[Samba] tkey-gssapi-credential and bind (Samba4)

Marcel Ritter Marcel.Ritter at rrze.uni-erlangen.de
Tue Jun 21 08:45:26 MDT 2011


Hi Mauricio,

this is usually caused by one of 3 things:

1) bind is started without KRB5_KTNAME being set, and
     therefore doesn't know where to look for its keytab

2) the bind user does not have access permission to the
    keytab (or any directory in its path)

3) I also had problems related to apparmor (on Ubuntu 10.04)
    where the apparmor security framework prevented bind
    from accessing the keytab, even if file permissions were ok

Hope this helps,
    Marcel
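The three causes above can be checked mechanically. The script below is an added example, not part of the reply or of the Samba HOWTO; it assumes the Debian/Ubuntu layout (service user "bind", environment set in /etc/default/bind9, AppArmor records in /var/log/kern.log or dmesg) and takes the principal from tkey-gssapi-credential as its first argument. Run it under the same identity as named so the permission tests reflect what named actually sees.

```shell
#!/bin/sh
# keytab_check.sh -- walks through the three causes from the reply above:
# (1) KRB5_KTNAME not set, (2) the bind user cannot reach the keytab,
# (3) AppArmor blocks named even though file permissions look right.
# Added example, not from the Samba HOWTO or the BIND project.  Assumptions:
# the service user is "bind" (Debian/Ubuntu), the kernel log lives in
# /var/log/kern.log, and the principal name is passed as the first argument.
# Run it under the same identity as named so the access tests are meaningful:
#   sudo -u bind KRB5_KTNAME=/usr/local/samba/private/dns.keytab \
#       sh keytab_check.sh DNS/test.domain.com

# (1) Normalise KRB5_KTNAME: accept "FILE:/path" or "/path"; fail if empty.
keytab_path() {
    [ -n "$1" ] || return 1
    printf '%s\n' "${1#FILE:}"
}

# (2) Walk from / down to the keytab.  Every directory on the way must
#     exist and be searchable (x) and the file itself readable (r) by the
#     current user.  Prints the first failing component and returns 1.
check_access() {
    target="$1"
    path=""
    oldifs="$IFS"
    IFS=/
    for comp in $target; do
        IFS="$oldifs"
        [ -n "$comp" ] || continue
        path="$path/$comp"
        if [ "$path" = "$target" ]; then
            if [ ! -r "$path" ]; then
                printf 'keytab not readable: %s\n' "$path"
                return 1
            fi
        elif [ ! -d "$path" ] || [ ! -x "$path" ]; then
            printf 'directory missing or not searchable: %s\n' "$path"
            return 1
        fi
    done
    IFS="$oldifs"
    return 0
}

# (3) Scan AppArmor audit records (dmesg or kern.log) read from stdin for
#     denials attributed to named; prints the denied paths and returns 1
#     if any are found.  Layout of such a record (constructed sample):
#     audit: type=1400 ... apparmor="DENIED" operation="open"
#       profile="/usr/sbin/named" name="/usr/local/samba/private/dns.keytab"
#       pid=3316 comm="named" requested_mask="r" denied_mask="r"
apparmor_check() {
    denied=$(grep 'apparmor="DENIED"' | grep 'comm="named"' \
             | sed -n 's/.*name="\([^"]*\)".*/\1/p' | sort -u)
    [ -n "$denied" ] || return 0
    printf 'AppArmor denied named access to: %s\n' "$denied"
    return 1
}

# Optional: confirm the principal named in tkey-gssapi-credential is
# present in the keytab (MIT klist; skipped when klist is not installed).
principal_in_keytab() {
    command -v klist >/dev/null 2>&1 || return 0
    klist -k "$1" 2>/dev/null | grep -q "^ *[0-9]* *$2@" && return 0
    printf 'principal %s not found in %s\n' "$2" "$1"
    return 1
}

# Run the checks in order; each one prints what it found.
run_all() {
    status=0
    kt=$(keytab_path "$1") || {
        echo "KRB5_KTNAME is not set in named's environment (check /etc/default/bind9)"
        return 1
    }
    check_access "$kt" || status=1
    [ -n "$2" ] && { principal_in_keytab "$kt" "$2" || status=1; }
    if [ -r /var/log/kern.log ]; then
        apparmor_check </var/log/kern.log || status=1
    else
        dmesg 2>/dev/null | apparmor_check || status=1
    fi
    [ "$status" -eq 0 ] && echo "keytab checks passed for $kt"
    return "$status"
}

run_all "${KRB5_KTNAME:-}" "${1:-}" || echo "one or more checks failed"
```

Because named is started with `-u bind` (visible in the log further down), the walk in check_access must succeed for that user, not for root; running the script via sudo -u bind is what makes cause 2 visible. Cause 3 shows up as apparmor="DENIED" records even when the walk passes, which is why both checks are kept separate.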

-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On Behalf Of Mauricio Tavares
Sent: Tuesday, 21 June 2011 16:11
To: samba at lists.samba.org
Subject: [Samba] tkey-gssapi-credential and bind (Samba4)

      So I am in step 10 of the samba4 howto (https://wiki.samba.org/index.php/Samba4/HOWTO#Step_10_Configure_kerberos_DNS_dynamic_updates);
my bind9 is 9.7.3 which seems to be current enough for this. In it we are to add

   tkey-gssapi-credential "DNS/samdom.example.com";
   tkey-domain "SAMDOM.EXAMPLE.COM";

to /etc/bind/named.conf.options. Since my test domain is test.domain.com, I changed the above to

   tkey-gssapi-credential "DNS/test.domain.com";
   tkey-domain "TEST.DOMAIN.COM";

In the log file I have:

Jun 21 10:02:39 sambabox named[3302]: automatic empty zone: D.F.IP6.ARPA
Jun 21 10:02:39 sambabox named[3302]: automatic empty zone: 8.E.F.IP6.ARPA
Jun 21 10:02:39 sambabox named[3302]: automatic empty zone: 9.E.F.IP6.ARPA
Jun 21 10:02:39 sambabox named[3302]: automatic empty zone: A.E.F.IP6.ARPA
Jun 21 10:02:39 sambabox named[3302]: automatic empty zone: B.E.F.IP6.ARPA
Jun 21 10:02:39 sambabox named[3302]: automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
Jun 21 10:02:39 sambabox named[3302]: configuring TKEY: failure
Jun 21 10:02:39 sambabox named[3302]: loading configuration: failure
Jun 21 10:02:39 sambabox named[3302]: exiting (due to fatal error)
Jun 21 10:02:50 sambabox named[3316]: starting BIND 9.7.3 -u bind
Jun 21 10:02:50 sambabox named[3316]: built with '--prefix=/usr'
'--mandir=/usr/share/man' '--infodir=/usr/share/info'
'--sysconfdir=/etc/bind' '--localstatedir=/var' '--enable-threads'
'--enable-largefile' '--with-libtool' '--enable-shared'
'--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr'
'--with-gnu-ld' '--with-dlz-postgres=no' '--with-dlz-mysql=no'
'--with-dlz-bdb=yes' '--with-dlz-filesystem=yes' '--with-dlz-ldap=yes'
'--with-dlz-stub=yes' '--with-geoip=/usr' '--enable-ipv6'
'CFLAGS=-fno-strict-aliasing -DDIG_SIGCHASE -O2'
'LDFLAGS=-Wl,-Bsymbolic-functions' 'CPPFLAGS='

IMHO, just saying "TKEY: failure" is not very helpful. I did find out that the line bind does not seem to like is the first one,

tkey-gssapi-credential "DNS/test.domain.com";

This is an ubuntu 11.04 machine if this matters.