[Samba] tkey-gssapi-credential and bind (Samba4)

Marcel Ritter Marcel.Ritter at rrze.uni-erlangen.de
Wed Jun 22 00:26:11 MDT 2011


Hi Mauricio,

the easiest way to find out, where named fails may be to
do an "strace -f /usr/sbin/named ..." (don't forget to set/export
the keytab environment variables before doing so).

Check the output of strace for accesses to the keytab file and
you will get some hints about what's wrong. You may also want
to check for the files mentioned below in the apparmor list.

In my apparmor config (Ubuntu 10.04) I had to add some more
entries (the list is far from optimized, but it works for me).

/opt/samba4/private/dns.keytab kr,
/opt/samba4/private/named.conf.update kr,
/opt/samba4/private/named.conf kr,
/opt/samba4/private/dns/* krw,
/var/tmp/krb5_* rw,
/var/tmp/DNS_* rw,

If you like you can send me the strace log in private, I'll have a look.
(AFAIK the allowed size of attachments on the list is quite small).

Bye,
    Marcel
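
The three causes Marcel lists (KRB5_KTNAME not exported, file permissions on the keytab path, AppArmor) can each be checked offline before reaching for strace. What follows is an added example written for this thread, not code from Samba, BIND, Ubuntu or either poster: it parses an /etc/default/bind9-style file to confirm KRB5_KTNAME is assigned *and* exported, walks the keytab path with the Unix permission rule the kernel applies to the bind user, and matches the keytab against AppArmor file rules with their glob semantics. The sample inputs are constructed from what Mauricio and Marcel posted; the uid/gid of the bind user, the directory modes and the 'rk' permission set asked of AppArmor are assumptions.

```python
"""Offline checks for the three causes Marcel lists: KRB5_KTNAME not exported
to named, the bind user lacking Unix permission along the keytab path, and an
AppArmor profile that does not cover the keytab.  Added example for this thread,
not Samba/BIND/Ubuntu code; uid/gid, directory modes and 'rk' are assumptions."""
import re
import stat

_ASSIGN = re.compile(r'''^(?:export\s+)?([A-Za-z_]\w*)=(?:"([^"]*)"|'([^']*)'|(\S*))$''')
_EXPORT = re.compile(r'^export\s+((?:[A-Za-z_]\w*\s*)+)$')
_RULE = re.compile(r'^(?:owner\s+)?(/\S*)\s+([A-Za-z]+),$')


def exported_vars(defaults_text):
    """Return {name: value} for variables in an /etc/default/bind9-style file that
    are both assigned and exported.  Assigned-but-not-exported is left out on
    purpose: the init script's shell sees it, named's GSSAPI library does not."""
    assigned, exported = {}, set()
    for raw in defaults_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if m := _ASSIGN.match(line):
            assigned[m.group(1)] = next(v for v in m.groups()[1:] if v is not None)
            if line.startswith("export "):
                exported.add(m.group(1))
        elif m := _EXPORT.match(line):
            exported.update(m.group(1).split())
    return {n: v for n, v in assigned.items() if n in exported}


def path_access_problems(entries, uid, gids):
    """entries: (path, mode, owner_uid, owner_gid) for every directory on the
    way to the keytab, keytab last.  Classic Unix DAC for a non-root process:
    owner bits if uid matches, else group bits if a gid matches, else other
    bits; directories need search (x), the file needs read (r).  Stops at the
    first denial, since nothing below an unsearchable directory is reachable."""
    for i, (path, mode, f_uid, f_gid) in enumerate(entries):
        is_file = i == len(entries) - 1
        if f_uid == uid:
            r_bit, x_bit = stat.S_IRUSR, stat.S_IXUSR
        elif f_gid in gids:
            r_bit, x_bit = stat.S_IRGRP, stat.S_IXGRP
        else:
            r_bit, x_bit = stat.S_IROTH, stat.S_IXOTH
        if not mode & (r_bit if is_file else x_bit):
            return [f"{path}: {'read' if is_file else 'search'} denied for uid {uid}"]
    return []


def apparmor_rule_for(profile_text, path, needed):
    """Return (first file rule matching path, permission letters it lacks).
    Globs as used in the profiles on this page: '*' stays inside one path
    component, '**' crosses '/', '?' is one character.  Take 'needed' from the
    requested_mask of the apparmor="DENIED" line in the kernel log."""
    for raw in profile_text.splitlines():
        m = _RULE.match(raw.strip())
        if not m:
            continue
        glob, perms = m.groups()
        rx = (re.escape(glob).replace(r"\*\*", ".*")
              .replace(r"\*", "[^/]*").replace(r"\?", "[^/]"))
        if re.fullmatch(rx, path):
            return raw.strip(), "".join(c for c in needed if c not in perms)
    return None, needed


# Constructed sample data, taken from the postings where available.
DEFAULTS_BIND9 = ('# Samba-related stuff\nKEYTAB_FILE="/var/lib/samba/private/dns.keytab"\n'
                  'KRB5_KTNAME="/var/lib/samba/private/dns.keytab"\n'
                  'export KEYTAB_FILE\nexport KRB5_KTNAME\n')
KEYTAB = "/var/lib/samba/private/dns.keytab"
BIND_UID, BIND_GIDS = 105, {112}        # assumed uid/gid of the 'bind' user
KEYTAB_PATH = [                         # dns.keytab is -rw-r----- root:bind as posted,
    ("/var", 0o755, 0, 0),              # the directory modes are assumed
    ("/var/lib", 0o755, 0, 0),
    ("/var/lib/samba", 0o755, 0, 0),
    ("/var/lib/samba/private", 0o750, 0, 112),
    (KEYTAB, 0o640, 0, 112),
]
MAURICIO_RULES = "/var/lib/samba/private/* rw,\n/var/lib/samba/private/dns/* rw,\n"
MARCEL_RULES = ("/opt/samba4/private/dns.keytab kr,\n"
                "/opt/samba4/private/dns/* krw,\n/var/tmp/krb5_* rw,\n")


def report(defaults, entries, rules, keytab, needed):
    """Run the three checks; an empty list means all of them pass."""
    findings = []
    if exported_vars(defaults).get("KRB5_KTNAME") != keytab:
        findings.append("KRB5_KTNAME is not exported to named or names another file")
    findings += path_access_problems(entries, BIND_UID, BIND_GIDS)
    rule, missing = apparmor_rule_for(rules, keytab, needed)
    if rule is None:
        findings.append(f"no AppArmor rule matches {keytab}")
    elif missing:
        findings.append(f"AppArmor rule '{rule}' lacks '{missing}'")
    return findings


if __name__ == "__main__":
    for line in report(DEFAULTS_BIND9, KEYTAB_PATH, MAURICIO_RULES, KEYTAB, "rk") or ["all checks pass"]:
        print(line)
```

On a real host, replace the constructed stat tuples with os.stat() results for each path component and take the needed permission letters from the requested_mask of the apparmor="DENIED" line in the kernel log; the only difference between Mauricio's `rw` rules and Marcel's `kr` rules is the `k` (file lock) letter, and that is exactly what the checker reports when asked for it. To confirm that the bind user can read the keytab, `klist -k /var/lib/samba/private/dns.keytab` lists the principals without dumping key material to the terminal the way cat does.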

-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On Behalf Of Mauricio Tavares
Sent: Tuesday, 21 June 2011 21:23
To: samba at lists.samba.org
Subject: Re: [Samba] tkey-gssapi-credential and bind (Samba4)

On Tue, Jun 21, 2011 at 1:14 PM, Aaron E. <ssureshot at gmail.com> wrote:
> In my experience this is due to gssapi not being compiled to the
> correct directory for bind. I also used 11.04 and my compile path was
> --with-gssapi=/usr/include/gssapi, instead of /usr
>
      Aaron, in my case it seems to be pointing to /usr:

root at sambabox:~# named -V
BIND 9.7.3 built with '--prefix=/usr' '--mandir=/usr/share/man'
'--infodir=/usr/share/info' '--sysconfdir=/etc/bind'
'--localstatedir=/var' '--enable-threads' '--enable-largefile'
'--with-libtool' '--enable-shared' '--enable-static'
'--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld'
'--with-dlz-postgres=no' '--with-dlz-mysql=no' '--with-dlz-bdb=yes'
'--with-dlz-filesystem=yes' '--with-dlz-ldap=yes'
'--with-dlz-stub=yes' '--with-geoip=/usr' '--enable-ipv6'
'CFLAGS=-fno-strict-aliasing -DDIG_SIGCHASE -O2'
'LDFLAGS=-Wl,-Bsymbolic-functions' 'CPPFLAGS='
root at sambabox:~#

>
>
> On 06/21/2011 10:45 AM, Marcel Ritter wrote:
>>
>> Hi Mauricio,
>>
>> this is usually caused by one of 3 things:
>>
>> 1) bind is started without KRB5_KTNAME being set, and
>>      therefore doesn't know where to look for its keytab
>>
   Marcel, what I have in /etc/default/bind9 is

# Samba-related stuff
KEYTAB_FILE="/var/lib/samba/private/dns.keytab"
KRB5_KTNAME="/var/lib/samba/private/dns.keytab"
export KEYTAB_FILE
export KRB5_KTNAME

And here is what dns.keytab looks like:

-rw-r----- 1 root bind 1.3K 2011-06-21 09:57 /var/lib/samba/private/dns.keytab

>> 2) the bind user does not have access permission to the
>>     keytab (or any directory in its path)
>>
      As user bind (I edited /etc/passwd temporarily) I was able to reach that file:

bind at sambabox:~$ cat /var/lib/samba/private/dns.keytab
HTEST.DOMAIN.COMDNStest.domain.com
[...]

>> 3) I also had problems related to apparmor (on Ubuntu 10.04)
>>     where the apparmor security framework prevented bind
>>     from accessing the keytab, even if file permissions were ok
>>
      I edited /etc/apparmor.d/usr.sbin.named per http://blog.mycroes.nl/2010/09/installing-samba-4-on-ubuntu-maverick.html,
adding the following lines:

/var/lib/samba/private/* rw,
/var/lib/samba/private/dns/* rw,

>> Hope this helps,
>>     Marcel
>>
>> -----Original Message-----
>> From: samba-bounces at lists.samba.org
>> [mailto:samba-bounces at lists.samba.org]
>> On Behalf Of Mauricio Tavares
>> Sent: Tuesday, 21 June 2011 16:11
>> To: samba at lists.samba.org
>> Subject: [Samba] tkey-gssapi-credential and bind (Samba4)
>>
>>       So I am in step 10 of the samba4 howto
>> (https://wiki.samba.org/index.php/Samba4/HOWTO#Step_10_Configure_kerberos_DNS_dynamic_updates);
>> my bind9 is 9.7.3 which seems to be current enough for this. In it we are to add
>>
>>    tkey-gssapi-credential "DNS/samdom.example.com";
>>    tkey-domain "SAMDOM.EXAMPLE.COM";
>>
>> to /etc/bind/named.conf.options. Since my test domain is 
>> test.domain.com, I changed the above to
>>
>>    tkey-gssapi-credential "DNS/test.domain.com";
>>    tkey-domain "TEST.DOMAIN.COM";
>>
>> In the log file I have:
>>
>> Jun 21 10:02:39 sambabox named[3302]: automatic empty zone: D.F.IP6.ARPA
>> Jun 21 10:02:39 sambabox named[3302]: automatic empty zone: 8.E.F.IP6.ARPA
>> Jun 21 10:02:39 sambabox named[3302]: automatic empty zone: 9.E.F.IP6.ARPA
>> Jun 21 10:02:39 sambabox named[3302]: automatic empty zone: A.E.F.IP6.ARPA
>> Jun 21 10:02:39 sambabox named[3302]: automatic empty zone: B.E.F.IP6.ARPA
>> Jun 21 10:02:39 sambabox named[3302]: automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
>> Jun 21 10:02:39 sambabox named[3302]: configuring TKEY: failure
>> Jun 21 10:02:39 sambabox named[3302]: loading configuration: failure
>> Jun 21 10:02:39 sambabox named[3302]: exiting (due to fatal error)
>> Jun 21 10:02:50 sambabox named[3316]: starting BIND 9.7.3 -u bind
>> Jun 21 10:02:50 sambabox named[3316]: built with '--prefix=/usr'
>> '--mandir=/usr/share/man' '--infodir=/usr/share/info'
>> '--sysconfdir=/etc/bind' '--localstatedir=/var' '--enable-threads'
>> '--enable-largefile' '--with-libtool' '--enable-shared'
>> '--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr'
>> '--with-gnu-ld' '--with-dlz-postgres=no' '--with-dlz-mysql=no'
>> '--with-dlz-bdb=yes' '--with-dlz-filesystem=yes' '--with-dlz-ldap=yes'
>> '--with-dlz-stub=yes' '--with-geoip=/usr' '--enable-ipv6'
>> 'CFLAGS=-fno-strict-aliasing -DDIG_SIGCHASE -O2'
>> 'LDFLAGS=-Wl,-Bsymbolic-functions' 'CPPFLAGS='
>>
>> IMHO, just saying "TKEY: failure" is not very helpful. I did find out
>> the line bind does not seem to like is the first one,
>>
>> tkey-gssapi-credential "DNS/test.domain.com";
>>
>> This is an ubuntu 11.04 machine if this matters.
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>
