samba - Dec 2020 - dns.keytab doesn't exist

?I ran the samba_dnsupgrade and it created TWO dns.keytab files. You 
said it won't create one in /var/lib/samba/bind-dns directory, but it 
did. At least, SOMETHING put a file there. Still, if you say it 
shouldn't be there, then perhaps I should rm it and point my bind config 
to the other.


On 12/11/2020 1:58 AM, Rowland penny via samba wrote:
> On 11/12/2020 08:33, Dan Egli via samba wrote:
>> Packaged samba? You could say that. Gentoo downloads the source 
>> tarball, add some patches, then compiles and installs it. As for 
>> samba_upgradedns I'm not familiar with that and certainly
didn't see
>> it on the setup page for BIND. But I ran it just now:
>>
>> Reading domain information
>> DNS accounts already exist
>> No zone file /var/lib/samba/bind-dns/dns/HOME.EGLIFAMILY.NAME.zone
>> /usr/sbin/samba_upgradedns:338: DeprecationWarning: The 'warn'
method
>> is deprecated, use 'warning' instead
>> ? logger.warn("DNS records will be automatically created")
>> DNS records will be automatically created
>> DNS partitions already exist
>> Adding dns-pluto account
>> BIND version unknown, please modify 
>> /var/lib/samba/bind-dns/named.conf manually.
>> See /var/lib/samba/bind-dns/named.conf for an example configuration 
>> include file for BIND
>> and /var/lib/samba/bind-dns/named.txt for further documentation 
>> required for secure DNS updates
>> Finished upgrading DNS
>> You have switched to using BIND9_DLZ as your dns backend, but still 
>> have the internal dns starting. Please make sure you add '-dns'
to
>> your server services line in your smb.conf.
>>
>> I imagine that's because the script looks for up to bind 9.12, but 
>> the latest is 9.16. So I manually edited my named.conf file:
>> # This DNS configuration is for BIND 9.8.0 or later with dlz_dlopen 
>> support.
>> #
>> # This file should be included in your main BIND configuration file
>> #
>> # For example with
>> # include "/var/lib/samba/bind-dns/named.conf";
>>
>> #
>> # This configures dynamically loadable zones (DLZ) from AD schema
>> # Uncomment only single database line, depending on your BIND version
>> #
>> dlz "AD DNS Zone" {
>> ??? database "dlopen /usr/lib/samba/bind9/dlz_bind9_12.so";
>> };
>>
>> Hope that's correct. After running the samba_dnsupgrade I have TWO 
>> dns.keytab files:
>> locate dns.keytab
>> /var/lib/samba/bind-dns/dns.keytab
>> /var/lib/samba/private/dns.keytab
>>
>> Which should I be looking at? Also, named is giving me headaches with 
>> the samba_dlz stuff. Here's the error I get when I try to start
named:
>>
>> Dec 11 08:38:06 pluto named[9417]: samba_dlz: Failed to connect to 
>> Failed to connect to /var/lib/samba/private/dns/sam.ldb: Unable to 
>> open tdb '/var/lib/samba/private/dns/sam.ldb': Permission
denied:
>> Operations error
>> Dec 11 08:38:06 pluto named[9417]: samba_dlz: FAILED dlz_create call 
>> result=25 #refs=0
>>
>> the directory /var/lib /samba/private/dns does exist, owned by 
>> root:named and having permissions 770, so why can't named create
the
>> file?
>>
>>
>> Thanks!
>>
>> On 12/11/2020 12:15 AM, Johannes Engel via samba wrote:
>>
>>> Hi Dan,
>>>
>>> have you run
>>>
>>> samba_upgradedns --dns-backend=BIND9_DLZ
>>>
>>> already? That should create all necessary files. Or depending upon
>>> your Samba version, could you please check for
>>> /var/lib/samba/private/dns.keytab?
>>>
>>> May I assume that you are using a packaged build of Samba?
>>>
>>> Best regards
>>>
>>> Johannes
>>>
>>>
>>> Am Fr., 11. Dez. 2020 um 07:28 Uhr schrieb Dan Egli via samba <
>>> samba at lists.samba.org>:
>>>
>>>> I was reading on the samba wiki about how to use bind9_dlz as
the DNS
>>>> backend for an AD Domain, but in the setup instructions for
bind given
>>>> in the wiki it says to be sure to include the line
tkey-gssapi-keytab
>>>> "/var/lib/samba/bind-dns/dns.keytab"; in my
named.conf file, in the
>>>> options section. That's great, except I don't HAVE a
dns.keytab file
>>>> anywhere on the system. I've looked at the page carefully
and nothing
>>>> says where the file comes from. Only that it's in the
>>>> /var/lib/samba/bind-dns directory, but on my system that
directory is
>>>> empty. Is this something that bind is going to create or
something?
>>>> I'm
>>>> a bit lost. Any help is appreciated!
>>>>
>>>> In case anyone is wondering, I'm using bind because the
system already
>>>> has bind on it to serve internet DNS requests. So rather than
try to
>>>> figure out how to let samba maintain it's own internal DNS
cache and
>>>> still have the main one, I just figured I'd let bind handle
the whole
>>>> thing.
>>>>
>>>> -- 
>>>> Dan Egli
>>>> ? From my Test Server
>>>>
>>>>
>>>> -- 
>>>> To unsubscribe from this list go to the following URL and read
the
>>>> instructions:? https://lists.samba.org/mailman/options/samba
>>>>
> It doesn't matter how you install Samba, when you join a DC you will 
> never get the keytab in the bind-dns dir, the code doesn't exist to 
> create it. The keytab should be created under three circumstances, 
> when you provision a DC with ' --dns-backend=BIND9_DLZ', When you
run
> 'samba_dnsupdate' and when you join a DC with 
> '--dns-backend=BIND9_DLZ'. The first two work because the code
exists
> (the same code twice), but the required code isn't there when you join 
> a new DC.
>
> Rowland
>
>
>
-- 
Dan Egli
 From my Test Server

