On 04/03/14 11:10, L.P.H. van Belle wrote:
> Hai,
>
> I'm working on my DHCP server + DNS setup with Samba4.
>
> I've exported the keytabs:
>
> samba-tool domain exportkeytab /home/krb5.keytab.samba4
>
> When I read the contents of this keytab:
>
> ktutil
> rkt /home/krb5.keytab.samba4
> list
>
> 1 1 RTD-DC1$@INTERNAL.DOMAIN.TLD
> 2 1 RTD-DC1$@INTERNAL.DOMAIN.TLD
> 3 1 RTD-DC1$@INTERNAL.DOMAIN.TLD
> 4 1 Administrator@INTERNAL.DOMAIN.TLD
> 5 1 Administrator@INTERNAL.DOMAIN.TLD
> 6 1 Administrator@INTERNAL.DOMAIN.TLD
> 7 1 dns-RTD-DC1@INTERNAL.DOMAIN.TLD
> 8 1 dns-RTD-DC1@INTERNAL.DOMAIN.TLD
> 9 1 dns-RTD-DC1@INTERNAL.DOMAIN.TLD
> 10 1 krbtgt@INTERNAL.DOMAIN.TLD
> 11 1 krbtgt@INTERNAL.DOMAIN.TLD
> 12 1 krbtgt@INTERNAL.DOMAIN.TLD
>
>
> and I look at the keytab Samba generated:
> ktutil
> rkt /var/lib/samba/private/secrets.keytab
> list
> 1 1 HOST/rtd-dc1@INTERNAL.DOMAIN.TLD
> 2 1 HOST/rtd-dc1.INTERNAL.DOMAIN.TLD@INTERNAL.DOMAIN.TLD
> 3 1 RTD-DC1$@INTERNAL.DOMAIN.TLD
> 4 1 HOST/rtd-dc1@INTERNAL.DOMAIN.TLD
> 5 1 HOST/rtd-dc1.INTERNAL.DOMAIN.TLD@INTERNAL.DOMAIN.TLD
> 6 1 RTD-DC1$@INTERNAL.DOMAIN.TLD
> 7 1 HOST/rtd-dc1@INTERNAL.DOMAIN.TLD
> 8 1 HOST/rtd-dc1.INTERNAL.DOMAIN.TLD@INTERNAL.DOMAIN.TLD
> 9 1 RTD-DC1$@INTERNAL.DOMAIN.TLD
> 10 1 HOST/rtd-dc1@INTERNAL.DOMAIN.TLD
> 11 1 HOST/rtd-dc1.INTERNAL.DOMAIN.TLD@INTERNAL.DOMAIN.TLD
> 12 1 RTD-DC1$@INTERNAL.DOMAIN.TLD
> 13 1 HOST/rtd-dc1@INTERNAL.DOMAIN.TLD
> 14 1 HOST/rtd-dc1.INTERNAL.DOMAIN.TLD@INTERNAL.DOMAIN.TLD
> 15 1 RTD-DC1$@INTERNAL.DOMAIN.TLD
>
>
> In krb5.conf I need to define the default keytab name:
>
> default_keytab_name = FILE:/etc/krb5.keytab
>
> But now the question: which keytab should I use?
> I know I have to configure our DNS server to support dynamic DNS updates in
> the clear (insecure) by using the allow-update directive.
>
> I've seen the update policy:
>
> cat /var/lib/samba/private/named.conf.update
> /* this file is auto-generated - do not edit */
> update-policy {
> grant INTERNAL.DOMAIN.TLD ms-self * A AAAA;
> grant Administrator@INTERNAL.DOMAIN.TLD wildcard * A AAAA SRV CNAME;
> grant RTD-DC1$@INTERNAL.DOMAIN.TLD wildcard * A AAAA SRV CNAME;
> };
>
>
> But I was thinking I needed the user dns-RTD-DC1@INTERNAL.DOMAIN.TLD;
> this is the "logical" one to pick.
>
> So, what's advised, and what do you use?
>
>
> This part is not clear to me.
>
> Best regards,
>
> Louis
>
>
>
Hi Louis, I would suggest starting here:
http://blog.michael.kuron-germany.de/2011/02/isc-dhcpd-dynamic-dns-updates-against-secure-microsoft-dns/
and after reading this, if you are still confused, email me off-list and
I will try to help you; I have been running Samba4, BIND9 and DHCP for
over 12 months.

Rowland
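As an added example (not code from this thread, nor from the blog post Rowland links), here is the kind of hook script that approach ends up with: ISC dhcpd calls it on lease commit/release, the script obtains a ticket from a keytab exported for a dedicated low-privilege AD account, and pushes the record change with nsupdate -g (GSS-TSIG), so the zone never has to accept updates in the clear via allow-update. The account name dhcpduser, the keytab path, the ccache path, the forward zone internal.domain.tld and the DC name rtd-dc1.internal.domain.tld are assumptions; the account must be given update rights on the forward and reverse zones in AD (named.conf.update is auto-generated and not the place to grant them). The dhcpd.conf fragment in the header comment is likewise illustrative.

```shell
#!/bin/sh
# dhcp-dyndns.sh: GSS-TSIG dynamic DNS update hook for ISC dhcpd against a
# Samba AD DC running BIND9 with the DLZ module.
# Added example; all names below are assumptions. It expects a dedicated AD
# account whose keytab was exported with
#   samba-tool domain exportkeytab --principal=dhcpduser@INTERNAL.DOMAIN.TLD /etc/dhcpduser.keytab
# and which has been given update rights on both zones in AD.
#
# dhcpd.conf hook (illustrative):
#   on commit {
#       set clip = binary-to-ascii(10, 8, ".", leased-address);
#       set clhost = pick-first-value(option host-name, config-option host-name);
#       execute("/usr/local/sbin/dhcp-dyndns.sh", "add", clip, clhost);
#   }
#   on release { ... execute("/usr/local/sbin/dhcp-dyndns.sh", "delete", clip, clhost); }

DNS_SERVER="rtd-dc1.internal.domain.tld"   # the DC that runs BIND9 (assumed)
REALM="INTERNAL.DOMAIN.TLD"
FWD_ZONE="internal.domain.tld"             # assumed forward zone
PRINCIPAL="dhcpduser@INTERNAL.DOMAIN.TLD"  # dedicated account, not Administrator or RTD-DC1$
KEYTAB="/etc/dhcpduser.keytab"
TTL=3600
export KRB5CCNAME="/run/dhcp-dyndns.cc"    # private ccache, not root's default

# The client's host-name option is attacker-controlled. Keep only the first
# label, lower-case it, and refuse anything outside [a-z0-9-] so a crafted
# name cannot smuggle extra commands into the nsupdate stream built below.
sanitize_host() {
    h="$(printf '%s' "$1" | cut -d. -f1 | tr 'A-Z' 'a-z')"
    case "$h" in
        ""|*[!a-z0-9-]*) return 1 ;;
    esac
    printf '%s\n' "$h"
}

# 10.0.1.23 -> 23.1.0.10.in-addr.arpa
reverse_name() {
    printf '%s\n' "$1" | awk -F. '{ printf "%s.%s.%s.%s.in-addr.arpa\n", $4, $3, $2, $1 }'
}

# Emit the nsupdate script for one lease. Forward and reverse records are in
# different zones, so each block ends with its own "send"; a delete precedes
# every add so a re-leased address does not accumulate stale records.
build_nsupdate_input() {
    action="$1"; fqdn="$2"; ip="$3"
    ptr="$(reverse_name "$ip")"
    printf 'server %s\nrealm %s\n' "$DNS_SERVER" "$REALM"
    printf 'update delete %s. A\n' "$fqdn"
    if [ "$action" = "add" ]; then
        printf 'update add %s. %s A %s\n' "$fqdn" "$TTL" "$ip"
    fi
    printf 'send\n'
    printf 'update delete %s. PTR\n' "$ptr"
    if [ "$action" = "add" ]; then
        printf 'update add %s. %s PTR %s.\n' "$ptr" "$TTL" "$fqdn"
    fi
    printf 'send\n'
}

# Get a TGT from the keytab (MIT kinit syntax) and push the update with
# GSS-TSIG; nsupdate -g signs the request with that ticket.
dyndns_update() {
    action="$1"; ip="$2"
    host="$(sanitize_host "$3")" || { echo "rejecting hostname '$3' for $ip" >&2; return 1; }
    fqdn="$host.$FWD_ZONE"
    kinit -k -t "$KEYTAB" "$PRINCIPAL" || return 1
    build_nsupdate_input "$action" "$fqdn" "$ip" | nsupdate -g
}

# dhcpd passes: add|delete <ip> <host-name>
if [ $# -eq 3 ]; then
    dyndns_update "$@"
fi
```

Two design points: the principal is a purpose-made account with nothing but DNS update rights, so a compromise of the DHCP host does not hand over Administrator or the DC's machine-account key that the exported keytab above also contains; and the host-name the client sends is validated before it is interpolated into nsupdate's command stream, because that stream is parsed line by line and an unchecked name could inject its own update lines.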