In my experience this is due to gssapi not being compiled to the correct directory for bind. I also used 11.04 and my compile path was --with-gssapi=/usr/include/gssapi, instead of /usr.


On 06/21/2011 10:45 AM, Marcel Ritter wrote:
Hi Mauricio,

this is usually caused by one of 3 things:

1) bind is started without KRB5_KTNAME being set, and
      therefore doesn't know where to look for its keytab

2) the bind user does not have access permission to the
     keytab (or any directory in its path)

3) I also had problems related to apparmor (on Ubuntu 10.04),
     where the apparmor security framework prevented bind
     from accessing the keytab, even if file permissions were ok

Hope this helps,
     Marcel

-----Original Message-----
From: [email protected] [mailto:[email protected]] On behalf of Mauricio Tavares
Sent: Tuesday, 21 June 2011 16:11
To: [email protected]
Subject: [Samba] tkey-gssapi-credential and bind (Samba4)

       So I am in step 10 of the samba4 howto
(https://wiki.samba.org/index.php/Samba4/HOWTO#Step_10_Configure_kerberos_DNS_dynamic_updates);
my bind9 is 9.7.3, which seems to be current enough for this. In it, we are to add

    tkey-gssapi-credential "DNS/samdom.example.com";
    tkey-domain "SAMDOM.EXAMPLE.COM";

to /etc/bind/named.conf.options. Since my test domain is test.domain.com, I 
changed the above to

    tkey-gssapi-credential "DNS/test.domain.com";
    tkey-domain "TEST.DOMAIN.COM";

In the log file I have:

Jun 21 10:02:39 sambabox named[3302]: automatic empty zone: D.F.IP6.ARPA
Jun 21 10:02:39 sambabox named[3302]: automatic empty zone: 8.E.F.IP6.ARPA
Jun 21 10:02:39 sambabox named[3302]: automatic empty zone: 9.E.F.IP6.ARPA
Jun 21 10:02:39 sambabox named[3302]: automatic empty zone: A.E.F.IP6.ARPA
Jun 21 10:02:39 sambabox named[3302]: automatic empty zone: B.E.F.IP6.ARPA
Jun 21 10:02:39 sambabox named[3302]: automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
Jun 21 10:02:39 sambabox named[3302]: configuring TKEY: failure
Jun 21 10:02:39 sambabox named[3302]: loading configuration: failure
Jun 21 10:02:39 sambabox named[3302]: exiting (due to fatal error)
Jun 21 10:02:50 sambabox named[3316]: starting BIND 9.7.3 -u bind
Jun 21 10:02:50 sambabox named[3316]: built with '--prefix=/usr'
'--mandir=/usr/share/man' '--infodir=/usr/share/info'
'--sysconfdir=/etc/bind' '--localstatedir=/var' '--enable-threads'
'--enable-largefile' '--with-libtool' '--enable-shared'
'--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr'
'--with-gnu-ld' '--with-dlz-postgres=no' '--with-dlz-mysql=no'
'--with-dlz-bdb=yes' '--with-dlz-filesystem=yes' '--with-dlz-ldap=yes'
'--with-dlz-stub=yes' '--with-geoip=/usr' '--enable-ipv6'
'CFLAGS=-fno-strict-aliasing -DDIG_SIGCHASE -O2'
'LDFLAGS=-Wl,-Bsymbolic-functions' 'CPPFLAGS='

IMHO, just saying "TKEY: failure" is not very helpful. I did find out that the line
bind does not seem to like is the first one,

tkey-gssapi-credential "DNS/test.domain.com";

This is an ubuntu 11.04 machine if this matters.
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

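Added example, not code from the thread or from Samba/BIND: a small POSIX sh helper that checks the three causes Marcel lists (KRB5_KTNAME not exported, keytab not readable by the bind user, AppArmor denial) and a fourth thing "configuring TKEY: failure" commonly means, namely that the principal named in tkey-gssapi-credential is not present in the keytab named acquires its GSSAPI credentials from. The paths for /etc/default/bind9, the keytab, /var/log/kern.log and the AppArmor profile name are Ubuntu assumptions and can be overridden through the environment; the sample defaults file, log lines and `klist -k` listing are constructed so the parsers can be exercised without a running named.

```shell
#!/bin/sh
# Diagnostic helper for GSS-TSIG (tkey-gssapi-credential) start-up failures.
# Added example; not from the thread. Assumed Ubuntu locations, override via env:
KEYTAB="${KEYTAB:-/var/lib/samba/private/dns.keytab}"   # assumption
BIND_USER="${BIND_USER:-bind}"
BIND_DEFAULTS="${BIND_DEFAULTS:-/etc/default/bind9}"    # assumption: sourced by the init script
NAMED_PROFILE="${NAMED_PROFILE:-/usr/sbin/named}"       # assumption: AppArmor profile name
KERN_LOG="${KERN_LOG:-/var/log/kern.log}"               # assumption: where AppArmor denials land

# Cause 1: print the KRB5_KTNAME value exported in the defaults file; fail if absent.
ktname_from_defaults() {          # usage: ktname_from_defaults FILE
    [ -r "$1" ] || return 1
    awk -F= '/^[ \t]*(export[ \t]+)?KRB5_KTNAME=/ { gsub(/["'"'"']/, "", $2); v = $2 }
             END { if (v != "") { print v; exit 0 } exit 1 }' "$1"
}

# Cause 2: let the kernel decide whether USER can read FILE (covers every
# directory on the path as well). Needs root because it switches user.
keytab_readable_by() {            # usage: keytab_readable_by USER FILE
    su -s /bin/sh "$1" -c "test -r \"$2\""
}

# Cause 3: print every path the named AppArmor profile was denied; fail if none.
apparmor_denials() {              # usage: apparmor_denials LOGFILE
    grep 'apparmor="DENIED"' "$1" | grep "profile=\"$NAMED_PROFILE\"" |
        sed -n 's/.*name="\([^"]*\)".*/\1/p' | grep .
}

# Cause 4: is PRINCIPAL (without realm) listed in saved "klist -k" output?
# Lines 1-3 of klist -k are the header; field 2 of each later line is the principal.
principal_in_klist() {            # usage: principal_in_klist PRINCIPAL KLIST_OUTPUT_FILE
    awk -v p="$1" 'NR > 3 && index($2, p "@") == 1 { found = 1 }
                   END { exit !found }' "$2"
}

# Constructed sample inputs (not real files from the thread) for offline exercise.
make_samples() {                  # usage: make_samples DIR
    mkdir -p "$1"
    printf '%s\n' 'OPTIONS="-u bind"' \
        'export KRB5_KTNAME="/var/lib/samba/private/dns.keytab"' > "$1/bind9.defaults"
    printf '%s\n' 'OPTIONS="-u bind"' '#export KRB5_KTNAME=/nowhere' > "$1/bind9.defaults.unset"
    printf '%s\n' \
        'Jun 21 10:02:39 sambabox kernel: type=1400 audit(1308664959.101:45): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/named" name="/var/lib/samba/private/dns.keytab" pid=3302 comm="named" requested_mask="r" denied_mask="r" fsuid=105 ouid=0' \
        'Jun 21 10:02:39 sambabox named[3302]: configuring TKEY: failure' > "$1/kern.log"
    printf '%s\n' 'Keytab name: FILE:/var/lib/samba/private/dns.keytab' 'KVNO Principal' \
        '---- ----------------------------------------------------------------' \
        '   2 DNS/sambabox.test.domain.com@TEST.DOMAIN.COM' \
        '   2 host/sambabox.test.domain.com@TEST.DOMAIN.COM' > "$1/klist.out"
}

# Live run on this host (root needed for the su step): one line per check.
run_checks() {                    # usage: run_checks PRINCIPAL
    if kt=$(ktname_from_defaults "$BIND_DEFAULTS"); then
        echo "KRB5_KTNAME exported in $BIND_DEFAULTS: $kt"; KEYTAB=$kt
    else
        echo "cause 1: KRB5_KTNAME not exported in $BIND_DEFAULTS"
    fi
    if keytab_readable_by "$BIND_USER" "$KEYTAB"; then
        echo "$KEYTAB readable by $BIND_USER"
    else
        echo "cause 2: $KEYTAB not readable by $BIND_USER; inspect: ls -ld $(dirname "$KEYTAB") $KEYTAB"
    fi
    if d=$(apparmor_denials "$KERN_LOG"); then echo "cause 3: AppArmor denied named: $d"; fi
    tmp=$(mktemp)
    if klist -k "$KEYTAB" > "$tmp" 2>/dev/null && principal_in_klist "$1" "$tmp"; then
        echo "$1 present in $KEYTAB"
    else
        echo "cause 4: $1 not found in $KEYTAB (compare with tkey-gssapi-credential)"
    fi
    rm -f "$tmp"
}

if [ "${1:-}" = "--live" ]; then
    run_checks "${2:-DNS/$(hostname -f)}"
else
    dir=$(mktemp -d); make_samples "$dir"
    ktname_from_defaults "$dir/bind9.defaults"
    apparmor_denials "$dir/kern.log"
    principal_in_klist DNS/sambabox.test.domain.com "$dir/klist.out" && echo "principal present"
    rm -rf "$dir"
fi
```

Run it as root with `sh check-tkey.sh --live DNS/your.principal` to check the host; without `--live` it only runs the parsers over the constructed samples. The principal you pass must be the exact string from your tkey-gssapi-credential line, since that is the name named asks the keytab for.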
