dns.keytab file

Alexander Bokovoy ab at samba.org
Mon Oct 19 12:46:59 UTC 2020

On ma, 19 loka 2020, Rowland penny via samba-technical wrote:
> On 19/10/2020 13:07, Stefan Kania via samba-technical wrote:
> > 
> > Am 19.10.20 um 03:38 schrieb Andrew Bartlett:
> > > On Sat, 2020-10-17 at 09:47 +0200, Stefan Kania wrote:
> > > > Hi Andrew,
> > > > 
> > > > Am 16.10.20 um 22:37 schrieb Andrew Bartlett:
> > > > > I just saw this with a customer yesterday.
> > > > I see this every time I setup a new domain, I also wrote it into my
> > > > Samba4 book. If it's a bug should I write bugreport?
> > > Yes.
> > Done
> > https://bugzilla.samba.org/show_bug.cgi?id=14535
> > I hope I did it right :-)
> OK, I 'think' I have tracked this down. During the join, 'setup_bind9_dns'
> from sambadns.py is called, this in turn calls 'secretsdb_setup_dns'. This
> actually removes any existing 'dns.keytab' from the private and bind-dns
> dirs, it then goes on to create the keytab via the commit, but only in the
> private dir.
> Now to consider how to create the keytab in the bind-dns dir, is it that the
> incorrect path is being passed ? Or just move it to the correct destination
> (does anything rely on the dns.keytab being in the private dir ?), or do
> something else ?

Looking into source4/dns_server/dlz_bind9.c, it accepts dns.keytab in
either path, first checking BIND's path, then Samba's private directory.
Since the process runs under the BIND user (named:named in Fedora, for
example), it wouldn't have access to Samba's private directory.

Our source4/setup/named.txt talks about BIND's path (DNS_KEYTAB_ABS is
expanded to use BIND's path):

$ git grep DNS_KEYTAB_ABS
python/samba/provision/sambadns.py:            "DNS_KEYTAB_ABS": os.path.join(binddns_dir, keytab_name),
source4/setup/named.txt:tkey-gssapi-keytab "${DNS_KEYTAB_ABS}";
source4/setup/named.txt:chcon -t named_conf_t ${DNS_KEYTAB_ABS}

The logic was that if you ran the Samba setup before 4.8.0, the
samba_upgradedns script helps to upgrade to the newer setup, as explained
in 8f2dee256e281c438105689b073f09685f161b16:

commit 8f2dee256e281c438105689b073f09685f161b16
Author: Andreas Schneider <asn at samba.org>
Date:   Thu Aug 10 15:37:54 2017 +0200

    python:samba: Use 'binddns dir' in samba-tool and samba_upgradedns

    This provisions the bind_dlz files in the 'binddns dir'. If you want to
    migrate to the new files structure you can run samba_upgradedns!

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12957

So I think the right path is BIND's path.

/ Alexander Bokovoy
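As an added post-join check (example code, not from the thread or the Samba project): a POSIX shell function that mirrors the lookup order described above for dlz_bind9.c, BIND's directory first and then Samba's private directory, and flags the state Rowland reports, where the keytab ends up only in the private dir. The two directory paths are passed in as arguments; the keytab file name dns.keytab is taken from the thread, and the sample directory names in the comments are assumptions.

```shell
#!/bin/sh
# Verify where dns.keytab landed after a domain join.
# Lookup order mirrors the description of source4/dns_server/dlz_bind9.c:
#   1. BIND's directory  ('binddns dir', e.g. /var/lib/samba/bind-dns)  (assumed path)
#   2. Samba's private directory (e.g. /var/lib/samba/private)           (assumed path)
# The BIND process normally has no access to the private directory, so a keytab
# that exists only there is the failure mode discussed in the thread.
#
# Usage:   check_dns_keytab BINDDNS_DIR PRIVATE_DIR
# Returns: 0 keytab in BIND's dir, 1 only in private dir, 2 in neither

check_dns_keytab() {
    binddns_dir=$1
    private_dir=$2
    keytab_name=dns.keytab

    bind_kt="$binddns_dir/$keytab_name"
    priv_kt="$private_dir/$keytab_name"

    if [ -f "$bind_kt" ]; then
        echo "OK: $bind_kt present (the path BIND checks first)"
        # Show owner and mode so the reader can confirm the BIND user can read it.
        ls -l "$bind_kt"
        if [ -f "$priv_kt" ]; then
            echo "NOTE: a second copy also exists at $priv_kt"
        fi
        return 0
    fi

    if [ -f "$priv_kt" ]; then
        echo "PROBLEM: $keytab_name exists only in $private_dir"
        echo "         BIND's lookup falls back to this path, but the BIND user"
        echo "         usually cannot read Samba's private directory."
        return 1
    fi

    echo "PROBLEM: no $keytab_name found in $binddns_dir or $private_dir"
    return 2
}
```

Run it against the 'binddns dir' and 'private dir' values from the DC's smb.conf; exit status 1 is the post-join state the bug report describes.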
