Saludos a todos.
Estoy cacharreando el alpha 13, como lo he hecho ya con los anteriores,
a ver qué tiene de nuevo.
Me he encontrado que interactúa con el DNS de una forma más actualizada,
y (como era de esperar) que me quedado perdido.
Versiones anteriores, como por ejemplo el alpha 8 (cito de memoria, tal
vez el 10 o el 11 lo hicieran también), generaban mediante el script
provision.pl una información de zona para añadirle al DNS que estuviera
funcionando en el ámbito. Algo como:
; -*- zone -*-
; generated by provision.pl
$ORIGIN dominio.co.cu.
$TTL 1W
@ IN SOA @ hostmaster (
2007121818 ; serial
2D ; refresh
4H ; retry
6W ; expiry
1W ) ; minimum
IN NS servidor
IN A 192.168.0.8
;
servidor IN A 192.168.0.8
72adddc9-ae48-47a3-9937-0609c662c53df._msdcs IN CNAME servidor
;
; global catalog servers
_gc._tcp IN SRV 0 100 3268 servidor
_ldap._tcp.gc._msdcs IN SRV 0 100 389 servidor
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs IN SRV 0 100 389
servidor
;
; ldap servers
_ldap._tcp IN SRV 0 100 389 servidor
_ldap._tcp.dc._msdcs IN SRV 0 100 389 servidor
_ldap._tcp.pdc._msdcs IN SRV 0 100 389 servidor
_ldap._tcp.ad008960-df36-45e7-8501-88fd48acb494.domains._msdcs IN SRV
0 100 389 servidor
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs IN SRV 0 100 389
servidor
;
; krb5 servers
_kerberos._tcp IN SRV 0 100 88 servidor
_kerberos._tcp.dc._msdcs IN SRV 0 100 88 servidor
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs IN SRV 0 100 88 servidor
_kerberos._udp IN SRV 0 100 88 servidor
; MIT kpasswd likes to lookup this name on password change
_kerberos-master._tcp IN SRV 0 100 88 servidor
_kerberos-master._udp IN SRV 0 100 88 servidor
;
; kpasswd
_kpasswd._tcp IN SRV 0 100 464 servidor
_kpasswd._udp IN SRV 0 100 464 servidor
;
; heimdal 'find realm for host' hack
_kerberos IN TXT dominio.co.cu
Añadiendo eso al DNS el Samba 4 me funcionaba perfectamente.
Ahora el alpha 13 aprovecha la posibilidad de usar en BIND 9.x el update_policy:
(esta es la propuesta que hace el alpha 13)
# This file should be included in your main BIND configuration file
#
# For example with
# include "${NAMED_CONF}";
zone "${DNSDOMAIN}." IN {
type master;
file "${ZONE_FILE}";
/*
* the list of principals and what they can change is created
* dynamically by Samba, based on the membership of the domain
controllers
* group. The provision just creates this file as an empty file.
*/
include "${NAMED_CONF_UPDATE}";
/* we need to use check-names ignore so _msdcs A records can be created
*/
check-names ignore;
};
# The reverse zone configuration is optional. The following example assumes a
# subnet of 192.168.0.0/24:
zone "0.168.192.in-addr.arpa" in {
type master;
file "0.168.192.in-addr.arpa.zone";
update-policy {
grant ${REALM_WC} wildcard *.0.168.192.in-addr.arpa. PTR;
};
};
# Note that the reverse zone file is not created during the provision process.
# The most recent BIND versions (9.5.0a5 or later) support secure GSS-TSIG
# updates. If you are running an earlier version of BIND, or if you do not wish
# to use secure GSS-TSIG updates, you may remove the update-policy sections in
# both examples above.
La línea grant ${REALM_WC} wildcard me tiene confuso. No sé realmente qué poner
ahí, y
en consecuencia cuando lanzo al Samba 4 con, por ejemplo, ./samba -i -M single
se queja:
servidor:/etc/bind# servidor:/usr/local/samba/sbin# ./samba -i -M single
samba version 4.0.0alpha13 started.
