[Samba] A and/or PTR record deleted after pc wake-up

steve steve at steve-ss.com
Thu Mar 6 05:32:21 MST 2014


On Thu, 2014-03-06 at 13:06 +0100, L.P.H. van Belle wrote:
> Hi,
> 
> Thanks for all the responses.
> 
> I only checked with the Windows RSAT tools.
> I just deleted my install and I'm going for bind 9.9.5 from Debian sid (rebuilt for wheezy).
> 
> >The machine key has been used to authenticate. named must have had
> >access to the dns keytab too.
> 
> Yes, that's correct, I did set the default keytab to servname$@internal.domain.tld.
> I checked it with all the tests the wiki described.
> I pointed it to the default keytab file.
> 
> This was my krb5.conf:
> 
> [libdefaults]
>         default_realm = INTERNAL.DOMAIN.TLD
>         dns_lookup_realm = false
>         dns_lookup_kdc = true
>         ticket_lifetime = 30d
>         forwardable = yes
>         default_keytab_name = FILE:/etc/krb5.keytab
> 
> [realms]
>  INTERNAL.DOMAIN.TLD = {
>   kdc = rtd-dc1.INTERNAL.DOMAIN.TLD:88
>   admin_server = rtd-dc1.INTERNAL.DOMAIN.TLD:749
>   default_domain = INTERNAL.DOMAIN.TLD
>  }
> 
> [domain_realm]
>  .INTERNAL.DOMAIN.TLD = INTERNAL.DOMAIN.TLD
>  INTERNAL.DOMAIN.TLD = INTERNAL.DOMAIN.TLD
> 
> [appdefaults]
>  pam = {
>    debug = false
>    ticket_lifetime = 36000
>    renew_lifetime = 36000
>    forwardable = true
>    krb4_convert = false
>  }
> 
> The bind config also contained:
>       tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
> 
> I used the following to export the keys:
> # export the kerberos keys
> samba-tool domain exportkeytab /tmp/krb5.keytab
> Then I looked at what's in there:
> ktutil
> 	: rkt /tmp/krb5.keytab
> 	: list 
> 	-> output 
> 	: wkt /etc/krb5.keytab
> 	: quit
> 
> For ISC bind we need bind as the owner of the keytab:
> chown bind /etc/krb5.keytab
> 
> And I did set the default keytab:
> kinit -k -t /etc/krb5.keytab RTD-DC1$@INTERNAL.DOMAIN.TLD
> 
> I checked which users had rights.
> I looked in the /var/lib/samba/named.update file;
> there are 3 which had rights to update the DNS.
> 
> Can someone tell me if the above procedure is correct?
> Or should I set the default keytab on the next install to
> /var/lib/samba/private/dns.keytab
> and not export it and set it again?

The latter. Forget anything about exporting keytabs or doing anything
else with them. The only keytab you need, dns.keytab under private, is
created by the provision. Simply make sure named can read it and write
to the dns partitions themselves.
HTH
Steve

[We've been trying to reproduce your dns denied error on the ddns as per
the original post, but can't. Did you get a chance to go through our
suggestion with samba-tool dns to check the Admin-pc box before you
deleted?]
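A small check of the setup Steve describes, added here as an example and not code from this thread or from Samba: it reads the tkey-gssapi-keytab path out of named's config, verifies it is the provisioned /var/lib/samba/private/dns.keytab rather than an exported copy, and checks that the BIND service account's uid/gids can read it. The config path, uid and gids are parameters (on a real host resolve the bind user with pwd/grp); demo() builds a constructed scenario in a temp dir.

```python
import os
import re
import stat
import tempfile

SAMBA_DNS_KEYTAB = "/var/lib/samba/private/dns.keytab"  # created by the provision
TKEY_RE = re.compile(r'tkey-gssapi-keytab\s+"([^"]+)"\s*;')


def keytab_from_named_conf(path):
    """Return the tkey-gssapi-keytab path from named.conf, or None if absent."""
    with open(path) as f:
        for line in f:
            m = TKEY_RE.search(line.split("//")[0])  # ignore trailing comments
            if m: return m.group(1)
    return None


def readable_by(path, uid, gids):
    """Plain mode-bit check (no root or ACL handling): can uid/gids read path?"""
    st = os.stat(path)
    if st.st_uid == uid:  # owner class decides, even if group bits would allow
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)


def check(named_conf, uid, gids, expected=SAMBA_DNS_KEYTAB):
    """List of problems; empty means named is pointed at a keytab it can read."""
    keytab = keytab_from_named_conf(named_conf)
    if keytab is None:
        return ["no tkey-gssapi-keytab directive in " + named_conf]
    problems = []
    if keytab != expected:
        problems.append("named uses %s, not the provisioned %s" % (keytab, expected))
    if not os.path.isfile(keytab):
        problems.append("keytab %s does not exist" % keytab)
    elif not readable_by(keytab, uid, gids):
        problems.append("keytab %s is not readable by uid %d" % (keytab, uid))
    return problems


def demo():
    """Constructed scenario: temp dir with a 0640 keytab and a named.conf naming it."""
    d = tempfile.mkdtemp()
    keytab, conf = os.path.join(d, "dns.keytab"), os.path.join(d, "named.conf")
    with open(keytab, "wb") as f: f.write(b"\x05\x02")  # keytab magic only; constructed
    os.chmod(keytab, 0o640)
    with open(conf, "w") as f:
        f.write('options {\n  tkey-gssapi-keytab "%s";  // GSS-TSIG\n};\n' % keytab)
    uid, gids = os.getuid(), set(os.getgroups())
    return {"owner": check(conf, uid, gids, expected=keytab),
            "stranger": check(conf, uid + 1, set(), expected=keytab)}
```

On a DC, call check("/etc/bind/named.conf.options", uid, gids) with the bind user's ids and fix anything it reports before expecting GSS-TSIG updates to work.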
