Andreas Oster
2012-Jan-14 11:12 UTC
[Samba] Question regarding creation of dns.keytab for joined Samba4 server
Hello all,

I have migrated an old Win2k Active Directory to a Samba4-only domain. Because the provision step has not been used, I now do not have the dns.keytab file for secure dynamic DNS updates with bind9. I have found a useful link here:

http://us.generation-nt.com/answer/samba-dns-keytab-samba4-bind9-help-203936221.html

but I am not sure if this is the right way to manually create the missing AD entries and the dns.keytab file.

One thing I am worried about is that I do have two Samba servers. What does the ldif file need to look like to allow both servers to update DNS entries?

dn: CN=dns-smbserver,CN=Users,DC=example,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
description: DNS Service Account for smbserver
userAccountControl: 512
accountExpires: 9223372036854775807
sAMAccountName: dns-smbserver
servicePrincipalName: DNS/smbserver1.example.com ????
servicePrincipalName: DNS/smbserver2.example.com ????
servicePrincipalName: DNS/example.com
clearTextPassword:: base64encodedpassword

What should the named.conf entry look like?

tkey-gssapi-credential "DNS/smbserver1.example.com";
tkey-domain "EXAMPLE.COM";

but what about smbserver2?

Thank you for your kind help

best regards

Andreas
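An added consistency check, not part of this thread and not Samba or BIND code: it parses the service-account LDIF and the tkey directives from the question and reports whether the credential named will present is actually an SPN of the account, whether tkey-domain matches the domain of the entry, and which SPNs this named.conf never uses. The LDIF, hostnames and the base64 placeholder standing in for the password are constructed sample data.

```python
import base64
import re

# Constructed sample: the question's entry and named.conf lines with placeholder
# hosts and a base64 placeholder ("CONSTRUCTED-PLACEHOLDER") where the password would go.
SAMPLE_LDIF = """dn: CN=dns-smbserver,CN=Users,DC=example,DC=com
objectClass: user
sAMAccountName: dns-smbserver
servicePrincipalName: DNS/smbserver1.example.com
servicePrincipalName: DNS/smbserver2.example.com
servicePrincipalName: DNS/example.com
clearTextPassword:: Q09OU1RSVUNURUQtUExBQ0VIT0xERVI=
"""
SAMPLE_NAMED_CONF = 'tkey-gssapi-credential "DNS/smbserver1.example.com";\ntkey-domain "EXAMPLE.COM";\n'


def parse_ldif(text):
    """Parse a single-entry LDIF into {attr: [values]}; '::' marks a base64 value."""
    entry = {}
    for line in filter(None, text.splitlines()):
        m = re.match(r"^([A-Za-z][\w;.-]*)(::?) ?(.*)$", line)
        if not m:
            raise ValueError("malformed LDIF line: %r" % line)
        attr, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8")
        entry.setdefault(attr.lower(), []).append(value)
    return entry


def parse_named_tkey(text):
    """Return (tkey-gssapi-credential, tkey-domain) from a named.conf fragment, None if absent."""
    cred = re.search(r'tkey-gssapi-credential\s+"([^"]+)"\s*;', text)
    dom = re.search(r'tkey-domain\s+"([^"]+)"\s*;', text)
    return (cred.group(1) if cred else None, dom.group(1) if dom else None)


def check_dns_update_config(ldif_text, named_text):
    """Cross-check the account entry against the tkey directives named will use."""
    entry = parse_ldif(ldif_text)
    spns = entry.get("serviceprincipalname", [])
    cred, domain = parse_named_tkey(named_text)
    if cred is None or domain is None:
        return {"errors": ["named.conf lacks tkey-gssapi-credential or tkey-domain"], "unused_spns": spns}
    errors = []
    if cred not in spns:
        errors.append("credential %s is not an SPN of %s" % (cred, entry["samaccountname"][0]))
    # tkey-domain is the Kerberos realm; the entry's DC= components give the domain
    dcs = [p.split("=", 1)[1] for p in entry["dn"][0].split(",") if p.strip().upper().startswith("DC=")]
    if domain.upper() != ".".join(dcs).upper():
        errors.append("tkey-domain %s does not match domain %s" % (domain, ".".join(dcs).upper()))
    return {"errors": errors, "unused_spns": [s for s in spns if s != cred]}
```

Run against the sample, the second server's SPN shows up under unused_spns, which is exactly the gap the question is about: a named.conf that names only smbserver1's principal never presents smbserver2's.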
Andreas Oster
2012-Jan-14 14:57 UTC
[Samba] Question regarding creation of dns.keytab for joined Samba4 server
Andreas Oster <aoster <at> novanetwork.de> writes:

> Hello all,
>
> I have migrated an old Win2k Active Directory to a Samba4-only domain. Because the provision step has not been used, I now do not have the dns.keytab file for secure dynamic DNS updates with bind9. I have found a useful link here:
>
> http://us.generation-nt.com/answer/samba-dns-keytab-samba4-bind9-help-203936221.html
>
> but I am not sure if this is the right way to manually create the missing AD entries and the dns.keytab file.
>
> One thing I am worried about is that I do have two Samba servers. What does the ldif file need to look like to allow both servers to update DNS entries?
>
> dn: CN=dns-smbserver,CN=Users,DC=example,DC=com
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> description: DNS Service Account for smbserver
> userAccountControl: 512
> accountExpires: 9223372036854775807
> sAMAccountName: dns-smbserver
> servicePrincipalName: DNS/smbserver1.example.com ????
> servicePrincipalName: DNS/smbserver2.example.com ????
> servicePrincipalName: DNS/example.com
> clearTextPassword:: base64encodedpassword
>
> What should the named.conf entry look like?
>
> tkey-gssapi-credential "DNS/smbserver1.example.com";
> tkey-domain "EXAMPLE.COM";
>
> but what about smbserver2?
>
> Thank you for your kind help
>
> best regards
>
> Andreas

Hello all,

I have found some information in a previous post by Andrew Bartlett. There he pointed out that only one Samba server can send DNS updates to bind9. But what happens if the first server is not functional?

best regards

Andreas