When setting up a single DC, there is a dns.keytab in /var/lib/samba/bind-dns, and all the permissions in /var/lib/samba/bind-dns are set correctly.
When installing the next DC, there is no /var/lib/samba/bind-dns/dns.keytab file; the only place to find this file is /var/lib/samba/private. The user "bind" has no permission to the dns.keytab file in this place, so bind9 will not start.
In addition, the permissions for /var/lib/samba/bind-dns/ are wrong:
root@addc-02:/etc/bind# ls -ld /var/lib/samba/bind-dns/
drwxr-x--- 3 root root 4096 Okt 19 13:50 /var/lib/samba/bind-dns/
root@addc-01:~# ls -ld /var/lib/samba/bind-dns/
drwxrwx--- 3 root bind 4096 Okt 19 13:23 /var/lib/samba/bind-dns/
The permissions on the first DC are set correctly.
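An added audit script for the state the report describes (this is not part of the bug report, of Samba, or of the reporter's setup): it checks that the bind-dns directory is group-rwx for the BIND group and that dns.keytab exists there and is group-readable, mirroring the ls -ld output of the working DC above. The directory and group are parameters so it can be pointed at a test tree; the defaults are the report's paths, the filename check_bind_dns.sh and the run-guard are assumptions of this example, and it relies only on ls/awk/cut rather than any Samba tooling.

```sh
#!/bin/sh
# Audit the bind-dns directory of a Samba AD DC for the state the report
# describes. Expected layout, taken from the working DC (addc-01):
#   drwxrwx--- root bind /var/lib/samba/bind-dns
#   /var/lib/samba/bind-dns/dns.keytab present and readable by group "bind"
# The joined DC (addc-02) instead shows drwxr-x--- root root and no keytab.
# Parameters: check_bind_dns [DIR] [GROUP]; returns 0 if everything matches,
# 1 otherwise, printing one line per finding. Assumed names, not Samba's own.

check_bind_dns() {
    dir="${1:-/var/lib/samba/bind-dns}"
    want_group="${2:-bind}"
    rc=0

    if [ ! -d "$dir" ]; then
        echo "MISSING: $dir does not exist"
        return 1
    fi

    # ls -ld is what the report uses: field 1 is the mode string (a trailing
    # '+' or '.' for ACLs/SELinux does not shift columns 5-7), field 4 the group.
    dperm=$(ls -ld "$dir" | awk '{print $1}')
    dgroup=$(ls -ld "$dir" | awk '{print $4}')
    dgrp_bits=$(printf '%s' "$dperm" | cut -c5-7)

    if [ "$dgroup" != "$want_group" ]; then
        echo "WRONG GROUP: $dir is group '$dgroup', expected '$want_group'"
        rc=1
    fi
    if [ "$dgrp_bits" != "rwx" ]; then
        echo "WRONG MODE: $dir is $dperm, group needs rwx (drwxrwx---)"
        rc=1
    fi

    keytab="$dir/dns.keytab"
    if [ ! -f "$keytab" ]; then
        echo "MISSING: $keytab (the report says a join leaves it only under private/)"
        rc=1
    else
        kperm=$(ls -l "$keytab" | awk '{print $1}')
        kgroup=$(ls -l "$keytab" | awk '{print $4}')
        kread=$(printf '%s' "$kperm" | cut -c5)   # group read bit
        if [ "$kgroup" != "$want_group" ] || [ "$kread" != "r" ]; then
            echo "UNREADABLE: $keytab is $kperm $kgroup; group '$want_group' needs read"
            rc=1
        fi
    fi

    [ "$rc" -eq 0 ] && echo "OK: $dir matches the working DC"
    return "$rc"
}

# Run directly as check_bind_dns.sh: audit the default directory and exit
# non-zero on a problem. The guard keeps it from running when the file is
# sourced, e.g. from a test harness.
if [ "${0##*/}" = "check_bind_dns.sh" ]; then
    check_bind_dns "$@"
fi
```

Run it on the joined DC before starting bind9; the "WRONG MODE"/"WRONG GROUP" lines correspond to the drwxr-x--- root root directory shown for addc-02, and "MISSING" to the keytab that the join did not create. The script only reports; as comment #3 below notes, the code that actually writes the keytab into bind-dns lives in the provision and samba_upgradedns paths, not in the join.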
Title of the bug report needs correction (it may not be found in a search).
Typo: dns.kytab instead of dns.keytab.
I just tested it with 4.14rc2 and it's still the same.
(In reply to Stefan Kania from comment #2)
The problem is that there is no code to create the keytab in the bind-dns directory when you join a DC. The code to do this is in the Samba tree, twice: once when you provision a new DC and again in the samba_upgradedns script. Based on the fact that this code will only be run on one of three occasions (provisioning a new DC, upgrading from the internal DNS server to bind9, and joining another DC to an existing domain), I came up with code (that didn't touch existing code) to create the keytab in the bind-dns directory on a join. This code was rejected because it was thought that it would be better to turn it into a subroutine and call this from the provision, join and samba_upgradedns scripts. I declined to do this; I just couldn't justify all the extra work for code that is very likely to be called in only one of three ways, and it is already there in two of those ways.
I am sorry that my code got rejected in the pursuit of perfection.
This bug was referenced in samba master:
Fixed in Samba 4.15.