[Samba] tkey-gssapi-credential and bind (Samba4)

Mauricio Tavares raubvogel at gmail.com
Tue Jun 21 13:22:40 MDT 2011


On Tue, Jun 21, 2011 at 1:14 PM, Aaron E. <ssureshot at gmail.com> wrote:
> In my experience this is due to gssapi not being compiled to the correct
> directory for bind.. I also used 11.04 and my compile path was
> --with-gssapi=/usr/include/gssapi, instead of /usr
>
      Aaron, in my case it seems to be pointing to /usr:

root at sambabox:~# named -V
BIND 9.7.3 built with '--prefix=/usr' '--mandir=/usr/share/man'
'--infodir=/usr/share/info' '--sysconfdir=/etc/bind'
'--localstatedir=/var' '--enable-threads' '--enable-largefile'
'--with-libtool' '--enable-shared' '--enable-static'
'--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld'
'--with-dlz-postgres=no' '--with-dlz-mysql=no' '--with-dlz-bdb=yes'
'--with-dlz-filesystem=yes' '--with-dlz-ldap=yes'
'--with-dlz-stub=yes' '--with-geoip=/usr' '--enable-ipv6'
'CFLAGS=-fno-strict-aliasing -DDIG_SIGCHASE -O2'
'LDFLAGS=-Wl,-Bsymbolic-functions' 'CPPFLAGS='
root at sambabox:~#

>
>
> On 06/21/2011 10:45 AM, Marcel Ritter wrote:
>>
>> Hi Mauricio,
>>
>> this is usually caused by one of 3 things:
>>
>> 1) bind is started without KRB5_KTNAME being set, and
>>      therefore doesn't know where to look for its keytab
>>
   Marcel, what I have in /etc/default/bind9 is

# Samba-related stuff
KEYTAB_FILE="/var/lib/samba/private/dns.keytab"
KRB5_KTNAME="/var/lib/samba/private/dns.keytab"
export KEYTAB_FILE
export KRB5_KTNAME

And here is what dns.keytab looks like:

-rw-r----- 1 root bind 1.3K 2011-06-21 09:57 /var/lib/samba/private/dns.keytab

>> 2) the bind user does not have access permission to the
>>     keytab (or any directory in its path)
>>
      As user bind (I edited /etc/passwd temporarily) I was able to
reach that file:

bind at sambabox:~$ cat /var/lib/samba/private/dns.keytab
HTEST.DOMAIN.COMDNStest.domain.com
[...]

>> 3) I also had problems related to apparmor (on Ubuntu 10.04)
>>     where the apparmor security framework prevented bind
>>     from accessing the keytab, even if file permissions were ok
>>
      I edited /etc/apparmor.d/usr.sbin.named per
http://blog.mycroes.nl/2010/09/installing-samba-4-on-ubuntu-maverick.html,
adding the following lines:

/var/lib/samba/private/* rw,
/var/lib/samba/private/dns/* rw,

>> Hope this helps,
>>     Marcel
>>
>> -----Original Message-----
>> From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org]
>> On Behalf Of Mauricio Tavares
>> Sent: Tuesday, 21 June 2011 16:11
>> To: samba at lists.samba.org
>> Subject: [Samba] tkey-gssapi-credential and bind (Samba4)
>>
>>       So I am in step 10 of the samba4 howto
>> (https://wiki.samba.org/index.php/Samba4/HOWTO#Step_10_Configure_kerberos_DNS_dynamic_updates);
>> my bind9 is 9.7.3 which seems to be current enough for this. In it we are
>> to add
>>
>>    tkey-gssapi-credential "DNS/samdom.example.com";
>>    tkey-domain "SAMDOM.EXAMPLE.COM";
>>
>> to /etc/bind/named.conf.options. Since my test domain is test.domain.com,
>> I changed the above to
>>
>>    tkey-gssapi-credential "DNS/test.domain.com";
>>    tkey-domain "TEST.DOMAIN.COM";
>>
>> In the log file I have:
>>
>> Jun 21 10:02:39 sambabox named[3302]: automatic empty zone: D.F.IP6.ARPA
>> Jun 21 10:02:39 sambabox named[3302]: automatic empty zone: 8.E.F.IP6.ARPA
>> Jun 21 10:02:39 sambabox named[3302]: automatic empty zone: 9.E.F.IP6.ARPA
>> Jun 21 10:02:39 sambabox named[3302]: automatic empty zone: A.E.F.IP6.ARPA
>> Jun 21 10:02:39 sambabox named[3302]: automatic empty zone: B.E.F.IP6.ARPA
>> Jun 21 10:02:39 sambabox named[3302]: automatic empty zone:
>> 8.B.D.0.1.0.0.2.IP6.ARPA
>> Jun 21 10:02:39 sambabox named[3302]: configuring TKEY: failure
>> Jun 21 10:02:39 sambabox named[3302]: loading configuration: failure
>> Jun 21 10:02:39 sambabox named[3302]: exiting (due to fatal error)
>> Jun 21 10:02:50 sambabox named[3316]: starting BIND 9.7.3 -u bind
>> Jun 21 10:02:50 sambabox named[3316]: built with '--prefix=/usr'
>> '--mandir=/usr/share/man' '--infodir=/usr/share/info'
>> '--sysconfdir=/etc/bind' '--localstatedir=/var' '--enable-threads'
>> '--enable-largefile' '--with-libtool' '--enable-shared'
>> '--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr'
>> '--with-gnu-ld' '--with-dlz-postgres=no' '--with-dlz-mysql=no'
>> '--with-dlz-bdb=yes' '--with-dlz-filesystem=yes' '--with-dlz-ldap=yes'
>> '--with-dlz-stub=yes' '--with-geoip=/usr' '--enable-ipv6'
>> 'CFLAGS=-fno-strict-aliasing -DDIG_SIGCHASE -O2'
>> 'LDFLAGS=-Wl,-Bsymbolic-functions' 'CPPFLAGS='
>>
>> IMHO, just saying "TKEY:failure" is not very helpful. I did find out the
>> line bind does not seem to like is the first one,
>>
>> tkey-gssapi-credential "DNS/test.domain.com";
>>
>> This is an ubuntu 11.04 machine if this matters.
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba

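As an added diagnostic for the three causes Marcel lists (KRB5_KTNAME not exported, keytab unreadable by the bind user, AppArmor), plus a check that the keytab actually holds the principal named in tkey-gssapi-credential, the script below can be run from a root shell before restarting bind9. It is not code from this thread, from Samba or from BIND. It assumes Linux with GNU coreutils `stat`, that named runs with group `bind`, MIT Kerberos `klist` for the principal check, and uses the paths quoted in the thread as defaults; the script name and the `run` argument are my own choices.

```shell
#!/bin/sh
# Added diagnostic for the three causes listed in the thread. Not from the
# thread, Samba or BIND. Assumes: Linux/GNU coreutils (stat -c), named runs
# with group "bind", MIT krb5 klist for check 4. Defaults are the paths
# quoted in the thread.
#
# Usage: sh bind-gsstsig-check.sh run [envfile] [keytab] [group] [profile] [principal]

# 1) /etc/default/bind9 must both assign KRB5_KTNAME to the keytab and export
#    it, or named starts without knowing where its keytab is.
env_exports_ktname() {
  envfile=$1 keytab=$2
  [ -r "$envfile" ] || return 1
  { grep -qF "KRB5_KTNAME=\"$keytab\"" "$envfile" \
    || grep -qF "KRB5_KTNAME=$keytab" "$envfile"; } || return 1
  grep -Eq '^[[:space:]]*export[[:space:]].*KRB5_KTNAME' "$envfile"
}

# Does object $1 grant group $2 the permission in mode column $3 (group bits)
# or, when $2 is not its group owner, column $4 (other bits)? Columns are
# 1-based positions in stat's symbolic mode, e.g. "-rw-r-----".
_grants() {
  mode=$(stat -c %A "$1") || return 1
  if [ "$(stat -c %G "$1")" = "$2" ]; then col=$3; else col=$4; fi
  case "$(printf '%s\n' "$mode" | cut -c"$col")" in
    r|w|x|s|t) return 0 ;;   # s and t: setgid/sticky with the x bit set
  esac
  return 1
}

# 2) The bind group must be able to traverse (x) every directory above the
#    keytab and read (r) the keytab itself. Derived from mode bits and group
#    owner, so there is no need to switch to the bind user. $3 (default /)
#    is the topmost directory to check; the offline test uses it.
keytab_readable_by_group() {
  keytab=$1 group=$2 top=${3:-/}
  [ -f "$keytab" ] || { echo "no such keytab: $keytab" >&2; return 1; }
  d=$(dirname "$keytab")
  while [ "$d" != "$top" ] && [ "$d" != "/" ]; do
    _grants "$d" "$group" 7 10 || { echo "$group cannot traverse $d" >&2; return 1; }
    d=$(dirname "$d")
  done
  _grants "$keytab" "$group" 5 8 || { echo "$group cannot read $keytab" >&2; return 1; }
}

# 3) The AppArmor profile for named must carry a read rule covering the
#    keytab's directory. Heuristic: a rule line naming that directory whose
#    permission word contains 'r' (e.g. "/var/lib/samba/private/* rw,").
apparmor_allows_dir() {
  profile=$1 dir=$2
  [ -r "$profile" ] || return 1
  grep -F "$dir/" "$profile" | grep -Eq '[[:space:]][a-zA-Z]*r[a-zA-Z]*,[[:space:]]*$'
}

# 4) The keytab must contain the principal named in tkey-gssapi-credential
#    (DNS/<host> in the thread). Needs klist; not exercised offline.
keytab_has_principal() {
  klist -k "$1" 2>/dev/null | grep -qF " $2@"
}

report() { if "$@"; then echo "PASS: $1"; else echo "FAIL: $1"; fi; }

if [ "${1:-}" = run ]; then
  envfile=${2:-/etc/default/bind9}
  keytab=${3:-/var/lib/samba/private/dns.keytab}
  group=${4:-bind}
  profile=${5:-/etc/apparmor.d/usr.sbin.named}
  principal=${6:-DNS/test.domain.com}
  report env_exports_ktname "$envfile" "$keytab"
  report keytab_readable_by_group "$keytab" "$group"
  report apparmor_allows_dir "$profile" "$(dirname "$keytab")"
  report keytab_has_principal "$keytab" "$principal"
fi
```

Once all four report PASS, `named-checkconf` on the configuration and an `nsupdate -g` run after `kinit` as an account permitted to update the zone exercise the GSS-TSIG path end to end. One least-privilege caveat on the AppArmor lines quoted in the thread: `rw` on `/var/lib/samba/private/*` lets named write to everything Samba keeps in that directory, not only the keytab; `r` on the keytab itself and `rw` only under `dns/` is the tighter rule.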
