[Samba] A and/or PTR record deleted after pc wake-up
L.P.H. van Belle
belle at bazuin.nl
Thu Mar 6 06:53:31 MST 2014
Hi Steve.
> Did you get a chance to go through our
>suggestion with samba-tool dns to check the Admin-pc box before you
>deleted?]
No, sorry, I already deleted Samba before I saw your email.
I will try with the keytab as you suggested.
But when I exported it and checked it against the named.update in Samba,
I saw:
grant INTERNAL.DOMAIN.TLD ms-self * A AAAA;
grant Administrator@INTERNAL.DOMAIN.TLD wildcard * A AAAA SRV CNAME;
grant RTD-DC1$@INTERNAL.DOMAIN.TLD wildcard * A AAAA SRV CNAME;
This is why I did the export and ran:
kinit -k -t /etc/krb5.keytab RTD-DC1$@INTERNAL.DOMAIN.TLD
So it should work, IMO.
But I will try again.
Thanks for looking into this.
Greetz,
Louis
>-----Original message-----
>From: steve at steve-ss.com [mailto:samba-bounces at lists.samba.org]
>On behalf of steve
>Sent: Thursday, March 6, 2014 13:32
>To: samba at lists.samba.org
>Subject: Re: [Samba] A and/or PTR record deleted after pc wake-up
>
>On Thu, 2014-03-06 at 13:06 +0100, L.P.H. van Belle wrote:
>> Hi,
>>
>> Thanks for all the responses.
>>
>> I only checked with the Windows RSAT tools.
>> I just deleted my install and I'm going for bind 9.9.5 from
>> Debian sid (rebuilt for wheezy).
>>
>> >The machine key has been used to authenticate. named must have had
>> >access to the dns keytab too.
>>
>> Yes, that's correct. I set the default keytab to
>> servname$@internal.domain.tld, checked it with all the tests the
>> wiki described, and pointed it to the default keytab file.
>>
>> This was my krb5.conf:
>>
>> [libdefaults]
>> default_realm = INTERNAL.DOMAIN.TLD
>> dns_lookup_realm = false
>> dns_lookup_kdc = true
>> ticket_lifetime = 30d
>> forwardable = yes
>> default_keytab_name = FILE:/etc/krb5.keytab
>>
>> [realms]
>> INTERNAL.DOMAIN.TLD = {
>> kdc = rtd-dc1.INTERNAL.DOMAIN.TLD:88
>> admin_server = rtd-dc1.INTERNAL.DOMAIN.TLD:749
>> default_domain = INTERNAL.DOMAIN.TLD
>> }
>>
>> [domain_realm]
>> .INTERNAL.DOMAIN.TLD = INTERNAL.DOMAIN.TLD
>> INTERNAL.DOMAIN.TLD = INTERNAL.DOMAIN.TLD
>>
>> [appdefaults]
>> pam = {
>> debug = false
>> ticket_lifetime = 36000
>> renew_lifetime = 36000
>> forwardable = true
>> krb4_convert = false
>> }
>>
>> The bind config also contained:
>> tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
>>
>> I used the following to export the keys:
>> # export the kerberos keys
>> samba-tool domain exportkeytab /tmp/krb5.keytab
>> Then I looked at what's in there:
>> ktutil
>> : rkt /tmp/krb5.keytab
>> : list
>> -> output
>> : wkt /etc/krb5.keytab
>> : quit
>>
>> For ISC bind we need bind as owner of the keytab:
>> chown bind /etc/krb5.keytab
>>
>> And I set the default keytab:
>> kinit -k -t /etc/krb5.keytab RTD-DC1$@INTERNAL.DOMAIN.TLD
>>
>> I checked which users have rights.
>> I looked in the /var/lib/samba/named.update file;
>> there are 3 which have rights to update the DNS.
>>
>> Can someone tell me if the above procedure is correct,
>> or should I set the default keytab on the next install to
>> /var/lib/samba/private/dns.keytab
>> and not export it and set it again?
>
>The latter. Forget anything about exporting keytabs or doing anything
>else with them. The only keytab you need, dns.keytab under private, is
>created by the provision. Simply make sure named can read it and write
>to the dns partitions themselves.
>HTH
>Steve
>
>[We've been trying to reproduce your dns denied error on the
>ddns as per
>the original post, but can't. Did you get a chance to go through our
>suggestion with samba-tool dns to check the Admin-pc box before you
>deleted?]
>
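The thread turns on two checks: which principals the named.update grant file lets update the zone (ms-self for a host's own A/AAAA versus wildcard for any name), and whether named can read the dns.keytab that tkey-gssapi-keytab points at without the keytab being exposed to other users. The script below is an added example written for this page, not code from the thread, Samba or BIND. It parses a named.update-style file into one record per grant, tells you whether a given principal holds a wildcard grant, and checks that a keytab file is not readable by "other". The sample grant lines are constructed to mirror the ones quoted above; the default paths and the audit_dlz name are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): audit BIND9_DLZ update grants and
# keytab exposure. Sample data below is constructed; paths are assumptions.

# Emit one "principal|matchtype|rrtypes" line per "grant ... ;" line.
list_dns_grants() {
    awk '$1 == "grant" {
        sub(/;$/, "")                       # strip trailing ";" (re-splits fields)
        types = ""
        for (i = 5; i <= NF; i++)           # fields 5..NF are the permitted RR types
            types = types (types == "" ? "" : ",") $i
        print $2 "|" $3 "|" types
    }' "$1"
}

# Exit 0 only if PRINCIPAL ($2) has a "wildcard" grant in FILE ($1), i.e. it
# may update any name in the zone, not just its own (ms-self).
has_wildcard_grant() {
    list_dns_grants "$1" | awk -F'|' -v p="$2" \
        '$1 == p && $2 == "wildcard" { found = 1 } END { exit !found }'
}

# Number of principals that can update names other than their own.
count_wildcard_grants() {
    list_dns_grants "$1" | awk -F'|' '$2 == "wildcard" { n++ } END { print n + 0 }'
}

# A keytab is a credential: it must exist and must not be readable by "other".
# Owner or group access for the bind user is all named needs.
keytab_private() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c8-10)" = "---" ]
}

# Write a constructed named.update-style file to a temp path and print the path.
make_sample_grants() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
grant INTERNAL.DOMAIN.TLD ms-self * A AAAA;
grant Administrator@INTERNAL.DOMAIN.TLD wildcard * A AAAA SRV CNAME;
grant RTD-DC1$@INTERNAL.DOMAIN.TLD wildcard * A AAAA SRV CNAME;
EOF
    echo "$f"
}

# Usage: audit_dlz [named.update] [dns.keytab]   (defaults are assumed paths)
audit_dlz() {
    grants=${1:-/var/lib/samba/named.update}
    keytab=${2:-/var/lib/samba/private/dns.keytab}
    echo "Grants in $grants:"
    list_dns_grants "$grants"
    echo "Principals with wildcard (any-name) update rights: $(count_wildcard_grants "$grants")"
    if keytab_private "$keytab"; then
        echo "OK: $keytab is not readable by others"
    else
        echo "WARNING: $keytab is missing or readable by others"
    fi
}
```

On a real DC run `audit_dlz` with no arguments, or point it at a copy of named.update; a principal that only appears under ms-self can touch nothing but its own A/AAAA, so any record change it did not make must come from a wildcard principal or from the DC itself.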