[Samba] tkey-gssapi-credential and bind (Samba4)

Mauricio Tavares raubvogel at gmail.com
Tue Jun 21 08:11:01 MDT 2011


So I am in step 10 of the samba4 howto
(https://wiki.samba.org/index.php/Samba4/HOWTO#Step_10_Configure_kerberos_DNS_dynamic_updates);
my bind9 is 9.7.3 which seems to be current enough for this. In it we
are to add

   tkey-gssapi-credential "DNS/samdom.example.com";
   tkey-domain "SAMDOM.EXAMPLE.COM";

to /etc/bind/named.conf.options. Since my test domain is
test.domain.com, I changed the above to

   tkey-gssapi-credential "DNS/test.domain.com";
   tkey-domain "TEST.DOMAIN.COM";

In the log file I have:

Jun 21 10:02:39 sambabox named[3302]: automatic empty zone: D.F.IP6.ARPA
Jun 21 10:02:39 sambabox named[3302]: automatic empty zone: 8.E.F.IP6.ARPA
Jun 21 10:02:39 sambabox named[3302]: automatic empty zone: 9.E.F.IP6.ARPA
Jun 21 10:02:39 sambabox named[3302]: automatic empty zone: A.E.F.IP6.ARPA
Jun 21 10:02:39 sambabox named[3302]: automatic empty zone: B.E.F.IP6.ARPA
Jun 21 10:02:39 sambabox named[3302]: automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
Jun 21 10:02:39 sambabox named[3302]: configuring TKEY: failure
Jun 21 10:02:39 sambabox named[3302]: loading configuration: failure
Jun 21 10:02:39 sambabox named[3302]: exiting (due to fatal error)
Jun 21 10:02:50 sambabox named[3316]: starting BIND 9.7.3 -u bind
Jun 21 10:02:50 sambabox named[3316]: built with '--prefix=/usr'
'--mandir=/usr/share/man' '--infodir=/usr/share/info'
'--sysconfdir=/etc/bind' '--localstatedir=/var' '--enable-threads'
'--enable-largefile' '--with-libtool' '--enable-shared'
'--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr'
'--with-gnu-ld' '--with-dlz-postgres=no' '--with-dlz-mysql=no'
'--with-dlz-bdb=yes' '--with-dlz-filesystem=yes' '--with-dlz-ldap=yes'
'--with-dlz-stub=yes' '--with-geoip=/usr' '--enable-ipv6'
'CFLAGS=-fno-strict-aliasing -DDIG_SIGCHASE -O2'
'LDFLAGS=-Wl,-Bsymbolic-functions' 'CPPFLAGS='

IMHO, just saying "TKEY:failure" is not very helpful. I did find out
the line bind does not seem to like is the first one,

tkey-gssapi-credential "DNS/test.domain.com";

This is an Ubuntu 11.04 machine, if this matters.

