[Samba] dns.keytab doesn't exist

Dan Egli dan at newideatest.site
Fri Dec 11 09:26:41 UTC 2020 

  I ran the samba_dnsupgrade and it created TWO dns.keytab files. You 
said it won't create one in /var/lib/samba/bind-dns directory, but it 
did. At least, SOMETHING put a file there. Still, if you say it 
shouldn't be there, then perhaps I should rm it and point my bind config 
to the other.


On 12/11/2020 1:58 AM, Rowland penny via samba wrote:
> On 11/12/2020 08:33, Dan Egli via samba wrote:
>> Packaged samba? You could say that. Gentoo downloads the source 
>> tarball, add some patches, then compiles and installs it. As for 
>> samba_upgradedns I'm not familiar with that and certainly didn't see 
>> it on the setup page for BIND. But I ran it just now:
>>
>> Reading domain information
>> DNS accounts already exist
>> No zone file /var/lib/samba/bind-dns/dns/HOME.EGLIFAMILY.NAME.zone
>> /usr/sbin/samba_upgradedns:338: DeprecationWarning: The 'warn' method 
>> is deprecated, use 'warning' instead
>>   logger.warn("DNS records will be automatically created")
>> DNS records will be automatically created
>> DNS partitions already exist
>> Adding dns-pluto account
>> BIND version unknown, please modify 
>> /var/lib/samba/bind-dns/named.conf manually.
>> See /var/lib/samba/bind-dns/named.conf for an example configuration 
>> include file for BIND
>> and /var/lib/samba/bind-dns/named.txt for further documentation 
>> required for secure DNS updates
>> Finished upgrading DNS
>> You have switched to using BIND9_DLZ as your dns backend, but still 
>> have the internal dns starting. Please make sure you add '-dns' to 
>> your server services line in your smb.conf.
>>
>> I imagine that's because the script looks for up to bind 9.12, but 
>> the latest is 9.16. So I manually edited my named.conf file:
>> # This DNS configuration is for BIND 9.8.0 or later with dlz_dlopen 
>> support.
>> #
>> # This file should be included in your main BIND configuration file
>> #
>> # For example with
>> # include "/var/lib/samba/bind-dns/named.conf";
>>
>> #
>> # This configures dynamically loadable zones (DLZ) from AD schema
>> # Uncomment only single database line, depending on your BIND version
>> #
>> dlz "AD DNS Zone" {
>>     database "dlopen /usr/lib/samba/bind9/dlz_bind9_12.so";
>> };
>>
>> Hope that's correct. After running the samba_dnsupgrade I have TWO 
>> dns.keytab files:
>> locate dns.keytab
>> /var/lib/samba/bind-dns/dns.keytab
>> /var/lib/samba/private/dns.keytab
>>
>> Which should I be looking at? Also, named is giving me headaches with 
>> the samba_dlz stuff. Here's the error I get when I try to start named:
>>
>> Dec 11 08:38:06 pluto named[9417]: samba_dlz: Failed to connect to 
>> Failed to connect to /var/lib/samba/private/dns/sam.ldb: Unable to 
>> open tdb '/var/lib/samba/private/dns/sam.ldb': Permission denied: 
>> Operations error
>> Dec 11 08:38:06 pluto named[9417]: samba_dlz: FAILED dlz_create call 
>> result=25 #refs=0
>>
>> the directory /var/lib /samba/private/dns does exist, owned by 
>> root:named and having permissions 770, so why can't named create the 
>> file?
>>
>>
>> Thanks!
>>
>> On 12/11/2020 12:15 AM, Johannes Engel via samba wrote:
>>
>>> Hi Dan,
>>>
>>> have you run
>>>
>>> samba_upgradedns --dns-backend=BIND9_DLZ
>>>
>>> already? That should create all necessary files. Or depending upon
>>> your Samba version, could you please check for
>>> /var/lib/samba/private/dns.keytab?
>>>
>>> May I assume that you are using a packaged build of Samba?
>>>
>>> Best regards
>>>
>>> Johannes
>>>
>>>
>>> Am Fr., 11. Dez. 2020 um 07:28 Uhr schrieb Dan Egli via samba <
>>> samba at lists.samba.org>:
>>>
>>>> I was reading on the samba wiki about how to use bind9_dlz as the DNS
>>>> backend for an AD Domain, but in the setup instructions for bind given
>>>> in the wiki it says to be sure to include the line tkey-gssapi-keytab
>>>> "/var/lib/samba/bind-dns/dns.keytab"; in my named.conf file, in the
>>>> options section. That's great, except I don't HAVE a dns.keytab file
>>>> anywhere on the system. I've looked at the page carefully and nothing
>>>> says where the file comes from. Only that it's in the
>>>> /var/lib/samba/bind-dns directory, but on my system that directory is
>>>> empty. Is this something that bind is going to create or something? 
>>>> I'm
>>>> a bit lost. Any help is appreciated!
>>>>
>>>> In case anyone is wondering, I'm using bind because the system already
>>>> has bind on it to serve internet DNS requests. So rather than try to
>>>> figure out how to let samba maintain it's own internal DNS cache and
>>>> still have the main one, I just figured I'd let bind handle the whole
>>>> thing.
>>>>
>>>> -- 
>>>> Dan Egli
>>>>   From my Test Server
>>>>
>>>>
>>>> -- 
>>>> To unsubscribe from this list go to the following URL and read the
>>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>>
> It doesn't matter how you install Samba, when you join a DC you will 
> never get the keytab in the bind-dns dir, the code doesn't exist to 
> create it. The keytab should be created under three circumstances, 
> when you provision a DC with ' --dns-backend=BIND9_DLZ', When you run 
> 'samba_dnsupdate' and when you join a DC with 
> '--dns-backend=BIND9_DLZ'. The first two work because the code exists 
> (the same code twice), but the required code isn't there when you join 
> a new DC.
>
> Rowland
>
>
>
-- 
Dan Egli
 From my Test Server

More information about the samba mailing list