[Samba] Fwd: samba_dnsupdate principal and TKEY unacceptable

Tushar Dalvi tushar.dalvi.samba at gmail.com
Wed Dec 12 19:16:51 MST 2012


Thanks for the reply Andrew.
I had made sure the keytab was accessible to bind but it still failed.
Looked like it was an SPN issue.

samba_dnsupdate tried to use DNS/host at DOMAIN.LOCAL (not
DNS/host.domain.local at DOMAIN.LOCAL).
Using samba-tool, when I added an spn for DNS/host to the dns-host user and
exported the keytab to dns.keytab, then bind accepted the TKEY.
I am wondering what caused samba_dnsupdate to use DNS/host instead of
DNS/host.domain.local spn.

Regards,
Tushar


On Tue, Dec 11, 2012 at 7:03 PM, Andrew Dumaresq <dumaresq at gmail.com> wrote:

> This probably means that bind can't read your dns keytab file
>
> make sure you have
> tkey-gssapi-keytab "/path to/dns.keytab"; in the options section of
> your bind config
>
> Then make sure it's readable by the bind user you might start making
> the file 666 and then sort it out later, in my case I set it chmod 600
> and chown it to the user bind, which is way more secure.
>
> also your dns.keytab file should have a lot of entries in it:
>
>  klist -k /usr/local/samba/private/dns.keytab
> Keytab name: FILE:/usr/local/samba/private/dns.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    1 DNS/host.domain.local at DOMAIN.LOCAL
>    1 dns-host at DOMAIN.LOCAL
>    1 DNS/host.domain.local at DOMAIN.LOCAL
>    1 dns-host at DOMAIN.LOCAL
>    1 DNS/host.domain.local at DOMAIN.LOCAL
>    1 dns-host at DOMAIN.LOCAL
>    1 DNS/host.domain.local at DOMAIN.LOCAL
>    1 dns-host at DOMAIN.LOCAL
>    1 DNS/host.domain.local at DOMAIN.LOCAL
>    1 dns-host at DOMAIN.LOCAL
>
>
>
> On Sun, Dec 9, 2012 at 3:52 PM, Tushar Dalvi
> <tushar.dalvi.samba at gmail.com> wrote:
> > Hi,
> >
> > I am trying to run samba with bind_dlz (bind-9.9.1 - P1) on a multi-homed
> > network. I have configured the setup as per Samba4 Howto.
> > But when I try to do "samba_dnsupdate --all-names" it fails with error:
> > dns_tkey_negotiategss: TKEY is unacceptable
> >
> > The kerberos ticket being used by samba_dnsupdate shows following
> > principals:
> >  klist -c /tmp/tmp6cxfgY
> > Ticket cache: FILE:/tmp/tmp6cxfgY
> > Default principal: DB-SERVER$@BOM.MH.IN
> > Service principal
> > krbtgt/BOM.MH.IN
> > DNS/db-server at BOM.MH.IN
> >
> > Whereas the dns.keytab shows following principals (repeated for multiple
> > encryption algorithms)
> > klist -k private/dns.keytab:
> > DNS/db-server.bom.mh.in at BOM.MH.IN
> > dns-DB-server at BOM.MH.IN
> >
> > Wireshark shows that samba_dnsupdate requests TGS-REQ for DNS/
> > db-server at BOM.MH.IN
> >
> > I retried this thing with samba's internal DNS and there samba_dnsupdate
> > requests for DNS/db-server.bom.mh.in at BOM.MH.IN. In case of internal server
> > the ticket cache shows up like:
> > Service principal
> > krbtgt/BOM.MH.IN
> > DNS/db-server.bom.mh.in at BOM.MH.IN
> >
> > As the principal being used by samba_dnsupdate in case of Bind doesn't
> > contain domain name at its end, can this be the reason for Tkey failure?
> > Why is there a difference in the principal names requested by
> > samba_dnsupdate in case of Bind and Internal DNS?
> >
> > PS: I couldn't go ahead with samba's internal DNS because there I got Tsig
> > verify failure as already posted here:
> > http://permalink.gmane.org/gmane.network.samba.general/127722
> >
> > Thank you folks for the awesome work!
> >
> > Regards,
> > Tushar
>
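The thread turns on a mismatch between the SPN samba_dnsupdate asks a ticket for (DNS/host@REALM) and the SPNs present in dns.keytab (DNS/host.domain.local@REALM). The script below is an added example, not code from the thread or from Samba: it parses `klist -k` output and reports whether the keytab holds the fully qualified DNS/ SPN, only the short-host form, or neither, so the check can be run before blaming BIND's keytab permissions. The embedded klist listing is constructed to mirror the case described above; `read_keytab()` assumes an MIT or Heimdal `klist` on PATH.

```python
"""Check that a Samba/BIND dns.keytab carries the SPN samba_dnsupdate will use."""
import re
import subprocess

# Constructed sample of `klist -k` output reproducing the thread's failing case:
# only the short-host DNS/ SPN is present, not DNS/<fqdn>@REALM.
SAMPLE_KLIST = """Keytab name: FILE:/usr/local/samba/private/dns.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 DNS/db-server@BOM.MH.IN
   1 dns-DB-server@BOM.MH.IN
   1 DNS/db-server@BOM.MH.IN
   1 dns-DB-server@BOM.MH.IN
"""

# Entry lines look like "   1 DNS/host.domain.local@DOMAIN.LOCAL"; the header and
# separator lines do not start with a number, so they are skipped by the regex.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s*$")


def parse_klist(text):
    """Return a list of (kvno, principal) tuples from `klist -k` output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2)))
    return entries


def read_keytab(path):
    """Run `klist -k` on a real keytab file and parse its output (assumes klist on PATH)."""
    out = subprocess.run(["klist", "-k", path], capture_output=True, text=True, check=True)
    return parse_klist(out.stdout)


def check_dns_spn(entries, fqdn, realm):
    """Report which DNS/ SPN forms the keytab holds for this host."""
    principals = {p for _, p in entries}
    fqdn_spn = f"DNS/{fqdn}@{realm}"
    short_spn = f"DNS/{fqdn.split('.')[0]}@{realm}"
    fqdn_ok, short_ok = fqdn_spn in principals, short_spn in principals
    if fqdn_ok and short_ok:
        verdict = "ok: both SPN forms present"
    elif fqdn_ok:
        verdict = f"warning: only {fqdn_spn}; TKEY fails if the client asks for {short_spn}"
    elif short_ok:
        verdict = f"warning: only {short_spn}; TKEY fails if the client asks for {fqdn_spn}"
    else:
        verdict = "error: no DNS/ SPN for this host in keytab"
    return {"fqdn_spn": fqdn_ok, "short_spn": short_ok, "verdict": verdict}


if __name__ == "__main__":
    print(check_dns_spn(parse_klist(SAMPLE_KLIST), "db-server.bom.mh.in", "BOM.MH.IN")["verdict"])
```

Compare the verdict with the service principal shown by `klist -c` on the cache samba_dnsupdate creates; the keytab must contain exactly the form the client requested.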

