[Samba] Samba4 AD with bind DNS / TKEY is unacceptable

Stefan Schäfer ml at fsproductions.de
Wed Sep 11 12:35:08 MDT 2013


Hi,

I am trying to migrate an existing W2k3 AD to Samba4 with bind.

Everything works fine, but dnsupdate fails with the error:
"dns_tkey_negotiategss: TKEY is unaccepteable".

I found a lot of discussions around this topic, but no solution.

Environment:

OS: SLES11 SP3 with bind 9.9.3P2
Samba packages from Sernet: sernet-samba-4.0.9-5.suse111

I checked the following points:

After joining the domain bind starts and replication from the w2k3 PDC 
works.

Then I changed the DNS NS RRs to make the Samba server the primary DNS 
and transferred all FSMO roles to the Samba server.

In named.conf I made the following entries:

options {
...
       # Samba AD
       auth-nxdomain yes;
       empty-zones-enable no;
       tkey-gssapi-keytab "/var/lib/named/samba/private/dns.keytab";
}

...

include "/var/lib/named/samba/private/named.conf";

Both files are readable by the bind system user:

ls -l /var/lib/samba/private/
insgesamt 11696
drwxrwx--- 3 root named    4096 11. Sep 18:13 dns
-rw-r----- 1 root named     987 11. Sep 18:12 dns.keytab
-rw-r--r-- 1 root root     2270 11. Sep 13:41 dns_update_list
-rw-r--r-- 1 root root      544 11. Sep 18:17 named.conf
-r--r--r-- 1 root root      312 11. Sep 19:18 named.conf.update

Changing DNS RRs manually with samba-tool dns add|delete and so on works 
fine.

klist -k for the keytab file gives the following output:

Keytab name: FILE:/var/lib/samba/private/dns.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 DNS/samba4ad.fsproductions.local@FSPRODUCTIONS.LOCAL
   1 dns-SAMBA4AD.FSPRODUCTIONS.local@FSPRODUCTIONS.LOCAL
   1 DNS/samba4ad.fsproductions.local@FSPRODUCTIONS.LOCAL
   1 dns-SAMBA4AD.FSPRODUCTIONS.local@FSPRODUCTIONS.LOCAL
   1 DNS/samba4ad.fsproductions.local@FSPRODUCTIONS.LOCAL
   1 dns-SAMBA4AD.FSPRODUCTIONS.local@FSPRODUCTIONS.LOCAL
   1 DNS/samba4ad.fsproductions.local@FSPRODUCTIONS.LOCAL
   1 dns-SAMBA4AD.FSPRODUCTIONS.local@FSPRODUCTIONS.LOCAL
   1 DNS/samba4ad.fsproductions.local@FSPRODUCTIONS.LOCAL
   1 dns-SAMBA4AD.FSPRODUCTIONS.local@FSPRODUCTIONS.LOCAL

What's wrong? Any ideas?

Stefan
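An added diagnostic, not from this post and not part of Samba or BIND, that checks in one place what the post checked by hand: that named.conf carries a tkey-gssapi-keytab directive, that the keytab it names exists and is readable by the named service account's uid/gid, and that the klist -k output lists the DNS/<fqdn>@REALM service principal. The uid/gid, DC FQDN and realm are supplied by the caller; the named.conf text and klist output it reads are constructed after the post, not taken from a live system.

```python
# Added diagnostic, not from the post or from Samba/BIND: checks the BIND-side
# prerequisites for GSS-TSIG (TKEY) updates that the post inspected by hand.
import os
import re
import stat

TKEY_RE = re.compile(r'^\s*tkey-gssapi-keytab\s+"([^"]+)"\s*;', re.M)
PRINC_RE = re.compile(r"^\s*\d+\s+(\S+@\S+)\s*$")  # one 'KVNO Principal' row


def tkey_keytab_path(named_conf_text):
    """Path named by tkey-gssapi-keytab, or None if the directive is absent."""
    m = TKEY_RE.search(named_conf_text)
    return m.group(1) if m else None


def readable_by(path, uid, gid):
    """True if a process with this uid/gid can read path according to its mode bits."""
    st = os.stat(path)
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid == gid:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)


def keytab_principals(klist_output):
    """Set of principals from 'klist -k' output (header and separator lines ignored)."""
    return {m.group(1) for m in map(PRINC_RE.match, klist_output.splitlines()) if m}


def check_prereqs(named_conf_text, klist_output, named_uid, named_gid, dc_fqdn, realm):
    """List of problems found; an empty list means the BIND side looks consistent."""
    keytab = tkey_keytab_path(named_conf_text)
    if keytab is None:
        return ["named.conf has no tkey-gssapi-keytab directive"]
    problems = []
    if not os.path.exists(keytab):
        # The post shows the keytab under two different directories; test the
        # path the directive actually names, since that is the one BIND opens.
        problems.append(f"keytab {keytab} does not exist")
    elif not readable_by(keytab, named_uid, named_gid):
        problems.append(f"keytab {keytab} is not readable by uid={named_uid} gid={named_gid}")
    wanted = f"DNS/{dc_fqdn}@{realm}"  # service principal expected in the keytab
    if wanted not in keytab_principals(klist_output):
        problems.append(f"keytab lacks service principal {wanted}")
    return problems
```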

