mirror of
https://github.com/samba-team/samba.git
synced 2025-01-26 10:04:02 +03:00
53b0c44d8c
We changed to ${DNSNAME} (the fully qualified domain name) a while back, and while it's usually functionally idential to the previous setting, this breaks down if there is more than one DNS server. Andrew Bartlett
47 lines
2.5 KiB
Plaintext
47 lines
2.5 KiB
Plaintext
# Additional informations for DNS setup using BIND
|
|
|
|
# If you are running a capable version of BIND and you wish to support secure
|
|
# GSS-TSIG updates, you must make the following configuration changes:
|
|
|
|
# - Insert the following lines into the options {} section of your named.conf
|
|
# file:
|
|
tkey-gssapi-credential "DNS/${DNSNAME}";
|
|
tkey-domain "${REALM}";
|
|
|
|
# - Modify BIND init scripts to pass the location of the generated keytab file.
|
|
# Fedora 8 & later provide a variable named KEYTAB_FILE in /etc/sysconfig/named
|
|
# for this purpose:
|
|
KEYTAB_FILE="${DNS_KEYTAB_ABS}"
|
|
# Note that the Fedora scripts translate KEYTAB_FILE behind the scenes into a
|
|
# variable named KRB5_KTNAME, which is ultimately passed to the BIND daemon. If
|
|
# your distribution does not provide a variable like KEYTAB_FILE to pass a
|
|
# keytab file to the BIND daemon, a workaround is to place the following line in
|
|
# BIND's sysconfig file or in the init script for BIND:
|
|
export KRB5_KTNAME="${DNS_KEYTAB_ABS}"
|
|
|
|
# - Set appropriate ownership and permissions on the ${DNS_KEYTAB} file. Note
|
|
# that most distributions have BIND configured to run under a non-root user
|
|
# account. For example, Fedora 9 runs BIND as the user "named" once the daemon
|
|
# relinquishes its rights. Therefore, the file ${DNS_KEYTAB} must be readable
|
|
# by the user that BIND run as. If BIND is running as a non-root user, the
|
|
# "${DNS_KEYTAB}" file must have its permissions altered to allow the daemon to
|
|
# read it. Under Fedora 9, execute the following commands:
|
|
chgrp named ${DNS_KEYTAB_ABS}
|
|
chmod g+r ${DNS_KEYTAB_ABS}
|
|
|
|
# - Ensure the BIND zone file(s) that will be dynamically updated are in a
|
|
# directory where the BIND daemon can write. When BIND performs dynamic
|
|
# updates, it not only needs to update the zone file itself but it must also
|
|
# create a journal (.jnl) file to track the dynamic updates as they occur.
|
|
# Under Fedora 9, the /var/named directory can not be written to by the "named"
|
|
# user. However, the directory /var/named/dynamic directory does provide write
|
|
# access. Therefore the zone files were placed under the /var/named/dynamic
|
|
# directory. The file directives in both example zone statements at the
|
|
# beginning of this file were changed by prepending the directory "dynamic/".
|
|
|
|
# - If SELinux is enabled, ensure that all files have the appropriate SELinux
|
|
# file contexts. The ${DNS_KEYTAB} file must be accessible by the BIND daemon
|
|
# and should have a SELinux type of named_conf_t. This can be set with the
|
|
# following command:
|
|
chcon -t named_conf_t ${DNS_KEYTAB_ABS}
|