.0.1; any; };
// If you have IPv6 enabled on this system, uncomment this option for
// use as a local resolver. To give access to the network, specify
// an IPv6 address, or the keyword "any".
// listen-on-v6 { ::1; };
// These zones are already covered by the empty zones listed below.
// If you remove the related empty zones below, comment these lines out.
disable-empty-zone "255.255.255.255.IN-ADDR.ARPA";
disable-empty-zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
disable-empty-zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
// If you've got a DNS server around at your upstream provider, enter
// its IP address here, and enable the line below. This will make you
// benefit from its cache, thus reduce overall DNS traffic in the Internet.
/*
forwarders {
127.0.0.1;
8.8.8.8;
};
.
.
.
include "/var/db/samba4/private/named.conf";
Code:
root@ad:~ # chgrp bind /var/db/samba4/private/dns.keytab
root@ad:~ # chmod g+r /var/db/samba4/private/dns.keytab
11) ENABLING NAMED AND SAMBA AT STARTUP
Code:
root@ad:~ # echo 'named_enable="YES"' >> /etc/rc.conf
root@ad:~ # echo 'samba_server_enable="YES"' >> /etc/rc.conf
12) CONFIGURING KERBEROS
Code:
root@ad:~ # ln -s /usr/local/share/samba45/setup/krb5.conf /etc/
root@ad:~ # vi /etc/krb5.conf
[libdefaults]
default_realm = ESTUDO.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = true
13) RESTARTING TO MAKE SURE THE SERVICES WERE INITIALIZED
Code:
root@ad:~ # reboot
14) TESTING THE CONFIGURATION
Code:
root@ad:~ # smbclient //localhost/netlogon -Uadministrator
Enter administrator's password:
Domain=[ESTUDO] OS=[Windows 6.1] Server=[Samba 4.5.8]
smb: \> quit
root@ad:~ # smbclient -L localhost -UAdministrator
Enter Administrator's password:
Domain=[ESTUDO] OS=[Windows 6.1] Server=[Samba 4.5.8]
Sharename Type Comment
--------- ---- -------
netlogon Disk
sysvol Disk
IPC$ IPC IPC Service (Samba 4.5.8)
Domain=[ESTUDO] OS=[Windows 6.1] Server=[Samba 4.5.8]
Server Comment
--------- -------
Workgroup Master
--------- -------
root@ad:~ # smbclient //localhost/netlogon -UAdministrator'' -c 'ls'
Enter Administrator's password:
Domain=[ESTUDO] OS=[Windows 6.1] Server=[Samba 4.5.8]
. D 0 Sat May 13 14:38:48 2017
.. D 0 Sat May 13 14:39:08 2017
30450780 blocks of size 1024. 25318944 blocks available
15) RUNNING DNS TESTS
Code:
root@ad:~ # samba_dnsupdate --verbose
root@ad:~ # host -t SRV _ldap._tcp.estudo.local
_ldap._tcp.estudo.local has SRV record 0 100 389 ad.estudo.local.
root@ad:~ # host -t SRV _kerberos._udp.estudo.local
_kerberos._udp.estudo.local has SRV record 0 100 88 ad.estudo.local.
root@ad:~ # host -t A ad.estudo.local
ad.estudo.local has address 172.100.0.254
root@ad:~ # kinit administrator
administrator@ESTUDO.LOCAL's Password:
root@ad:~ # klist
Credentials cache: FILE:/tmp/krb5cc_0
Principal: administrator@ESTUDO.LOCAL
Issued Expires Principal
May 13 16:11:31 2017 May 14 02:11:31 2017 krbtgt/ESTUDO.LOCAL@ESTUDO.LOCAL
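Added example (editor's addition, not code from the post above): a POSIX shell script with the checks I would run on a DC built as described before blaming RSAT. It targets the two things that most often break Kerberos-authenticated (GSS-TSIG) dynamic updates with the BIND9_DLZ backend: the named.conf wiring (tkey-gssapi-keytab plus the include of Samba's generated named.conf) and the dns.keytab permissions, which must allow the bind group to read the file but must not leave it world-readable, since it holds the DNS service keys. It also emits an nsupdate batch that tests a GSS-TSIG update end to end. Paths are the ones from the post; the group name bind, the FreeBSD stat -f '%Lp %Sg' output format, and the test record test1.estudo.local / 172.100.0.10 are assumptions, and the sample named.conf fed to the demonstration is constructed inline.

```shell
#!/bin/sh
# Added example, not from the original post: checks for a Samba AD DC that uses
# the BIND9_DLZ backend, aimed at the two things that most often break GSS-TSIG
# dynamic updates: the named.conf wiring and the dns.keytab permissions.
# Paths follow the post (FreeBSD, samba45 + bind99); adjust if yours differ.

SAMBA_PRIVATE="/var/db/samba4/private"          # from the post
NAMED_CONF="/usr/local/etc/namedb/named.conf"   # from the post

# check_named_conf FILE: named.conf must (1) point tkey-gssapi-keytab at the
# Samba keytab and (2) include the Samba-generated named.conf, which loads the
# DLZ module. Both lines must be live, i.e. not behind a // comment.
check_named_conf() {
    conf="$1"; rc=0
    grep -Eq '^[[:space:]]*tkey-gssapi-keytab[[:space:]]+"[^"]*/dns\.keytab"' "$conf" \
        || { echo "named.conf: missing or commented tkey-gssapi-keytab"; rc=1; }
    grep -Eq '^[[:space:]]*include[[:space:]]+"[^"]*/private/named\.conf"' "$conf" \
        || { echo "named.conf: missing or commented include of Samba named.conf"; rc=1; }
    return $rc
}

# keytab_mode_ok MODE GROUP: dns.keytab must be readable by the bind group
# (named opens it as user bind) but not by "other", because it holds the DNS
# service keys. MODE is the octal permission string and GROUP the owning group,
# as printed on FreeBSD by:  stat -f '%Lp %Sg' /var/db/samba4/private/dns.keytab
keytab_mode_ok() {
    mode="$1"; group="$2"
    [ "$group" = "bind" ] || { echo "keytab group is '$group', expected bind"; return 1; }
    case "$mode" in ????) mode="${mode#?}";; esac     # accept 0640 as well as 640
    rest="${mode#?}"; g="${rest%?}"; o="${rest#?}"   # group digit, other digit
    [ $(( $g & 4 )) -ne 0 ] || { echo "keytab not group-readable (mode $mode)"; return 1; }
    [ "$o" -eq 0 ] || { echo "keytab is world-accessible (mode $mode): chmod o-rwx it"; return 1; }
    return 0
}

# nsupdate_batch SERVER ZONE FQDN IP: an nsupdate batch that exercises a
# Kerberos-authenticated (GSS-TSIG) update end to end. On the DC, as a domain
# admin:   kinit administrator
#          nsupdate_batch 172.100.0.254 estudo.local test1.estudo.local 172.100.0.10 | nsupdate -g
# then:    host -t A test1.estudo.local 172.100.0.254
# If this works but RSAT and samba_dnsupdate still fail, the keytab/DLZ side
# is fine and the fault is on the client side (DNS or Kerberos).
nsupdate_batch() {
    printf 'server %s\nzone %s\nupdate delete %s A\nupdate add %s 3600 A %s\nsend\n' \
        "$1" "$2" "$3" "$3" "$4"
}

# --- Demonstration with constructed input (runs anywhere, no DC needed) ---
demo=$(mktemp -d)
cat > "$demo/named.conf" <<'EOF'
options {
    tkey-gssapi-keytab "/var/db/samba4/private/dns.keytab";
    directory "/usr/local/etc/namedb/working";
};
include "/var/db/samba4/private/named.conf";
EOF
check_named_conf "$demo/named.conf" && echo "named.conf wiring: OK"
keytab_mode_ok 640 bind && echo "keytab 640 root:bind: OK"
keytab_mode_ok 644 bind || echo "(expected failure above: world-readable keytab)"
nsupdate_batch 172.100.0.254 estudo.local test1.estudo.local 172.100.0.10
rm -rf "$demo"

# On the real DC, run instead:
#   check_named_conf "$NAMED_CONF"
#   keytab_mode_ok $(stat -f '%Lp %Sg' "$SAMBA_PRIVATE/dns.keytab")
#   samba_dnsupdate --verbose; echo "samba_dnsupdate exit status: $?"
#   samba-tool dns query ad.estudo.local estudo.local @ ALL -U administrator
```

The last command in the trailing comment matters for the RSAT symptom specifically: samba-tool dns talks to Samba's own DNS management RPC service, the same interface the RSAT DNS console uses, so running it on the DC as administrator separates a server-side authorisation problem from a Windows client that cannot obtain a Kerberos ticket for the DC (typically because it is not using the DC as its first DNS server or its clock is skewed).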