TKEY unacceptable

Andrew Bartlett abartlet at
Sun May 22 23:36:15 MDT 2011

On Sun, 2011-05-22 at 01:56 +0400, Matthieu Patou wrote:
> Hello Andrews,
> I faced the message "dns_tkey_negotiategss: TKEY is unacceptable" and,
> after searching, trying some stuff without success, and wishing kai had
> finished a complete and simple DNS server, I started to look at the traces.
> I found that my client (actually a second DNS server) was requesting a 
> SPN for DNS/ when the instruction in named.txt 
> in the provision folder told me to have tkey-gssapi-credential 
> DNS/
> I think that's the reason for the problem because as soon as I changed to 
> DNS/ it started to work!
> See the trace between the "client DC" ( and the "DNS DC" 
> (

Unless you have two servers claiming DNS/ then it should be identical.

However, we should stop including DNS/ anywhere (we
should also move to the BIND 9.8 instructions - do you have a record for
what you used at your demo?)

(If we do remove DNS/ then we may need some help in
upgradeprovision for that).

Andrew Bartlett

Andrew Bartlett                      
Authentication Developer, Samba Team 
