[Samba] Fwd: samba_dnsupdate principal and TKEY unacceptable

Andrew Dumaresq dumaresq at gmail.com
Tue Dec 11 20:03:17 MST 2012


This probably means that bind can't read your dns keytab file.

Make sure you have
tkey-gssapi-keytab "/path to/dns.keytab"; in the options section of
your bind config.

Then make sure it's readable by the bind user. You might start by making
the file 666 and then sort it out later; in my case I set it chmod 600
and chown it to the user bind, which is way more secure.

Also, your dns.keytab file should have a lot of entries in it:

 klist -k /usr/local/samba/private/dns.keytab
Keytab name: FILE:/usr/local/samba/private/dns.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 DNS/host.domain.local at DOMAIN.LOCAL
   1 dns-host at DOMAIN.LOCAL
   1 DNS/host.domain.local at DOMAIN.LOCAL
   1 dns-host at DOMAIN.LOCAL
   1 DNS/host.domain.local at DOMAIN.LOCAL
   1 dns-host at DOMAIN.LOCAL
   1 DNS/host.domain.local at DOMAIN.LOCAL
   1 dns-host at DOMAIN.LOCAL
   1 DNS/host.domain.local at DOMAIN.LOCAL
   1 dns-host at DOMAIN.LOCAL



On Sun, Dec 9, 2012 at 3:52 PM, Tushar Dalvi
<tushar.dalvi.samba at gmail.com> wrote:
> Hi,
>
> I am trying to run samba with bind_dlz (bind-9.9.1 - P1) on a multi-homed
> network. I have configured the setup as per Samba4 Howto.
> But when I try to do "samba_dnsupdate --all-names" it fails with error:
> dns_tkey_negotiategss: TKEY is unacceptable
>
> The kerberos ticket being used by samba_dnsupdate shows following
> principals:
>  klist -c /tmp/tmp6cxfgY
> Ticket cache: FILE:/tmp/tmp6cxfgY
> Default principal: DB-SERVER$@BOM.MH.IN
> Service principal
> krbtgt/BOM.MH.IN
> DNS/db-server at BOM.MH.IN
>
> Whereas the dns.keytab shows following principals (repeated for multiple
> encryption algorithms)
> klist -k private/dns.keytab:
> DNS/db-server.bom.mh.in at BOM.MH.IN
> dns-DB-server at BOM.MH.IN
>
> Wireshark shows that samba_dnsupdate requests TGS-REQ for DNS/
> db-server at BOM.MH.IN
>
> I retried this thing with samba's internal DNS and there samba_dnsupdate
> requests for DNS/db-server.bom.mh.in at BOM.MH.IN. In case of internal server
> the ticket cache shows up like:
> Service principal
> krbtgt/BOM.MH.IN
> DNS/db-server.bom.mh.in at BOM.MH.IN
>
> As the principal being used by samba_dnsupdate in case of Bind doesn't
> contain domain name at its end, can this be the reason for Tkey failure?
> Why is there a difference in the principal names requested by
> samba_dnsupdate in case of Bind and Internal DNS?
>
> PS: I couldn't go ahead with samba's internal DNS because there I got Tsig
> verify failure as already posted here:
> http://permalink.gmane.org/gmane.network.samba.general/127722
>
> Thank you folks for the awesome work!
>
> Regards,
> Tushar
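A shell sanity check for the two conditions Andrew's reply describes (the tkey-gssapi-keytab option in the BIND options block, and the keytab's ownership and mode), added here as an example; it is not part of the original mail nor Samba's or BIND's own tooling. The temporary directory, the sample named.conf and the empty stand-in keytab are constructed test data; the function names are assumptions, the owner is given as a numeric uid (in production pass `$(id -u bind)`), and the optional entry count assumes the MIT `klist -k` output format shown earlier in the thread.

```shell
#!/bin/sh
# Added example, not from the original mail. Checks the BIND-side
# prerequisites for GSS-TSIG updates: the tkey-gssapi-keytab option and
# the keytab's permissions. Names and sample data below are assumptions.

# Print the keytab path configured via tkey-gssapi-keytab in a BIND config.
# Returns 1 and prints nothing if the option is absent (commented lines
# starting with # or // are skipped).
tkey_keytab_path() {
    conf="$1"
    path=$(sed -n 's|^[^#/]*tkey-gssapi-keytab[[:space:]]*"\([^"]*\)".*|\1|p' "$conf" | head -n 1)
    [ -n "$path" ] || return 1
    printf '%s\n' "$path"
}

# Check that the keytab exists, is owned by the expected uid, and is not
# accessible by "other" (the chmod 600 + chown bind state from the mail,
# as opposed to the temporary 666 one). Prints a reason, returns 1 on failure.
check_keytab_perms() {
    keytab="$1"; want_uid="$2"
    [ -f "$keytab" ] || { echo "missing: $keytab"; return 1; }
    # ls -n gives numeric uid/gid; chars 8-10 of the mode string are "other"
    owner=$(ls -ldn "$keytab" | awk '{print $3}')
    other=$(ls -ldn "$keytab" | cut -c8-10)
    [ "$owner" = "$want_uid" ] || { echo "owner uid is $owner, want $want_uid"; return 1; }
    case "$other" in
        ---) ;;
        *) echo "world-accessible ($other): tighten to 600"; return 1 ;;
    esac
    echo "ok: $keytab owned by uid $owner, not world-readable"
}

# Optional: count keytab entries if klist is installed (MIT format assumed:
# three header lines before the first entry). Prints 0 when klist is absent.
keytab_entry_count() {
    command -v klist >/dev/null 2>&1 || { echo 0; return; }
    klist -k "$1" 2>/dev/null | awk 'NR>3' | wc -l | tr -d ' '
}

# --- constructed demo data in a temp dir, so the script runs stand-alone ---
demo_dir=$(mktemp -d)
cat > "$demo_dir/named.conf" <<EOF
options {
    directory "/var/cache/bind";
    tkey-gssapi-keytab "$demo_dir/dns.keytab";
};
EOF
: > "$demo_dir/dns.keytab"          # empty stand-in for the real keytab
chmod 666 "$demo_dir/dns.keytab"    # the "make it 666 first" state

me=$(id -u)
kt=$(tkey_keytab_path "$demo_dir/named.conf") && echo "configured keytab: $kt"
check_keytab_perms "$kt" "$me" || true   # reported: world-accessible
chmod 600 "$kt"                          # the recommended end state
check_keytab_perms "$kt" "$me"           # reported: ok
echo "entries: $(keytab_entry_count "$kt")"
rm -rf "$demo_dir"
```

Run it as the user that owns the keytab; on a real server replace the demo directory with the path from named.conf and the uid with that of the bind user. A keytab that passes the permission check but reports zero entries points back at the Samba side (the keytab was not provisioned) rather than at BIND.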

