Packaged samba? You could say that. Gentoo downloads the source tarball,
adds some patches, then compiles and installs it. As for samba_upgradedns,
I'm not familiar with that and certainly didn't see it on the setup page
for BIND. But I ran it just now:

Reading domain information
DNS accounts already exist
No zone file /var/lib/samba/bind-dns/dns/HOME.EGLIFAMILY.NAME.zone
/usr/sbin/samba_upgradedns:338: DeprecationWarning: The 'warn' method is
deprecated, use 'warning' instead
  logger.warn("DNS records will be automatically created")
DNS records will be automatically created
DNS partitions already exist
Adding dns-pluto account
BIND version unknown, please modify /var/lib/samba/bind-dns/named.conf
manually.
See /var/lib/samba/bind-dns/named.conf for an example configuration
include file for BIND
and /var/lib/samba/bind-dns/named.txt for further documentation required
for secure DNS updates
Finished upgrading DNS
You have switched to using BIND9_DLZ as your dns backend, but still have
the internal dns starting. Please make sure you add '-dns' to your
server services line in your smb.conf.
I imagine that's because the script looks for up to bind 9.12, but the
latest is 9.16. So I manually edited my named.conf file:
# This DNS configuration is for BIND 9.8.0 or later with dlz_dlopen support.
#
# This file should be included in your main BIND configuration file
#
# For example with
# include "/var/lib/samba/bind-dns/named.conf";
#
# This configures dynamically loadable zones (DLZ) from AD schema
# Uncomment only single database line, depending on your BIND version
#
dlz "AD DNS Zone" {
    database "dlopen /usr/lib/samba/bind9/dlz_bind9_12.so";
};
Hope that's correct. After running the samba_dnsupgrade I have TWO
dns.keytab files:
locate dns.keytab
/var/lib/samba/bind-dns/dns.keytab
/var/lib/samba/private/dns.keytab
Which should I be looking at? Also, named is giving me headaches with
the samba_dlz stuff. Here's the error I get when I try to start named:
Dec 11 08:38:06 pluto named[9417]: samba_dlz: Failed to connect to
Failed to connect to /var/lib/samba/private/dns/sam.ldb: Unable to open
tdb '/var/lib/samba/private/dns/sam.ldb': Permission denied: Operations
error
Dec 11 08:38:06 pluto named[9417]: samba_dlz: FAILED dlz_create call
result=25 #refs=0
The directory /var/lib/samba/private/dns does exist, owned by
root:named and having permissions 770, so why can't named create the file?
Thanks!
On 12/11/2020 12:15 AM, Johannes Engel via samba wrote:
> Hi Dan,
>
> have you run
>
> samba_upgradedns --dns-backend=BIND9_DLZ
>
> already? That should create all necessary files. Or depending upon
> your Samba version, could you please check for
> /var/lib/samba/private/dns.keytab?
>
> May I assume that you are using a packaged build of Samba?
>
> Best regards
>
> Johannes
>
>
> On Fri, 11 Dec 2020 at 07:28, Dan Egli via samba <
> samba at lists.samba.org> wrote:
>
>> I was reading on the samba wiki about how to use bind9_dlz as the DNS
>> backend for an AD Domain, but in the setup instructions for bind given
>> in the wiki it says to be sure to include the line tkey-gssapi-keytab
>> "/var/lib/samba/bind-dns/dns.keytab"; in my named.conf file, in the
>> options section. That's great, except I don't HAVE a dns.keytab file
>> anywhere on the system. I've looked at the page carefully and nothing
>> says where the file comes from. Only that it's in the
>> /var/lib/samba/bind-dns directory, but on my system that directory is
>> empty. Is this something that bind is going to create or something? I'm
>> a bit lost. Any help is appreciated!
>>
>> In case anyone is wondering, I'm using bind because the system already
>> has bind on it to serve internet DNS requests. So rather than try to
>> figure out how to let samba maintain its own internal DNS cache and
>> still have the main one, I just figured I'd let bind handle the whole
>> thing.
>>
>> --
>> Dan Egli
>> From my Test Server
>>
--
Dan Egli
From my Test Server
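
Added example (not part of the thread and not Samba's own tooling): a shell check for the "Permission denied" situation described above, where the final directory is mode 770 but every parent directory must also grant search permission to the daemon's user. The function names and the account name "named" in the usage comment are assumptions; only classic mode bits are evaluated, not ACLs or SELinux/AppArmor policy.

```shell
#!/usr/bin/env bash
# Added diagnostic, not from the thread. Evaluates classic owner/group/other
# mode bits only; ACLs, SELinux/AppArmor and root's override are ignored.

# has_bits UID "GID ..." PATH NEED
# Succeeds if the permission class that applies to UID grants every NEED bit
# (4=r, 2=w, 1=x). Returns 2 if PATH cannot be stat'ed.
has_bits() {
    local uid="$1" gids="$2" path="$3" need="$4" st owner group perm bits g
    st=$(stat -L -c '%u %g %a' "$path") || return 2
    set -- $st
    owner=$1; group=$2; perm=$(( 0$3 & 0777 ))    # leading 0 = octal
    if [ "$uid" = "$owner" ]; then
        bits=$(( perm >> 6 ))
    else
        bits=$(( perm & 7 ))                       # "other" unless a group matches
        for g in $gids; do
            if [ "$g" = "$group" ]; then bits=$(( (perm >> 3) & 7 )); break; fi
        done
    fi
    [ $(( bits & need )) -eq "$need" ]
}

# first_blocked UID "GID ..." START REL
# Walks from START (assumed reachable) down REL and prints the first directory
# the identity cannot search (x bit). Prints nothing and returns 0 if all pass.
first_blocked() {
    local uid="$1" gids="$2" cur="${3%/}" rest="$4" part
    while [ -n "$rest" ]; do
        part=${rest%%/*}
        case $rest in */*) rest=${rest#*/} ;; *) rest= ;; esac
        [ -n "$part" ] || continue
        cur="$cur/$part"
        if [ -d "$cur" ] && ! has_bits "$uid" "$gids" "$cur" 1; then
            echo "$cur"
            return 1
        fi
    done
    return 0
}

# Usage on the host (the account name "named" is an assumption):
#   first_blocked "$(id -u named)" "$(id -G named)" / var/lib/samba/private/dns
```

A directory printed by first_blocked is where the lookup stops for that identity; an empty result means the mode bits along the path are not the obstacle.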