[Samba] dns.keytab for Samba4 and Bind9

Adam Thorn alt36 at cam.ac.uk
Thu Jun 30 17:30:50 MDT 2011

On Wed, 2011-06-29 at 18:55 +0100, Adam Thorn wrote:
> Hi,
> When provisioning a new domain, samba4
> creates /usr/local/samba/private/dns.keytab. What's the best way to
> create that file manually, when not provisioning a new domain?
> My use case is how one migrates from a Windows AD+DNS to samba4+bind9. I
> begin by joining a new samba4 instance as a DC to an existing Windows
> domain (so no "/source4/setup/provision"), then getting rid of the
> Windows DC and pointing my DNS clients to a bind9 server - which I'd
> like to be dynamically updated by samba.

We've figured out how to do this, so here's how we did it, given that we
couldn't find instructions elsewhere on the web. Let's say we have a
server called "smbserver" in the ad.example.com domain. First create a
base64-encoded password for an AD service account which will do the DDNS
updates; for example, we did this via a Python command-line:
from base64 import b64encode

which will output an encoded password - copy that string, without the
quote marks which surround it. (If you'd prefer a different base64
encoder, make sure to set the character encoding correctly.) Create
dns.ldif with the following contents:

dn: CN=dns-smbserver,CN=Users,DC=ad,DC=example,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
description: DNS Service Account for smbserver
userAccountControl: 512
accountExpires: 9223372036854775807
sAMAccountName: dns-smbserver
servicePrincipalName: DNS/smbserver.ad.example.com
servicePrincipalName: DNS/ad.example.com
clearTextPassword:: base64encodedpassword

except in place of base64encodedpassword for the clearTextPassword,
paste the base64-encoded password from earlier. We based this ldif on
source4/setup/provision_dns_add.ldif, with the modification that we
didn't set the isCriticalSystemObject attribute to TRUE, otherwise you
get an error when importing the ldif. We'll do that next; first get a
Kerberos ticket (kinit domainAdminAccountName) then run

ldbadd -H ldap://smbserver -v -k yes dns.ldif

Next, cd to source4/scripting/bin/ and run

./ktpass.sh --out dns.keytab --pass myRandomPassword --princ

Depending on your setup, you may also need to set the
--path-to-ldbsearch option. Move dns.keytab
to /usr/local/samba/private/, and also chown dns.keytab to bind.bind (or
named.named, or whatever's appropriate for the user which runs your bind
daemon). Also, mkdir /usr/local/samba/private/dns and chown that
directory to bind.bind. Now that the dns.keytab is in place, follow the
instructions for setting up DNS at

Hopefully this'll be of use to someone else!
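
Added example, not part of the original post or of Samba's code: a Python script that produces the dns.ldif described above with a freshly generated service-account password. It assumes the password is encoded as UTF-16-LE before base64 (the post only says to set the character encoding correctly); the function names and the write_private helper are hypothetical.

```python
import os
import secrets
from base64 import b64encode

# LDIF body copied from the post; only host, domain and password vary.
LDIF_TEMPLATE = """\
dn: CN=dns-{host},CN=Users,{base_dn}
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
description: DNS Service Account for {host}
userAccountControl: 512
accountExpires: 9223372036854775807
sAMAccountName: dns-{host}
servicePrincipalName: DNS/{host}.{domain}
servicePrincipalName: DNS/{domain}
clearTextPassword:: {password_b64}
"""


def encode_password(password):
    # Assumption: clearTextPassword expects UTF-16-LE bytes, base64-encoded.
    return b64encode(password.encode("utf-16-le")).decode("ascii")


def build_dns_ldif(host, domain, password):
    # ad.example.com -> DC=ad,DC=example,DC=com
    base_dn = ",".join("DC=" + label for label in domain.split("."))
    return LDIF_TEMPLATE.format(host=host, domain=domain, base_dn=base_dn,
                                password_b64=encode_password(password))


def write_private(path, text):
    # base64 is an encoding, not encryption: create the file 0600 and
    # refuse to overwrite or follow an existing path (O_EXCL).
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as handle:
        handle.write(text)


if __name__ == "__main__":
    password = secrets.token_urlsafe(32)  # random, shell-safe characters
    write_private("dns.ldif", build_dns_ldif("smbserver", "ad.example.com", password))
    # The same password is needed again for ktpass.sh --pass.
    print(password)
```

Remove dns.ldif once ldbadd has imported it, since it holds a recoverable copy of the password.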

