dns.keytab file

Rowland penny rpenny at samba.org
Mon Oct 19 12:55:10 UTC 2020

On 19/10/2020 13:46, Alexander Bokovoy wrote:
> On ma, 19 loka 2020, Rowland penny via samba-technical wrote:
>> On 19/10/2020 13:07, Stefan Kania via samba-technical wrote:
>>> Am 19.10.20 um 03:38 schrieb Andrew Bartlett:
>>>> On Sat, 2020-10-17 at 09:47 +0200, Stefan Kania wrote:
>>>>> Hi Andrew,
>>>>> Am 16.10.20 um 22:37 schrieb Andrew Bartlett:
>>>>>> I just saw this with a customer yesterday.
>>>>> I see this every time I setup a new domain, I also wrote it into my
>>>>> Samba4 book. If it's a bug should I write bugreport?
>>>> Yes.
>>> Done
>>> https://bugzilla.samba.org/show_bug.cgi?id=14535
>>> I hope I did it right :-)
>> OK, I 'think' I have tracked this down. During the join, 'setup_bind9_dns'
>> from sambadns.py is called, this in turn calls 'secretsdb_setup_dns'. This
>> actually removes any existing 'dns.keytab' from the private and bind-dns
>> dirs, it then goes on to create the keytab via the commit, but only in the
>> private dir.
>> Now to consider how to create the keytab in the bind-dns dir, is it that the
>> incorrect path is being passed ? Or just move it to the correct destination
>> (does anything rely on the dns.keytab being in the private dir ?), or do
>> something else ?
> Looking into source4/dns_server/dlz_bind9.c, it accepts dns.keytba in
> either path, first checking BIND's path, then Samba's private directory.
> Since the process runs under BIND user (named:named in Fedora, for
> example), it wouldn't have access to Samba's private directory.
> Our source4/setup/named.txt talks about BIND's path (DNS_KEYTAB_ABS is
> expanded to use BIND's path):
> $ git grep DNS_KEYTAB_ABS
> python/samba/provision/sambadns.py:            "DNS_KEYTAB_ABS": os.path.join(binddns_dir, keytab_name),
> source4/setup/named.txt:tkey-gssapi-keytab "${DNS_KEYTAB_ABS}";
> source4/setup/named.txt:chcon -t named_conf_t ${DNS_KEYTAB_ABS}
> The logic was that if you ran Samba set up before 4.8.0,
> samba_upgradedns script helps to upgrade to a newer setup as explained
> in 8f2dee256e281c438105689b073f09685f161b16:
> commit 8f2dee256e281c438105689b073f09685f161b16
> Author: Andreas Schneider <asn at samba.org>
> Date:   Thu Aug 10 15:37:54 2017 +0200
>      python:samba: Use 'binddns dir' in samba-tool and samba_upgradedns
>      This provisions the bind_dlz files in the 'binddns dir'. If you want to
>      migrate to the new files strcuture you can run samba_upgradedns!
>      BUG: https://bugzilla.samba.org/show_bug.cgi?id=12957
> So I think the right path is BIND's path.
On a new DC joined using BIND9_DLZ, the dns.keytab does not get created 
in the bind-dns dir, it is created in the private dir, so I think what 
you are saying is that the wrong path is being passed to 
'secretsdb_setup_dns' ?


More information about the samba-technical mailing list