Bug 14181 - on domain join with dns-backend=BIND9_DLZ, dns.keytab is created in private directory
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB (show other bugs)
Version: 4.10.10
Hardware: All
OS: All
Importance: P5 normal
Target Milestone: ---
Assignee: Jo Sutton
QA Contact: Samba QA Contact
Depends on:
Reported: 2019-11-05 01:05 UTC by Val Kulkov
Modified: 2022-09-06 08:03 UTC (History)
Description Val Kulkov 2019-11-05 01:05:36 UTC

kinit -p administrator
samba-tool domain join samdom.example.dom DC -k yes --dns-backend=BIND9_DLZ --option='idmap_ldb:use rfc2307 = yes' --option="password hash userPassword schemes = CryptSHA256"

succeeds and generates entries in binddir/dns/. However, the dns.keytab file is placed into the private/ directory instead of binddir/, which is where it belongs.

Additionally, dns.keytab is owned by root.root and has 0700 permissions. It probably should be owned by named. Most Bind9 installations run the daemon as named.
Comment 1 Val Kulkov 2019-11-05 05:41:25 UTC
To be more specific, in my case:

private = /var/lib/samba/private
binddir = /var/lib/samba/bind-dns
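A post-join check for the symptoms described in the report and Comment 1 (keytab in private/ instead of binddir/, wrong owner, key material readable by others), added here as an example and not part of the bug report or of Samba; it assumes GNU stat and takes the directories and the expected BIND user as arguments:

```shell
#!/bin/sh
# check_dns_keytab BINDDIR PRIVATEDIR EXPECTED_OWNER
# Returns 0 when dns.keytab sits in BINDDIR, belongs to EXPECTED_OWNER and is
# not accessible by "other"; returns 1 and prints each finding otherwise.
check_dns_keytab() {
    binddir=$1; privdir=$2; owner=$3
    rc=0
    kt="$binddir/dns.keytab"

    # Symptom from the report: the keytab landed in private/ only.
    if [ -f "$privdir/dns.keytab" ] && [ ! -f "$kt" ]; then
        echo "dns.keytab is in $privdir instead of $binddir"
        rc=1
    fi
    if [ ! -f "$kt" ]; then
        echo "no dns.keytab in $binddir"
        return 1
    fi

    # named must be able to read the key; root.root with 0700 locks it out.
    actual_owner=$(stat -c '%U' "$kt")
    if [ "$actual_owner" != "$owner" ]; then
        echo "dns.keytab owned by $actual_owner, expected $owner"
        rc=1
    fi

    # Last octal digit is the "other" class; any bit set exposes the key.
    mode=$(stat -c '%a' "$kt")
    case "$mode" in
        *[1-7]) echo "dns.keytab mode $mode is readable by others"; rc=1 ;;
    esac
    return $rc
}

# Usage with the paths from Comment 1 (named is the assumed BIND user):
#   check_dns_keytab /var/lib/samba/bind-dns /var/lib/samba/private named
```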
Comment 2 Andrew Bartlett 2021-03-18 23:56:21 UTC
Joseph, can you take a look at finishing the MR and finalising this?
Comment 3 Samba QA Contact 2021-06-11 08:29:29 UTC
This bug was referenced in samba master:

Comment 4 Jo Sutton 2022-09-06 08:03:49 UTC
Fixed in Samba 4.15.