Copyright Andrew Tridgell and the Samba Team 1992-2010
samba: using 'single' process model
FIXME: Using new system session for hdb
/usr/local/samba/sbin/samba_dnsupdate: Traceback (most recent call last):
/usr/local/samba/sbin/samba_dnsupdate: File
"/usr/local/samba/sbin/samba_dnsupdate", line 276, in <module>
/usr/local/samba/sbin/samba_dnsupdate: if not check_dns_name(d):
/usr/local/samba/sbin/samba_dnsupdate: File
"/usr/local/samba/sbin/samba_dnsupdate", line 161, in check_dns_name
/usr/local/samba/sbin/samba_dnsupdate: ans =
resolver.query(normalised_name, d.type)
/usr/local/samba/sbin/samba_dnsupdate: File
"/usr/local/samba/lib/python2.5/site-packages/samba/external/dns/resolver.py",
line 733, in query
/usr/local/samba/sbin/samba_dnsupdate: return
get_default_resolver().query(qname, rdtype, rdclass, tcp, source)
/usr/local/samba/sbin/samba_dnsupdate: File
"/usr/local/samba/lib/python2.5/site-packages/samba/external/dns/resolver.py",
line 673, in query
/usr/local/samba/sbin/samba_dnsupdate: answer = Answer(qname, rdtype,
rdclass, response)
/usr/local/samba/sbin/samba_dnsupdate: File
"/usr/local/samba/lib/python2.5/site-packages/samba/external/dns/resolver.py",
line 121, in __init__
/usr/local/samba/sbin/samba_dnsupdate: raise NoAnswer
/usr/local/samba/sbin/samba_dnsupdate: dns.resolver.NoAnswer
../dsdb/dns/dns_update.c:249: Failed DNS update - NT_STATUS_ACCESS_DENIED
Testing kcctpl_create_intersite_connections
Una consulta al servidor con
servidor:/home/alberto# net --server 192.168.0.8 -Uadministrator%Contrasena1
ads lookup kdc
Me responde:
desarrollo:/home/alberto# net --server 192.168.0.8 -Uadministrator%Contrasena1
ads lookup kdc
Information for Domain Controller: 192.168.0.8
Response Type: SAMLOGON
GUID: 72adddc9-ae48-47a3-9937-0609c662c53d
Flags:
Is a PDC: yes
Is a GC of the forest: yes
Is an LDAP server: yes
Supports DS: yes
Is running a KDC: yes
Is running time services: yes
Is the closest DC: yes
Is writable: yes
Has a hardware clock: yes
Is a non-domain NC serviced by LDAP server: no
Forest: dominio.co.cu
Domain: dominio.co.cu
Domain Controller: servidor.dominio.co.cu
Pre-Win2k Domain: PART-LAN
Pre-Win2k Hostname: \\SERVIDOR
Server Site Name : Default-First-Site-Name
Client Site Name : Default-First-Site-Name
NT Version: 5
LMNT Token: ffff
LM20 Token: ffff
Pero la consulta:
servidor:/home/alberto# net --server 192.168.0.8 -Uadministrator%Contrasena1
ads user info administrator
falla con:
[2010/10/19 09:03:17, 0] libads/kerberos.c:ads_kinit_password(356)
kerberos_kinit_password administra...@dominio.co.cu failed: Cannot resolve
network address for KDC in requested realm
[2010/10/19 09:03:17, 0] libads/kerberos.c:ads_kinit_password(356)
kerberos_kinit_password administra...@dominio.co.cu failed: Cannot resolve
network address for KDC in requested realm
Estoy necesitado de un buen consejo.... ;-)
--
MSc. Alberto García Fumero
Usuario Linux 97 318
Las autoridades sanitarias advierten:
El uso prolongado de Windows puede provocar dependencia
--
Este mensaje ha sido analizado por MailScanner en Partagas
en busca de virus y otros contenidos peligrosos,
y se considera que est� limpio.
______________________________________________________________________
Lista de correos del Grupo de Usuarios de Tecnologías Libres de Cuba.
Gutl-l@jovenclub.cu
http://listas.jovenclub.cu/cgi-bin/mailman/listinfo/gutl-l
