[Samba] Dynamic DNS failures with Samba4

Andrew Dumaresq dumaresq at gmail.com
Sun Jan 17 14:11:51 MST 2010


I've used samba3 for years, and it mostly did exactly what I wanted, In 
the last few weeks I decided to install Samba4.  I got it installed and 
everything seems to be working as expected.  I have one small issue, and 
I'm not really sure if the problem is Samba4, bind, my client PC or 
something else I haven't considered.

I've got one Linux server, which acts as a Samba 
(4.0.0alpha9-GIT-27087e6) server and a DNS (BIND 9.6.1-P2) server, it is 
also my PDC.  I've got a number of windows clients two of which are 
currently in the Domain.  One PC which is windows XP can update its DNS 
entries with no issues:

17-Jan-2010 15:51:18.042 gss cred: "DNS/dumaresq.local at DUMARESQ.LOCAL", 
GSS_C_ACCEPT, 4294965265
17-Jan-2010 15:51:18.113 gss-api source name (accept) is 
17-Jan-2010 15:51:18.113 process_gsstkey(): dns_tsigerror_noerror

I have another PC that is windows VISTA which cannot update its DNS entries:

17-Jan-2010 15:54:25.875 gss cred: "DNS/dumaresq.local at DUMARESQ.LOCAL", 
GSS_C_ACCEPT, 4294965078
17-Jan-2010 15:54:25.876 failed gss_accept_sec_context: GSSAPI error: 
Major = Unspecified GSS failure.  Minor code may provide more 
information, Minor = Wrong principal in request.
17-Jan-2010 15:54:25.876 process_gsstkey(): dns_tsigerror_badkey

I believe I've got BIND setup correctly since it works for the Windows 
XP PC but here's the relevant configs:

options {
        directory "/var/cache/bind";
        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
        tkey-gssapi-credential "DNS/dumaresq.local";
        tkey-domain "DUMARESQ.LOCAL";

zone "dumaresq.local" {
        type master;
        file "/etc/bind/dumaresq/db.dumaresq";
        update-policy {
                grant localhost subdomain * A AAAA;
                grant DUMARESQ.LOCAL ms-self * A AAAA;


zone "1.168.192.in-addr.arpa" {
        type master;
        file "/etc/bind/dumaresq/db.192";
        update-policy {
                grant *.LOCAL wildcard *.1.168.192.in-addr.arpa. PTR;


Here's my smb.conf file:

        netbios name            = morannon
        workgroup               = dumaresq
        realm                   = dumaresq.local
        server role             = domain controller
        log file                = /var/log/samba/log.%m
        log level               = 2
        debug level             = 2
        interfaces              = eth1 lo
        bind interfaces only    = yes

Is this a problem with Windows vista?  I'm assuming that either vista 
can't get the correct credentials from the KDC (which is Samba) or that 
Samba is delivering the wrong credentials.

I see the following entry in the samba logs for the computer that fails:

[Sun Jan 17 15:09:43 2010 EST, 2 
Kerberos: TGS-REQ aragorn$@DUMARESQ.LOCAL from for 
DNS/dumaresq.local at DUMARESQ.LOCAL [canonicalize, renewable, forwardable]

So I think samba is doing what it should.  I'm lost here, anybody have 
any thoughts?

More information about the samba mailing list