samba4 from BDC to PDC

[Gémes Géza]

2011-10-20 15:08 keltezéssel, Daniele Dario írta:
> On Thu, 2011-10-20 at 14:53 +0200, Gémes Géza wrote:
>> 2011-10-20 13:43 keltezéssel, Gémes Géza írta:
>>> 2011-10-20 09:22 keltezéssel, Daniele Dario írta:
>>>> Hi all,
>>>> in my simple network I have:
>>>> - MS SBS2003 server which is PDC and master DNS (allow zone transfer to
>>>> other DNSs of the zone)
>>>> - Ubuntu 10.04 32b server VM on XEN server with samba Version
>>>> 4.0.0alpha17-GIT-ccaab14 joined to the AD domain as DC plus dhcpd
>>>> configured for ddns updates (currently to the SBS DNS) plus BIND
>>>> 9.8.0-P4 configured as slave DNS for the local domain zones
>>>> - Ubuntu 10.04 32b server with samba Version 3.4.7 joined to the AD
>>>> domain which acts as file server (for the network shares)
>>>>
>>>> My goal is to remove the SBS server so as first step I'll disable zone
>>>> transfer from the MS DNS and change the zones in BIND to master to check
>>>> if samba4 DDNS and ISC DHCPD DDNS still works but as per the samba4
>>>> how-to I need to add the tkey-gssapi-keytab
>>>> "/usr/local/samba/private/dns.keytab"; statement in named.conf.
>>>>
>>>> If I run provision on samba4 (for a new domain) at the end of the
>>>> provision the dns.keytab file is created in the samba/private directory.
>>>> Running the domain join command instead of the provision the dns.keytab
>>>> file is not created so how am I supposed to proceed?
>>>>
>>>> Thanks in advance,
>>>> Daniele.
>>>>
>>>>
>>>>
>> Sorry, some typos corrected bellow:
>>> Hi,
>>>
>>> IMHO you should check if you have
>>> /usr/local/samba/modules/bind9/dlz_bind9.so, if not check if you can
>>> find libdlz_bind9.so in the source (where you have compiled samba4), if
>>> there is one copy it to the right place. Then edit (being on Ubuntu I
>>> suppose the standard Ubuntu path) /etc/bind/named.conf.local and add the
>>> following:
>>> dlz "AD DNS Zone" {
>>>     database "dlopen /usr/local/samba/modules/bind9/dlz_bind9.so";
>>> };
>> With samba-tool user add (or the windows tools) create a
>> dns-YOURLINUXHOSTNAMEWITHOUTYOURDOMAINPART
>>> account with password never expiring
>>> with samba-tool spn add (or ktpass on windows) associate the principal
>>> names "DNS/your-ubuntu-server.your.domain" and "DNS/your.domain"
>>> with samba-tool domain exportkeytab dump the keys to a keytab (with
>>> ktutil -k keytab list you can verify the keys in it if there is any
>>> unneeded you can also delete them).
>>> Set up the tkey-gssapi-keytab option.
>>> Comment out the slave zones in bind.
>>> After a bind restart it should be able to read the rr-s directly from
>>> samba4's ad.
>>>
>>> Good luck!
>>>
>>> Cheers
>>>
>>> Geza
> Hi Geza,
> about the samba-tool spn add command, do you mean
> # samba-tool spn add DNS/your-server.your.domain dns-hostname
> # samba-tool spn add DNS/your.domain dns-hostname
> so two associations?
>
> Daniele.
>
Yes

Geza