[Samba] dns.keytab doesn't exist

Andrew Bartlett abartlet at samba.org
Fri Dec 11 09:34:16 UTC 2020


We are very sorry.  There are three codepaths, which should all use the
same code block.  Rowland even had a go at unifying them.  

Sadly the patch hasn't made it in yet, Rowland fixed the issue
perfectly well from the 'do the right thing' standpoint, but we really
need to combine the code as well (not have duplicate code) and that is
a little more involved.

The issue is that a provision and samba_upgradedns will create the
files in bind-dns, but the join was never correctly coded when the
bind-dns directory was set up.

Andrew Bartlett

On Fri, 2020-12-11 at 02:26 -0700, Dan Egli via samba wrote:
>   I ran the samba_dnsupgrade and it created TWO dns.keytab files. You
> said it won't create one in /var/lib/samba/bind-dns directory, but it
> did. At least, SOMETHING put a file there. Still, if you say it
> shouldn't be there, then perhaps I should rm it and point my bind config
> to the other.
> 
> 
> On 12/11/2020 1:58 AM, Rowland penny via samba wrote:
> > On 11/12/2020 08:33, Dan Egli via samba wrote:
> > > Packaged samba? You could say that. Gentoo downloads the source
> > > tarball, adds some patches, then compiles and installs it. As for
> > > samba_upgradedns I'm not familiar with that and certainly didn't see
> > > it on the setup page for BIND. But I ran it just now:
> > > 
> > > Reading domain information
> > > DNS accounts already exist
> > > No zone file /var/lib/samba/bind-dns/dns/HOME.EGLIFAMILY.NAME.zone
> > > /usr/sbin/samba_upgradedns:338: DeprecationWarning: The 'warn' method
> > > is deprecated, use 'warning' instead
> > >   logger.warn("DNS records will be automatically created")
> > > DNS records will be automatically created
> > > DNS partitions already exist
> > > Adding dns-pluto account
> > > BIND version unknown, please modify
> > > /var/lib/samba/bind-dns/named.conf manually.
> > > See /var/lib/samba/bind-dns/named.conf for an example configuration
> > > include file for BIND
> > > and /var/lib/samba/bind-dns/named.txt for further documentation
> > > required for secure DNS updates
> > > Finished upgrading DNS
> > > You have switched to using BIND9_DLZ as your dns backend, but still
> > > have the internal dns starting. Please make sure you add '-dns' to
> > > your server services line in your smb.conf.
> > > 
> > > I imagine that's because the script looks for up to bind 9.12, but
> > > the latest is 9.16. So I manually edited my named.conf file:
> > > # This DNS configuration is for BIND 9.8.0 or later with dlz_dlopen
> > > # support.
> > > #
> > > # This file should be included in your main BIND configuration file
> > > #
> > > # For example with
> > > # include "/var/lib/samba/bind-dns/named.conf";
> > > 
> > > #
> > > # This configures dynamically loadable zones (DLZ) from AD schema
> > > # Uncomment only single database line, depending on your BIND version
> > > #
> > > dlz "AD DNS Zone" {
> > >     database "dlopen /usr/lib/samba/bind9/dlz_bind9_12.so";
> > > };
> > > 
> > > Hope that's correct. After running the samba_dnsupgrade I have TWO
> > > dns.keytab files:
> > > locate dns.keytab
> > > /var/lib/samba/bind-dns/dns.keytab
> > > /var/lib/samba/private/dns.keytab
> > > 
> > > Which should I be looking at? Also, named is giving me headaches with
> > > the samba_dlz stuff. Here's the error I get when I try to start named:
> > > 
> > > Dec 11 08:38:06 pluto named[9417]: samba_dlz: Failed to connect to
> > > Failed to connect to /var/lib/samba/private/dns/sam.ldb: Unable to
> > > open tdb '/var/lib/samba/private/dns/sam.ldb': Permission denied:
> > > Operations error
> > > Dec 11 08:38:06 pluto named[9417]: samba_dlz: FAILED dlz_create call
> > > result=25 #refs=0
> > > 
> > > the directory /var/lib/samba/private/dns does exist, owned by
> > > root:named and having permissions 770, so why can't named create the
> > > file?
> > > 
> > > 
> > > Thanks!
> > > 
> > > On 12/11/2020 12:15 AM, Johannes Engel via samba wrote:
> > > 
> > > > Hi Dan,
> > > > 
> > > > have you run
> > > > 
> > > > samba_upgradedns --dns-backend=BIND9_DLZ
> > > > 
> > > > already? That should create all necessary files. Or depending upon
> > > > your Samba version, could you please check for
> > > > /var/lib/samba/private/dns.keytab?
> > > > 
> > > > May I assume that you are using a packaged build of Samba?
> > > > 
> > > > Best regards
> > > > 
> > > > Johannes
> > > > 
> > > > 
> > > > Am Fr., 11. Dez. 2020 um 07:28 Uhr schrieb Dan Egli via samba <
> > > > samba at lists.samba.org>:
> > > > 
> > > > > I was reading on the samba wiki about how to use bind9_dlz as the DNS
> > > > > backend for an AD Domain, but in the setup instructions for bind given
> > > > > in the wiki it says to be sure to include the line
> > > > > tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab"; in my
> > > > > named.conf file, in the options section. That's great, except I don't
> > > > > HAVE a dns.keytab file anywhere on the system. I've looked at the page
> > > > > carefully and nothing says where the file comes from. Only that it's in
> > > > > the /var/lib/samba/bind-dns directory, but on my system that directory
> > > > > is empty. Is this something that bind is going to create or something?
> > > > > I'm a bit lost. Any help is appreciated!
> > > > > 
> > > > > In case anyone is wondering, I'm using bind because the system already
> > > > > has bind on it to serve internet DNS requests. So rather than try to
> > > > > figure out how to let samba maintain its own internal DNS cache and
> > > > > still have the main one, I just figured I'd let bind handle the whole
> > > > > thing.
> > > > > 
> > > > > -- 
> > > > > Dan Egli
> > > > >   From my Test Server
> > > > > 
> > > > > 
> > > > > 
> > It doesn't matter how you install Samba, when you join a DC you will
> > never get the keytab in the bind-dns dir, the code doesn't exist to
> > create it. The keytab should be created under three circumstances,
> > when you provision a DC with '--dns-backend=BIND9_DLZ', when you run
> > 'samba_dnsupdate' and when you join a DC with
> > '--dns-backend=BIND9_DLZ'. The first two work because the code exists
> > (the same code twice), but the required code isn't there when you join
> > a new DC.
> > 
> > Rowland
> > 
> > 
> > 
> -- 
> Dan Egli
>  From my Test Server
> 
> 
-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba
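An added check script for the BIND9_DLZ file layout discussed in this thread (it is not part of the thread or of Samba's own tooling): it reads the keytab path and the DLZ module path out of named.conf, confirms both files exist, and reports the two-dns.keytab situation so it is clear which copy BIND actually uses. It assumes POSIX sh and takes the named.conf, private and bind-dns paths as arguments; the paths in the comments are the ones from the thread and may differ per distribution.

```shell
#!/bin/sh
# Added example, not Samba's own tooling: sanity-check a BIND9_DLZ layout.
# Usage: sh check_dlz.sh /etc/named.conf /var/lib/samba/private /var/lib/samba/bind-dns
# (the last two are the directories named in the thread; adjust for your distro)

# Strip comment lines so a commented-out "database" line is not picked up.
active_lines() {
    grep -v '^[[:space:]]*#' "$1"
}

# Path given to tkey-gssapi-keytab in named.conf (empty if absent).
keytab_in_conf() {
    active_lines "$1" | sed -n 's/.*tkey-gssapi-keytab[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# Path of the dlz_bind9_*.so module from the active "database dlopen" line.
dlz_module_in_conf() {
    active_lines "$1" | sed -n 's/.*database[[:space:]]*"dlopen[[:space:]]*\([^"]*\)".*/\1/p' | head -n 1
}

# check_dlz_layout NAMED_CONF PRIVATE_DIR BIND_DNS_DIR
# Returns 0 when named.conf names an existing keytab and an existing DLZ
# module; prints what is wrong otherwise. Also reports when dns.keytab
# exists in both directories, so you know which one BIND actually uses.
check_dlz_layout() {
    conf=$1; private=$2; binddns=$3; rc=0
    kt=$(keytab_in_conf "$conf")
    mod=$(dlz_module_in_conf "$conf")
    if [ -z "$kt" ]; then
        echo "no tkey-gssapi-keytab directive in $conf"; rc=1
    elif [ ! -f "$kt" ]; then
        echo "named.conf points at keytab $kt, which does not exist"; rc=1
    fi
    if [ -z "$mod" ]; then
        echo "no active 'database \"dlopen ...\"' line in $conf"; rc=1
    elif [ ! -f "$mod" ]; then
        echo "DLZ module $mod does not exist (module for the wrong BIND version?)"; rc=1
    fi
    if [ -f "$private/dns.keytab" ] && [ -f "$binddns/dns.keytab" ]; then
        echo "dns.keytab present in both $private and $binddns; BIND uses: ${kt:-none}"
    fi
    return $rc
}

if [ "$#" -eq 3 ]; then
    check_dlz_layout "$1" "$2" "$3"
fi
```

The exit status is meant for use from a deployment check; the messages only describe what the script could not find, not how to fix it.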




