samba - Dec 2020 - dns.keytab doesn't exist

So you're saying it really doen't matter which I use? Okay, I'll
just
use the one in private vs. the one in bind-dns. Now if I can only figure 
out why it's complaining about the sam.ldb file:

Dec 11 09:07:10 pluto named[733]: samba_dlz: Unable to get basedn for 
/var/lib/samba/private/dns/sam.ldb - NULL Base DN invalid for a base search

That's causing named to terminate with an error:

Dec 11 09:07:10 pluto named[733]: samba_dlz: FAILED dlz_create call 
result=25 #refs=0
Dec 11 09:07:10 pluto named[733]: dlz_dlopen of 'AD DNS Zone' failed
Dec 11 09:07:10 pluto named[733]: SDLZ driver failed to load.
Dec 11 09:07:10 pluto named[733]: DLZ driver failed to load.
Dec 11 09:07:10 pluto named[733]: loading configuration: failure
Dec 11 09:07:10 pluto named[733]: exiting (due to fatal error)
Dec 11 09:07:11 pluto systemd[1]: named.service: Main process exited, 
code=exited, status=1/FAILURE
Dec 11 09:07:11 pluto systemd[1]: named.service: Failed with result 
'exit-code'.

Any tips?

On 12/11/2020 2:37 AM, Rowland penny via samba wrote:
> On 11/12/2020 09:26, Dan Egli wrote:
>> ?I ran the samba_dnsupgrade and it created TWO dns.keytab files. You 
>> said it won't create one in /var/lib/samba/bind-dns directory, but
it
>> did. At least, SOMETHING put a file there. Still, if you say it 
>> shouldn't be there, then perhaps I should rm it and point my bind 
>> config to the other.
>>
> No, I didn't say that, I said that you do not get the keytab in the 
> bind-dns dir when you join a DC, but you do when you provision a new 
> DC or run samba_dnsupdate. What the code actually does is to create 
> the keytab in the private dir and then copy it to the bind-dns dir, so 
> yes, you do end up with two keytabs.
>
> There is a bug report about this: 
> https://bugzilla.samba.org/show_bug.cgi?id=14535
>
> And here is my fix: 
> https://gitlab.com/samba-team/samba/-/merge_requests/1642
>
> Which unfortunately was rejected even though it works.
>
> Rowland
>
>
>
-- 
Dan Egli
 From my Test Server

On Fri, 2020-12-11 at 03:00 -0700, Dan Egli via samba
wrote:
> So you're saying it really doen't matter which I use? Okay,
I'll
> just 
> use the one in private vs. the one in bind-dns. Now if I can only
> figure 
> out why it's complaining about the sam.ldb file:
After running samba_upgradedns then use the one in bind-dns.  It should
have the most recent password.
> Dec 11 09:07:10 pluto named[733]: samba_dlz: Unable to get basedn
> for 
> /var/lib/samba/private/dns/sam.ldb - NULL Base DN invalid for a base
> search
We moved to /var/lib/samba/bind-dns/sam.ldb (but forget to update the
keytab code, hence the rest of this). 

The error below is because I've not yet backported:
https://bugzilla.samba.org/show_bug.cgi?id=14579
> That's causing named to terminate with an error:
> 
> Dec 11 09:07:10 pluto named[733]: samba_dlz: FAILED dlz_create call 
> result=25 #refs=0
> Dec 11 09:07:10 pluto named[733]: dlz_dlopen of 'AD DNS Zone'
failed
> Dec 11 09:07:10 pluto named[733]: SDLZ driver failed to load.
> Dec 11 09:07:10 pluto named[733]: DLZ driver failed to load.
> Dec 11 09:07:10 pluto named[733]: loading configuration: failure
> Dec 11 09:07:10 pluto named[733]: exiting (due to fatal error)
> Dec 11 09:07:11 pluto systemd[1]: named.service: Main process
> exited, 
> code=exited, status=1/FAILURE
> Dec 11 09:07:11 pluto systemd[1]: named.service: Failed with result 
> 'exit-code'.
> 
> Any tips?
> 
> On 12/11/2020 2:37 AM, Rowland penny via samba wrote:
> > On 11/12/2020 09:26, Dan Egli wrote:
> > >  I ran the samba_dnsupgrade and it created TWO dns.keytab files.
> > > You 
> > > said it won't create one in /var/lib/samba/bind-dns
directory,
> > > but it 
> > > did. At least, SOMETHING put a file there. Still, if you say it 
> > > shouldn't be there, then perhaps I should rm it and point my
> > > bind 
> > > config to the other.
> > > 
> > No, I didn't say that, I said that you do not get the keytab in
> > the 
> > bind-dns dir when you join a DC, but you do when you provision a
> > new 
> > DC or run samba_dnsupdate. What the code actually does is to
> > create 
> > the keytab in the private dir and then copy it to the bind-dns dir,
> > so 
> > yes, you do end up with two keytabs.
> > 
> > There is a bug report about this: 
> > https://bugzilla.samba.org/show_bug.cgi?id=14535
> > 
> > And here is my fix: 
> > https://gitlab.com/samba-team/samba/-/merge_requests/1642
> > 
> > Which unfortunately was rejected even though it works.
> > 
> > Rowland
> > 
> > 
> > 
> -- 
> Dan Egli
>  From my Test Server
> 
> 
-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba