Internal dns server changed between RC2 & 4.1.0pre1-GIT-2c3a808

Rowland Penny repenny at
Mon Oct 15 16:02:03 MDT 2012

On 15/10/12 22:46, Rowland Penny wrote:
> On 15/10/12 20:56, Kai Blin wrote:
>> On 2012-10-15 21:48, Rowland Penny wrote:
>>> On 15/10/12 20:19, Kai Blin wrote:
>>>> On 2012-10-15 19:21, Rowland Penny wrote:
>>>>> It is one I found on the internet and altered to fit my needs, as I said
>>>>> it works on RC2 but now will not work on pre1.
>>>>> Basically the script is run by dhcp from dhcpd.conf, it checks a
>>>>> kerberos keytab then runs nsupdate to first delete the pc's nameserver
>>>>> record (if there is one) then adds it to the required zone. The
>>>>> script then checks to see if the record now exists.
>>>> Hm, I think we got rid of the DNS special user for RC1, but I seem to
>>>> remember Jelmer added back the code that adds it to some of the upgrade
>>>> scripts. Did you run any?
>>> No I didn't, I just provisioned as normal, but there is a user at
>>> CN=dns-adserver,CN=Users,DC=home,DC=lan. Should I remove this user or
>>> can I just ignore it?
>> Ah, it's a new provision. That's relevant information. Try removing that
>> user. It's been causing trouble for me in the past.
> dns user removed
>>> All the dns tests from the howto work as written. I added the reverse
>>> zone via samba-tool:
>>> samba-tool dns zonecreate -U
>>> Administrator
>> Ah, did you restart samba after that? Currently the dnsserver (the RPC
>> part that samba-tool dns talks to) doesn't tell the dns server that the
>> zone list has changed, but the list is read at startup.
> No, I didn't, but I have now, the script is now failing on both trying 
> to add to forward zone & to the reverse zone, I just get:
> dns_tkey_negotiategss: TKEY is unacceptable
> I come back to my original question, why is the TKEY acceptable to RC2 
> but not to 4.1.0pre1-GIT-2c3a808?
> I have tried to use wireshark to get the info required, but cannot 
> seem to find the right filter and if I don't use a filter, there 
> doesn't seem to be anything in the capture about dhcp, my script, 
> nsupdate or the name server.
>>> I then added the reverse record for the server:
>> Cheers,
>> Kai
> Thanks again
> Rowland

OK, I tried adding the records with samba-tool and this works, so how 
does samba-tool do it, what TKEY does it use??
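
The DHCP-triggered update flow described in the quoted text (ticket from a keytab, delete then add through nsupdate, then a lookup), as an added example that is not the poster's script or part of the original message. The keytab path, principal, server name and TTL are assumed values; the `home.lan` zone is taken from the DN quoted in the thread, and the hostname check goes beyond what the thread describes.

```shell
#!/bin/sh
# Added example, not the poster's script. Assumed values: keytab path,
# principal, server name and TTL. The home.lan zone comes from the thread.
KEYTAB=/etc/dhcpduser.keytab      # hypothetical
PRINCIPAL=dhcpduser@HOME.LAN      # hypothetical
SERVER=adserver.home.lan          # hypothetical
ZONE=home.lan
TTL=3600

# Print the in-addr.arpa owner name for a dotted-quad IPv4 address.
ptr_name() {
    case $1 in *[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
    printf '%s.%s.%s.%s.in-addr.arpa' "$4" "$3" "$2" "$1"
}

# Print the nsupdate batch for one lease. The client-supplied hostname is
# restricted to one DNS label so it cannot add lines to the batch. Forward
# and reverse records live in different zones, so each gets its own send.
build_batch() {
    case $1 in ''|*[!A-Za-z0-9-]*|-*|*-) return 1 ;; esac
    ptr=$(ptr_name "$2") || return 1
    fqdn="$1.$ZONE"
    cat <<EOF
server $SERVER
update delete $fqdn. A
update add $fqdn. $TTL A $2
send
update delete $ptr. PTR
update add $ptr. $TTL PTR $fqdn.
send
EOF
}

# Get a ticket from the keytab, send the signed updates, confirm the A record.
register() {
    batch=$(build_batch "$1" "$2") || { echo "rejected: $1 $2" >&2; return 1; }
    kinit -k -t "$KEYTAB" "$PRINCIPAL" || return 1
    printf '%s\n' "$batch" | nsupdate -g || return 1
    host -t A "$1.$ZONE" "$SERVER" >/dev/null
}

if [ $# -eq 2 ]; then register "$@"; fi
```

With `nsupdate -g` the TKEY exchange is negotiated from the Kerberos ticket obtained by `kinit`, which is the step that fails with "TKEY is unacceptable" in the thread.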



More information about the samba-technical mailing list