[Samba] Fixing dns_tkey_gssnegotiate: TKEY is unacceptable but stuck on check_spn_alias_collision
Matthew Schumacher
matt.s at aptalaska.net
Fri Aug 5 19:51:56 UTC 2022
Hello all,
When trying to run samba_dnsupdate I get "dns_tkey_gssnegotiate: TKEY is
unacceptable". I see the webpage about this at
https://wiki.samba.org/index.php/Dns_tkey_negotiategss:_TKEY_is_unacceptable
and when verifying my keytab file I get a number of accounts:
klist -k /var/lib/samba/bind-dns/dns.keytab
Keytab name: FILE:/var/lib/samba/bind-dns/dns.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 DNS/dc-2-wsll.ad.domain.net@AD.DOMAIN.NET
   1 dns-dc-2-wsll@AD.DOMAIN.NET
   1 DNS/dc-2-wsll.ad.domain.net@AD.DOMAIN.NET
   1 dns-dc-2-wsll@AD.DOMAIN.NET
   1 DNS/dc-2-wsll.ad.domain.net@AD.DOMAIN.NET
   1 dns-dc-2-wsll@AD.DOMAIN.NET
I decided I would clean up and try again, so I:
rm /usr/local/samba/private/dns.keytab
then
samba-tool user delete dns-dc-2-wsll
Which seems to work, as I get
Deleted user dns-dc-2-wsll
But then when I reset the dns settings with:
samba_upgradedns --dns-backend=BIND9_DLZ
I see:
Reading domain information
DNS accounts already exist
No zone file /var/lib/samba/bind-dns/dns/AD.DOMAIN.NET.zone (normal)
DNS partitions already exist
Adding dns-dc-2-wsll account
check_spn_alias_collision: trying to add SPN
'DNS/dc-2-wsll.ad.domain.net' on
'CN=dns-dc-2-wsll,CN=Users,DC=ad,DC=domain,DC=net' when
'host/dc-2-wsll.ad.domain.net' is on 'CN=dc-2-wsll,OU=Domain
Controllers,DC=ad,DC=domain,DC=net'
See /var/lib/samba/bind-dns/named.conf for an example configuration
include file for BIND
and /var/lib/samba/bind-dns/named.txt for further documentation required
for secure DNS updates
Finished upgrading DNS
I'm trying to figure out how to clean this up and reset DNS so I can get
it to work. Any ideas?
Matt