Samba 4.0 DNS configuration

Andrew Bartlett abartlet at
Thu Jul 7 00:13:19 MDT 2011

On Wed, 2011-07-06 at 15:38 -0600, Trever L. Adams wrote:
> On 06/11/2011 08:42 PM, Andrew Bartlett wrote:
> >
> > This isn't an issue with Samba 3.6, but with BIND and the Samba4 zone
> > you have loaded. 
> >
> > The most reliable way to fix this is to upgrade to Bind 9.8 and change
> > the gssapi settings in the named.conf to only:
> >
> > tkey-gssapi-keytab /path/to/dns.keytab
> >
> > This should then work much more reliably.  Your DNS zone is also showing
> > a bug we had for ages, where the first line contained only the realm
> > where it should be your server's full hostname.  (see the following line
> > in the new zone template).  
> >
> > @               IN SOA  hostname.realm   hostmaster (
> >
> > I suspect your provision is old, so perhaps upgrade to a current Samba4
> > git checkout and reprovision (if possible).  If you can't reprovision,
> > ensure that the servicePrincipalName attribute on the 'cn=dns' user has
> > a value of DNS/hostname.realm
> >
> > Andrew Bartlett
> I have been able to do an upgradeprovision --full for the first time in
> a long time on this server. I now have the proper dns.keytab. However,
> any attempt at nsupdate -g (including
> /usr/local/samba/sbin/samba_dnsupdate --verbose) yields "tkey query
> failed: GSSAPI error: Major = Unspecified GSS failure.  Minor code may
> provide more information, Minor = Server not found in Kerberos database."
> I have checked permissions and cannot figure this out.

The issue here is that the name that nsupdate requests a ticket to is
not in Samba's sam.ldb.  As I mentioned in my previous mail, this name
is derived from that first line (the SOA) of the zone.

Can you look there and see how it differs from your working servers?
Did you upgrade to BIND 9.8?


Andrew Bartlett
Andrew Bartlett <abartlet at>
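The check Andrew describes, written out as an added example (this is not code from the thread or from Samba): nsupdate -g asks the KDC for a ticket to DNS/<SOA MNAME>, so the primary-master name in the zone's SOA must match a DNS/hostname.realm value in the servicePrincipalName attribute of the cn=dns account, otherwise the KDC answers "Server not found in Kerberos database". The script parses the SOA MNAME out of a BIND-style zone file and compares it against a list of SPNs; the two zone texts (one with the old realm-only SOA, one with the full hostname) and the SPN list are constructed sample data, not output from any real server.

```python
"""Sanity check: does the zone's SOA MNAME match a DNS/<fqdn> SPN?

Added example, not part of the mailing-list thread or of Samba.  The zone
files and SPN list below are constructed sample data.
"""

# Constructed sample: the old zone template Andrew mentions, where the SOA
# carries only the realm instead of the server's full hostname.
BROKEN_ZONE = """\
$ORIGIN example.com.
$TTL 900
@    IN SOA  example.com.  hostmaster (
         2011070701 ; serial
         900 600 86400 3600 )
     IN NS   dc1.example.com.
"""

# Constructed sample: SOA naming the DC's full hostname, as the newer template does.
FIXED_ZONE = """\
$ORIGIN example.com.
$TTL 900
@               IN SOA  dc1.example.com.   hostmaster (
                        2011070701 ; serial
                        900 600 86400 3600 )
                IN NS   dc1.example.com.
"""

# Constructed sample: what the cn=dns account's servicePrincipalName might hold.
SAMPLE_DNS_SPNS = ["DNS/dc1.example.com"]


def soa_mname(zone_text, origin=None):
    """Return the SOA MNAME (primary master) as a fully qualified name
    without the trailing dot, or None if the zone has no SOA record.

    Relative MNAMEs are qualified with $ORIGIN (or the supplied origin)."""
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop zone-file comments
        if not line:
            continue
        tokens = line.split()
        if tokens[0].upper() == "$ORIGIN" and len(tokens) > 1:
            origin = tokens[1].rstrip(".")
            continue
        upper = [t.upper() for t in tokens]
        if "SOA" in upper:
            idx = upper.index("SOA")
            if idx + 1 >= len(tokens):
                return None
            name = tokens[idx + 1]
            if name.endswith("."):
                return name[:-1]
            return f"{name}.{origin}" if origin else name
    return None


def expected_spn(mname):
    """The principal nsupdate -g will request a ticket for, given the SOA MNAME."""
    return f"DNS/{mname}"


def check_zone_against_spns(zone_text, spns, origin=None):
    """Return (ok, message): ok is True when the SPN derived from the SOA is
    present in spns (hostname comparison is case-insensitive)."""
    mname = soa_mname(zone_text, origin)
    if mname is None:
        return False, "no SOA record found in zone"
    wanted = expected_spn(mname)
    have = {s.lower() for s in spns}
    if wanted.lower() in have:
        return True, f"SOA MNAME {mname} matches SPN {wanted}"
    return (False,
            f"nsupdate -g will request {wanted}, but the account only has "
            f"{sorted(spns)}; expect 'Server not found in Kerberos database'")


if __name__ == "__main__":
    for label, zone in (("broken", BROKEN_ZONE), ("fixed", FIXED_ZONE)):
        ok, msg = check_zone_against_spns(zone, SAMPLE_DNS_SPNS)
        print(f"{label}: {'OK' if ok else 'MISMATCH'} - {msg}")
```

Run it against a copy of the zone file BIND has loaded and the SPN values read from the cn=dns object; a mismatch points at the SOA line or the SPN, which is where this thread's "Server not found in Kerberos database" comes from rather than from keytab permissions.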

More information about the samba-technical mailing list