On 06/22/2011 02:26 AM, Marcel Ritter wrote:
Hi Mauricio,

the easiest way to find out, where named fails may be to
do an "strace -f /usr/sbin/named ..." (don't forget to set/export
the keytab environment variables before doing so).

Check the output of strace for accesses to the keytab file and
you will get some hints about what's wrong. You may also want
to check for the files mentioned below in the apparmor list.

In my apparmor config (Ubuntu 10.04) I had to add some more
entries (the list is far from optimized, but it works for me).

# AppArmor file rules: r = read, w = write, k = file locking
/opt/samba4/private/dns.keytab kr,
/opt/samba4/private/named.conf.update kr,
/opt/samba4/private/named.conf kr,
/opt/samba4/private/dns/* krw,
/var/tmp/krb5_* rw,
/var/tmp/DNS_* rw,

If you like you can send me the strace log in private, I'll have a look.
(AFAIK the allowed size of attachments on the list is quite small).

You were right about the apparmor; I disabled it temporarily for named and bind was happy again. I will try your list later (since I found out I can't do cross-realm between samba4's kerberos and our (mit) currently working setup, samba 4 just dropped out of my priority list).

Bye,
     Marcel

-----Original Message-----
From: [email protected] [mailto:[email protected]] On behalf of Mauricio Tavares
Sent: Tuesday, 21 June 2011 21:23
To: [email protected]
Subject: Re: [Samba] tkey-gssapi-credential and bind (Samba4)

On Tue, Jun 21, 2011 at 1:14 PM, Aaron E. <[email protected]> wrote:
In my experience this is due to gssapi not being compiled to the
correct directory for bind. I also used 11.04 and my compile path was
--with-gssapi=/usr/include/gssapi, instead of /usr

       Aaron, in my case it seems to be pointing to /usr:

root@sambabox:~# named -V
BIND 9.7.3 built with '--prefix=/usr' '--mandir=/usr/share/man'
'--infodir=/usr/share/info' '--sysconfdir=/etc/bind'
'--localstatedir=/var' '--enable-threads' '--enable-largefile'
'--with-libtool' '--enable-shared' '--enable-static'
'--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld'
'--with-dlz-postgres=no' '--with-dlz-mysql=no' '--with-dlz-bdb=yes'
'--with-dlz-filesystem=yes' '--with-dlz-ldap=yes'
'--with-dlz-stub=yes' '--with-geoip=/usr' '--enable-ipv6'
'CFLAGS=-fno-strict-aliasing -DDIG_SIGCHASE -O2'
'LDFLAGS=-Wl,-Bsymbolic-functions' 'CPPFLAGS='
root@sambabox:~#



On 06/21/2011 10:45 AM, Marcel Ritter wrote:

Hi Mauricio,

this is usually caused by one of 3 things:

1) bind is started without KRB5_KTNAME being set, and
      therefore doesn't know where to look for its keytab

    Marcel, what I have in /etc/default/bind9 is

# Samba-related stuff
KEYTAB_FILE="/var/lib/samba/private/dns.keytab"
KRB5_KTNAME="/var/lib/samba/private/dns.keytab"
export KEYTAB_FILE
export KRB5_KTNAME

And here is what dns.keytab looks like:

-rw-r----- 1 root bind 1.3K 2011-06-21 09:57 /var/lib/samba/private/dns.keytab

2) the bind user does not have access permission to the
     keytab (or any directory in its path)

       As user bind (I edited /etc/passwd temporarily) I was able to reach that file:

bind@sambabox:~$ cat /var/lib/samba/private/dns.keytab 
HTEST.DOMAIN.COMDNStest.domain.com
[...]

3) I also had problems related to apparmor (on Ubuntu 10.04)
     where the apparmor security framework prevented bind
     from accessing the keytab, even if file permissions were ok

       I edited /etc/apparmor.d/usr.sbin.named per
http://blog.mycroes.nl/2010/09/installing-samba-4-on-ubuntu-maverick.html,
adding the following lines:

/var/lib/samba/private/* rw,
/var/lib/samba/private/dns/* rw,

Hope this helps,
     Marcel

-----Original Message-----
From: [email protected] [mailto:[email protected]] On behalf of Mauricio Tavares
Sent: Tuesday, 21 June 2011 16:11
To: [email protected]
Subject: [Samba] tkey-gssapi-credential and bind (Samba4)

       So I am in step 10 of the samba4 howto
(https://wiki.samba.org/index.php/Samba4/HOWTO#Step_10_Configure_kerberos_DNS_dynamic_updates);
my bind9 is 9.7.3 which seems to be current enough for this. In it we are to add

    tkey-gssapi-credential "DNS/samdom.example.com";
    tkey-domain "SAMDOM.EXAMPLE.COM";

to /etc/bind/named.conf.options. Since my test domain is
test.domain.com, I changed the above to

    tkey-gssapi-credential "DNS/test.domain.com";
    tkey-domain "TEST.DOMAIN.COM";

In the log file I have:

Jun 21 10:02:39 sambabox named[3302]: automatic empty zone: D.F.IP6.ARPA
Jun 21 10:02:39 sambabox named[3302]: automatic empty zone: 8.E.F.IP6.ARPA
Jun 21 10:02:39 sambabox named[3302]: automatic empty zone: 9.E.F.IP6.ARPA
Jun 21 10:02:39 sambabox named[3302]: automatic empty zone: A.E.F.IP6.ARPA
Jun 21 10:02:39 sambabox named[3302]: automatic empty zone: B.E.F.IP6.ARPA
Jun 21 10:02:39 sambabox named[3302]: automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
Jun 21 10:02:39 sambabox named[3302]: configuring TKEY: failure
Jun 21 10:02:39 sambabox named[3302]: loading configuration: failure
Jun 21 10:02:39 sambabox named[3302]: exiting (due to fatal error)
Jun 21 10:02:50 sambabox named[3316]: starting BIND 9.7.3 -u bind
Jun 21 10:02:50 sambabox named[3316]: built with '--prefix=/usr' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc/bind' '--localstatedir=/var' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld' '--with-dlz-postgres=no' '--with-dlz-mysql=no' '--with-dlz-bdb=yes' '--with-dlz-filesystem=yes' '--with-dlz-ldap=yes' '--with-dlz-stub=yes' '--with-geoip=/usr' '--enable-ipv6' 'CFLAGS=-fno-strict-aliasing -DDIG_SIGCHASE -O2' 'LDFLAGS=-Wl,-Bsymbolic-functions' 'CPPFLAGS='

IMHO, just saying "TKEY:failure" is not very helpful. I did find out
the line bind does not seem to like is the first one,

tkey-gssapi-credential "DNS/test.domain.com";

This is an ubuntu 11.04 machine if this matters.
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

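The three causes Marcel lists (KRB5_KTNAME assigned but not exported, the bind user unable to reach the keytab, AppArmor denying the read even though the mode bits are fine) can be checked in one pass. The script below is an added example written for this page; it is not code from the thread, from Samba or from BIND. The keytab path and the defaults file are assumptions, and the audit lines it parses are constructed in the standard AppArmor kernel-audit format, not taken from Mauricio's logs.

```shell
#!/bin/sh
# Added diagnostic (not from the thread) for the three failure causes discussed:
#   1) KRB5_KTNAME assigned but not exported in /etc/default/bind9
#   2) the bind user cannot traverse the path to, or read, dns.keytab
#   3) AppArmor denies the read even though file permissions are fine
# Paths are assumptions; pass your own as arguments to the functions.

# 1) Is KRB5_KTNAME both assigned and exported in the defaults file?
#    Returns 0 when both hold, 1 (with the reason on stdout) otherwise.
check_ktname_export() {
    defaults="$1"
    [ -r "$defaults" ] || { echo "cannot read $defaults"; return 1; }
    if ! grep -Eq '^[[:space:]]*(export[[:space:]]+)?KRB5_KTNAME=' "$defaults"; then
        echo "KRB5_KTNAME is not assigned in $defaults"; return 1
    fi
    # An assignment alone is not enough: named only sees the variable if it is exported.
    if ! grep -Eq '^[[:space:]]*export[[:space:]]+KRB5_KTNAME(=|[[:space:]]|$)' "$defaults"; then
        echo "KRB5_KTNAME is assigned but not exported in $defaults"; return 1
    fi
    return 0
}

# 2) Can the *invoking* user search every directory above the keytab and read it?
#    open() needs the x bit on each ancestor, so the walk goes top-down and
#    names the first component that blocks access. Run this as the bind user.
check_keytab_access() {
    keytab="$1"
    case "$keytab" in /*) ;; *) echo "need an absolute path: $keytab"; return 1 ;; esac
    dir=$(dirname "$keytab"); chain=""
    while [ "$dir" != "/" ]; do
        chain="$dir $chain"          # prepend, so the list ends up top-down
        dir=$(dirname "$dir")
    done
    for d in / $chain; do
        [ -x "$d" ] || { echo "no search (x) permission on $d"; return 1; }
    done
    [ -r "$keytab" ] || { echo "cannot read $keytab"; return 1; }
    return 0
}

# 3) Turn AppArmor DENIED audit lines (from dmesg or /var/log/kern.log, on stdin)
#    for the named profile into the profile rules that would allow them.
#    Output: one "path mask," line per distinct path, e.g.
#    "/var/lib/samba/private/dns.keytab r,"
apparmor_rules_from_denials() {
    profile="${1:-/usr/sbin/named}"
    grep 'apparmor="DENIED"' | grep -F "profile=\"$profile\"" \
      | sed -n 's/.* name="\([^"]*\)".* denied_mask="\([^"]*\)".*/\1 \2,/p' \
      | sort -u
}

# Constructed sample audit lines in the kernel's AppArmor format (not real logs
# from the thread): two denials for named, one for an unrelated profile.
SAMPLE_DENIALS='type=1400 audit(1308657759.123:45): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/var/lib/samba/private/dns.keytab" pid=3302 comm="named" requested_mask="r" denied_mask="r" fsuid=108 ouid=0
type=1400 audit(1308657759.124:46): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/var/lib/samba/private/dns.keytab" pid=3302 comm="named" requested_mask="r" denied_mask="r" fsuid=108 ouid=0
type=1400 audit(1308657759.125:47): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/shadow" pid=99 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=7 ouid=0'

# Demo on the constructed sample; prints the single rule named would need.
printf '%s\n' "$SAMPLE_DENIALS" | apparmor_rules_from_denials /usr/sbin/named
```

The permission check applies to whoever runs it, so invoke it as the service account (for example `sudo -u bind sh check_named_keytab.sh`, then call `check_keytab_access /var/lib/samba/private/dns.keytab`), and feed `apparmor_rules_from_denials` with `dmesg` output. Generated rules are the minimum the denials ask for; a `k` (lock) mask shows up as `k,` and should be added as such rather than widened to `rw`. When nothing is denied and the path is readable, the failure is elsewhere and Marcel's `strace -f` suggestion is the next step.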