TKEY unacceptable
Andrew Bartlett
abartlet at samba.org
Sun May 22 23:36:15 MDT 2011
On Sun, 2011-05-22 at 01:56 +0400, Matthieu Patou wrote:
> Hello Andrews,
>
> I faced the message dns_tkey_negotiategss: TKEY is unacceptable and
> after searching trying some stuff without success and wishing kai had
> finished a complete and simple DNS server I started to look at the traces.
>
> I found that my client (actually a second DNS server) was requesting a
> SPN for DNS/lenny.sub.home.matws.net when the instruction in named.txt
> in the provision folder told me to have tkey-gssapi-credential
> DNS/sub.home.matws.net.
>
> I think that's the reason of the problem because as soon as I changed to
> DNS/lenny.sub.home.matws.net it started to work !
>
> See the trace between the "client DC" (172.16.100.1) and the "DNS DC"
> (172.16.101.3).
Unless you have two servers claiming DNS/sub.home.matws.net then it should be identical.
However, we should stop including DNS/sub.home.matws.net anywhere (we
should also move to the BIND 9.8 instructions - do you have a record for
what you used at your demo?)
(If we do remove DNS/sub.home.matws.net then we may need some help in
upgradeprovision for that).
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
More information about the samba-technical
mailing list