[Samba] Question regarding creation of dns.keytab for joined Samba4 server

Andreas Oster aoster at novanetwork.de
Sat Jan 14 04:12:19 MST 2012

Hello all,

I have migrated an old Win2k Active Directory to a Samba4 only
domain. Because the provision step has not been used I now do
not have the dns.keytab file for secure dynamic DNS updates
with bind9. I have found a useful link here:


but I am not sure if this is the right way to manually create
the missing AD entries and dns.keytab file.

One thing I am worried about is that I do have two samba servers.
What does the ldif file need to look like to allow both servers to
update DNS entries?

dn: CN=dns-smbserver,CN=Users,DC=example,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
description: DNS Service Account for smbserver
userAccountControl: 512
accountExpires: 9223372036854775807
sAMAccountName: dns-smbserver
servicePrincipalName: DNS/smbserver1.example.com     ????
servicePrincipalName: DNS/smbserver2.example.com     ????
servicePrincipalName: DNS/example.com
clearTextPassword:: base64encodedpassword

What should the named.conf entry look like?

tkey-gssapi-credential "DNS/smbserver1.example.com";
tkey-domain "EXAMPLE.COM";

but what about smbserver2 ?

Thank you for your kind help

best regards
