[Samba] dns.keytab for Samba4 and Bind9
Adam Thorn
alt36 at cam.ac.uk
Thu Jun 30 17:30:50 MDT 2011
On Wed, 2011-06-29 at 18:55 +0100, Adam Thorn wrote:
> Hi,
>
> When provisioning a new domain, samba4
> creates /usr/local/samba/private/dns.keytab. What's the best way to
> create that file manually, when not provisioning a new domain?
>
> My use case is how one migrates from a Windows AD+DNS to samba4+bind9. I
> begin by joining a new samba4 instance as a DC to an existing Windows
> domain (so no "/source4/setup/provision"), then getting rid of the
> Windows DC and pointing my DNS clients to a bind9 server - which I'd
> like to be dynamically updated by samba.
We've figured out how to do this, so here's how we did it, given that we
couldn't find instructions elsewhere on the web. Let's say we have a
server called "smbserver" in the ad.example.com domain. First create a
base64-encoded password for an AD service account which will do the DDNS
updates; for example, we did this via a python command-line:
from base64 include b64encode
b64encode('myRandomPassword'.encode('utf-16-le'))
which will output an encoded password - copy that string, without the
quote marks which surround it. (if you'd prefer a different base64
encoder, make sure to set the character encoding correctly.) Create
dns.ldif with the following contents:
dn: CN=dns-smbserver,CN=Users,DC=ad,DC=example,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
description: DNS Service Account for smbserver
userAccountControl: 512
accountExpires: 9223372036854775807
sAMAccountName: dns-smbserver
servicePrincipalName: DNS/smbserver.ad.example.com
servicePrincipalName: DNS/ad.example.com
clearTextPassword:: base64encodedpassword
except in place of base64encodedpassword for the clearTextPassword,
paste the base64-encoded password from earlier. We based this ldif on
source4/setup/provision_dns_add.ldif, with the modification that we
didn't set the isCriticalSystemObject attribute to TRUE, otherwise you
get an error when importing the ldif. We'll do that next; first get a
kerberos ticket (kinit domainAdminAccountName) then run
ldbadd -H ldap://smbserver -v -k yes dns.ldif
Next, cd to source4/scripting/bin/ and run
./ktpass.sh --out dns.keytab --pass myRandomPassword --princ
DNS/ad.example.com
Depending on your setup, you may also need to set the
--path-to-ldbsearch option. Move dns.keytab
to /usr/local/samba/private/, and also chown dns.keytab to bind.bind (or
named.named, or whatever's appropriate for the user which runs your bind
daemon). Also, mkdir /usr/local/samba/private/dns and chown that
directory to bind.bind. Now that the dns.keytab is in place, follow the
instructions for setting up DNS at
http://wiki.samba.org/index.php/Samba4/HOWTO.
Hopefully this'll be of use to someone else!
Adam
More information about the samba
mailing list