TKEY unacceptable

Matthieu Patou mat at samba.org
Mon May 23 02:02:06 MDT 2011


On 23/05/2011 09:36, Andrew Bartlett wrote:
> On Sun, 2011-05-22 at 01:56 +0400, Matthieu Patou wrote:
>> Hello Andrews,
>>
>> I faced the message dns_tkey_negotiategss: TKEY is unacceptable and,
>> after searching, trying some stuff without success, and wishing kai had
>> finished a complete and simple DNS server, I started to look at the traces.
>>
>> I found that my client (actually a second DNS server) was requesting a
>> SPN for DNS/lenny.sub.home.matws.net when the instruction in named.txt
>> in the provision folder told me to have tkey-gssapi-credential
>> DNS/sub.home.matws.net.
>>
>> I think that's the reason for the problem because as soon as I changed to
>> DNS/lenny.sub.home.matws.net it started to work!
>>
>> See the trace between the "client DC" (172.16.100.1) and the "DNS DC"
>> (172.16.101.3).
> Unless you have two servers claiming DNS/sub.home.matws.net then it should be identical.
Well I don't know, this appeared when I made a vampire. And in the trace 
you can see that the SPN is DNS/lenny.sub.home.matws.net when the bind 
server was instructed to check DNS/sub.home.matws.net
>
> However, we should stop including DNS/sub.home.matws.net anywhere (we
> should also move to the BIND 9.8 instructions - do you have a record for
> what you used at your demo?)
Yeah my slides are at: http://www.matws.net/pres/sambaxp_2011/

I think at least that the notes you say that the SPN should be 
DNS/<hostname>.<realm> as not everybody will be able to use bind 9.8.


>
> (If we do remove DNS/sub.home.matws.net then we may need some help in
> upgradeprovision for that).
Don't get this one.

Matthieu.

-- 
Matthieu Patou
Samba Team        http://samba.org
Private repo      http://git.samba.org/?p=mat/samba.git;a=summary
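
The mismatch discussed in this message, as an added check that is not part of the original thread or of Samba's code: it compares the tkey-gssapi-credential in a named.conf with the SPN a client requests for the server's FQDN. The sample configuration, the function names and the exact-match rule for the service part are assumptions.

```python
import re

# Constructed sample: the setting from the message above, plus an invented
# commented-out line to show that comments are ignored.
SAMPLE_CONF = '''
options {
    // tkey-gssapi-credential "DNS/old.example.net";
    tkey-gssapi-credential "DNS/sub.home.matws.net";
    tkey-domain "SUB.HOME.MATWS.NET";
};
'''

_CRED_RE = re.compile(r'^\s*tkey-gssapi-credential\s+"([^"]+)"\s*;', re.M)


def configured_spn(conf_text):
    """Return the tkey-gssapi-credential value, or None if it is not set."""
    text = re.sub(r"/\*.*?\*/", "", conf_text, flags=re.S)  # /* block */
    text = re.sub(r"(//|#).*", "", text)                    # // and # comments
    match = _CRED_RE.search(text)
    return match.group(1) if match else None


def split_spn(spn):
    """Split 'service/host[@REALM]' into (service, lower-cased host)."""
    service, sep, host = spn.split("@", 1)[0].partition("/")
    if not sep or not host:
        raise ValueError(f"not a service/host principal: {spn!r}")
    return service, host.rstrip(".").lower()


def check_tkey_spn(conf_text, server_fqdn):
    """Return (ok, message) for a server whose clients ask for DNS/<server_fqdn>."""
    expected = ("DNS", server_fqdn.rstrip(".").lower())
    spn = configured_spn(conf_text)
    if spn is None:
        return False, "tkey-gssapi-credential is not set"
    if split_spn(spn) != expected:
        return False, (f"configured {spn} but clients request "
                       f"DNS/{expected[1]}: expect 'TKEY is unacceptable'")
    return True, f"{spn} matches DNS/{expected[1]}"


if __name__ == "__main__":
    print(check_tkey_spn(SAMPLE_CONF, "lenny.sub.home.matws.net"))
```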



