I have the keytab file, and it's pointed there. What line do I put in for the sam.ldb file? I can see where the good one and the bogus one were created. I'm perfectly content to copy the good one over the bogus one, but if there's a better option, I'd like to know about it. I have NO lines dealing with sam.ldb at all. The tkey-gssapi-keytab line already existed in my config, no worries there.

Once I do all of this, in theory I should be able to start named in association with samba, right? And then samba should be able to tell named when to update the zone files for the domain, right?

On 12/11/2020 12:47 PM, Rowland penny via samba wrote:
> On 11/12/2020 19:32, Dan Egli via samba wrote:
> > Since _I_ didn't point it anywhere, I can only wonder if it would be acceptable to copy the correctly created one to where samba is looking, since I don't know how to tell it to look in a separate location. I've checked the named.conf* files, and there's no line pointing to it at all, so it must be something internal to the code. If it's okay to simply copy the correct sam.ldb to where it's looking, then let me know, please? Or, if there's a better option I can use please tell me what it is.
>
> What you are proposing is actually what the code does, it copies the created keytab to the new location, ensures it belongs to the correct user & group with the correct permissions, on Debian this would be root:bind with 0770 permissions.
>
> You also need to add a line similar to this to 'options' in your named.conf files:
>
> tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
>
> Rowland

--
Dan Egli
From my Test Server
Andrew Bartlett
2020-Dec-11 20:39 UTC
[Samba] placing sam.ldb (was dns.keytab doesn't exist)
Please don't try and copy those files around. You will break the hard links and you will just suffer pain.

The default location comes from the smb.conf defaults, so it should already be set up in the right spot, assuming of course you are running the correct dlz plugin. Perhaps you are running an old one?

Andrew Bartlett

On Fri, 2020-12-11 at 13:02 -0700, Dan Egli via samba wrote:
> I have the keytab file, and it's pointed there. What line do I put in for the sam.ldb file? I can see where the good one and the bogus one were created. I'm perfectly content to copy the good one over the bogus one, but if there's a better option, I'd like to know about it. I have NO lines dealing with sam.ldb at all. The tkey-gssapi-keytab line already existed in my config, no worries there.
>
> Once I do all of this, in theory I should be able to start named in association with samba, right? And then samba should be able to tell named when to update the zone files for the domain, right?
>
> On 12/11/2020 12:47 PM, Rowland penny via samba wrote:
> > On 11/12/2020 19:32, Dan Egli via samba wrote:
> > > Since _I_ didn't point it anywhere, I can only wonder if it would be acceptable to copy the correctly created one to where samba is looking, since I don't know how to tell it to look in a separate location. I've checked the named.conf* files, and there's no line pointing to it at all, so it must be something internal to the code. If it's okay to simply copy the correct sam.ldb to where it's looking, then let me know, please? Or, if there's a better option I can use please tell me what it is.
> >
> > What you are proposing is actually what the code does, it copies the created keytab to the new location, ensures it belongs to the correct user & group with the correct permissions, on Debian this would be root:bind with 0770 permissions.
> >
> > You also need to add a line similar to this to 'options' in your named.conf files:
> >
> > tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
> >
> > Rowland
>
> --
> Dan Egli
> From my Test Server

--
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Developer, Catalyst IT   https://catalyst.net.nz/services/samba
Rowland penny
2020-Dec-11 20:45 UTC
[Samba] placing sam.ldb (was dns.keytab doesn't exist)
On 11/12/2020 20:02, Dan Egli wrote:
> I have the keytab file, and it's pointed there. What line do I put in for the sam.ldb file?

Nothing, it should be created for you. On my DC /var/lib/samba/bind-dns contains this:

dns  dns.keytab  named.conf  named.conf.update  named.txt

The 'dns' dir contains:

sam.ldb  sam.ldb.d

The 'sam.ldb.d' dir contains:

'CN=CONFIGURATION,DC=SAMDOM,DC=EXAMPLE,DC=COM.ldb'
'CN=SCHEMA,CN=CONFIGURATION,DC=SAMDOM,DC=EXAMPLE,DC=COM.ldb'
'DC=DOMAINDNSZONES,DC=SAMDOM,DC=EXAMPLE,DC=COM.ldb'
'DC=FORESTDNSZONES,DC=SAMDOM,DC=EXAMPLE,DC=COM.ldb'
'DC=SAMDOM,DC=EXAMPLE,DC=COM.ldb'
metadata.tdb

> I can see where the good one and the bogus one were created. I'm perfectly content to copy the good one over the bogus one, but if there's a better option, I'd like to know about it. I have NO lines dealing with sam.ldb at all. The tkey-gssapi-keytab line already existed in my config, no worries there.

Yes, but was it the correct line? I only ask because everything used to be in the private dir.

> Once I do all of this, in theory I should be able to start named in association with samba, right?

Once everything is correct, then yes.

> And then samba should be able to tell named when to update the zone files for the domain, right?

Something along those lines.

Rowland
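The layout Rowland lists above, plus the keytab permissions and the tkey-gssapi-keytab line from earlier in the thread, can be checked before starting named rather than discovered by named failing. The script below is an added example written for this page; it is not from the thread, from Samba, or from BIND. It only reads the filesystem, so it is safe to run on a DC. The bind-dns directory defaults to the /var/lib/samba/bind-dns path the thread uses; the /etc/bind/named.conf.options default and the expectation that the keytab file itself is not readable by "other" are assumptions of the example, and the throwaway layout it builds for its own demo is constructed placeholder data, not a real keytab or database.

```shell
#!/bin/sh
# Added example (not from the thread or the Samba project): a read-only
# sanity check of the BIND9_DLZ layout described in the thread. It verifies
# that the bind-dns directory holds dns.keytab, named.conf, named.conf.update
# and dns/sam.ldb (with its sam.ldb.d partition directory), that the keytab
# is not accessible by "other", and that the named options file references
# that exact keytab path with a tkey-gssapi-keytab line.

check_bind_dns_layout() {
    dir=${1:-/var/lib/samba/bind-dns}          # path from the thread
    conf=${2:-/etc/bind/named.conf.options}    # assumption: Debian's options file
    rc=0

    # Files and directories the thread lists for a working DC.
    for f in dns.keytab named.conf named.conf.update dns/sam.ldb dns/sam.ldb.d; do
        if [ ! -e "$dir/$f" ]; then
            echo "MISSING: $dir/$f"
            rc=1
        fi
    done

    # The keytab holds the credentials named uses for GSS-TSIG updates, so
    # the "other" permission digit must be 0 (the thread gives root:bind
    # 0770 for the directory; 0660 or tighter on the file is the assumption).
    if [ -e "$dir/dns.keytab" ]; then
        mode=$(stat -c %a "$dir/dns.keytab" 2>/dev/null \
            || stat -f %Lp "$dir/dns.keytab" 2>/dev/null \
            || echo unknown)
        case "$mode" in
            *[1-7]) echo "WARN: $dir/dns.keytab is world-accessible (mode $mode)"; rc=1 ;;
        esac
    fi

    # Match the full expected path: a line still pointing at the old
    # private-dir keytab would pass a naive "the option exists" test.
    if ! grep -qF "tkey-gssapi-keytab \"$dir/dns.keytab\"" "$conf" 2>/dev/null; then
        echo "MISSING: tkey-gssapi-keytab \"$dir/dns.keytab\"; in $conf"
        rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: $dir layout looks consistent"
    return "$rc"
}

make_constructed_layout() {
    # Build a throwaway copy of the layout in a temp dir so the check can
    # run offline. Every file is constructed placeholder data.
    tmp=$(mktemp -d)
    mkdir -p "$tmp/bind-dns/dns/sam.ldb.d"
    : > "$tmp/bind-dns/dns/sam.ldb"
    : > "$tmp/bind-dns/named.conf"
    : > "$tmp/bind-dns/named.conf.update"
    printf 'constructed keytab placeholder\n' > "$tmp/bind-dns/dns.keytab"
    chmod 660 "$tmp/bind-dns/dns.keytab"
    printf 'options {\n\ttkey-gssapi-keytab "%s/bind-dns/dns.keytab";\n};\n' \
        "$tmp" > "$tmp/named.conf.options"
    echo "$tmp"
}

demo_constructed_run() {
    # Stand-alone demo: a good layout passes, then a world-readable keytab
    # and an options file pointing at the old private dir each fail.
    t=$(make_constructed_layout)
    check_bind_dns_layout "$t/bind-dns" "$t/named.conf.options"
    chmod 664 "$t/bind-dns/dns.keytab"
    check_bind_dns_layout "$t/bind-dns" "$t/named.conf.options"
    printf 'options {\n\ttkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";\n};\n' \
        > "$t/named.conf.options"
    check_bind_dns_layout "$t/bind-dns" "$t/named.conf.options"
    rm -rf "$t"
}

demo_constructed_run
```

On a real DC, source the file and run `check_bind_dns_layout` with no arguments (or pass the bind-dns directory and the named options file your distribution uses) as root, since the bind-dns directory is not readable by ordinary users. The permission test deliberately looks at the file's own mode rather than trusting the 0770 directory, and the grep matches the full path so that a stale line from the days when everything lived in the private dir is reported as missing rather than accepted.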