I ran the samba_upgradedns and it created TWO dns.keytab files. You
said it won't create one in /var/lib/samba/bind-dns directory, but it
did. At least, SOMETHING put a file there. Still, if you say it
shouldn't be there, then perhaps I should rm it and point my bind config
to the other.
On 12/11/2020 1:58 AM, Rowland penny via samba wrote:
> On 11/12/2020 08:33, Dan Egli via samba wrote:
>> Packaged samba? You could say that. Gentoo downloads the source
>> tarball, adds some patches, then compiles and installs it. As for
>> samba_upgradedns I'm not familiar with that and certainly didn't see
>> it on the setup page for BIND. But I ran it just now:
>>
>> Reading domain information
>> DNS accounts already exist
>> No zone file /var/lib/samba/bind-dns/dns/HOME.EGLIFAMILY.NAME.zone
>> /usr/sbin/samba_upgradedns:338: DeprecationWarning: The 'warn' method
>> is deprecated, use 'warning' instead
>>   logger.warn("DNS records will be automatically created")
>> DNS records will be automatically created
>> DNS partitions already exist
>> Adding dns-pluto account
>> BIND version unknown, please modify
>> /var/lib/samba/bind-dns/named.conf manually.
>> See /var/lib/samba/bind-dns/named.conf for an example configuration
>> include file for BIND
>> and /var/lib/samba/bind-dns/named.txt for further documentation
>> required for secure DNS updates
>> Finished upgrading DNS
>> You have switched to using BIND9_DLZ as your dns backend, but still
>> have the internal dns starting. Please make sure you add '-dns' to
>> your server services line in your smb.conf.
>>
>> I imagine that's because the script looks for up to bind 9.12, but
>> the latest is 9.16. So I manually edited my named.conf file:
>> # This DNS configuration is for BIND 9.8.0 or later with dlz_dlopen
>> support.
>> #
>> # This file should be included in your main BIND configuration file
>> #
>> # For example with
>> # include "/var/lib/samba/bind-dns/named.conf";
>>
>> #
>> # This configures dynamically loadable zones (DLZ) from AD schema
>> # Uncomment only single database line, depending on your BIND version
>> #
>> dlz "AD DNS Zone" {
>>     database "dlopen /usr/lib/samba/bind9/dlz_bind9_12.so";
>> };
>>
>> Hope that's correct. After running the samba_upgradedns I have TWO
>> dns.keytab files:
>> locate dns.keytab
>> /var/lib/samba/bind-dns/dns.keytab
>> /var/lib/samba/private/dns.keytab
>>
>> Which should I be looking at? Also, named is giving me headaches with
>> the samba_dlz stuff. Here's the error I get when I try to start named:
>>
>> Dec 11 08:38:06 pluto named[9417]: samba_dlz: Failed to connect to
>> Failed to connect to /var/lib/samba/private/dns/sam.ldb: Unable to
>> open tdb '/var/lib/samba/private/dns/sam.ldb': Permission denied:
>> Operations error
>> Dec 11 08:38:06 pluto named[9417]: samba_dlz: FAILED dlz_create call
>> result=25 #refs=0
>>
>> the directory /var/lib/samba/private/dns does exist, owned by
>> root:named and having permissions 770, so why can't named create the
>> file?
>>
>>
>> Thanks!
>>
>> On 12/11/2020 12:15 AM, Johannes Engel via samba wrote:
>>
>>> Hi Dan,
>>>
>>> have you run
>>>
>>> samba_upgradedns --dns-backend=BIND9_DLZ
>>>
>>> already? That should create all necessary files. Or depending upon
>>> your Samba version, could you please check for
>>> /var/lib/samba/private/dns.keytab?
>>>
>>> May I assume that you are using a packaged build of Samba?
>>>
>>> Best regards
>>>
>>> Johannes
>>>
>>>
>>> On Fri, 11 Dec 2020 at 07:28, Dan Egli via samba <
>>> samba at lists.samba.org> wrote:
>>>
>>>> I was reading on the samba wiki about how to use bind9_dlz as the DNS
>>>> backend for an AD Domain, but in the setup instructions for bind given
>>>> in the wiki it says to be sure to include the line
>>>> tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab"; in my
>>>> named.conf file, in the options section. That's great, except I don't
>>>> HAVE a dns.keytab file anywhere on the system. I've looked at the page
>>>> carefully and nothing says where the file comes from. Only that it's
>>>> in the /var/lib/samba/bind-dns directory, but on my system that
>>>> directory is empty. Is this something that bind is going to create or
>>>> something? I'm a bit lost. Any help is appreciated!
>>>>
>>>> In case anyone is wondering, I'm using bind because the system already
>>>> has bind on it to serve internet DNS requests. So rather than try to
>>>> figure out how to let samba maintain its own internal DNS cache and
>>>> still have the main one, I just figured I'd let bind handle the whole
>>>> thing.
>>>>
>>>> --
>>>> Dan Egli
>>>> From my Test Server
>>>>
>>>>
>>>> --
>>>> To unsubscribe from this list go to the following URL and read the
>>>> instructions: https://lists.samba.org/mailman/options/samba
>>>>
> It doesn't matter how you install Samba, when you join a DC you will
> never get the keytab in the bind-dns dir, the code doesn't exist to
> create it. The keytab should be created under three circumstances:
> when you provision a DC with '--dns-backend=BIND9_DLZ', when you run
> 'samba_dnsupdate' and when you join a DC with
> '--dns-backend=BIND9_DLZ'. The first two work because the code exists
> (the same code twice), but the required code isn't there when you join
> a new DC.
>
> Rowland
>
>
>
--
Dan Egli
From my Test Server
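The "Permission denied" on sam.ldb in the thread is the kind of failure that is quicker to diagnose from the named account's point of view than by reading modes off one directory. The POSIX shell script below is an added diagnostic, not code from the thread or from the Samba project: run it as the user named drops privileges to (for example `sudo -u named sh dlz_check.sh`) and it reports, for the three files the named.conf fragment and the error message above refer to, whether that user can search every parent directory and open the file. The default paths are the ones quoted in the thread; the requirement that sam.ldb be writable (because the DLZ module applies dynamic DNS updates through it) is my assumption, and any path can be overridden by argument. Note that a 770 root:named leaf directory says nothing about the search (x) bit on its parents, which is what the traversal check covers.

```shell
#!/bin/sh
# Added diagnostic for the BIND9_DLZ setup discussed in the thread above.
# Not code from the thread or from the Samba project.
# Usage (as the account named runs as):
#     sudo -u named sh dlz_check.sh [keytab] [dlz-module] [sam.ldb]
# Default paths are the ones quoted in the thread.

# Report every parent directory of $1 that the current user cannot search.
# A "Permission denied" on a file is caused just as often by a parent
# directory lacking the x bit as by the file's own mode.
check_path_traversal() {
    dir=$(dirname "$1")
    rc=0
    while [ "$dir" != "/" ] && [ "$dir" != "." ]; do
        if [ ! -x "$dir" ]; then
            echo "NOT SEARCHABLE by $(id -un): $dir"
            rc=1
        fi
        dir=$(dirname "$dir")
    done
    return $rc
}

# Check that $1 exists and is readable; with $2 = rw, also writable.
# Returns 0 when usable, 1 on an access problem, 2 when the file is missing.
check_file_access() {
    f=$1
    mode=${2:-r}
    if [ ! -e "$f" ]; then
        echo "MISSING: $f"
        return 2
    fi
    if [ ! -r "$f" ]; then
        echo "NOT READABLE by $(id -un): $f"
        return 1
    fi
    if [ "$mode" = rw ] && [ ! -w "$f" ]; then
        echo "NOT WRITABLE by $(id -un): $f"
        return 1
    fi
    return 0
}

# The three things named touches when the dlz "AD DNS Zone" block loads:
# the GSS-TSIG keytab from tkey-gssapi-keytab, the dlz_bind9 module, and
# the DNS partition database. Assumption (mine): the database must be
# writable because dynamic DNS updates are written through the module.
check_dlz_prereqs() {
    keytab=${1:-/var/lib/samba/bind-dns/dns.keytab}
    module=${2:-/usr/lib/samba/bind9/dlz_bind9_12.so}
    samdb=${3:-/var/lib/samba/private/dns/sam.ldb}
    status=0
    check_path_traversal "$keytab" || status=1
    check_file_access "$keytab" r || status=1
    check_file_access "$module" r || status=1
    check_path_traversal "$samdb" || status=1
    check_file_access "$samdb" rw || status=1
    if [ "$status" -eq 0 ]; then
        echo "OK: $(id -un) can reach and open all DLZ prerequisites"
    fi
    return $status
}

# Run the checks only when invoked as dlz_check.sh, so the functions can
# also be sourced from another script without side effects.
case "$0" in
    *dlz_check.sh) check_dlz_prereqs "$@" ;;
esac
```

Because the tests use the shell's own `-r`/`-w`/`-x` operators, the answers are only meaningful when the script runs as the same user (and supplementary groups) that named uses after it drops root; run as root everything will appear accessible.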