[Samba] 2nd DC, internal DNS: dns_tkey_negotiategss: TKEY is unacceptable
Roel van Meer
roel at 1afa.com
Thu Aug 6 07:27:56 UTC 2015
L.P.H. van Belle writes:
> check the rights on :
> /var/lib/samba/private/dns.keytab 640 root:bind
> /var/lib/samba/private/dns 750 root:bind
> /var/lib/samba/private/sam.ldb.d 750 root:bind
I'm using the internal DNS on both DCs, so I guess bind access rights
aren't the issue.
Thanks for your answer though :)
Regards,
Roel
> >-----Original message-----
> >From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Roel van Meer
> >Sent: Thursday, 6 August 2015 8:55
> >To: samba at lists.samba.org
> >Subject: [Samba] 2nd DC, internal DNS: dns_tkey_negotiategss: TKEY is unacceptable
> >
> >Hi everyone,
> >
> >I'm testing with a Samba4 AD network, and I have some problems with DNS on
> >the second DC, with which I could use a bit of your help.
> >
> >I have an AD with two DCs, both Samba 4.2.3. On the first DC,
> >samba_dnsupdate works fine. With stock 4.2.3 I get the error
> >
> > "TSIG error with server: tsig verify failure"
> >
> >but the DNS updates succeed anyway, and after applying Gunther Kukkukk's
> >patch from
> >https://lists.samba.org/archive/samba-technical/2013-February/090408.html
> >the error is gone. So no problems there.
> >
> >However, on the second DC samba_dnsupdate does not work. I get the error
> >
> > "dns_tkey_negotiategss: TKEY is unacceptable"
> >
> >Problem is: I don't really know where to look. On the first DC (dev), the
> >ticket cache used by samba_dnsupdate contains:
> >
> > root at dev:~# klist -c /tmp/tmpoFYYga
> > Ticket cache: FILE:/tmp/tmpoFYYga
> > Default principal: DEV$@EXAM.CORP
> >
> > Valid starting Expires Service principal
> > 08/06/2015 08:17:43 08/06/2015 18:17:43 krbtgt/EXAM.CORP at EXAM.CORP
> > 08/06/2015 08:17:43 08/06/2015 18:17:43 DNS/dev.exam.corp at EXAM.CORP
> >
> >On the second DC (dc2) the ticket cache looks like:
> >
> > root at dc2:~# klist -c /tmp/tmpzCc55h
> > Ticket cache: FILE:/tmp/tmpzCc55h
> > Default principal: DC2$@EXAM.CORP
> >
> > Valid starting Expires Service principal
> > 08/06/2015 08:18:29 08/06/2015 18:18:29 krbtgt/EXAM.CORP at EXAM.CORP
> > 08/06/2015 08:18:29 08/06/2015 18:18:29 DNS/dev.exam.corp at EXAM.CORP
> >
> >which smells incorrect, because it has a service principal for dev.exam.corp
> >instead of dc2.exam.corp?
> >
> >The file /etc/krb5.conf looks like this on both servers:
> >
> > [libdefaults]
> > default_realm = EXAM.CORP
> > dns_lookup_realm = false
> > dns_lookup_kdc = false
> >
> >
> >Could anyone please give me a hint on where to look further, or which docs
> >to read to get this working?
> >
> >Thanks a lot,
> >
> >Roel
> >
> >--
> >To unsubscribe from this list go to the following URL and read the
> >instructions: https://lists.samba.org/mailman/options/samba
> >
> >
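A small triage helper, added here as an example and not part of the thread or of Samba itself: given klist output like the two caches quoted above, it lists the host named in each DNS/<host>@REALM service ticket (the DNS server the GSS-TSIG/TKEY exchange was negotiated with) and reports whether a ticket for a given server name is present. The sample caches are constructed from the listings in the thread, with the archive's " at " restored to "@"; the function names and exit codes are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread or from Samba): inspect a Kerberos
# ticket cache listing for DNS/<host>@REALM service tickets, which name the
# DNS server a GSS-TSIG (TKEY) update was negotiated with.

# Constructed sample caches, modelled on the two klist listings in the
# thread (with "@" restored in the principal names).
DEV_CACHE=$(cat <<'EOF'
Ticket cache: FILE:/tmp/tmpoFYYga
Default principal: DEV$@EXAM.CORP

Valid starting       Expires              Service principal
08/06/2015 08:17:43  08/06/2015 18:17:43  krbtgt/EXAM.CORP@EXAM.CORP
08/06/2015 08:17:43  08/06/2015 18:17:43  DNS/dev.exam.corp@EXAM.CORP
EOF
)

DC2_CACHE=$(cat <<'EOF'
Ticket cache: FILE:/tmp/tmpzCc55h
Default principal: DC2$@EXAM.CORP

Valid starting       Expires              Service principal
08/06/2015 08:18:29  08/06/2015 18:18:29  krbtgt/EXAM.CORP@EXAM.CORP
08/06/2015 08:18:29  08/06/2015 18:18:29  DNS/dev.exam.corp@EXAM.CORP
EOF
)

# Constructed cache holding only the TGT, i.e. no DNS ticket was obtained.
TGT_ONLY_CACHE=$(cat <<'EOF'
Ticket cache: FILE:/tmp/tmpNONE00
Default principal: DC2$@EXAM.CORP

Valid starting       Expires              Service principal
08/06/2015 08:18:29  08/06/2015 18:18:29  krbtgt/EXAM.CORP@EXAM.CORP
EOF
)

# dns_ticket_hosts KLIST_TEXT
# Print the host part of every DNS/<host>@REALM service principal, one per line.
dns_ticket_hosts() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^DNS\//) { split($i, p, "[/@]"); print p[2] }
    }'
}

# check_dns_ticket FQDN KLIST_TEXT
# Exit status 0: a DNS/FQDN@REALM ticket is present.
#             1: DNS/ tickets exist, but only for other servers.
#             2: no DNS/ service ticket at all (no TKEY ticket was obtained).
check_dns_ticket() {
    fqdn=$1
    hosts=$(dns_ticket_hosts "$2")
    if [ -z "$hosts" ]; then
        return 2
    fi
    for h in $hosts; do
        if [ "$h" = "$fqdn" ]; then
            return 0
        fi
    done
    return 1
}

# report LABEL FQDN KLIST_TEXT: one-line summary for a cache.
report() {
    if check_dns_ticket "$2" "$3"; then
        echo "$1: has a DNS ticket for $2"
    else
        echo "$1: no DNS ticket for $2; DNS tickets found for: $(dns_ticket_hosts "$3" | tr '\n' ' ')"
    fi
}

report dev dev.exam.corp "$DEV_CACHE"
report dc2 dc2.exam.corp "$DC2_CACHE"
```

On the dc2 listing the check reports that the only DNS ticket is for dev.exam.corp, which tells you which server the update client negotiated with; whether that is the intended target depends on which nameserver samba_dnsupdate resolved for the zone, so the output points at what to compare next (the resolved update target versus the local DC) rather than proving a fault by itself.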