[Samba] Fwd: samba_dnsupdate principal and TKEY unacceptable

Tushar Dalvi tushar.dalvi.samba at gmail.com
Sun Dec 9 13:52:09 MST 2012


Hi,

I am trying to run samba with bind_dlz (bind-9.9.1 - P1) on a multi-homed
network. I have configured the setup as per Samba4 Howto.
But when I try to do "samba_dnsupdate --all-names" it fails with error:
dns_tkey_negotiategss: TKEY is unacceptable

The Kerberos ticket being used by samba_dnsupdate shows the following
principals:
 klist -c /tmp/tmp6cxfgY
Ticket cache: FILE:/tmp/tmp6cxfgY
Default principal: DB-SERVER$@BOM.MH.IN
Service principal
krbtgt/BOM.MH.IN
DNS/db-server@BOM.MH.IN

Whereas the dns.keytab shows following principals (repeated for multiple
encryption algorithms)
klist -k private/dns.keytab:
DNS/db-server.bom.mh.in@BOM.MH.IN
dns-DB-server@BOM.MH.IN

Wireshark shows that samba_dnsupdate requests a TGS-REQ for DNS/db-server@BOM.MH.IN

I retried this thing with samba's internal DNS and there samba_dnsupdate
requests DNS/db-server.bom.mh.in@BOM.MH.IN. In case of the internal server
the ticket cache shows up like:
Service principal
krbtgt/BOM.MH.IN
DNS/db-server.bom.mh.in@BOM.MH.IN

As the principal being used by samba_dnsupdate in case of Bind doesn't
contain the domain name at its end, can this be the reason for the TKEY failure?
Why is there a difference in the principal names requested by
samba_dnsupdate in case of Bind and internal DNS?

PS: I couldn't go ahead with samba's internal DNS because there I got a TSIG
verify failure, as already posted here:
http://permalink.gmane.org/gmane.network.samba.general/127722

Thank you folks for the awesome work!

Regards,
Tushar
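The post's symptom is a mismatch between the service principal the ticket cache holds (short host name) and the principal present in dns.keytab (FQDN). The script below makes that comparison explicit. It is an added example, not code from the original post or from Samba: it parses the text output of `klist -c <cache>` and `klist -k <keytab>` (MIT klist column headers, with Heimdal's also recognised), takes the last column of each table row as the principal, and reports for every DNS/ ticket whether the keytab has the exact principal, a principal for the same short host in a different form (short name vs FQDN), or none at all. The sample klist outputs are constructed from the principals quoted in the post; the timestamps and key version numbers are made up. Whether the mismatch is what makes the TKEY negotiation fail is the question the post asks; the script only surfaces the mismatch.

```python
"""Added diagnostic (not Samba code): compare DNS/ tickets in a credential
cache against the principals in a keytab, both taken from klist text output."""

from typing import List, Optional, Set, Tuple

# Constructed `klist -c` output for the bind_dlz case (short-host ticket).
SAMPLE_CACHE_BIND = """\
Ticket cache: FILE:/tmp/tmp6cxfgY
Default principal: DB-SERVER$@BOM.MH.IN

Valid starting       Expires              Service principal
12/09/12 13:40:01    12/09/12 23:40:01    krbtgt/BOM.MH.IN@BOM.MH.IN
12/09/12 13:40:02    12/09/12 23:40:01    DNS/db-server@BOM.MH.IN
"""

# Constructed `klist -c` output for the internal-DNS case (FQDN ticket).
SAMPLE_CACHE_INTERNAL = SAMPLE_CACHE_BIND.replace(
    "DNS/db-server@", "DNS/db-server.bom.mh.in@")

# Constructed `klist -k private/dns.keytab` output; one row per enctype.
SAMPLE_KEYTAB = """\
Keytab name: FILE:private/dns.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 DNS/db-server.bom.mh.in@BOM.MH.IN
   1 DNS/db-server.bom.mh.in@BOM.MH.IN
   1 dns-DB-server@BOM.MH.IN
   1 dns-DB-server@BOM.MH.IN
"""

Principal = Tuple[Optional[str], str, str]  # (service, host_or_name, realm)


def split_principal(principal: str) -> Principal:
    """'svc/host@REALM' -> (svc, host, realm); 'name@REALM' -> (None, name, realm)."""
    name, sep, realm = principal.rpartition("@")
    if not sep:
        raise ValueError(f"principal has no realm: {principal!r}")
    svc, slash, host = name.partition("/")
    return (svc, host, realm) if slash else (None, name, realm)


def _table_principals(text: str, header_prefixes: Tuple[str, ...]) -> List[str]:
    """Last column of every row that follows the table header line."""
    found: List[str] = []
    in_table = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith(header_prefixes):
            in_table = True
        elif in_table and stripped and not stripped.startswith("-"):
            last = stripped.split()[-1]
            if "@" in last:
                found.append(last)
    return found


def parse_cache(text: str) -> Tuple[str, List[str]]:
    """(default principal, service principals) from `klist -c` output."""
    default = ""
    for line in text.splitlines():
        if line.strip().startswith(("Default principal:", "Principal:")):
            default = line.split(":", 1)[1].strip()
            break
    # MIT header starts "Valid starting"; Heimdal's starts "Issued".
    return default, _table_principals(text, ("Valid starting", "Issued"))


def parse_keytab(text: str) -> Set[str]:
    """Distinct principals from `klist -k` output (MIT "KVNO", Heimdal "Vno")."""
    return set(_table_principals(text, ("KVNO", "Vno")))


def short_host(host: str) -> str:
    """First DNS label, lower-cased: db-server == db-server.bom.mh.in."""
    return host.split(".", 1)[0].lower()


def check_dns_principals(cache_text: str, keytab_text: str) -> List[Tuple[str, str, Optional[str]]]:
    """Per DNS/ ticket: 'ok', 'host-form-mismatch' (same short host and
    realm, different host form) or 'missing', plus the keytab match if any."""
    _, services = parse_cache(cache_text)
    keytab = parse_keytab(keytab_text)
    dns_keys = {p: split_principal(p) for p in keytab if split_principal(p)[0] == "DNS"}
    report: List[Tuple[str, str, Optional[str]]] = []
    for ticket in services:
        svc, host, realm = split_principal(ticket)
        if svc != "DNS":
            continue  # krbtgt and other services are not what TKEY uses
        if ticket in keytab:
            report.append((ticket, "ok", ticket))
            continue
        near = sorted(p for p, (_, khost, krealm) in dns_keys.items()
                      if krealm == realm and short_host(khost) == short_host(host))
        report.append((ticket, "host-form-mismatch", near[0]) if near
                      else (ticket, "missing", None))
    return report


if __name__ == "__main__":
    for label, cache in (("bind_dlz", SAMPLE_CACHE_BIND), ("internal", SAMPLE_CACHE_INTERNAL)):
        for ticket, status, match in check_dns_principals(cache, SAMPLE_KEYTAB):
            print(f"{label}: {ticket} -> {status}" + (f" (keytab has {match})" if match else ""))
```

On a live system, feed it the real output (`klist -c /tmp/<cache>` and `klist -k private/dns.keytab`) instead of the constructed samples. A 'host-form-mismatch' line means the TKEY client is asking for a ticket the DNS server has no key for under that exact name, which is the situation the post describes; an 'ok' line means the principal itself is not the problem and the failure lies elsewhere.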

