[Samba] tkey-gssapi-credential and bind (Samba4)

Aaron E. ssureshot at gmail.com
Tue Jun 21 11:14:39 MDT 2011


In my experience this is due to gssapi not being compiled to the correct
directory for bind. I also used 11.04 and my compile path was
--with-gssapi=/usr/include/gssapi, instead of /usr



On 06/21/2011 10:45 AM, Marcel Ritter wrote:
> Hi Mauricio,
>
> this is usually caused by one of 3 things:
>
> 1) bind is started without KRB5_KTNAME being set, and
>       therefore doesn't know where to look for its keytab
>
> 2) the bind user does not have access permission to the
>      keytab (or any directory in its path)
>
> 3) I also had problems related to apparmor (on Ubuntu 10.04)
>      where the apparmor security framework prevented bind
>      from accessing the keytab, even if file permissions were ok
>
> Hope this helps,
>      Marcel
>
> -----Original Message-----
> From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On behalf of Mauricio Tavares
> Sent: Tuesday, 21 June 2011 16:11
> To: samba at lists.samba.org
> Subject: [Samba] tkey-gssapi-credential and bind (Samba4)
>
>        So I am in step 10 of the samba4 howto (https://wiki.samba.org/index.php/Samba4/HOWTO#Step_10_Configure_kerberos_DNS_dynamic_updates);
> my bind9 is 9.7.3 which seems to be current enough for this. In it we are to add
>
>     tkey-gssapi-credential "DNS/samdom.example.com";
>     tkey-domain "SAMDOM.EXAMPLE.COM";
>
> to /etc/bind/named.conf.options. Since my test domain is test.domain.com, I changed the above to
>
>     tkey-gssapi-credential "DNS/test.domain.com";
>     tkey-domain "TEST.DOMAIN.COM";
>
> In the log file I have:
>
> Jun 21 10:02:39 sambabox named[3302]: automatic empty zone: D.F.IP6.ARPA
> Jun 21 10:02:39 sambabox named[3302]: automatic empty zone: 8.E.F.IP6.ARPA
> Jun 21 10:02:39 sambabox named[3302]: automatic empty zone: 9.E.F.IP6.ARPA
> Jun 21 10:02:39 sambabox named[3302]: automatic empty zone: A.E.F.IP6.ARPA
> Jun 21 10:02:39 sambabox named[3302]: automatic empty zone: B.E.F.IP6.ARPA
> Jun 21 10:02:39 sambabox named[3302]: automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
> Jun 21 10:02:39 sambabox named[3302]: configuring TKEY: failure
> Jun 21 10:02:39 sambabox named[3302]: loading configuration: failure
> Jun 21 10:02:39 sambabox named[3302]: exiting (due to fatal error)
> Jun 21 10:02:50 sambabox named[3316]: starting BIND 9.7.3 -u bind
> Jun 21 10:02:50 sambabox named[3316]: built with '--prefix=/usr'
> '--mandir=/usr/share/man' '--infodir=/usr/share/info'
> '--sysconfdir=/etc/bind' '--localstatedir=/var' '--enable-threads'
> '--enable-largefile' '--with-libtool' '--enable-shared'
> '--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr'
> '--with-gnu-ld' '--with-dlz-postgres=no' '--with-dlz-mysql=no'
> '--with-dlz-bdb=yes' '--with-dlz-filesystem=yes' '--with-dlz-ldap=yes'
> '--with-dlz-stub=yes' '--with-geoip=/usr' '--enable-ipv6'
> 'CFLAGS=-fno-strict-aliasing -DDIG_SIGCHASE -O2'
> 'LDFLAGS=-Wl,-Bsymbolic-functions' 'CPPFLAGS='
>
> IMHO, just saying "TKEY:failure" is not very helpful. I did find out the line bind does not seem to like is the first one,
>
> tkey-gssapi-credential "DNS/test.domain.com";
>
> This is an ubuntu 11.04 machine if this matters.
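The three causes Marcel lists above (KRB5_KTNAME missing from named's environment, keytab or directory permissions, and an AppArmor denial), turned into a small diagnostic script. This is added here and is not code from the thread; the keytab path, the /usr/sbin/named profile name, the syslog location and the sample denial line are assumptions modelled on Ubuntu defaults.

```shell
#!/bin/sh
# Added diagnostic for the three causes listed above; not code from the thread.
# Assumptions: Ubuntu-style paths (keytab under /etc/bind, AppArmor profile
# /usr/sbin/named, syslog at /var/log/syslog). Run as the user named runs as:
#   sudo -u bind sh tkey_check.sh /etc/bind/dns.keytab

# Cause 1: KRB5_KTNAME must be in named's own environment (e.g. exported from
# /etc/default/bind9), not only in your interactive shell.
check_ktname() {
    if [ -z "${KRB5_KTNAME:-}" ]; then
        echo "KRB5_KTNAME is not set; named cannot find its keytab"
        return 1
    fi
    echo "KRB5_KTNAME=$KRB5_KTNAME"
}

# Cause 2: the keytab must be readable, and every directory on its path
# searchable, by the user running this check.
check_keytab_access() {
    kt=$1
    [ -f "$kt" ] || { echo "keytab $kt does not exist"; return 1; }
    dir=$(dirname "$kt")
    while [ "$dir" != "/" ] && [ "$dir" != "." ]; do
        [ -x "$dir" ] || { echo "directory $dir is not searchable"; return 1; }
        dir=$(dirname "$dir")
    done
    [ -r "$kt" ] || { echo "keytab $kt is not readable"; return 1; }
    echo "keytab $kt is readable"
}

# Cause 3: AppArmor can deny the open even when file modes are correct; such
# denials are logged as audit lines like this constructed sample:
SAMPLE_DENIAL='Jun 21 10:02:39 sambabox kernel: type=1400 audit(1308672159.1:45): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/etc/bind/dns.keytab" pid=3302 comm="named" requested_mask="r" denied_mask="r"'

# Count DENIED lines for the given profile in a log file (0 when none).
count_apparmor_denials() {
    log=$1; profile=${2:-/usr/sbin/named}
    grep -c "apparmor=\"DENIED\".*profile=\"$profile\"" "$log" 2>/dev/null || true
}

if [ -n "${1:-}" ]; then
    rc=0
    check_ktname || rc=1
    check_keytab_access "$1" || rc=1
    n=$(count_apparmor_denials /var/log/syslog)
    [ "${n:-0}" = "0" ] || { echo "$n AppArmor denial(s) for named in syslog"; rc=1; }
    exit $rc
fi
```

If the script passes but named still logs "configuring TKEY: failure", the remaining suspect is the one Aaron raises: the GSSAPI prefix bind was built with, visible in the "built with" line of the log.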