Gémes Géza geza at kzsdabas.hu
Sun Dec 18 05:23:41 MST 2011

2011-12-18 11:03 keltezéssel, Mohammad Ebrahim Abravi írta:
> On Sun, Dec 18, 2011 at 12:34 PM, Gémes Géza <geza at kzsdabas.hu
> <mailto:geza at kzsdabas.hu>> wrote:
>     Hi,
>     First of all as I'm not the most authoritative source of
>     information please remain on the samba-technical mailing list
>     (this thread could be beneficial to others too).
>>     run and export keytab  and chmod 777 (for test)
>>     > samba-tool domain
>>     exportkeytab/usr/local/samba/private/dns.keytab
>>     --realm=samba.example.com <http://samba.example.com>
>>     but on restart bind
>>     see this error?
>>     default realm from krb5.conf (samba.example.com
>>     <http://samba.example.com>) does not match tkey-gssapi-credential
>>     (DNS/samba4.samba.example.com <http://samba4.samba.example.com>)
>>     configuring TKEY: failure
>>      loading configuration: failure
>>     exiting (due to fatal error)
>>     what happen?
>>     On Sat, Dec 17, 2011 at 5:18 PM, Gémes Géza <geza at kzsdabas.hu
>>     <mailto:geza at kzsdabas.hu>> wrote:
>>         2011-12-17 11:23 keltezéssel, Mohammad Ebrahim Abravi írta:
>>         > Hello
>>         >
>>         > how to recreate dns.keytab
>>         (/usr/local/samba/private/dns.keytab) ?
>>         see samba-tool domain exportkeytab --help
>     Second: the error message suggest some kind of misconfiguration.
>     In order to debug it we would need the following informations:
>     Samba version: samba -V
>     Bind9 version
>     Bind9 config file
>     BTW with samba-tool domain exportkeytab --principal you can export
>     just the needed keys: DNS/your-samba4s-fully-qualified-hostname
>     (DNS/samba4.samba.example.com <http://samba4.samba.example.com> in
>     your case) and dns-samba4shorthostname (dns-samba4 in your case)
>     Regards
>     Geza
> samba -V => Version 4.0.0alpha17
> Bind9 version => 9.7.3
> bind config :
> tkey-gssapi-credential "DNS/samba4.samba.example.com
> <http://samba4.samba.example.com/>";
> tkey-domain "samba.example.com <http://samba4.samba.example.com/>";
> samba-tool domain exportkeytab --principal !?
> (NOTE: if reinstall and run provision all thing work -- but if install
> and run /samba-tool domain join/ and join to win2003, bind updating
> not work because dns.keytab not create automatically )
First of all taking into account  the pace of development, alpha 17 is
quite old, so I would suggest to use a current git checkout (most of
what advice I could give you is based on the current git version, and
not completely applicable to alpha 17 for example samba-tool domain
exportkeytab didn't have the --principal option). I will continue to
formulate my ideas based on the current git.

If you join to an existing domain being a dns server (just like windows
servers do) is not an automatic requirement (If you join a windows dc to
a domain it gives you the option to run dns or it or not). So some
manual intervention is needed. You must create a user account (named eg.
dns-"yoursambaservername") associate the spn
DNS/"fqdn-of-yoursambaserver" to it (for example samba-tool spn
add.....), and then export the keytab for it.
Unfortunately bind 9.7 will have lots of problems with synchronizing
with your windows servers ad based dns, and also quite buggy behavior
regarding the use of kerberos key based dynamic upgrades. I would
recommend upgrading to bind 9.8 with the dlz dlopen backend (which
stores the domain zones in AD)



More information about the samba-technical mailing list