[Samba] dns.keytab doesn't exist

Dan Egli dan at newideatest.site
Fri Dec 11 10:00:11 UTC 2020


So you're saying it really doesn't matter which I use? Okay, I'll just 
use the one in private vs. the one in bind-dns. Now if I can only figure 
out why it's complaining about the sam.ldb file:

Dec 11 09:07:10 pluto named[733]: samba_dlz: Unable to get basedn for /var/lib/samba/private/dns/sam.ldb - NULL Base DN invalid for a base search

That's causing named to terminate with an error:

Dec 11 09:07:10 pluto named[733]: samba_dlz: FAILED dlz_create call result=25 #refs=0
Dec 11 09:07:10 pluto named[733]: dlz_dlopen of 'AD DNS Zone' failed
Dec 11 09:07:10 pluto named[733]: SDLZ driver failed to load.
Dec 11 09:07:10 pluto named[733]: DLZ driver failed to load.
Dec 11 09:07:10 pluto named[733]: loading configuration: failure
Dec 11 09:07:10 pluto named[733]: exiting (due to fatal error)
Dec 11 09:07:11 pluto systemd[1]: named.service: Main process exited, code=exited, status=1/FAILURE
Dec 11 09:07:11 pluto systemd[1]: named.service: Failed with result 'exit-code'.

Any tips?

On 12/11/2020 2:37 AM, Rowland penny via samba wrote:
> On 11/12/2020 09:26, Dan Egli wrote:
>>  I ran the samba_dnsupgrade and it created TWO dns.keytab files. You 
>> said it won't create one in /var/lib/samba/bind-dns directory, but it 
>> did. At least, SOMETHING put a file there. Still, if you say it 
>> shouldn't be there, then perhaps I should rm it and point my bind 
>> config to the other.
>>
> No, I didn't say that, I said that you do not get the keytab in the 
> bind-dns dir when you join a DC, but you do when you provision a new 
> DC or run samba_dnsupdate. What the code actually does is to create 
> the keytab in the private dir and then copy it to the bind-dns dir, so 
> yes, you do end up with two keytabs.
>
> There is a bug report about this: 
> https://bugzilla.samba.org/show_bug.cgi?id=14535
>
> And here is my fix: 
> https://gitlab.com/samba-team/samba/-/merge_requests/1642
>
> Which unfortunately was rejected even though it works.
>
> Rowland
>
>
>
-- 
Dan Egli
 From my Test Server



