[Samba] dns.keytab doesn't exist

Rowland penny rpenny at samba.org
Fri Dec 11 08:58:50 UTC 2020 

On 11/12/2020 08:33, Dan Egli via samba wrote:
> Packaged samba? You could say that. Gentoo downloads the source 
> tarball, add some patches, then compiles and installs it. As for 
> samba_upgradedns I'm not familiar with that and certainly didn't see 
> it on the setup page for BIND.  But I ran it just now:
>
> Reading domain information
> DNS accounts already exist
> No zone file /var/lib/samba/bind-dns/dns/HOME.EGLIFAMILY.NAME.zone
> /usr/sbin/samba_upgradedns:338: DeprecationWarning: The 'warn' method 
> is deprecated, use 'warning' instead
>   logger.warn("DNS records will be automatically created")
> DNS records will be automatically created
> DNS partitions already exist
> Adding dns-pluto account
> BIND version unknown, please modify /var/lib/samba/bind-dns/named.conf 
> manually.
> See /var/lib/samba/bind-dns/named.conf for an example configuration 
> include file for BIND
> and /var/lib/samba/bind-dns/named.txt for further documentation 
> required for secure DNS updates
> Finished upgrading DNS
> You have switched to using BIND9_DLZ as your dns backend, but still 
> have the internal dns starting. Please make sure you add '-dns' to 
> your server services line in your smb.conf.
>
> I imagine that's because the script looks for up to bind 9.12, but the 
> latest is 9.16. So I manually edited my named.conf file:
> # This DNS configuration is for BIND 9.8.0 or later with dlz_dlopen 
> support.
> #
> # This file should be included in your main BIND configuration file
> #
> # For example with
> # include "/var/lib/samba/bind-dns/named.conf";
>
> #
> # This configures dynamically loadable zones (DLZ) from AD schema
> # Uncomment only single database line, depending on your BIND version
> #
> dlz "AD DNS Zone" {
>     database "dlopen /usr/lib/samba/bind9/dlz_bind9_12.so";
> };
>
> Hope that's correct. After running the samba_dnsupgrade I have TWO 
> dns.keytab files:
> locate dns.keytab
> /var/lib/samba/bind-dns/dns.keytab
> /var/lib/samba/private/dns.keytab
>
> Which should I be looking at? Also, named is giving me headaches with 
> the samba_dlz stuff. Here's the error I get when I try to start named:
>
> Dec 11 08:38:06 pluto named[9417]: samba_dlz: Failed to connect to 
> Failed to connect to /var/lib/samba/private/dns/sam.ldb: Unable to 
> open tdb '/var/lib/samba/private/dns/sam.ldb': Permission denied: 
> Operations error
> Dec 11 08:38:06 pluto named[9417]: samba_dlz: FAILED dlz_create call 
> result=25 #refs=0
>
> the directory /var/lib /samba/private/dns does exist, owned by 
> root:named and having permissions 770, so why can't named create the 
> file?
>
>
> Thanks!
>
> On 12/11/2020 12:15 AM, Johannes Engel via samba wrote:
>
>> Hi Dan,
>>
>> have you run
>>
>> samba_upgradedns --dns-backend=BIND9_DLZ
>>
>> already? That should create all necessary files. Or depending upon
>> your Samba version, could you please check for
>> /var/lib/samba/private/dns.keytab?
>>
>> May I assume that you are using a packaged build of Samba?
>>
>> Best regards
>>
>> Johannes
>>
>>
>> Am Fr., 11. Dez. 2020 um 07:28 Uhr schrieb Dan Egli via samba <
>> samba at lists.samba.org>:
>>
>>> I was reading on the samba wiki about how to use bind9_dlz as the DNS
>>> backend for an AD Domain, but in the setup instructions for bind given
>>> in the wiki it says to be sure to include the line tkey-gssapi-keytab
>>> "/var/lib/samba/bind-dns/dns.keytab"; in my named.conf file, in the
>>> options section. That's great, except I don't HAVE a dns.keytab file
>>> anywhere on the system. I've looked at the page carefully and nothing
>>> says where the file comes from. Only that it's in the
>>> /var/lib/samba/bind-dns directory, but on my system that directory is
>>> empty. Is this something that bind is going to create or something? I'm
>>> a bit lost. Any help is appreciated!
>>>
>>> In case anyone is wondering, I'm using bind because the system already
>>> has bind on it to serve internet DNS requests. So rather than try to
>>> figure out how to let samba maintain it's own internal DNS cache and
>>> still have the main one, I just figured I'd let bind handle the whole
>>> thing.
>>>
>>> -- 
>>> Dan Egli
>>>   From my Test Server
>>>
>>>
>>> -- 
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>
It doesn't matter how you install Samba, when you join a DC you will 
never get the keytab in the bind-dns dir, the code doesn't exist to 
create it. The keytab should be created under three circumstances, when 
you provision a DC with ' --dns-backend=BIND9_DLZ', When you run 
'samba_dnsupdate' and when you join a DC with '--dns-backend=BIND9_DLZ'. 
The first two work because the code exists (the same code twice), but 
the required code isn't there when you join a new DC.

Rowland

More information about the samba mailing list