Samba 4.0 DNS configuration

Trever L. Adams trever.adams at
Wed Jul 6 15:38:36 MDT 2011

On 06/11/2011 08:42 PM, Andrew Bartlett wrote:
> This isn't an issue with Samba 3.6, but with BIND and the Samba4 zone
> you have loaded. 
> The most reliable way to fix this is to upgrade to Bind 9.8 and change
> the gssapi settings in the name.conf to only:
> tkey-gssapi-keytab /path/to/dns.keytab
> This should then work much more reliably.  Your DNS zone is also showing
> a bug we had for ages, where the first line contained only the realm
> where it should be your server's full hostname.  (see the following line
> in the new zone template).  
> @               IN SOA  hostname.realm   hostmaster (
> I suspect your provision is old, so perhaps upgrade to a current Samba4
> git checkout and reprovision (if possible).  If you can't reprovision,
> ensure that the servicePrinciaplNames attribute on the 'cn=dns' user has
> a value of DNS/hostname.realm
> Andrew Barltett
I have been able to do an upgradeprovision --full for the first time in
a long time on this server. I now have the proper dns.keytab. However,
any attempt at nsupdate -g (including
/usr/local/samba/sbin/samba_dnsupdate --verbose) yields "tkey query
failed: GSSAPI error: Major = Unspecified GSS failure.  Minor code may
provide more information, Minor = Server not found in Kerberos database."

I have checked permissions and cannot figure this out.

Any ideas?

The other two provisions I have work just fine now.

"He that demands mercy, and shows none, ruins the bridge over which he
himself is to pass." -- Thomas Adams, 1612-1653

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 261 bytes
Desc: OpenPGP digital signature
URL: <>

More information about the samba-technical mailing list