TKEY unacceptable

Matthieu Patou mat at
Mon May 23 02:02:06 MDT 2011

On 23/05/2011 09:36, Andrew Bartlett wrote:
> On Sun, 2011-05-22 at 01:56 +0400, Matthieu Patou wrote:
>> Hello Andrews,
>> I faced the message dns_tkey_negotiategss: TKEY is unacceptable and,
>> after searching, trying some stuff without success, and wishing Kai had
>> finished a complete and simple DNS server, I started to look at the traces.
>> I found that my client (actually a second DNS server) was requesting a
>> SPN for DNS/ when the instruction in named.txt
>> in the provision folder told me to have tkey-gssapi-credential
>> DNS/
>> I think that's the reason for the problem because as soon as I changed to
>> DNS/ it started to work!
>> See the trace between the "client DC" ( and the "DNS DC"
>> (
> Unless you have two servers claiming DNS/ then it should be identical.
Well I don't know, this appeared when I made a vampire. And in the trace 
you can see that the SPN is DNS/ when the bind 
server was instructed to check DNS/
> However, we should stop including DNS/ anywhere (we
> should also move to the BIND 9.8 instructions - do you have a record for
> what you used at your demo?)
Yeah my slides are at:

I think that at least the notes should say that the SPN should be
DNS/<hostname>.<realm>, as not everybody will be able to use BIND 9.8.

> (If we do remove DNS/ then we may need some help in
> upgradeprovision for that).
Don't get this one.


Matthieu Patou
Samba Team