We are very sorry.  There are three codepaths, which should all use the
same code block.  Rowland even had a go at unifying them.  

Sadly the patch hasn't made it in yet, Rowland fixed the issue
perfectly well from the 'do the right thing' standpoint, but we really
need to combine the code as well (not have duplciate code) and that is
a little more involved.

The issue is that a provision and samba_upgradedns will create the
files in bind-dns, but the join was never correctly coded when the
bind-dns directory was set up.

Andrew Bartlett

On Fri, 2020-12-11 at 02:26 -0700, Dan Egli via samba
wrote:
>   I ran the samba_dnsupgrade and it created TWO dns.keytab files.
> You 
> said it won't create one in /var/lib/samba/bind-dns directory, but
> it 
> did. At least, SOMETHING put a file there. Still, if you say it 
> shouldn't be there, then perhaps I should rm it and point my bind
> config 
> to the other.
> 
> 
> On 12/11/2020 1:58 AM, Rowland penny via samba wrote:
> > On 11/12/2020 08:33, Dan Egli via samba wrote:
> > > Packaged samba? You could say that. Gentoo downloads the source 
> > > tarball, add some patches, then compiles and installs it. As for 
> > > samba_upgradedns I'm not familiar with that and certainly
didn't
> > > see 
> > > it on the setup page for BIND. But I ran it just now:
> > > 
> > > Reading domain information
> > > DNS accounts already exist
> > > No zone file /var/lib/samba/bind-
> > > dns/dns/HOME.EGLIFAMILY.NAME.zone
> > > /usr/sbin/samba_upgradedns:338: DeprecationWarning: The
'warn'
> > > method 
> > > is deprecated, use 'warning' instead
> > >   logger.warn("DNS records will be automatically
created")
> > > DNS records will be automatically created
> > > DNS partitions already exist
> > > Adding dns-pluto account
> > > BIND version unknown, please modify 
> > > /var/lib/samba/bind-dns/named.conf manually.
> > > See /var/lib/samba/bind-dns/named.conf for an example
> > > configuration 
> > > include file for BIND
> > > and /var/lib/samba/bind-dns/named.txt for further documentation 
> > > required for secure DNS updates
> > > Finished upgrading DNS
> > > You have switched to using BIND9_DLZ as your dns backend, but
> > > still 
> > > have the internal dns starting. Please make sure you add
'-dns'
> > > to 
> > > your server services line in your smb.conf.
> > > 
> > > I imagine that's because the script looks for up to bind
9.12,
> > > but 
> > > the latest is 9.16. So I manually edited my named.conf file:
> > > # This DNS configuration is for BIND 9.8.0 or later with
> > > dlz_dlopen 
> > > support.
> > > #
> > > # This file should be included in your main BIND configuration
> > > file
> > > #
> > > # For example with
> > > # include "/var/lib/samba/bind-dns/named.conf";
> > > 
> > > #
> > > # This configures dynamically loadable zones (DLZ) from AD schema
> > > # Uncomment only single database line, depending on your BIND
> > > version
> > > #
> > > dlz "AD DNS Zone" {
> > >     database "dlopen
/usr/lib/samba/bind9/dlz_bind9_12.so";
> > > };
> > > 
> > > Hope that's correct. After running the samba_dnsupgrade I
have
> > > TWO 
> > > dns.keytab files:
> > > locate dns.keytab
> > > /var/lib/samba/bind-dns/dns.keytab
> > > /var/lib/samba/private/dns.keytab
> > > 
> > > Which should I be looking at? Also, named is giving me headaches
> > > with 
> > > the samba_dlz stuff. Here's the error I get when I try to
start
> > > named:
> > > 
> > > Dec 11 08:38:06 pluto named[9417]: samba_dlz: Failed to connect
> > > to 
> > > Failed to connect to /var/lib/samba/private/dns/sam.ldb: Unable
> > > to 
> > > open tdb '/var/lib/samba/private/dns/sam.ldb': Permission
> > > denied: 
> > > Operations error
> > > Dec 11 08:38:06 pluto named[9417]: samba_dlz: FAILED dlz_create
> > > call 
> > > result=25 #refs=0
> > > 
> > > the directory /var/lib /samba/private/dns does exist, owned by 
