Tuesday, May 26, 2015

OpenLDAP Server / Client Configuration on CentOS 7.X / Redhat 7.X


Step 1: Install the following packages:

 # yum install -y openldap openldap-clients openldap-servers migrationtools

Step 2: Generate a hashed password for the Manager (rootdn) user. The example password is "redhat"; use a strong one outside a lab. The output file holds the hash, so keep it root-only and delete it once Step 3 is done:

 # slappasswd -s redhat -n > /etc/openldap/secret-passwd

Step 3: Configure the OpenLDAP server database:

 On CentOS 7 the default backend is hdb, so the file is olcDatabase={2}hdb.ldif (older releases shipped olcDatabase={2}bdb.ldif; check the directory listing if yours differs). Editing slapd.d files by hand is a shortcut: slapd stores a CRC32 of each file and logs a checksum warning afterwards; the supported way is an LDIF with changetype: modify applied through ldapmodify -Y EXTERNAL -H ldapi:///.

 #vim /etc/openldap/slapd.d/"cn=config"/"olcDatabase={2}hdb.ldif"

 #do the following changes

 olcSuffix: dc=goldenjohn,dc=com

 olcRootDN: cn=Manager,dc=goldenjohn,dc=com

 olcRootPW: paste the {SSHA} hash from /etc/openldap/secret-passwd here (never the cleartext password)

 olcTLSCertificateFile: /etc/pki/CA/cacert.pem

 olcTLSCertificateKeyFile: /etc/pki/CA/private/cakey.pem

 :wq (save and exit)

Step 4: Restrict access to the monitor database so that only root over the local socket and the Manager DN can read it:

 #vim /etc/openldap/slapd.d/"cn=config"/"olcDatabase={1}monitor.ldif"

 #do the following change

 olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=goldenjohn,dc=com" read by * none


 :wq (save and exit)

Step 5: Generate a self-signed X.509 certificate valid for 365 days (because of -nodes the private key is written unencrypted, which is why Step 6 matters):

 # openssl req -new -x509 -nodes -out /etc/pki/CA/cacert.pem -keyout /etc/pki/CA/private/cakey.pem -days 365

 Country Name (2 letter code) [XX]: IN

 State or Province Name (full name) []: Tamil Nadu

 Locality Name (eg, city) [Default City]: Chennai

 Organization Name (eg, company) [Default Company Ltd]: Goldenjohn, Inc.

 Organizational Unit Name (eg, section) []: IT

 Common Name (eg, your name or your server's hostname) []:ldap.goldenjohn.com

 Email Address []: root@ldap.goldenjohn.com

 The Common Name must be the host name clients will put in their LDAP URI: TLS host-name verification on the client compares the two, so a certificate issued for ldap.goldenjohn.com is not accepted for a connection to server1.goldenjohn.com.

Step 6: Secure the contents of /etc/pki/CA/ (the certificate is public; the unencrypted private key must be readable by the ldap user only):

 # cd /etc/pki/CA/

 # chown ldap:ldap cacert.pem

 # cd /etc/pki/CA/private/

 # chown ldap:ldap cakey.pem

 # chmod 600 cakey.pem

Step 7: Prepare the LDAP database directory:

 # cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

 # chown -R ldap:ldap /var/lib/ldap/

Step 8: Enable LDAPS:

 #vim /etc/sysconfig/slapd

  #Do the following changes

 SLAPD_URLS="ldapi:///   ldap:///   ldaps:///"

 :wq (save and exit)


Step 9: Test the configuration:

 # slaptest -u

Step 10: Start and enable the slapd service at boot:

 # systemctl start slapd

 # systemctl enable slapd

Step 11: Check that slapd is listening on 389 (ldap) and 636 (ldaps):

 # netstat -lt | grep ldap

 #netstat -tunlp | egrep "389|636"


Step 12: To start populating the server, add the following LDAP schemas:

 # cd /etc/openldap/schema

 # ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f cosine.ldif

 # ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f nis.ldif

 # ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f collective.ldif

 # ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f corba.ldif

 (core.ldif is not added: the core schema is already loaded as cn={0}core in every default cn=config, and adding it again fails with a duplicate attributeType error.)

 # ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f duaconf.ldif

 # ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f dyngroup.ldif

 # ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f inetorgperson.ldif

 # ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f java.ldif

 # ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f misc.ldif

 # ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f openldap.ldif

 # ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f pmi.ldif

 # ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f ppolicy.ldif

                        Note: add only the schema files you need, but keep the order where one schema depends on another: cosine.ldif must precede nis.ldif and inetorgperson.ldif, and inetorgperson.ldif must precede openldap.ldif.

Step 13: Now use Migration Tools to create LDAP DIT:

 # cd /usr/share/migrationtools

 # vim migrate_common.ph

 #do the following changes

 on the Line Number 61, change "ou=Groups"
   $NAMINGCONTEXT{'group'}             = "ou=Groups";

 on the Line Number 71, change your domain name
  $DEFAULT_MAIL_DOMAIN = "goldenjohn.com";

 on the line number 74, change your base name
         $DEFAULT_BASE = "dc=goldenjohn,dc=com";

 on the line number 90, change schema value
  $EXTENDED_SCHEMA = 1;


 :wq (save and exit)

Step 14: Generate a base.ldif file for your Domain DIT:

 #./migrate_base.pl > /root/base.ldif

Step 15: Load "base.ldif" into LDAP Database:

 #ldapadd -x -W -D "cn=Manager,dc=goldenjohn,dc=com" -f /root/base.ldif

Step 16: Now create some local users and groups and migrate them from the local account database to LDAP (the shared password below is for the lab only; what gets exported is the hash, not the password):

 #mkdir /home/guests
 #useradd -d /home/guests/ldapuser1 ldapuser1
 #useradd -d /home/guests/ldapuser2 ldapuser2
 #useradd -d /home/guests/ldapuser3 ldapuser3
 #useradd -d /home/guests/ldapuser4 ldapuser4
 #useradd -d /home/guests/ldapuser5 ldapuser5

 #echo 'password' | passwd --stdin ldapuser1
 #echo 'password' | passwd --stdin ldapuser2
 #echo 'password' | passwd --stdin ldapuser3
 #echo 'password' | passwd --stdin ldapuser4
 #echo 'password' | passwd --stdin ldapuser5

Step 17: Now copy these users, their password hashes and their groups out of /etc/passwd, /etc/shadow and /etc/group into separate files. tail -n 5 assumes the five new accounts are the last entries, so check the output before continuing, and treat /root/shadow as sensitive: keep it mode 600 and delete it after the import:

 #getent passwd | tail -n 5 > /root/users

 #getent shadow | tail -n 5 > /root/shadow

 # getent group | tail -n 5 > /root/groups

Step 18: Now delete these users from the local database (userdel without -r keeps the home directories, which the NFS export in Step 22 needs):

 #userdel ldapuser1
 #userdel ldapuser2
 #userdel ldapuser3
 #userdel ldapuser4
 #userdel ldapuser5

Step 19: Now you need to create ldif file for these users using migrationtools:

 # cd /usr/share/migrationtools/

 # vim migrate_passwd.pl

 #on line 188, replace /etc/shadow with /root/shadow so the hashes come from the file exported in Step 17

 :wq (save and exit)

 # ./migrate_passwd.pl /root/users > /root/users.ldif

 # ./migrate_group.pl /root/groups > /root/groups.ldif

Step 20: Upload these users and groups ldif file into LDAP Database:

 # ldapadd -x -W -D "cn=Manager,dc=goldenjohn,dc=com" -f /root/users.ldif

 # ldapadd -x -W -D "cn=Manager,dc=goldenjohn,dc=com" -f /root/groups.ldif

Step 21: Now search the LDAP DIT for all records (anonymous simple bind):

 # ldapsearch -x -b "dc=goldenjohn,dc=com" -H ldap://server1.goldenjohn.com

 Note the host name: the certificate from Step 5 was issued for ldap.goldenjohn.com, so once TLS is used (-ZZ on the command line, or the "Use TLS" option on the client) connections must go to that name or host-name verification fails.

Step 22: Now share ldapusers home directories via NFS:

 #vim /etc/exports

 #Add the following line:

 /home/guests    192.168.48.0/255.255.255.0(rw,sync)


 :wq (save and exit)

 #systemctl start nfs

 #systemctl enable nfs

Step 23: Publish the CA certificate to clients via FTP/HTTP (neither protects the file's integrity in transit, so compare its fingerprint out of band before installing it as a trust anchor):

 #yum install vsftpd httpd -y

 # cp -rvf /etc/pki/CA/cacert.pem /var/ftp/pub/

 # ln -s /var/ftp/pub/ /var/www/html/

 #systemctl start vsftpd

 #systemctl enable vsftpd

 #systemctl start httpd

 #systemctl enable httpd

Step 24: Now Go to the client machine and install the following packages:

 #yum install openldap-clients sssd pam_ldap authconfig-gtk -y

Step 25: Run the "authconfig-gtk" command to configure the machine as an LDAP client:

 # authconfig-gtk

 Click on "Identity & Authentication" Tab

 Click on drop down menu in "User Account Database" and Select "LDAP"

 in LDAP Search Base DN: dc=goldenjohn,dc=com

 in LDAP Server: ldap://server1.goldenjohn.com (this name must match the certificate CN from Step 5, ldap.goldenjohn.com, or TLS verification fails)

 Select the check Box of "Use TLS to encrypt connections"

 Click "Download CA Certificate"

 In Certificate URL: type http://server1.goldenjohn.com/pub/cacert.pem

 Authentication Protocol: LDAP Password

 Click "OK"


 # getent passwd ldapuser1

Step 26: Now configure the client machine to mount the LDAP users' home directories from "server1.goldenjohn.com":

 #yum install autofs -y

 #vim /etc/auto.master

 #add the following line

 /home/guests /etc/auto.guests

 :wq (save and exit)

 #vim /etc/auto.guests

 #add the following line

 * -rw server1.goldenjohn.com:/home/guests/&

 :wq (save and exit)

Step 27: Now start and enable autofs service at boot:

 #systemctl restart autofs

 #systemctl enable autofs

Step 28: Now try to log in as an LDAP user on the client machine:

 #ssh ldapuser1@client.goldenjohn.com

 Password: password

 [ldapuser1@client.goldenjohn.com ~]$


 If connections fail, check firewalld first: open the ldap, ldaps and nfs services (plus rpc-bind and mountd for NFSv3) with firewall-cmd --permanent --add-service=... and reload, rather than disabling the firewall.


That's it; enjoy your OpenLDAP installation.

Wednesday, April 15, 2015

Configuring OpenLDAP Server/Client on RHEL 6.X / CentOS 6.X

 


LDAP Server Configuration :
---------------------------

Step 1. Install OpenLDAP packages via YUM

 # yum install 'openldap*'    (quoted so the shell does not expand the glob against the current directory)

Step 2. Now generate a hashed password for the administrator user, "Manager"

 # slappasswd
                New password: redhat
                Re-enter new password: redhat
                {SSHA}dXK/BmC+DrrbwvAWYaPvA5omy6EqvUnX

                NOTE: You need to copy above generated password

Step 4. Now configure the OpenLDAP server by editing the following file (on RHEL 6 the default backend is bdb)

 # vim /etc/openldap/slapd.d/"cn=config"/"olcDatabase={2}bdb.ldif"

                olcSuffix: dc=goldenjohn,dc=com

                olcRootDN: cn=Manager,dc=goldenjohn,dc=com

                NOTE: Add these lines at the end of the file

                olcRootPW: <PASTE YOUR ENCRYPTED PASSWORD HERE>
                olcTLSCertificateFile: /etc/pki/tls/certs/goldenjohn.pem
                olcTLSCertificateKeyFile: /etc/pki/tls/certs/goldenjohnkey.pem

                :wq (save and exit)

Step 5. Now specify the Monitoring privileges

 # vim /etc/openldap/slapd.d/"cn=config"/"olcDatabase={1}monitor.ldif"

                Inside this file search for the default "cn=manager,dc=my-domain,dc=com"
                and change it to "cn=Manager,dc=goldenjohn,dc=com" (the rootdn from Step 4, capital M included)

                :wq (save and exit)

Step 6. Now copy the sample database file

 # cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

 # chown -R ldap:ldap /var/lib/ldap/

 # updatedb

Step 7.  Configure OpenLDAP to listen on SSL/TLS

 # vim /etc/sysconfig/ldap

                SLAPD_LDAPS=yes #(default is no)

                :wq (save and exit)

Step 8. Now you need to create a certificate for OpenLDAP Server.

 # openssl req -new -x509 -nodes -out /etc/pki/tls/certs/goldenjohn.pem -keyout /etc/pki/tls/certs/goldenjohnkey.pem -days 365

                Country Name (2 letter code) [XX]:IN
                State or Province Name (full name) []:Tamil Nadu
                Locality Name (eg, city) [Default City]:Chennai
                Organization Name (eg, company) [Default Company Ltd]:Goldenjohn, Inc.
                Organizational Unit Name (eg, section) []:IT
                Common Name (eg, your name or your server's hostname) []:ldap.goldenjohn.com
                Email Address []:goldenjohn51@gmail.com

Step 9. Change the owner and group of the certificate and key file. The key must not stay world-readable: restrict it to root and the ldap group (mode 640) in addition to the ownership change below

 # chown -Rf root:ldap /etc/pki/tls/certs/goldenjohn.pem

 # chown -Rf root:ldap /etc/pki/tls/certs/goldenjohnkey.pem

 # ls -l /etc/pki/tls/certs/goldenjohn*

Step 10. Start/Restart the service of OpenLDAP

 # service slapd restart

 # chkconfig slapd on

Step 11. Now you need to create the base objects in OpenLDAP.

                NOTE: base objects means the dn: entries for the domain itself and for the OUs (ou=People, ou=Groups); creating a dn: requires defining its objectClass values.

                There are two ways: (1) write the LDIF by hand, (2) use migrationtools. In this example I am using migrationtools.

 # yum install migrationtools

 # cd /usr/share/migrationtools/

 # ls

 # vim migrate_common.ph

                on the Line Number 61, change "ou=Groups"
                  $NAMINGCONTEXT{'group'}             = "ou=Groups";

                 on the Line Number 71, change your domain name
                 $DEFAULT_MAIL_DOMAIN = "goldenjohn.com";

                on the line number 74, change your base name
                $DEFAULT_BASE = "dc=goldenjohn,dc=com";

                on the line number 90, change schema value
                $EXTENDED_SCHEMA = 1;

                :wq (save and exit)


                Now generate a base.ldif file for your Domain, use the following:

 # ./migrate_base.pl > /root/base.ldif

                If you want to migrate your local users and groups to LDAP, do the following:
                first I create 5 local users and groups, then I migrate them to LDAP.

 # mkdir /home/guests
 # useradd -d /home/guests/goldenjohn1 goldenjohn1
 # useradd -d /home/guests/goldenjohn2 goldenjohn2
 # useradd -d /home/guests/goldenjohn3 goldenjohn3
 # useradd -d /home/guests/goldenjohn4 goldenjohn4
 # useradd -d /home/guests/goldenjohn5 goldenjohn5

 # passwd goldenjohn1
 # passwd goldenjohn2
 # passwd goldenjohn3
 # passwd goldenjohn4
 # passwd goldenjohn5

Now you need to filter these users out of /etc/passwd into another file (tail -n 5 assumes the five new accounts are the last entries; check the result):

 # getent passwd | tail -n 5 > /root/users

Now you need to filter out password information from /etc/shadow to another file:

 # getent shadow | tail -n 5 > /root/passwords

Now you need to filter out user groups from /etc/group to another file:

# getent group | tail -n 5 > /root/groups

Now you have to generate LDIF files from these filtered files of users, passwords and groups.

So open the following file to change the location of the password file:

# vim migrate_passwd.pl

Inside this file search /etc/shadow and change it to /root/passwords and then save and exit.

NOTE: "/etc/shadow" will be available approx the line number of 188.

Now generate a ldif file for users

# ./migrate_passwd.pl /root/users > /root/users.ldif

Now Generate a ldif file for groups

# ./migrate_group.pl /root/groups > /root/groups.ldif
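Both posts on this page export users with migrationtools after selecting them with tail -n 5 and pointing migrate_passwd.pl at a copy of /etc/shadow (Steps 17 to 19 of the CentOS 7 post above, and the migrate_passwd.pl step just above here). The following added example is my own code, not migrationtools' and not from either post: it shows what that step actually produces and replaces the line-count selection with an explicit UID range, so system accounts and nfsnobody are never exported by accident. The base DN and ou=People come from the posts; the UID bounds are an assumption.

```shell
#!/bin/sh
# Added example, not part of either post and not migrationtools' own code:
# a small passwd/shadow -> LDIF converter in POSIX sh + awk. It picks regular
# users by UID range instead of "tail -n 5" and carries the crypt(3) hash over
# as userPassword: {CRYPT}<hash>, the same form migrate_passwd.pl emits.
# Locked accounts ('!' or '*' in the shadow hash field) get no userPassword,
# so they cannot log in through LDAP either. The DIT names are taken from the
# posts (dc=goldenjohn,dc=com, ou=People); the UID bounds are an assumption.

BASE_DN="${BASE_DN:-dc=goldenjohn,dc=com}"
MIN_UID="${MIN_UID:-1000}"
MAX_UID="${MAX_UID:-60000}"

# passwd_to_ldif PASSWD_FILE SHADOW_FILE  -> LDIF on stdout
passwd_to_ldif() {
    # shadow is read first (ARGV[1]) so the hashes are known when passwd is read
    awk -F: -v base="$BASE_DN" -v minuid="$MIN_UID" -v maxuid="$MAX_UID" '
        FILENAME == ARGV[1] { hash[$1] = $2; next }
        $3 + 0 >= minuid && $3 + 0 <= maxuid {
            split($5, gecos, ",")                    # full name precedes the first comma
            cn = (gecos[1] == "" ? $1 : gecos[1])
            printf "dn: uid=%s,ou=People,%s\n", $1, base
            printf "uid: %s\ncn: %s\n", $1, cn
            printf "objectClass: account\n"
            printf "objectClass: posixAccount\n"
            printf "objectClass: shadowAccount\n"
            h = hash[$1]
            if (h != "" && h !~ /^[!*]/)
                printf "userPassword: {CRYPT}%s\n", h
            printf "loginShell: %s\n", $7
            printf "uidNumber: %s\ngidNumber: %s\n", $3, $4
            printf "homeDirectory: %s\n\n", $6
        }' "$2" "$1"
}

# Usage: passwd_to_ldif /root/users /root/shadow > /root/users.ldif
if [ "$#" -eq 2 ]; then
    passwd_to_ldif "$1" "$2"
fi
```

The resulting file carries password hashes exactly as the shadow copy does, so it deserves the same handling: mode 600 while it exists, and removal once ldapadd has imported it.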

Step 12. Now it's time to upload these LDIF files to the LDAP server

# ldapadd -x -W -D "cn=Manager,dc=goldenjohn,dc=com" -f /root/base.ldif

# ldapadd -x -W -D "cn=Manager,dc=goldenjohn,dc=com" -f /root/users.ldif

# ldapadd -x -W -D "cn=Manager,dc=goldenjohn,dc=com" -f /root/groups.ldif

NOTE: It will ask for the password of "Manager"; type the cleartext password you gave to slappasswd in Step 2 (redhat), not the {SSHA} hash.

Now you can use "ldapsearch" command

# ldapsearch -x -b "dc=goldenjohn,dc=com"

Step 13. Now share the LDAP users' home directories via NFS so they can be mounted on the client machine.

#vim /etc/exports

/home/guests    192.168.48.0/255.255.255.0(rw,sync)

:wq (save and exit)

# service rpcbind start

# service nfs start

# chkconfig nfs on

(rpcbind must be running before nfs registers with it. Stopping iptables, as below, is a lab shortcut: for anything beyond a test setup keep the firewall and open 389/636 for LDAP and 111/2049 plus the mountd and statd ports for NFS instead.)

# service iptables stop
               
# chkconfig iptables off


LDAP Client Configuration:
--------------------------

 # yum install -y openldap-clients nss-pam-ldapd nss_ldap autofs nfs-utils

 # authconfig --enableforcelegacy --update

 # authconfig --enableldap --enableldapauth --ldapserver="ldap.goldenjohn.com" --ldapbasedn="dc=goldenjohn,dc=com" --update


(For an older client such as CentOS 5.8 use instead:
authconfig --enableforcelegacy --disableldaptls --update
Note that --disableldaptls makes the client send bind passwords in cleartext, so only do this on a trusted network.)

 NOTE : Put the LDAP server certificate (PEM) into the /etc/openldap/cacerts directory. The directory must also contain the hash-named symlinks; if lookups still fail after the next step, create them with cacertdir_rehash /etc/openldap/cacerts (from the authconfig package).

 # authconfig --enableldaptls --update

 # getent passwd goldenjohn1

 # service rpcbind start

 # service nfs start

 # service autofs start

 # vim /etc/auto.master

                /home/guests    /etc/auto.guests

                :wq

 # vim /etc/auto.guests

                *       -rw     ldap.goldenjohn.com:/home/guests/&

                :wq

 # service autofs reload

# service nslcd restart


Confirm the setup on the client machine.

I changed /etc/openldap/ldap.conf as follows. TLS_REQCERT allow makes the client accept any server certificate, even one that fails validation, which throws away the protection the CA copy above was meant to give; once the CA certificate is in /etc/openldap/cacerts, TLS_REQCERT demand (the default) is the right setting, and the same applies to tls_reqcert in /etc/nslcd.conf.

TLS_CACERTDIR /etc/openldap/cacerts
URI ldap://ldap.goldenjohn.com/
BASE dc=goldenjohn,dc=com
TLS_REQCERT allow
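The CentOS 7 post above fetches cacert.pem over plain HTTP (Steps 23 and 25), and this section drops it into /etc/openldap/cacerts and then relaxes TLS_REQCERT. Neither HTTP nor FTP protects the file's integrity, and a CN that does not match the client's LDAP URI is the usual reason people relax verification. The following is an added example, my own code and not from either post, of the two checks that make this bootstrap trustworthy: a SHA-256 fingerprint comparison against a value obtained out of band, and a check that the certificate's CN (or a DNS SAN) covers the host name the client will connect to. The host names and the fingerprint placeholder in the usage lines are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original posts. Two checks for the client
# after it fetched cacert.pem over plain HTTP/FTP, which protects neither the
# integrity nor the origin of the file:
#   verify_ca_copy    - compare the file's SHA-256 with a fingerprint obtained
#                       out of band (server console, signed mail, ...). A
#                       mismatch means the trust anchor was replaced in transit
#                       and must not be installed.
#   cert_matches_host - confirm the name the client puts in its ldap:// URI is
#                       the certificate's CN or a DNS SAN, so TLS host-name
#                       checking can stay enabled (TLS_REQCERT demand).
# Host names in the usage lines are assumptions; fingerprints are placeholders.

# verify_ca_copy EXPECTED_SHA256_HEX FILE -> 0 on match, 1 otherwise
verify_ca_copy() {
    expected=$(printf '%s' "$1" | tr 'A-F' 'a-f')      # accept upper/lower-case hex
    actual=$(sha256sum "$2" | cut -d' ' -f1)
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# cert_names FILE -> subject CN and every DNS SAN entry, one per line
cert_names() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
    openssl x509 -in "$1" -noout -text |
        grep -o 'DNS:[^, ]*' | cut -d: -f2
}

# cert_matches_host FILE HOSTNAME -> 0 if HOSTNAME (or a *.parent wildcard)
# appears in the certificate, 1 otherwise
cert_matches_host() {
    host=$2
    wildcard="*.${host#*.}"
    for name in $(cert_names "$1"); do
        [ "$name" = "$host" ] && return 0
        [ "$name" = "$wildcard" ] && return 0
    done
    return 1
}

# Usage on the client after downloading the file (values are placeholders;
# read the real fingerprint from the server console, e.g. with sha256sum):
#   verify_ca_copy <fingerprint obtained out of band> /etc/openldap/cacerts/cacert.pem \
#       && cert_matches_host /etc/openldap/cacerts/cacert.pem ldap.goldenjohn.com
```

If the second check fails, fix the URI or reissue the certificate with the right CN/SAN; do not switch TLS_REQCERT to allow, which turns every server on the path into a valid one.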

 # su - goldenjohn1


That's it; enjoy your OpenLDAP installation.

Thursday, March 26, 2015

View systemd information


This applies to RHEL 7 / CentOS 7.

systemctl list-dependencies
Show a unit’s dependencies
systemctl list-sockets
List sockets and what activates
systemctl list-jobs
View active systemd jobs
systemctl list-unit-files
See unit files and their states
systemctl list-units
Show if units are loaded/active
systemctl get-default
List default target (like run level)

Tuesday, March 24, 2015

Setting Up DNS Server On CentOS 7



DNS Server Installation
Scenario
For the purpose of this tutorial, I will be using three nodes. One will be acting as Master DNS server, the second system will be acting as Secondary DNS, and the third will be our DNS client. Here are my three systems details.

Primary (Master) DNS Server Details:
Operating System     : CentOS 7 minimal server
Hostname             : masterdns.goldenjohn.local
IP Address           : 192.168.1.101/24

Secondary (Slave) DNS Server Details:
Operating System     : CentOS 7 minimal server
Hostname             : secondarydns.goldenjohn.local
IP Address           : 192.168.1.102/24

Client Details:
Operating System     : CentOS 6.5 Desktop  
Hostname             : client.goldenjohn.local
IP Address           : 192.168.1.103/24



Setup Primary (Master) DNS Server
Install the bind packages on your server.
yum install bind bind-utils -y

1. Configure DNS Server

Edit ‘/etc/named.conf’ file.
vi /etc/named.conf



Add or change the lines marked with ### comments (the rest is the stock file):
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
    listen-on port 53 { 127.0.0.1; 192.168.1.101;}; ### Master DNS IP ###
#    listen-on-v6 port 53 { ::1; };
    directory     "/var/named";
    dump-file     "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query     { localhost; 192.168.1.0/24;}; ### IP Range ###
    allow-transfer{ localhost; 192.168.1.102; };   ### Slave DNS IP ###

    /*
     - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
     - If you are building a RECURSIVE (caching) DNS server, you need to enable
       recursion.
     - If your recursive DNS server has a public IP address, you MUST enable access
       control to limit queries to your legitimate users. Failing to do so will
       cause your server to become part of large scale DNS amplification
       attacks. Implementing BCP38 within your network would greatly
       reduce such attack surface
    */
    recursion yes;

    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;   ### ISC retired the DLV registry in 2017; drop this line on newer BIND ###

    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";

    managed-keys-directory "/var/named/dynamic";

    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
    type hint;
    file "named.ca";
};

zone "goldenjohn.local" IN {
type master;
file "forward.goldenjohn";
allow-update { none; };
};
zone "1.168.192.in-addr.arpa" IN {
type master;
file "reverse.goldenjohn";
allow-update { none; };
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";







2. Create Zone files
Create forward and reverse zone files which we mentioned in the ‘/etc/named.conf’ file.
2.1 Create Forward Zone
Create forward.goldenjohn file in the ‘/var/named’ directory.
vi /var/named/forward.goldenjohn
Add the following lines:
$TTL 86400
@   IN  SOA     masterdns.goldenjohn.local. root.goldenjohn.local. (
        2011071001  ;Serial
        3600        ;Refresh
        1800        ;Retry
        604800      ;Expire
        86400       ;Minimum TTL
)
@       IN  NS          masterdns.goldenjohn.local.
@       IN  NS          secondarydns.goldenjohn.local.
@       IN  A           192.168.1.101
@       IN  A           192.168.1.102
@       IN  A           192.168.1.103
masterdns       IN  A   192.168.1.101
secondarydns    IN  A   192.168.1.102
client          IN  A   192.168.1.103






2.2 Create Reverse Zone
Create reverse.goldenjohn file in the ‘/var/named’ directory. The A records repeated in this file are harmless but unnecessary; only the PTR records are ever looked up in 1.168.192.in-addr.arpa.
vi /var/named/reverse.goldenjohn
Add the following lines:
$TTL 86400
@   IN  SOA     masterdns.goldenjohn.local. root.goldenjohn.local. (
        2011071001  ;Serial
        3600        ;Refresh
        1800        ;Retry
        604800      ;Expire
        86400       ;Minimum TTL
)
@       IN  NS          masterdns.goldenjohn.local.
@       IN  NS          secondarydns.goldenjohn.local.
@       IN  PTR         goldenjohn.local.
masterdns       IN  A   192.168.1.101
secondarydns    IN  A   192.168.1.102
client          IN  A   192.168.1.103
101     IN  PTR         masterdns.goldenjohn.local.
102     IN  PTR         secondarydns.goldenjohn.local.
103     IN  PTR         client.goldenjohn.local.


3. Start the DNS service
Enable and start DNS service:
systemctl enable named
systemctl start named



4. Firewall Configuration
We must allow DNS (port 53) through the firewall. Queries normally use UDP and fall back to TCP for large answers and zone transfers, so open both:
firewall-cmd --permanent --add-port=53/tcp
firewall-cmd --permanent --add-port=53/udp



5. Restart Firewall
firewall-cmd --reload


6. Configuring Permissions, Ownership, and SELinux
Run the following commands one by one:
chgrp named -R /var/named
chown -v root:named /etc/named.conf
restorecon -rv /var/named
restorecon /etc/named.conf



7. Test DNS configuration and zone files for any syntax errors
Check DNS default configuration file:
named-checkconf /etc/named.conf
If it returns nothing, your configuration file is valid.
Check Forward zone:
named-checkzone goldenjohn.local /var/named/forward.goldenjohn
Sample output:
zone goldenjohn.local/IN: loaded serial 2011071001
OK
Check reverse zone (the first argument is the zone name, which for the reverse file is 1.168.192.in-addr.arpa, not goldenjohn.local):
named-checkzone 1.168.192.in-addr.arpa /var/named/reverse.goldenjohn
Sample Output:
zone 1.168.192.in-addr.arpa/IN: loaded serial 2011071001
OK
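Two zone-maintenance checks, as an added example that is not part of the original tutorial: bumping the serial in the YYYYMMDDnn form the zone files above use (the secondary only transfers a zone whose serial has grown, so an edited zone with an unchanged serial silently never reaches it), and cross-checking that every A record in forward.goldenjohn has its PTR in reverse.goldenjohn. The zone text used in the test is constructed from the files above; the record layout (explicit IN class, short host names) is assumed to follow them.

```shell
#!/bin/sh
# Added example, not part of the original tutorial. Two checks to run before
# "rndc reload" or a restart of named:
#   next_serial - compute the next YYYYMMDDnn serial. The secondary only
#                 transfers a zone when the serial grows.
#   check_ptr   - for every "host IN A 192.168.1.N" in the forward zone,
#                 require "N IN PTR host.zone." in the reverse zone, so reverse
#                 lookups (sshd, mail, log correlation) agree with forward ones.
#                 Apex (@) A records are skipped: an address carries only one
#                 meaningful PTR.
# Assumes the explicit "name IN A ..." / "N IN PTR ..." layout used above.

# next_serial CURRENT [YYYYMMDD]   (the date defaults to today)
next_serial() {
    cur=$1
    today=${2:-$(date +%Y%m%d)}
    if [ "${cur%??}" = "$today" ]; then
        echo $((cur + 1))            # same day: bump the nn counter
    elif [ "$cur" -lt "${today}01" ]; then
        echo "${today}01"            # older date: restart at today's 01
    else
        echo $((cur + 1))            # serial already ahead of today: never go backwards
    fi
}

# check_ptr FORWARD_FILE REVERSE_FILE ZONE -> 0 if every A has its PTR, else 1
# (each missing or mismatched pair is printed)
check_ptr() {
    awk -v zone="$3" '
        FILENAME == ARGV[1] && $1 != "@" && $2 == "IN" && $3 == "A" {
            n = split($4, o, ".")                          # last octet keys the PTR
            fqdn = ($1 ~ /\.$/) ? $1 : $1 "." zone "."     # qualify short names
            want[o[n]] = fqdn
        }
        FILENAME == ARGV[2] && $2 == "IN" && $3 == "PTR" { have[$1] = $4 }
        END {
            rc = 0
            for (last in want)
                if (have[last] != want[last]) {
                    printf "PTR missing for %s (%s): reverse zone has %s\n", want[last], last, (last in have ? have[last] : "nothing")
                    rc = 1
                }
            exit rc
        }' "$1" "$2"
}

# Usage:
#   check_ptr /var/named/forward.goldenjohn /var/named/reverse.goldenjohn goldenjohn.local
#   next_serial 2011071001        # prints today's date followed by 01
```

Run check_ptr after every zone edit and replace the serial in both files with the value next_serial prints; an unchanged serial is the usual reason the secondary keeps serving stale data while named-checkzone reports OK.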
Add the DNS Server details in your network interface config file.
vi /etc/sysconfig/network-scripts/ifcfg-enp0s3
TYPE="Ethernet"
BOOTPROTO="none"
DEFROUTE="yes"
IPV4_FAILURE_FATAL="no"
IPV6INIT="yes"
IPV6_AUTOCONF="yes"
IPV6_DEFROUTE="yes"
IPV6_FAILURE_FATAL="no"
NAME="enp0s3"
UUID="5d0428b3-6af2-4f6b-9fe3-4250cd839efa"
ONBOOT="yes"
HWADDR="08:00:27:19:68:73"
IPADDR0="192.168.1.101"
PREFIX0="24"
GATEWAY0="192.168.1.1"
DNS1="192.168.1.101"
IPV6_PEERDNS="yes"
IPV6_PEERROUTES="yes"
Edit file /etc/resolv.conf (the ifcfg key is DNS1, not DNS; NetworkManager regenerates resolv.conf from it, so keep the two consistent):
vi /etc/resolv.conf
Add the name server ip address:
nameserver      192.168.1.101
Save and close the file.
Restart network service:
systemctl restart network


8. Test DNS Server
dig masterdns.goldenjohn.local
Sample Output:
; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> masterdns.goldenjohn.local
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25179
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;masterdns.goldenjohn.local.    IN    A

;; ANSWER SECTION:
masterdns.goldenjohn.local. 86400    IN    A    192.168.1.101

;; AUTHORITY SECTION:
goldenjohn.local.        86400    IN    NS    secondarydns.goldenjohn.local.
goldenjohn.local.        86400    IN    NS    masterdns.goldenjohn.local.

;; ADDITIONAL SECTION:
secondarydns.goldenjohn.local. 86400 IN    A    192.168.1.102

;; Query time: 0 msec
;; SERVER: 192.168.1.101#53(192.168.1.101)
;; WHEN: Wed Aug 20 16:20:46 IST 2014
;; MSG SIZE  rcvd: 125
nslookup goldenjohn.local
Sample Output:
Server:        192.168.1.101
Address:    192.168.1.101#53

Name:    goldenjohn.local
Address: 192.168.1.103
Name:    goldenjohn.local
Address: 192.168.1.101
Name:    goldenjohn.local
Address: 192.168.1.102
Now the Primary DNS server is ready to use.
It is time to configure our Secondary DNS server.



Setup Secondary(Slave) DNS Server

Install bind packages using the following command:
yum install bind bind-utils -y

1. Configure Slave DNS Server
Edit file ‘/etc/named.conf’:
vi /etc/named.conf
Make the changes shown below: the listen-on address, the allow-query range and the two slave zone definitions; the rest of the file (elided with dots) stays as shipped.
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
options {
listen-on port 53 { 127.0.0.1; 192.168.1.102; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query     { localhost; 192.168.1.0/24; };
.
.
.
.
zone "." IN {
type hint;
file "named.ca";
};
zone "goldenjohn.local" IN {
type slave;
file "slaves/goldenjohn.fwd";
masters { 192.168.1.101; };
};
zone "1.168.192.in-addr.arpa" IN {
type slave;
file "slaves/goldenjohn.rev";
masters { 192.168.1.101; };
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";


2. Start the DNS Service
systemctl enable named
systemctl start named
Now the forward and reverse zones are automatically replicated from Master DNS server to ‘/var/named/slaves/’ in Secondary DNS server.
ls /var/named/slaves/
Sample Output:
goldenjohn.fwd  goldenjohn.rev

3. Add the DNS Server details
Add the DNS Server details in your network interface config file.
vi /etc/sysconfig/network-scripts/ifcfg-enp0s3
TYPE="Ethernet"
BOOTPROTO="none"
DEFROUTE="yes"
IPV4_FAILURE_FATAL="no"
IPV6INIT="yes"
IPV6_AUTOCONF="yes"
IPV6_DEFROUTE="yes"
IPV6_FAILURE_FATAL="no"
NAME="enp0s3"
UUID="5d0428b3-6af2-4f6b-9fe3-4250cd839efa"
ONBOOT="yes"
HWADDR="08:00:27:19:68:73"
IPADDR0="192.168.1.102"
PREFIX0="24"
GATEWAY0="192.168.1.1"
DNS1="192.168.1.101"
DNS2="192.168.1.102"
IPV6_PEERDNS="yes"
IPV6_PEERROUTES="yes"
Edit file /etc/resolv.conf,
vi /etc/resolv.conf
Add the name server ip address:
nameserver      192.168.1.101
nameserver      192.168.1.102
Save and close the file.
Restart network service:
systemctl restart network


4. Firewall Configuration
We must allow DNS (port 53, UDP for queries and TCP for large answers and zone transfers) through the firewall:
firewall-cmd --permanent --add-port=53/tcp
firewall-cmd --permanent --add-port=53/udp

5. Restart Firewall
firewall-cmd --reload

6. Configuring Permissions, Ownership, and SELinux
chgrp named -R /var/named
chown -v root:named /etc/named.conf
restorecon -rv /var/named
restorecon /etc/named.conf

7. Test DNS Server
dig masterdns.goldenjohn.local
Sample Output:
; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> masterdns.goldenjohn.local
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18204
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;masterdns.goldenjohn.local.    IN    A

;; ANSWER SECTION:
masterdns.goldenjohn.local. 86400    IN    A    192.168.1.101

;; AUTHORITY SECTION:
goldenjohn.local.        86400    IN    NS    masterdns.goldenjohn.local.
goldenjohn.local.        86400    IN    NS    secondarydns.goldenjohn.local.

;; ADDITIONAL SECTION:
secondarydns.goldenjohn.local. 86400 IN    A    192.168.1.102

;; Query time: 0 msec
;; SERVER: 192.168.1.102#53(192.168.1.102)
;; WHEN: Wed Aug 20 17:04:30 IST 2014
;; MSG SIZE  rcvd: 125
dig secondarydns.goldenjohn.local
Sample Output:
; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> secondarydns.goldenjohn.local
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60819
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;secondarydns.goldenjohn.local.    IN    A

;; ANSWER SECTION:
secondarydns.goldenjohn.local. 86400 IN    A    192.168.1.102

;; AUTHORITY SECTION:
goldenjohn.local.        86400    IN    NS    masterdns.goldenjohn.local.
goldenjohn.local.        86400    IN    NS    secondarydns.goldenjohn.local.

;; ADDITIONAL SECTION:
masterdns.goldenjohn.local. 86400    IN    A    192.168.1.101

;; Query time: 0 msec
;; SERVER: 192.168.1.102#53(192.168.1.102)
;; WHEN: Wed Aug 20 17:05:50 IST 2014
;; MSG SIZE  rcvd: 125
nslookup goldenjohn.local
Sample Output:
Server:        192.168.1.102
Address:    192.168.1.102#53

Name:    goldenjohn.local
Address: 192.168.1.101
Name:    goldenjohn.local
Address: 192.168.1.103
Name:    goldenjohn.local
Address: 192.168.1.102


Client Side Configuration
Add the DNS server details in ‘/etc/resolv.conf’ file in all client systems
vi /etc/resolv.conf
# Generated by NetworkManager
search goldenjohn.local
nameserver 192.168.1.101
nameserver 192.168.1.102
Restart network service or reboot the system.




Test DNS Server
Now, you can test the DNS server using any one of the following commands:
dig masterdns.goldenjohn.local
dig secondarydns.goldenjohn.local
dig client.goldenjohn.local
nslookup goldenjohn.local
That's all for now. The primary and secondary DNS servers are ready to use.
Cheers!