Problems (possibly bug) with dlz for bind 9.9 in 4.0.0beta3-GIT-763f9e8

Andrew Bartlett abartlet at
Mon Jul 2 04:49:15 MDT 2012

On Mon, 2012-07-02 at 04:41 -0600, Trever L. Adams wrote:
> On 07/02/2012 12:45 AM, Andrew Bartlett wrote:
> > On Mon, 2012-07-02 at 00:41 -0600, Trever L. Adams wrote:
> >> Are there any debugging/logging steps you can recommend? somepc$ was the
> >> client so did it get a ticket properly or did it fail?
> > To get that message, it seems to have got the ticket, and we decoded it.
> >
> >> Will a -d10 log.samba show anything? I should have one captured (I am
> >> willing to send it to you off list if it would).
> > Unlikely (because the ticket was correctly produced). 
> >
> > Andrew Bartlett
> >
> Andrew,
> Thank you for your help. I have not yet solved the problem, but I
> thought I would make a note of some questions I have.
> 1) Are any of the steps in named.txt for 9.7.x to be followed for
> 9.8.x/9.9.x? (namely tkey-gssapi-credential or tkey-domain)

No, the advance with 9.8/9.9 is that these are not needed. 

> 2) I think the named.txt needs to be corrected. As written, it seems to
> suggest that the line
> tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
> is intended for 9.8.x ONLY. However, it is necessary for 9.9.x DLZ (at
> least as my post beta1 provision shows on testing removal).

Thanks.  I actually have a patch for exactly that already prepared :-)

> 3) For 9.9.x DLZ is named.conf.update needed anywhere?

No, named.conf.update isn't needed for DLZ.

As to where to go from here:  The only hint I have is to get the debug
packages for bind9 and krb5, start bind under gdb and then break on the
failing function (gss_inquire_cred) and see where it fails internally.
It will be painful, but may be the only way.  (I don't know how easy
bind is to debug, threads etc, but it's all I can suggest)

Andrew Bartlett

Andrew Bartlett                      
Authentication Developer, Samba Team 

More information about the samba-technical mailing list