> > > root:named and having permissions 770, so why can't named
create
> > > the 
> > > file?
> > > 
> > > 
> > > Thanks!
> > > 
> > > On 12/11/2020 12:15 AM, Johannes Engel via samba wrote:
> > > 
> > > > Hi Dan,
> > > > 
> > > > have you run
> > > > 
> > > > samba_upgradedns --dns-backend=BIND9_DLZ
> > > > 
> > > > already? That should create all necessary files. Or
depending
> > > > upon
> > > > your Samba version, could you please check for
> > > > /var/lib/samba/private/dns.keytab?
> > > > 
> > > > May I assume that you are using a packaged build of Samba?
> > > > 
> > > > Best regards
> > > > 
> > > > Johannes
> > > > 
> > > > 
> > > > Am Fr., 11. Dez. 2020 um 07:28 Uhr schrieb Dan Egli via
samba <
> > > > samba at lists.samba.org>:
> > > > 
> > > > > I was reading on the samba wiki about how to use
bind9_dlz as
> > > > > the DNS
> > > > > backend for an AD Domain, but in the setup instructions
for
> > > > > bind given
> > > > > in the wiki it says to be sure to include the line
tkey-
> > > > > gssapi-keytab
> > > > > "/var/lib/samba/bind-dns/dns.keytab"; in my
named.conf file,
> > > > > in the
> > > > > options section. That's great, except I don't
HAVE a
> > > > > dns.keytab file
> > > > > anywhere on the system. I've looked at the page
carefully and
> > > > > nothing
> > > > > says where the file comes from. Only that it's in
the
> > > > > /var/lib/samba/bind-dns directory, but on my system
that
> > > > > directory is
> > > > > empty. Is this something that bind is going to create
or
> > > > > something? 
> > > > > I'm
> > > > > a bit lost. Any help is appreciated!
> > > > > 
> > > > > In case anyone is wondering, I'm using bind because
the
> > > > > system already
> > > > > has bind on it to serve internet DNS requests. So
rather than
> > > > > try to
> > > > > figure out how to let samba maintain it's own
internal DNS
> > > > > cache and
> > > > > still have the main one, I just figured I'd let
bind handle
> > > > > the whole
> > > > > thing.
> > > > > 
> > > > > -- 
> > > > > Dan Egli
> > > > >   From my Test Server
> > > > > 
> > > > > 
> > > > > -- 
> > > > > To unsubscribe from this list go to the following URL
and
> > > > > read the
> > > > > instructions: 
https://lists.samba.org/mailman/options/samba
> > > > > 
> > It doesn't matter how you install Samba, when you join a DC you
> > will 
> > never get the keytab in the bind-dns dir, the code doesn't exist
> > to 
> > create it. The keytab should be created under three circumstances, 
> > when you provision a DC with ' --dns-backend=BIND9_DLZ', When
you
> > run 
> > 'samba_dnsupdate' and when you join a DC with 
> > '--dns-backend=BIND9_DLZ'. The first two work because the code
> > exists 
> > (the same code twice), but the required code isn't there when you
> > join 
> > a new DC.
> > 
> > Rowland
> > 
> > 
> > 
> -- 
> Dan Egli
>  From my Test Server
> 
> 
-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba

On 11/12/2020 09:26, Dan Egli wrote:
> ?I ran the samba_dnsupgrade and it created TWO dns.keytab files. You 
> said it won't create one in /var/lib/samba/bind-dns directory, but it 
> did. At least, SOMETHING put a file there. Still, if you say it 
> shouldn't be there, then perhaps I should rm it and point my bind 
> config to the other.
>
No, I didn't say that, I said that you do not get the keytab in the 
bind-dns dir when you join a DC, but you do when you provision a new DC 
or run samba_dnsupdate. What the code actually does is to create the 
keytab in the private dir and then copy it to the bind-dns dir, so yes, 
you do end up with two keytabs.

There is a bug report about this: 
https://bugzilla.samba.org/show_bug.cgi?id=14535

And here is my fix: 
https://gitlab.com/samba-team/samba/-/merge_requests/1642

Which unfortunately was rejected even though it works.

Rowland