[Samba] tkey-gssapi-credential and bind (Samba4)

Mauricio Tavares raubvogel at gmail.com
Tue Jun 28 03:17:22 MDT 2011


On 06/22/2011 02:26 AM, Marcel Ritter wrote:
> Hi Mauricio,
>
> the easiest way to find out, where named fails may be to
> do an "strace -f /usr/sbin/named ..." (don't forget to set/export
> the keytab environment variables before doing so).
>
> Check the output of strace for accesses to the keytab file and
> you will get some hints about what's wrong. You may also want
> to check for the files mentioned below in the apparmor list.
>
> In my apparmor config (Ubuntu 10.04) I had to add some more
> entries (the list is far from optimized, but it works for me).
>
> /opt/samba4/private/dns.keytab kr,
> /opt/samba4/private/named.conf.update kr,
> /opt/samba4/private/named.conf kr,
> /opt/samba4/private/dns/* krw,
> /var/tmp/krb5_* rw,
> /var/tmp/DNS_* rw,
>
> If you like you can send me the strace log in private, I'll have a look.
> (AFAIK the allowed size of attachments on the list is quite small).
>
	You were right about the apparmor; I disabled it temporarily for named 
and bind was happy again. I will try your list later (since I found out 
I can't do cross-realm between samba4's kerberos and our (mit) currently 
working setup, samba 4 just dropped out of my priority list).

> Bye,
>      Marcel
>
> -----Original Message-----
> From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On behalf of Mauricio Tavares
> Sent: Tuesday, 21 June 2011 21:23
> To: samba at lists.samba.org
> Subject: Re: [Samba] tkey-gssapi-credential and bind (Samba4)
>
> On Tue, Jun 21, 2011 at 1:14 PM, Aaron E.<ssureshot at gmail.com>  wrote:
>> In my experience this is due to gssapi not being compiled to the
>> correct directory for bind.. I also used 11.04 and my compile path was
>> --with-gssapi=/usr/include/gssapi,, instead of /usr
>>
>        Aaron, in my case it seems to be pointing to /usr:
>
> root at sambabox:~# named -V
> BIND 9.7.3 built with '--prefix=/usr' '--mandir=/usr/share/man'
> '--infodir=/usr/share/info' '--sysconfdir=/etc/bind'
> '--localstatedir=/var' '--enable-threads' '--enable-largefile'
> '--with-libtool' '--enable-shared' '--enable-static'
> '--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld'
> '--with-dlz-postgres=no' '--with-dlz-mysql=no' '--with-dlz-bdb=yes'
> '--with-dlz-filesystem=yes' '--with-dlz-ldap=yes'
> '--with-dlz-stub=yes' '--with-geoip=/usr' '--enable-ipv6'
> 'CFLAGS=-fno-strict-aliasing -DDIG_SIGCHASE -O2'
> 'LDFLAGS=-Wl,-Bsymbolic-functions' 'CPPFLAGS='
> root at sambabox:~#
>
>>
>>
>> On 06/21/2011 10:45 AM, Marcel Ritter wrote:
>>>
>>> Hi Mauricio,
>>>
>>> this is usually caused by one of 3 things:
>>>
>>> 1) bind is started without KRB5_KTNAME being set, and
>>>       therefore doesn't know where to look for its keytab
>>>
>     Marcel, what I have in /etc/default/bind9 is
>
> # Samba-related stuff
> KEYTAB_FILE="/var/lib/samba/private/dns.keytab"
> KRB5_KTNAME="/var/lib/samba/private/dns.keytab"
> export KEYTAB_FILE
> export KRB5_KTNAME
>
> And here is what dns.keytab looks like:
>
> -rw-r----- 1 root bind 1.3K 2011-06-21 09:57 /var/lib/samba/private/dns.keytab
>
>>> 2) the bind user does not have access permission to the
>>>      keytab (or any directory in its path)
>>>
>        As user bind (I edited /etc/passwd temporarily) I was able to reach that file:
>
> bind at sambabox:~$ cat /var/lib/samba/private/dns.keytab HTEST.DOMAIN.COMDNStest.domain.com
> [...]
>
>>> 3) I also had problems related to apparmor (on Ubuntu 10.04)
>>>      where the apparmor security framework prevented bind
>>>      from accessing the keytab, even if file permissions were ok
>>>
>        I edited /etc/apparmor.d/usr.sbin.named per http://blog.mycroes.nl/2010/09/installing-samba-4-on-ubuntu-maverick.html, adding the following lines:
>
> /var/lib/samba/private/* rw,
> /var/lib/samba/private/dns/* rw,
>
>>> Hope this helps,
>>>      Marcel
>>>
>>> -----Original Message-----
>>> From: samba-bounces at lists.samba.org
>>> [mailto:samba-bounces at lists.samba.org]
>>> On behalf of Mauricio Tavares
>>> Sent: Tuesday, 21 June 2011 16:11
>>> To: samba at lists.samba.org
>>> Subject: [Samba] tkey-gssapi-credential and bind (Samba4)
>>>
>>>        So I am in step 10 of the samba4 howto
>>> (https://wiki.samba.org/index.php/Samba4/HOWTO#Step_10_Configure_kerberos_DNS_dynamic_updates);
>>> my bind9 is 9.7.3 which seems to be current enough for this. In it we are to add
>>>
>>>     tkey-gssapi-credential "DNS/samdom.example.com";
>>>     tkey-domain "SAMDOM.EXAMPLE.COM";
>>>
>>> to /etc/bind/named.conf.options. Since my test domain is
>>> test.domain.com, I changed the above to
>>>
>>>     tkey-gssapi-credential "DNS/test.domain.com";
>>>     tkey-domain "TEST.DOMAIN.COM";
>>>
>>> In the log file I have:
>>>
>>> Jun 21 10:02:39 sambabox named[3302]: automatic empty zone: D.F.IP6.ARPA
>>> Jun 21 10:02:39 sambabox named[3302]: automatic empty zone: 8.E.F.IP6.ARPA
>>> Jun 21 10:02:39 sambabox named[3302]: automatic empty zone: 9.E.F.IP6.ARPA
>>> Jun 21 10:02:39 sambabox named[3302]: automatic empty zone: A.E.F.IP6.ARPA
>>> Jun 21 10:02:39 sambabox named[3302]: automatic empty zone: B.E.F.IP6.ARPA
>>> Jun 21 10:02:39 sambabox named[3302]: automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
>>> Jun 21 10:02:39 sambabox named[3302]: configuring TKEY: failure
>>> Jun 21 10:02:39 sambabox named[3302]: loading configuration: failure
>>> Jun 21 10:02:39 sambabox named[3302]: exiting (due to fatal error)
>>> Jun 21 10:02:50 sambabox named[3316]: starting BIND 9.7.3 -u bind
>>> Jun 21 10:02:50 sambabox named[3316]: built with '--prefix=/usr'
>>> '--mandir=/usr/share/man' '--infodir=/usr/share/info'
>>> '--sysconfdir=/etc/bind' '--localstatedir=/var' '--enable-threads'
>>> '--enable-largefile' '--with-libtool' '--enable-shared'
>>> '--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr'
>>> '--with-gnu-ld' '--with-dlz-postgres=no' '--with-dlz-mysql=no'
>>> '--with-dlz-bdb=yes' '--with-dlz-filesystem=yes' '--with-dlz-ldap=yes'
>>> '--with-dlz-stub=yes' '--with-geoip=/usr' '--enable-ipv6'
>>> 'CFLAGS=-fno-strict-aliasing -DDIG_SIGCHASE -O2'
>>> 'LDFLAGS=-Wl,-Bsymbolic-functions' 'CPPFLAGS='
>>>
>>> IMHO, just saying "TKEY:failure" is not very helpful. I did find out
>>> the line bind does not seem to like is the first one,
>>>
>>> tkey-gssapi-credential "DNS/test.domain.com";
>>>
>>> This is an ubuntu 11.04 machine if this matters.
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions:  https://lists.samba.org/mailman/options/samba
>>
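Marcel's three checks (KRB5_KTNAME actually exported to named, keytab readable by the bind user, an apparmor rule covering the keytab path) pulled into one pre-flight script, as an added example that is not part of this thread. It assumes the Debian/Ubuntu paths /etc/default/bind9 and /etc/apparmor.d/usr.sbin.named and the plain path-plus-permissions apparmor rule syntax shown in the quoted lists; the function names are constructed.

```shell
#!/bin/sh
# Pre-flight checks for the three causes of "configuring TKEY: failure" that
# the thread works through: KRB5_KTNAME not exported to named, the keytab not
# readable by the bind user, and apparmor denying the path. Constructed
# example, not from the thread; paths are parameters so it runs on test copies.

# 1) Does the defaults file (normally /etc/default/bind9) *export* KRB5_KTNAME?
#    A bare assignment is invisible to named, so read the value back through a
#    child shell, which only sees exported variables. Prints the keytab path.
exported_ktname() {
    [ -r "$1" ] || return 1
    kt=$( . "$1" && sh -c 'printf %s "${KRB5_KTNAME-}"' )
    [ -n "$kt" ] && printf '%s\n' "$kt"
}

# 2) Is the keytab readable by the group named runs as (thread shows
#    -rw-r----- root:bind), or by everyone? find-only, no user switch needed.
keytab_group_readable() {   # $1 keytab, $2 group (bind on Debian/Ubuntu)
    [ -n "$(find "$1" -maxdepth 0 -type f \( -group "$2" -perm -040 -o -perm -004 \) 2>/dev/null)" ]
}

# 3) Does the apparmor profile (normally /etc/apparmor.d/usr.sbin.named) grant
#    'r' on the keytab? Rules look like "/var/lib/samba/private/* rw,".
#    apparmor's '*' does not cross '/', so a rule without '**' only applies
#    when its directory equals the keytab's; the glob itself is matched by case.
apparmor_allows_read() {    # $1 profile, $2 keytab; prints the matching rule
    prof=$1 target=$2
    [ -r "$prof" ] || return 1
    hit=$(sed -n 's|^[[:space:]]*\(/[^[:space:]]*\)[[:space:]][[:space:]]*\([A-Za-z]*\),.*|\1 \2|p' "$prof" |
        while read -r glob perms; do
            case "$perms" in *r*) ;; *) continue ;; esac
            case "$glob" in *'**'*) ;; *) [ "${glob%/*}" = "${target%/*}" ] || continue ;; esac
            case "$target" in $glob) echo "$glob $perms,"; break ;; esac
        done)
    [ -n "$hit" ] && printf '%s\n' "$hit"
}

# Run all three; defaults to the live paths used on Mauricio's Ubuntu box.
preflight() {
    defaults=${1:-/etc/default/bind9} profile=${2:-/etc/apparmor.d/usr.sbin.named}
    kt=$(exported_ktname "$defaults") || { echo "FAIL: KRB5_KTNAME not exported in $defaults"; return 1; }
    echo "KRB5_KTNAME=$kt"
    keytab_group_readable "$kt" bind || echo "FAIL: $kt not readable by group bind"
    apparmor_allows_read "$profile" "$kt" || echo "FAIL: no apparmor rule grants r on $kt"
}

if [ "$#" -gt 0 ]; then preflight "$@"; fi
```

Run it as `sh preflight.sh /etc/default/bind9 /etc/apparmor.d/usr.sbin.named`; a passing apparmor check prints the rule that covers the keytab, which is the line to compare against Marcel's list when the check fails.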
