[Samba] keytab question.
Andrew Bartlett
abartlet at samba.org
Tue Mar 4 20:21:13 MST 2014
On Tue, 2014-03-04 at 11:51 +0000, Rowland Penny wrote:
> On 04/03/14 11:10, L.P.H. van Belle wrote:
> > Hi,
> >
> > I'm working on my DHCP server + DNS setup with samba4.
> >
> > I've exported the keytabs
> >
> > samba-tool domain exportkeytab /home/krb5.keytab.samba4
> >
> > When I read the contents of this keytab
> >
> > ktutil
> > rkt /home/krb5.keytab.samba4
> > list
> >
> > 1 1 RTD-DC1$@INTERNAL.DOMAIN.TLD
> > 2 1 RTD-DC1$@INTERNAL.DOMAIN.TLD
> > 3 1 RTD-DC1$@INTERNAL.DOMAIN.TLD
> > 4 1 Administrator@INTERNAL.DOMAIN.TLD
> > 5 1 Administrator@INTERNAL.DOMAIN.TLD
> > 6 1 Administrator@INTERNAL.DOMAIN.TLD
> > 7 1 dns-RTD-DC1@INTERNAL.DOMAIN.TLD
> > 8 1 dns-RTD-DC1@INTERNAL.DOMAIN.TLD
> > 9 1 dns-RTD-DC1@INTERNAL.DOMAIN.TLD
> > 10 1 krbtgt@INTERNAL.DOMAIN.TLD
> > 11 1 krbtgt@INTERNAL.DOMAIN.TLD
> > 12 1 krbtgt@INTERNAL.DOMAIN.TLD
> >
> >
> > and I look at the keytab Samba generated:
> > ktutil
> > rkt /var/lib/samba/private/secrets.keytab
> > list
> > 1 1 HOST/rtd-dc1@INTERNAL.DOMAIN.TLD
> > 2 1 HOST/rtd-dc1.INTERNAL.DOMAIN.TLD@INTERNAL.DOMAIN.TLD
> > 3 1 RTD-DC1$@INTERNAL.DOMAIN.TLD
> > 4 1 HOST/rtd-dc1@INTERNAL.DOMAIN.TLD
> > 5 1 HOST/rtd-dc1.INTERNAL.DOMAIN.TLD@INTERNAL.DOMAIN.TLD
> > 6 1 RTD-DC1$@INTERNAL.DOMAIN.TLD
> > 7 1 HOST/rtd-dc1@INTERNAL.DOMAIN.TLD
> > 8 1 HOST/rtd-dc1.INTERNAL.DOMAIN.TLD@INTERNAL.DOMAIN.TLD
> > 9 1 RTD-DC1$@INTERNAL.DOMAIN.TLD
> > 10 1 HOST/rtd-dc1@INTERNAL.DOMAIN.TLD
> > 11 1 HOST/rtd-dc1.INTERNAL.DOMAIN.TLD@INTERNAL.DOMAIN.TLD
> > 12 1 RTD-DC1$@INTERNAL.DOMAIN.TLD
> > 13 1 HOST/rtd-dc1@INTERNAL.DOMAIN.TLD
> > 14 1 HOST/rtd-dc1.INTERNAL.DOMAIN.TLD@INTERNAL.DOMAIN.TLD
> > 15 1 RTD-DC1$@INTERNAL.DOMAIN.TLD
> >
> >
> > In the krb5.conf I need to define the default keytab name
> >
> > default_keytab_name = FILE:/etc/krb5.keytab
> >
> > But now the question: which keytab should I use?
> > I know I have to configure our DNS server to support dynamic DNS updates in the clear (insecure) by using the allow-update directive.
> >
> > I've seen the update policy:
> >
> > cat /var/lib/samba/private/named.conf.update
> > /* this file is auto-generated - do not edit */
> > update-policy {
> > grant INTERNAL.DOMAIN.TLD ms-self * A AAAA;
> > grant Administrator@INTERNAL.DOMAIN.TLD wildcard * A AAAA SRV CNAME;
> > grant RTD-DC1$@INTERNAL.DOMAIN.TLD wildcard * A AAAA SRV CNAME;
> > };
> >
> >
> > But I was thinking I needed the user: dns-RTD-DC1@INTERNAL.DOMAIN.TLD
> > This is the "logical" one to pick.
> >
> > So, what's advised, and what do you use?
> >
> >
> > This part is not clear to me.
> >
> > Best regards,
> >
> > Louis
> >
> >
> >
> Hi Louis, I would suggest starting here:
>
> http://blog.michael.kuron-germany.de/2011/02/isc-dhcpd-dynamic-dns-updates-against-secure-microsoft-dns/
>
> and after reading this, if you are still confused, email me off-list and
> I will try to help you; I have been running samba4, bind9 and dhcp for
> over 12 months.
BTW, tested patches to make this easier - say by having our internal DNS
server accept static TKEY requests - are most welcome. We would love
for this to be easier, but just have not had the time.
Andrew Bartlett
--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
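Added example, not code from this thread or from the Samba project: a small Python check that cross-references the principals in an exported keytab (as printed by ktutil's list command) against the grant statements in the auto-generated named.conf.update, so you can see which keytab entries the policy actually gives update rights to and at what scope (wildcard versus ms-self). The two sample inputs are constructed from the listings quoted above with duplicate slots dropped; the file paths and principals are the ones Louis posted.

```python
import re
from collections import defaultdict

# Constructed samples shaped like the `ktutil` list output (slot kvno principal) and
# the auto-generated named.conf.update quoted in the thread; duplicate slots omitted.
KTUTIL_LIST = """\
 1 1 RTD-DC1$@INTERNAL.DOMAIN.TLD
 4 1 Administrator@INTERNAL.DOMAIN.TLD
 7 1 dns-RTD-DC1@INTERNAL.DOMAIN.TLD
10 1 krbtgt@INTERNAL.DOMAIN.TLD"""
NAMED_CONF_UPDATE = """\
/* this file is auto-generated - do not edit */
update-policy {
  grant INTERNAL.DOMAIN.TLD ms-self * A AAAA;
  grant Administrator@INTERNAL.DOMAIN.TLD wildcard * A AAAA SRV CNAME;
  grant RTD-DC1$@INTERNAL.DOMAIN.TLD wildcard * A AAAA SRV CNAME;
};"""
GRANT_RE = re.compile(r"^\s*grant\s+(\S+)\s+(\S+)\s+(\S+)\s+([^;]*);")

def keytab_principals(ktutil_output):
    """Distinct principals in `ktutil` list output (columns: slot, kvno, principal)."""
    principals = set()
    for line in ktutil_output.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0].isdigit() and parts[1].isdigit():
            principals.add(parts[2])
    return principals

def update_grants(named_conf):
    """identity -> [(rule type, name, record types)] for each grant in an update-policy."""
    grants = defaultdict(list)
    for line in named_conf.splitlines():
        m = GRANT_RE.match(line)
        if m:
            identity, rule, name, types = m.groups()
            grants[identity].append((rule, name, tuple(types.split())))
    return grants

def classify(ktutil_output, named_conf):
    """Map each keytab principal to the update-policy rules that apply to it: grants keyed
    by the principal itself, plus ms-self grants keyed by its realm for machine ($) principals."""
    grants = update_grants(named_conf)
    report = {}
    for p in keytab_principals(ktutil_output):
        user, _, realm = p.rpartition("@")
        rules = list(grants.get(p, []))
        if user.endswith("$"):  # ms-self only matches machine$@REALM, for machine.REALM records
            rules += [r for r in grants.get(realm, []) if r[0] == "ms-self"]
        report[p] = rules
    return report
```

Entries that come back with a wildcard grant are the ones whose keys need the tightest file permissions, since whoever reads that keytab can rewrite any A, AAAA, SRV or CNAME record in the zone; entries that come back empty are not granted anything by this policy file at all.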