samba4 from BDC to PDC

Daniele Dario d.dario76 at gmail.com
Thu Oct 20 07:08:18 MDT 2011


On Thu, 2011-10-20 at 14:53 +0200, Gémes Géza wrote:
> On 2011-10-20 13:43, Gémes Géza wrote:
> > On 2011-10-20 09:22, Daniele Dario wrote:
> >> Hi all,
> >> in my simple network I have:
> >> - MS SBS2003 server which is PDC and master DNS (allow zone transfer to
> >> other DNSs of the zone)
> >> - Ubuntu 10.04 32b server VM on XEN server with samba Version
> >> 4.0.0alpha17-GIT-ccaab14 joined to the AD domain as DC plus dhcpd
> >> configured for ddns updates (currently to the SBS DNS) plus BIND
> >> 9.8.0-P4 configured as slave DNS for the local domain zones
> >> - Ubuntu 10.04 32b server with samba Version 3.4.7 joined to the AD
> >> domain which acts as file server (for the network shares)
> >>
> >> My goal is to remove the SBS server so as first step I'll disable zone
> >> transfer from the MS DNS and change the zones in BIND to master to check
> >> if samba4 DDNS and ISC DHCPD DDNS still works but as per the samba4
> >> how-to I need to add the tkey-gssapi-keytab
> >> "/usr/local/samba/private/dns.keytab"; statement in named.conf.
> >>
> >> If I run provision on samba4 (for a new domain) at the end of the
> >> provision the dns.keytab file is created in the samba/private directory.
> >> Running the domain join command instead of the provision the dns.keytab
> >> file is not created so how am I supposed to proceed?
> >>
> >> Thanks in advance,
> >> Daniele.
> >>
> >>
> >>
> Sorry, some typos corrected below:
> > Hi,
> >
> > IMHO you should check if you have
> > /usr/local/samba/modules/bind9/dlz_bind9.so, if not check if you can
> > find libdlz_bind9.so in the source (where you have compiled samba4), if
> > there is one copy it to the right place. Then edit (being on Ubuntu I
> > suppose the standard Ubuntu path) /etc/bind/named.conf.local and add the
> > following:
> > dlz "AD DNS Zone" {
> >     database "dlopen /usr/local/samba/modules/bind9/dlz_bind9.so";
> > };
> With samba-tool user add (or the windows tools) create a
> dns-YOURLINUXHOSTNAMEWITHOUTYOURDOMAINPART
> > account with password never expiring
> > with samba-tool spn add (or ktpass on windows) associate the principal
> > names "DNS/your-ubuntu-server.your.domain" and "DNS/your.domain"
> > with samba-tool domain exportkeytab dump the keys to a keytab (with
> > ktutil -k keytab list you can verify the keys in it if there is any
> > unneeded you can also delete them).
> > Set up the tkey-gssapi-keytab option.
> > Comment out the slave zones in bind.
> > After a bind restart it should be able to read the rr-s directly from
> > samba4's ad.
> >
> > Good luck!
> >
> > Cheers
> >
> > Geza
> 

Hi Geza,
about the samba-tool spn add command, do you mean
# samba-tool spn add DNS/your-server.your.domain dns-hostname
# samba-tool spn add DNS/your.domain dns-hostname
so two associations?

Daniele.
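A pre-flight check for the steps Geza lists above (the `dlz` database line loading `dlz_bind9.so`, the `tkey-gssapi-keytab` statement, the slave zones commented out, the exported keytab in place). This is an added example, not code from the thread or from the Samba project. It assumes the thread's `/usr/local/samba` prefix and Ubuntu's `/etc/bind` layout (both overridable through the variables at the top); the function names are my own. Note that `tkey-gssapi-keytab` normally lives in the `options {}` block of `named.conf.options`, so point `check_tkey_statement` at whichever file holds it; the constructed demo fragment puts both statements in one file only for brevity.

```shell
#!/bin/sh
# Pre-flight check for the BIND9 + samba4 DLZ setup discussed in the thread.
# Added example, not from the thread or the Samba project. Assumed paths:
# samba under /usr/local/samba (as in the thread), BIND config under /etc/bind.

SAMBA_PREFIX="${SAMBA_PREFIX:-/usr/local/samba}"
DLZ_MODULE="${DLZ_MODULE:-$SAMBA_PREFIX/modules/bind9/dlz_bind9.so}"
DNS_KEYTAB="${DNS_KEYTAB:-$SAMBA_PREFIX/private/dns.keytab}"

# 0 if the conf file loads the DLZ module through a 'database "dlopen <module>"' line.
check_dlz_statement() {
    conf="$1"; module="$2"
    [ -r "$conf" ] || { echo "FAIL: cannot read $conf"; return 1; }
    if grep -qF "dlopen $module" "$conf"; then
        echo "OK:   dlz database line for $module found in $conf"
    else
        echo "FAIL: no 'database \"dlopen $module\"' line in $conf"
        return 1
    fi
}

# 0 if the conf file points tkey-gssapi-keytab at the expected keytab.
check_tkey_statement() {
    conf="$1"; keytab="$2"
    [ -r "$conf" ] || { echo "FAIL: cannot read $conf"; return 1; }
    if grep -qF "tkey-gssapi-keytab \"$keytab\"" "$conf"; then
        echo "OK:   tkey-gssapi-keytab \"$keytab\" set in $conf"
    else
        echo "FAIL: tkey-gssapi-keytab \"$keytab\" not set in $conf"
        return 1
    fi
}

# 0 if no active (uncommented) "type slave" zone remains; Geza's advice is to
# comment them out once BIND reads the records from the AD via DLZ.
check_no_slave_zones() {
    conf="$1"
    [ -r "$conf" ] || { echo "FAIL: cannot read $conf"; return 1; }
    if grep -vE '^[[:space:]]*(//|#)' "$conf" | grep -qE 'type[[:space:]]+slave'; then
        echo "FAIL: active slave zone(s) still defined in $conf"
        return 1
    fi
    echo "OK:   no active slave zones in $conf"
}

# 0 if the keytab exists and is non-empty. Warns when it is world-readable
# (only the user BIND runs as needs it) and, when klist is installed, lists
# the DNS/ principals so the two SPNs from the thread can be confirmed.
check_keytab_present() {
    keytab="$1"
    [ -s "$keytab" ] || { echo "FAIL: keytab $keytab missing or empty"; return 1; }
    perms=$(stat -c %a "$keytab" 2>/dev/null || stat -f %Lp "$keytab")
    case "$perms" in
        *[4567]) echo "WARN: $keytab is world-readable (mode $perms)" ;;
    esac
    if command -v klist >/dev/null 2>&1; then
        klist -k "$keytab" | grep 'DNS/' || echo "WARN: no DNS/ principals in $keytab"
    fi
    echo "OK:   keytab $keytab present"
}

# Demonstration on a constructed named.conf fragment (sample data written to a
# temp dir). For a real check, call the functions on /etc/bind/named.conf.local,
# /etc/bind/named.conf.options and $DNS_KEYTAB instead.
run_demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/named.conf.local" <<EOF
options {
    tkey-gssapi-keytab "$DNS_KEYTAB";
};
dlz "AD DNS Zone" {
    database "dlopen $DLZ_MODULE";
};
// zone "old.example" { type slave; masters { 192.0.2.1; }; };   // commented out, as advised
EOF
    check_dlz_statement "$tmp/named.conf.local" "$DLZ_MODULE"
    check_tkey_statement "$tmp/named.conf.local" "$DNS_KEYTAB"
    check_no_slave_zones "$tmp/named.conf.local"
    rm -rf "$tmp"
}

run_demo
```

Run it as the user that administers BIND; a `FAIL` on the keytab check after `samba-tool domain exportkeytab` usually means the keytab was written somewhere other than the path in `named.conf`, and a `WARN` on its mode means the file should be chowned to the BIND user and made unreadable to others.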



More information about the samba-technical mailing list