[Samba] keytab question.

Rowland Penny rowlandpenny at googlemail.com
Tue Mar 4 04:51:49 MST 2014


On 04/03/14 11:10, L.P.H. van Belle wrote:
> Hai,
>   
> I'm working on my dhcp server + dns setup with samba4.
>   
> I've exported the keytabs
>   
> samba-tool domain exportkeytab /home/krb5.keytab.samba4
>   
> when I read the contents of this keytab
>   
> ktutil
> rkt /home/krb5.keytab.samba4
> list
>
>     1    1             RTD-DC1$@INTERNAL.DOMAIN.TLD
>     2    1             RTD-DC1$@INTERNAL.DOMAIN.TLD
>     3    1             RTD-DC1$@INTERNAL.DOMAIN.TLD
>     4    1        Administrator@INTERNAL.DOMAIN.TLD
>     5    1        Administrator@INTERNAL.DOMAIN.TLD
>     6    1        Administrator@INTERNAL.DOMAIN.TLD
>     7    1          dns-RTD-DC1@INTERNAL.DOMAIN.TLD
>     8    1          dns-RTD-DC1@INTERNAL.DOMAIN.TLD
>     9    1          dns-RTD-DC1@INTERNAL.DOMAIN.TLD
>    10    1               krbtgt@INTERNAL.DOMAIN.TLD
>    11    1               krbtgt@INTERNAL.DOMAIN.TLD
>    12    1               krbtgt@INTERNAL.DOMAIN.TLD
>   
>    
> and I look at the keytab Samba generated:
>    ktutil
>    rkt /var/lib/samba/private/secrets.keytab
>    list
>     1    1         HOST/rtd-dc1@INTERNAL.DOMAIN.TLD
>     2    1 HOST/rtd-dc1.INTERNAL.DOMAIN.TLD@INTERNAL.DOMAIN.TLD
>     3    1             RTD-DC1$@INTERNAL.DOMAIN.TLD
>     4    1         HOST/rtd-dc1@INTERNAL.DOMAIN.TLD
>     5    1 HOST/rtd-dc1.INTERNAL.DOMAIN.TLD@INTERNAL.DOMAIN.TLD
>     6    1             RTD-DC1$@INTERNAL.DOMAIN.TLD
>     7    1         HOST/rtd-dc1@INTERNAL.DOMAIN.TLD
>     8    1 HOST/rtd-dc1.INTERNAL.DOMAIN.TLD@INTERNAL.DOMAIN.TLD
>     9    1             RTD-DC1$@INTERNAL.DOMAIN.TLD
>    10    1         HOST/rtd-dc1@INTERNAL.DOMAIN.TLD
>    11    1 HOST/rtd-dc1.INTERNAL.DOMAIN.TLD@INTERNAL.DOMAIN.TLD
>    12    1             RTD-DC1$@INTERNAL.DOMAIN.TLD
>    13    1         HOST/rtd-dc1@INTERNAL.DOMAIN.TLD
>    14    1 HOST/rtd-dc1.INTERNAL.DOMAIN.TLD@INTERNAL.DOMAIN.TLD
>    15    1             RTD-DC1$@INTERNAL.DOMAIN.TLD
>   
>   
> in the krb5.conf I need to define the default keytab name
>   
>   default_keytab_name = FILE:/etc/krb5.keytab
>
> but now the question, which keytab should I use?
> I know I have to configure our DNS server to support dynamic DNS updates in the clear (insecure) by using the allow-update directive
>   
> I've seen the update policy
>   
> cat /var/lib/samba/private/named.conf.update
> /* this file is auto-generated - do not edit */
> update-policy {
>          grant INTERNAL.DOMAIN.TLD ms-self * A AAAA;
>          grant Administrator@INTERNAL.DOMAIN.TLD wildcard * A AAAA SRV CNAME;
>          grant RTD-DC1$@INTERNAL.DOMAIN.TLD wildcard * A AAAA SRV CNAME;
> };
>
>
> but I was thinking I needed the user: dns-RTD-DC1@INTERNAL.DOMAIN.TLD
> this is the "logical" one to pick.
>
> so, what's advised, and what do you use?
>
> this part is not clear to me.
>   
> Best regards,
>   
> Louis
>
Hi Louis, I would suggest starting here:

http://blog.michael.kuron-germany.de/2011/02/isc-dhcpd-dynamic-dns-updates-against-secure-microsoft-dns/

and after reading this, if you are still confused, email me off list and 
I will try to help you; I have been running samba4, bind9 and dhcp for 
over 12 months.

Rowland
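As an added example (not part of this thread or of Samba), a small Python check that evaluates the auto-generated update-policy Louis posted against the principals his exported keytab contains, to show which of them BIND would actually allow to update records. The policy text and principal list are constructed copies of what appears above; only the two rule types the Samba-generated policy uses (ms-self and wildcard) are modelled.

```python
import re

# Constructed inputs that mirror what the thread shows: Samba's auto-generated
# named.conf.update and the principals ktutil listed in the exported keytab.
UPDATE_POLICY = """\
update-policy {
         grant INTERNAL.DOMAIN.TLD ms-self * A AAAA;
         grant Administrator@INTERNAL.DOMAIN.TLD wildcard * A AAAA SRV CNAME;
         grant RTD-DC1$@INTERNAL.DOMAIN.TLD wildcard * A AAAA SRV CNAME;
};
"""
KEYTAB_PRINCIPALS = [
    "RTD-DC1$@INTERNAL.DOMAIN.TLD",
    "Administrator@INTERNAL.DOMAIN.TLD",
    "dns-RTD-DC1@INTERNAL.DOMAIN.TLD",
    "krbtgt@INTERNAL.DOMAIN.TLD",
]

# Only the two BIND rule types present in the Samba-generated policy are handled.
GRANT_RE = re.compile(r"grant\s+(\S+)\s+(ms-self|wildcard)\s+(\S+)\s+([^;]+);")


def parse_policy(text):
    """Return the grant statements as (identity, ruletype, name, [record types])."""
    return [(i, r, n, t.split()) for i, r, n, t in GRANT_RE.findall(text)]


def allowed_updates(principal, rules):
    """List (dns name pattern, record types) this Kerberos principal may update."""
    user, _, realm = principal.partition("@")
    allowed = []
    for identity, ruletype, name, types in rules:
        if ruletype == "ms-self":
            # identity is the realm; a machine principal HOST$@REALM may update host.realm
            if identity.lower() == realm.lower() and user.endswith("$"):
                allowed.append((f"{user[:-1].lower()}.{realm.lower()}", types))
        elif ruletype == "wildcard" and identity.lower() == principal.lower():
            # identity is the exact principal; it may update any name matching the pattern
            allowed.append((name, types))
    return allowed


def principals_with_rights(principals, rules):
    """Keytab principals to which the policy actually grants some update right."""
    return [p for p in principals if allowed_updates(p, rules)]


if __name__ == "__main__":
    rules = parse_policy(UPDATE_POLICY)
    for p in KEYTAB_PRINCIPALS:
        print(f"{p:36} -> {allowed_updates(p, rules) or 'no update rights'}")
```

With these inputs, dns-RTD-DC1 and krbtgt get no update rights from this policy at all, so the full domain export carries far more key material than a DHCP/DNS updater needs.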

