Joining a Windows 2008 R2 error

Michael Wood esiotrot at
Fri Sep 17 02:51:44 MDT 2010

On 16 September 2010 23:17, David Gonzalez <info at> wrote:
> How do I guarantee that BIND has access to keytab? I added these lines to
> /etc/init.d/named
> KEYTAB_FILE="/usr/local/samba/private/dns.keytab"
> KRB5_KTNAME="/usr/local/samba/private/dns.keytab"
> export KEYTAB_FILE
> export KRB5_KTNAME
> As instructed, but I wouldn't know how to tell you if it has access to it.

This seems to be the main issue for me.  There's no option in named's
config to tell it where the keytab is.  I couldn't get named to look
anywhere but /etc/krb5.keytab (as far as I remember).  So I made that
a symlink to the real one and then had to tell apparmor to allow
access to it.  /etc/krb5.keytab seems to be the default path that the
Kerberos libs look, and in theory you can change this with an
environment variable.  The KEYTAB_FILE or KRB5_KTNAME environment
variable (depending on your distribution) is supposed to make that
happen, but I couldn't get it to work.  From digging around in the
code a bit it seemed like there was no way to tell the Kerberos
libraries programmatically where the keytab is.  Maybe I just wasn't
looking in the right place and I did not spend too much time on it.
It just seemed strange to me that there wouldn't be a way to do it
directly instead of setting an environment variable for the Kerberos
library to look at later.

> Well, insecure, might be, but I have BIND listening just on my local
> interface so no external access is allowed

Still, you should probably change it to a list of IPs or subnets that
can update rather than just allowing anyone who can talk to you to
update your DNS records.  You really need to trust your users, though.
Otherwise one of them could delete all your DNS records or point them
somewhere malicious etc.

Michael Wood <esiotrot at>
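
An added example, not part of the original message or of Samba/BIND: one way to answer "does named have access to the keytab?" is to read the environment the running process actually received and then check the mode bits along the resolved path. It assumes Linux /proc and that the Kerberos library consults KRB5_KTNAME; the function names are hypothetical.

```python
import os, pwd, stat, sys

DEFAULT_KEYTAB = "/etc/krb5.keytab"  # default path named in the reply above

def parse_environ(raw):
    """Parse the NUL-separated bytes of /proc/<pid>/environ into a dict."""
    pairs = (item.partition(b"=") for item in raw.split(b"\0") if b"=" in item)
    return {k.decode(errors="replace"): v.decode(errors="replace") for k, _, v in pairs}

def keytab_path(env):
    """Keytab a process with this environment would use (assumes KRB5_KTNAME)."""
    name = env.get("KRB5_KTNAME", DEFAULT_KEYTAB)
    for prefix in ("FILE:", "WRFILE:"):  # optional keytab type prefix
        if name.startswith(prefix):
            return name[len(prefix):]
    return name

def _allowed(st, uid, gids, ubit, gbit, obit):
    """Classic owner/group/other mode check (no ACLs, no AppArmor/SELinux)."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & ubit)
    if st.st_gid in gids:
        return bool(st.st_mode & gbit)
    return bool(st.st_mode & obit)

def access_problems(path, uid, gids):
    """List mode-bit reasons why uid/gids cannot read path (symlinks resolved)."""
    real = os.path.realpath(path)
    if not os.path.isfile(real):
        return [f"{real} is not an existing file"]
    problems, parts = [], real.split(os.sep)
    for i in range(1, len(parts)):  # every ancestor directory needs search (x)
        d = os.sep.join(parts[:i]) or os.sep
        if not _allowed(os.stat(d), uid, gids, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH):
            problems.append(f"no search permission on {d}")
    if not _allowed(os.stat(real), uid, gids, stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH):
        problems.append(f"no read permission on {real}")
    return problems

if __name__ == "__main__":  # usage: <pid of named> <user named runs as>
    with open(f"/proc/{sys.argv[1]}/environ", "rb") as fh:
        env = parse_environ(fh.read())
    pw = pwd.getpwnam(sys.argv[2])
    gids = set(os.getgrouplist(pw.pw_name, pw.pw_gid))
    print("KRB5_KTNAME set:", "KRB5_KTNAME" in env, "| keytab:", keytab_path(env))
    for p in access_problems(keytab_path(env), pw.pw_uid, gids) or ["mode bits allow read"]:
        print(" -", p)
```

Run it as root so /proc/<pid>/environ is readable. A clean result here does not rule out an AppArmor denial, which shows up in the kernel log rather than in the file modes.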
