[Samba] dns.keytab doesn't exist

Rowland penny rpenny at samba.org
Fri Dec 11 09:50:59 UTC 2020


On 11/12/2020 09:34, Andrew Bartlett wrote:
> We are very sorry.  There are three codepaths, which should all use the
> same code block.  Rowland even had a go at unifying them.
>
> Sadly the patch hasn't made it in yet, Rowland fixed the issue
> perfectly well from the 'do the right thing' standpoint, but we really
> need to combine the code as well (not have duplicate code) and that is
> a little more involved.
>
> The issue is that a provision and samba_upgradedns will create the
> files in bind-dns, but the join was never correctly coded when the
> bind-dns directory was set up.
>
> Andrew Bartlett
>
> On Fri, 2020-12-11 at 02:26 -0700, Dan Egli via samba wrote:
>> I ran the samba_dnsupgrade and it created TWO dns.keytab files. You
>> said it won't create one in /var/lib/samba/bind-dns directory, but it
>> did. At least, SOMETHING put a file there. Still, if you say it
>> shouldn't be there, then perhaps I should rm it and point my bind config
>> to the other.
>>
>>
>> On 12/11/2020 1:58 AM, Rowland penny via samba wrote:
>>> On 11/12/2020 08:33, Dan Egli via samba wrote:
>>>> Packaged samba? You could say that. Gentoo downloads the source
>>>> tarball, adds some patches, then compiles and installs it. As for
>>>> samba_upgradedns I'm not familiar with that and certainly didn't see
>>>> it on the setup page for BIND. But I ran it just now:
>>>>
>>>> Reading domain information
>>>> DNS accounts already exist
>>>> No zone file /var/lib/samba/bind-dns/dns/HOME.EGLIFAMILY.NAME.zone
>>>> /usr/sbin/samba_upgradedns:338: DeprecationWarning: The 'warn' method
>>>> is deprecated, use 'warning' instead
>>>>    logger.warn("DNS records will be automatically created")
>>>> DNS records will be automatically created
>>>> DNS partitions already exist
>>>> Adding dns-pluto account
>>>> BIND version unknown, please modify
>>>> /var/lib/samba/bind-dns/named.conf manually.
>>>> See /var/lib/samba/bind-dns/named.conf for an example configuration
>>>> include file for BIND
>>>> and /var/lib/samba/bind-dns/named.txt for further documentation
>>>> required for secure DNS updates
>>>> Finished upgrading DNS
>>>> You have switched to using BIND9_DLZ as your dns backend, but still
>>>> have the internal dns starting. Please make sure you add '-dns' to
>>>> your server services line in your smb.conf.
>>>>
>>>> I imagine that's because the script looks for up to bind 9.12, but
>>>> the latest is 9.16. So I manually edited my named.conf file:
>>>> # This DNS configuration is for BIND 9.8.0 or later with dlz_dlopen
>>>> # support.
>>>> #
>>>> # This file should be included in your main BIND configuration file
>>>> #
>>>> # For example with
>>>> # include "/var/lib/samba/bind-dns/named.conf";
>>>>
>>>> #
>>>> # This configures dynamically loadable zones (DLZ) from AD schema
>>>> # Uncomment only single database line, depending on your BIND version
>>>> #
>>>> dlz "AD DNS Zone" {
>>>>      database "dlopen /usr/lib/samba/bind9/dlz_bind9_12.so";
>>>> };
>>>>
>>>> Hope that's correct. After running the samba_dnsupgrade I have TWO
>>>> dns.keytab files:
>>>> locate dns.keytab
>>>> /var/lib/samba/bind-dns/dns.keytab
>>>> /var/lib/samba/private/dns.keytab
>>>>
>>>> Which should I be looking at? Also, named is giving me headaches with
>>>> the samba_dlz stuff. Here's the error I get when I try to start named:
>>>>
>>>> Dec 11 08:38:06 pluto named[9417]: samba_dlz: Failed to connect to
>>>> Failed to connect to /var/lib/samba/private/dns/sam.ldb: Unable to
>>>> open tdb '/var/lib/samba/private/dns/sam.ldb': Permission denied:
>>>> Operations error
>>>> Dec 11 08:38:06 pluto named[9417]: samba_dlz: FAILED dlz_create call
>>>> result=25 #refs=0
>>>>
>>>> the directory /var/lib/samba/private/dns does exist, owned by
>>>> root:named and having permissions 770, so why can't named create the
>>>> file?
>>>>
>>>>
>>>> Thanks!
>>>>
>>>> On 12/11/2020 12:15 AM, Johannes Engel via samba wrote:
>>>>
>>>>> Hi Dan,
>>>>>
>>>>> have you run
>>>>>
>>>>> samba_upgradedns --dns-backend=BIND9_DLZ
>>>>>
>>>>> already? That should create all necessary files. Or depending upon
>>>>> your Samba version, could you please check for
>>>>> /var/lib/samba/private/dns.keytab?
>>>>>
>>>>> May I assume that you are using a packaged build of Samba?
>>>>>
>>>>> Best regards
>>>>>
>>>>> Johannes
>>>>>
>>>>>
>>>>> On Fri, 11 Dec 2020 at 07:28, Dan Egli via samba <
>>>>> samba at lists.samba.org> wrote:
>>>>>
>>>>>> I was reading on the samba wiki about how to use bind9_dlz as the DNS
>>>>>> backend for an AD Domain, but in the setup instructions for bind given
>>>>>> in the wiki it says to be sure to include the line
>>>>>> tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab"; in my
>>>>>> named.conf file, in the options section. That's great, except I don't
>>>>>> HAVE a dns.keytab file anywhere on the system. I've looked at the page
>>>>>> carefully and nothing says where the file comes from. Only that it's
>>>>>> in the /var/lib/samba/bind-dns directory, but on my system that
>>>>>> directory is empty. Is this something that bind is going to create or
>>>>>> something? I'm a bit lost. Any help is appreciated!
>>>>>>
>>>>>> In case anyone is wondering, I'm using bind because the system already
>>>>>> has bind on it to serve internet DNS requests. So rather than try to
>>>>>> figure out how to let samba maintain its own internal DNS cache and
>>>>>> still have the main one, I just figured I'd let bind handle the whole
>>>>>> thing.
>>>>>>
>>>>>> -- 
>>>>>> Dan Egli
>>>>>>    From my Test Server
>>>>>>
>>> It doesn't matter how you install Samba, when you join a DC you will
>>> never get the keytab in the bind-dns dir, the code doesn't exist to
>>> create it. The keytab should be created under three circumstances:
>>> when you provision a DC with '--dns-backend=BIND9_DLZ', when you run
>>> 'samba_dnsupdate' and when you join a DC with '--dns-backend=BIND9_DLZ'.
>>> The first two work because the code exists (the same code twice), but
>>> the required code isn't there when you join a new DC.
>>>
>>> Rowland
>>>
>>>
>>>
>> -- 
>> Dan Egli
>>   From my Test Server
>>
>>
Well, you know my opinion Andrew, it isn't worth the effort for a block 
of code that isn't likely to run in any circumstances other than a 
provision, join or upgrading the DNS server. If you can prove that it 
might be used elsewhere, I will have a go at what you suggest, otherwise 
if you want it that way, you write the code 😁

Rowland
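A small diagnostic for the two symptoms in this thread (no dns.keytab where the tkey-gssapi-keytab directive points, and 'Permission denied' when named opens sam.ldb), added here as an example and not code from the thread's participants or from Samba. It assumes named needs group read/write on every file under the dns directory it opens, takes that directory and named's gid as parameters rather than hard-coding /var/lib/samba, and the sample named.conf text is constructed.

```python
import os
import re
import stat

# Constructed named.conf fragment in the shape samba_upgradedns writes; the
# paths are the thread's and serve only as sample text for parse_named_conf().
SAMPLE_NAMED_CONF = '''options { tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab"; };
dlz "AD DNS Zone" { database "dlopen /usr/lib/samba/bind9/dlz_bind9_12.so"; };'''

KEYTAB_RE = re.compile(r'tkey-gssapi-keytab\s+"([^"]+)"')
DLZ_RE = re.compile(r'database\s+"dlopen\s+([^"\s]+)')

def parse_named_conf(text):
    """Return (keytab_path, dlz_module_path); None for an absent directive."""
    kt = KEYTAB_RE.search(text)
    mod = DLZ_RE.search(text)
    return (kt.group(1) if kt else None, mod.group(1) if mod else None)

def group_ok(path, gid, need_write):
    """True if path is owned by gid and its group bits grant read (and write if asked)."""
    st = os.stat(path)
    wanted = stat.S_IRGRP | (stat.S_IWGRP if need_write else 0)
    return st.st_gid == gid and (st.st_mode & wanted) == wanted

def check_dlz_setup(named_conf_text, dns_dir, named_gid):
    """Collect the problems behind the thread's two symptoms: no dns.keytab, and
    'Permission denied' on sam.ldb. dns_dir is the directory named opens (the
    thread's /var/lib/samba/private/dns); named_gid is the group named runs as."""
    problems = []
    keytab, module = parse_named_conf(named_conf_text)
    if keytab is None:
        problems.append("named.conf has no tkey-gssapi-keytab directive")
    elif not os.path.isfile(keytab):
        problems.append("keytab missing: " + keytab)  # the original poster's case
    elif not group_ok(keytab, named_gid, need_write=False):
        problems.append("keytab not readable by named's group: " + keytab)
    if module is None or not os.path.isfile(module):
        problems.append("dlz module not configured or not installed: " + str(module))
    # Assumption: a 770 root:named directory is not enough, because named opens
    # the ldb files inside it read-write; each file must grant the group rw too.
    if not os.path.isdir(dns_dir):
        problems.append("dns directory missing: " + dns_dir)
    for root, _dirs, files in os.walk(dns_dir):
        for name in files:
            path = os.path.join(root, name)
            if not group_ok(path, named_gid, need_write=True):
                problems.append("not group rw for named: " + path)
    return problems
```

Run it against the real named.conf text and dns directory as root, passing the gid from `getent group named`; an empty list means the keytab, module and file permissions line up.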




