Directory Service with LDAP [2]: NTP and dnsmasq

Hello friends! We have started to implement and configure services. Of course, our simple Directory Service based on OpenLDAP needs the basic services in order to function properly. Among them are DNS or "Domain Name System", DHCP or "Dynamic Host Configuration Protocol", and NTP or "Network Time Protocol".

The base operating system we will use is Debian 6 "Squeeze". Most of the methods described can also be used on Ubuntu 12.04 "Precise" and on Debian 7 "Wheezy".

Although it may seem trivial (and it does make our articles a bit long), the definitions, and the readers' study of them, are necessary. Some may skip them and go straight to the main course. Big mistake. And I am not referring to the experienced ones: as soon as they see the title, they know whether they are interested or not.

We are addressing those who are starting out in the administration of business networks. We ask them to read the definitions and follow the links, delve into the conceptual parts that are not necessarily command lines or code, and then follow the rest of the article.

In this way we will save a lot of time for both them and us, in asking and answering questions whose answers are precisely in the part of those definitions and introductions. 🙂

We also want to say once and for all that the fundamental and most important programming language for a network administrator or for a computer scientist is the English Language. :-). We cannot always provide translations, as we are not experts in the English language.

Of course, before continuing, we highly recommend reading the Introduction to this series of articles.

Definitions needed

Taken from Wikipedia:

dnsmasq. It is a lightweight DNS, TFTP and DHCP server. Its purpose is to provide DNS and DHCP services to a local area network. It is a free implementation of the DNS protocol that receives requests from clients requesting an IP address from the name of a machine. The server will respond to these requests by providing the IP.

DNS (Domain Name System; in Spanish, sistema de nombres de dominio). It is a hierarchical naming system for computers, services or any resource connected to the Internet or to a private network. This system associates various information with the domain names assigned to each of the participants. Its most important function is to translate (resolve) human-readable names into the binary identifiers associated with the computers connected to the network, in order to be able to locate and address these computers worldwide.

DHCP (acronym for Dynamic Host Configuration Protocol) is a network protocol that allows nodes on an IP network to obtain their configuration parameters automatically. It is a client/server protocol in which a server generally has a list of dynamic IP addresses and assigns them to clients as they become free, knowing at all times who has held a given IP, for how long, and to whom it was assigned afterwards.

NTP, or Network Time Protocol, is a protocol designed to synchronize the clocks of workstations over the network. Version 3 of this protocol is an Internet Draft Standard, formalized in RFC 1305. NTP version 4 is an important revision of that standard and is under development, but has not yet been formalized in an RFC. A simple version of NTP (SNTP) version 4 is described in RFC 2030.

ISC-DHCP-SERVER (Internet Software Consortium DHCP Server) is a free implementation of the DHCP protocol: a server that receives requests from clients asking for an IP network configuration and answers them with the parameters the clients need to configure themselves. For a PC to request its configuration from a server, select the option to obtain an IP address automatically in the PC's network configuration.

Kerberos is a user authentication system, which has a double objective:

  • Prevent the keys from being sent through the network, with the consequent Risk of their disclosure.
  • Centralize user authentication, maintaining a single user database for the entire network.

Kerberos, as a security protocol, uses Symmetric Key Cryptography, which means that the key used to encrypt is the same key used to decrypt or authenticate users. This allows two computers on an insecure network to securely prove their identity to each other. Kerberos then restricts access to only authorized users and authenticates requests to services, assuming an open distributed environment, in which users located at workstations access these services on servers distributed across a network.

What implementation of the DNS and DHCP services will we develop?

We will develop two: the one based on dnsmasq, and in the following articles the one corresponding to bind9 and ISC-DHCP-Server. For those who want to learn in detail how to implement and configure a DNS, we recommend reading the article «How to install and configure a Primary Master DNS for a LAN on Debian 6.0»

Why do we need DNS, DHCP and NTP services?

  • DNS: To maintain a database with the names of the hosts and their IP addresses, of the computers that will be connected to our corporate network, so that we can call them by their names, instead of by their IP addresses.
  • DHCP: Avoids having to go to where the client computer is located to configure its IP address and related parameters. Through DHCP we automatically configure the client's IP address, its subnet mask, the gateway, the DNS server it should consult, the IP address of the mail server on our LAN, the node type, the NetBIOS name server and many other parameters. Obviously, with this service we avoid manual configuration errors in such an important aspect of the client computers.
  • NTP: If in the near future we decide to integrate Kerberos to our LDAP server, we will need this service. Kerberos relies heavily on the NTP protocol and DNS services.

Will we integrate DNS and DHCP services to the LDAP server?

The answer for now is NO. Initially, NO. The OpenLDAP topic is technical enough by itself, and if we complicate our lives with that type of integration at the outset, we won't get very far. Note that ClearOS uses dnsmasq, while Plant uses bind9 and the DHCP server without integrating them with the LDAP server.

Let's go from the simple to the complex so as not to get in over our heads. 🙂

Example network

LAN: 10.10.10.0/24
Domain: amigos.cu
Server: mildap.amigos.cu
Server operating system: Debian 6 "Squeeze"
Server IP address: 10.10.10.15
Client 1: debian7.amigos.cu
Client 2: raring.amigos.cu
Client 3: suse13.amigos.cu
Client 4: seven.amigos.cu

Dnsmasq server

We install and configure:

:~# aptitude install dnsmasq
:~# mv /etc/dnsmasq.conf /etc/dnsmasq.conf.original

We edit the file that is now empty /etc/dnsmasq.conf and we leave it with the following content:

:~# nano /etc/dnsmasq.conf
# Never forward plain names (without a dot
# or the domain part)
domain-needed
domain=amigos.cu
# Never forward addresses in the non-routed
# address space
bogus-priv
# Query the name servers in the order
# they appear in /etc/resolv.conf
strict-order
# Answers for these names come only from
# /etc/hosts or from DHCP
local=/localnet/
# WATCH OUT FOR THE INTERFACE NAME
interface=eth1
expand-hosts
# Change the range according to your needs,
# and also the lease time of the IP address
dhcp-range=10.10.10.150,10.10.10.200,12h
# Options for the RANGE
# Time server
dhcp-option=option:ntp-server,10.10.10.15

# The IP of the NTP server is the same as that of the dnsmasq host
dhcp-option=42,0.0.0.0

# The following options are the ones that Samba recommends for
# ISC-DHCP-Server servers on its page
# http://www.samba.org/samba/ftp/docs/textdocs/DHCP-Server-Configuration.txt
# They are adapted for the case where the Samba server
# runs on the same host as dnsmasq.
# You can uncomment some or all of them if you use
# Windows clients and the Samba server on your LAN.
#dhcp-option=19,0           # option ip-forwarding off
dhcp-option=44,0.0.0.0     # NetBIOS-over-TCP/IP name server (WINS)
dhcp-option=45,0.0.0.0     # NetBIOS Datagram Distribution Server
dhcp-option=46,8           # NetBIOS node type
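A small audit of the dnsmasq.conf above, as an added example (not code from the article): it parses the file, checks that the hardening directives the page relies on (domain-needed, bogus-priv, binding to one interface) are present, that the dhcp-range lies inside the LAN, and flags a DHCP option code defined twice, which this configuration does for the NTP server (option:ntp-server and 42 are the same option). The config text is a constructed copy of the page's file; the option-name table is an assumption limited to the names used here.

```python
import ipaddress

# Constructed copy of the dnsmasq.conf shown in this article (not read from disk).
DNSMASQ_CONF = """\
domain-needed
domain=amigos.cu
bogus-priv
local=/localnet/
interface=eth1
dhcp-range=10.10.10.150,10.10.10.200,12h
dhcp-option=option:ntp-server,10.10.10.15
dhcp-option=42,0.0.0.0
dhcp-option=44,0.0.0.0     # WINS
dhcp-option=45,0.0.0.0
dhcp-option=46,8
"""
# Option names used on this page and their DHCP codes (assumption: subset is enough).
OPTION_CODES = {"ntp-server": 42, "netbios-ns": 44, "netbios-dd": 45, "netbios-nodetype": 46}

def parse_dnsmasq(text):
    # Split the file into bare directives (flags) and key=value options.
    flags, options = set(), []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if "=" in line:
            key, value = line.split("=", 1)
            options.append((key.strip(), value.strip()))
        else:
            flags.add(line)
    return flags, options

def audit_dnsmasq(text, lan):
    # Return a list of findings for the config against the LAN prefix `lan`.
    net = ipaddress.ip_network(lan)
    flags, options = parse_dnsmasq(text)
    findings = []
    for required in ("domain-needed", "bogus-priv"):
        if required not in flags:
            findings.append(f"missing {required}: unsafe queries are forwarded upstream")
    if not any(k in ("interface", "listen-address") for k, _ in options):
        findings.append("no interface/listen-address: dnsmasq answers on all interfaces")
    seen = {}                                 # DHCP option code -> how it was written
    for key, value in options:
        if key == "dhcp-range":
            for ip in value.split(",")[:2]:   # start and end of the pool
                if ipaddress.ip_address(ip) not in net:
                    findings.append(f"dhcp-range bound {ip} is outside {lan}")
        elif key == "dhcp-option":
            name = value.split(",", 1)[0]
            code = OPTION_CODES.get(name[7:], name) if name.startswith("option:") else int(name)
            if code in seen:
                findings.append(f"DHCP option {code} defined twice ({seen[code]} and {name})")
            seen[code] = name
    return findings
```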

To learn more about dnsmasq, we recommend reading carefully the original dnsmasq.conf file, which we renamed dnsmasq.conf.original. It is the bible of this service. It is in English.

We restart the service:

:~# service dnsmasq restart
Restarting DNS forwarder and DHCP server: dnsmasq.

We declare the fixed IP addresses of the servers on our LAN in the /etc/hosts file of the server itself where dnsmasq runs.

:~# nano /etc/hosts
127.0.0.1       localhost
10.10.10.15     mildap.amigos.cu    mildap
10.10.10.1      gandalf.amigos.cu   gandalf
10.10.10.5      miwww.amigos.cu     miwww

Every time we add a name and an IP to /etc/hosts, we must force a reload of the service so that the added host is recognized by the host, dig and nslookup commands, both on the server itself and on the workstations that have acquired an IP from this server:

:~# service dnsmasq force-reload

Note: the file where dnsmasq stores the IP addresses it has granted (the "leases") is /var/lib/misc/dnsmasq.leases.
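Reading that leases file is the quickest way to see which hosts currently hold an address from this dnsmasq, and to spot a device that obtained one but is not in our inventory. The following is an added example, not code from the article: the sample leases and the MAC allow-list are constructed, with hostnames borrowed from the example network; the line layout (expiry epoch, MAC, IP, hostname, client-id) is the IPv4 format dnsmasq writes.

```python
# Constructed sample of /var/lib/misc/dnsmasq.leases (not from the article's server).
# IPv4 lines are: expiry-epoch  MAC  IP  hostname  client-id  ('*' when unknown,
# expiry 0 when the lease is infinite).
SAMPLE_LEASES = """\
1390680420 52:54:00:8f:ee:f6 10.10.10.153 debian7 01:52:54:00:8f:ee:f6
1390683600 52:54:00:12:34:56 10.10.10.151 raring 01:52:54:00:12:34:56
1390600000 52:54:00:aa:bb:cc 10.10.10.160 * *
1390685000 00:11:22:33:44:55 10.10.10.170 android-4f3a *
"""

# Constructed allow-list of LAN hardware addresses (hostnames as in the article).
KNOWN_MACS = {"52:54:00:8f:ee:f6": "debian7", "52:54:00:12:34:56": "raring"}

def parse_leases(text):
    # Parse IPv4 lease lines; 'duid' and malformed lines are skipped.
    leases = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] == "duid":
            continue
        expiry, mac, ip, host, client_id = parts
        leases.append({"expiry": int(expiry), "mac": mac.lower(), "ip": ip,
                       "host": None if host == "*" else host, "client_id": client_id})
    return leases

def review_leases(text, known, now):
    # Classify every lease at epoch time `now` against the allow-list `known`.
    report = {"active_known": [], "active_unknown": [], "expired": []}
    for lease in parse_leases(text):
        if lease["expiry"] and lease["expiry"] <= now:      # 0 = never expires
            report["expired"].append(lease["ip"])
        elif lease["mac"] in known:
            report["active_known"].append((lease["ip"], known[lease["mac"]]))
        else:   # a device that took an address but is not in our inventory
            report["active_unknown"].append((lease["ip"], lease["mac"], lease["host"]))
    return report
```

On the real server, replace SAMPLE_LEASES with the contents of /var/lib/misc/dnsmasq.leases and `now` with the current epoch time.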

NTP server

Primary source consulted: "Server configuration with GNU/Linux", January 2012 edition, by Joel Barrios Dueñas.

We install and configure:

:~# aptitude install ntp
:~# cp /etc/ntp.conf /etc/ntp.conf.original
:~# cp /dev/null /etc/ntp.conf

We edit the file that is now empty /etc/ntp.conf and we leave it with the following content:

# The default policy applied to any time server used:
# time synchronization with the sources is allowed, but
# the source may not query the service (noquery), modify
# it on this system (nomodify), or send trap messages (notrap).
restrict default nomodify notrap noquery
# Allow full access from the loopback interface.
restrict 127.0.0.1
# The local network may synchronize with this server,
# but may not modify the system configuration,
# and its hosts are not used as peers for synchronization.
restrict 10.10.10.0 mask 255.255.255.0 nomodify notrap
# Undisciplined local clock.
# This is an emulated driver used only as a backup
# when none of the real sources is available.
# (The "fudge" line must immediately follow the "server"
# line of the same driver.)
server 127.127.1.0
fudge 127.127.1.0 stratum 10
# Drift file.
driftfile /var/lib/ntp/drift
broadcastdelay 0.008
## IF YOU HAVE INTERNET ACCESS
# List of stratum 1 or 2 time servers.
# It is recommended to list at least 3 servers.
# More servers at:
# http://kopernix.com/?q=ntp
# http://www.eecis.udel.edu/~mills/ntp/servers.html
## If you have internet access, uncomment the following 3 lines
#server 0.pool.ntp.org
#server 1.pool.ntp.org
#server 2.pool.ntp.org
# Permissions assigned to each time server.
# In the examples, sources may not query or modify the
# service on the system, or send trap messages.
## If you have internet access, uncomment the following 3 lines
#restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap noquery
#restrict 1.pool.ntp.org mask 255.255.255.255 nomodify notrap noquery
#restrict 2.pool.ntp.org mask 255.255.255.255 nomodify notrap noquery
# Broadcast mode to clients is enabled
broadcastclient
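The restrict lines are where this ntp.conf decides who may do more than fetch the time. As an added check (not code from the article or from the cited book), the block below parses them and flags any non-loopback rule that lacks nomodify or noquery; noquery only denies ntpq/ntpdc control queries (the kind abused for amplification), so adding it to the LAN rule would not stop clients from synchronizing. The NTP_CONF text is a constructed copy of the relevant lines from the server configuration above.

```python
# Constructed copy of the restrict lines from this article's server ntp.conf.
NTP_CONF = """\
restrict default nomodify notrap noquery
restrict 127.0.0.1
restrict 10.10.10.0 mask 255.255.255.0 nomodify notrap
server 127.127.1.0
fudge 127.127.1.0 stratum 10
driftfile /var/lib/ntp/drift
"""

LOOPBACK = {"127.0.0.1", "::1"}

def parse_restrict(text):
    # Return (target, mask, flags) for each restrict line, comments stripped.
    rules = []
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if len(words) < 2 or words[0] != "restrict":
            continue
        tokens = words[1:]
        if tokens[0] in ("-4", "-6"):        # optional address-family prefix
            tokens = tokens[1:]
        if not tokens:
            continue
        target, rest, mask = tokens[0], tokens[1:], None
        if len(rest) >= 2 and rest[0] == "mask":
            mask, rest = rest[1], rest[2:]
        rules.append((target, mask, set(rest)))
    return rules

def audit_ntp(text):
    # Flag restrict rules that leave control queries or runtime changes open.
    rules = parse_restrict(text)
    findings = []
    if not any(target == "default" for target, _, _ in rules):
        findings.append("no 'restrict default': unlisted hosts get full access")
    for target, mask, flags in rules:
        if target in LOOPBACK or "ignore" in flags:
            continue                          # loopback is trusted; ignore blocks everything
        missing = {"nomodify", "noquery"} - flags
        if missing:
            scope = target if mask is None else f"{target}/{mask}"
            findings.append(f"{scope}: missing {' '.join(sorted(missing))}")
    return findings
```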

We restart the NTP service:

:~# service ntp restart
Stopping NTP server: ntpd.
Starting NTP server: ntpd.

NTP client

:~# aptitude install ntp
:~# cp /etc/ntp.conf /etc/ntp.conf.original
:~# cp /dev/null /etc/ntp.conf

We edit the file that is now empty /etc/ntp.conf and we leave it with the following content:

server mildap.amigos.cu

Checks on the Client

For example, let's take our client debian7.amigos.cu, on which we previously installed the openssh-server package.

root@debian7:~# ssh debian7
root@debian7's password:
[----]
root@debian7:~# ifconfig
eth0      Link encap:Ethernet  HWaddr 52:54:00:8f:ee:f6
          inet addr:10.10.10.153  Bcast:10.10.10.255  Mask:255.255.255.0
          inet6 addr: fe80::5054:ff:fe8f:eef6/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4967 errors:0 dropped:0 overruns:0 frame:0
          TX packets:906 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:6705409 (6.3 MiB)  TX bytes:93635 (91.4 KiB)
          Interrupt:10 Base address:0x6000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:8 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:480 (480.0 B)  TX bytes:480 (480.0 B)

We have already verified that it acquired an IP address from the dnsmasq installed on our OpenLDAP server; therefore, that service works correctly. Now let's check the NTP service, which can take several seconds:

:~# ntpdate -u mildap.amigos.cu
25 Jan 20:07:00 ntpdate [4608]: step time server 10.10.10.15 offset -0.633909 sec

Regarding the NTP service, everything works OK.

Other checks:

root@debian7:~# dig gandalf.amigos.cu

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> gandalf.amigos.cu
[----]
;; QUESTION SECTION:
;gandalf.amigos.cu.             IN      A
[----]
;; ANSWER SECTION:
gandalf.amigos.cu.      0       IN      A       10.10.10.1
[----]
root@debian7:~# dig gandalf
[----]
;; QUESTION SECTION:
;gandalf.                       IN      A
[----]
;; ANSWER SECTION:
gandalf.                0       IN      A       10.10.10.1
[----]
root@debian7:~# dig miwww
[----]
;; QUESTION SECTION:
;miwww.                         IN      A
[----]
;; ANSWER SECTION:
miwww.                  0       IN      A       10.10.10.5
[----]
root@debian7:~# dig debian7
[----]
;; QUESTION SECTION:
;debian7.                       IN      A
[----]
;; ANSWER SECTION:
debian7.                0       IN      A       10.10.10.153
[----]
root@debian7:~# host mildap
mildap.amigos.cu has address 10.10.10.15
Host mildap.amigos.cu not found: 5(REFUSED)
Host mildap.amigos.cu not found: 5(REFUSED)
root@debian7:~# host mildap.amigos.cu
mildap.amigos.cu has address 10.10.10.15
Host mildap.amigos.cu.amigos.cu not found: 5(REFUSED)
Host mildap.amigos.cu.amigos.cu not found: 5(REFUSED)

And since the two services we installed and configured work very well, we close for today, until the next installment of the article on how to implement DNS and DHCP services with DHCP updating DNS, based on Bind9 and ISC-DHCP-Server, for those who manage slightly larger and more complicated networks.

Until next time, friends !!!



  1.   Phew said

    I save it to PDF to read it better later: / it's quite long

  2.   Bones said

    I don't know why reading "dnsmasq" I thought it said "dnscrypt", I had discovered it by reading perseo's blog and implemented it just in case
    regards

  3.   fire cold said

    Thanks Friend, I have always said that your posts are very educational and very interesting, I really appreciate your collaboration, speaking of sharing knowledge, otherwise thank you very much, Greetings

    1.    federico said

      @firecold, Thank you very much for your words of consideration to what I write. They push me to continue.

      Thanks to ALL for commenting

  4.   dhunter said

    With this series of articles I am going to put on my shorts to see if I get out of 389 from work that already gives more headaches than a hangover.

    Greetings, Fico!

    1.    federico said

      Hello friend @dhunter!!! Suppose the 389 Directory Server (which uses Kerberos) and Samba, along with DHCP and DNS, offer Windows clients on a network pretty much the functionality you would get with a Windows 2003 domain controller. It is like starting from the very complex to implement a solution in a network for small and medium companies. And that's practically what most Admins are used to.

      I try and will try in the articles to walk from the simple to the complex so that people realize that, in a computer network, the philosophy of Microsoft networks is not necessary or essential. In fact, the WWW Village doesn't use it at all.

      Follow the articles and you will see. Cheers

  5.   vidagnu said

    Hello, a question: can the NTP client and server run on a single server, that is, the NTP server synchronizes with the Internet servers and at the same time the client is used to update the time of that same server?

    I see that here you have an ntp.conf file for the client and another for the server, how do I make everything run on the same computer?

    regards

    1.    federico said

      @vidagnu: If you read again and slowly you will realize that the NTP Server can also be synchronized with other NTP servers on the Internet.

      In a corporate or private network, the logical thing is for clients to synchronize the clock with the NTP server on that network, not with those on the Internet.

      In this way, traffic is reduced and the LAN works with the time that the local NTP server synchronized with the Internet servers.

      It looks like a tongue twister but it is. It is about establishing a cascade synchronization. That is, the NTP Server on the LAN synchronizes its clock with the NTP Servers on the Internet, and the clients on the LAN do it with their local server.

  6.   Raiden said

    Good evening. I have read some of your publications and they seem excellent to me, but in this one I have a small doubt: at what moment do I give DHCP addressing to the debian7 machine? From what I understand, the IP assignment by DHCP to the machine is done by the mildap server; if so, I could not do it. Sorry for the inconvenience, greetings.