[Samba] Fwd: samba_dnsupdate principal and TKEY unacceptable

Andrew Dumaresq dumaresq at gmail.com
Thu Dec 13 09:32:03 MST 2012


Probably the way you do reverse DNS lookups, but I couldn't say for sure....

Krb is very dependent on DNS both forward and reverse.

On Wed, Dec 12, 2012 at 9:16 PM, Tushar Dalvi
<tushar.dalvi.samba at gmail.com> wrote:
> Thanks for the reply Andrew.
> I had made sure the keytab was accessible to bind but it still failed.
> Looked like it was an SPN issue.
>
> samba_dnsupdate tried to use DNS/host at DOMAIN.LOCAL (not
> DNS/host.domain.local at DOMAIN.LOCAL).
> Using samba-tool, when I added an spn for DNS/host to the dns-host user and
> exported the keytab to dns.keytab, then bind accepted the TKEY.
> I am wondering what caused samba_dnsupdate to use DNS/host instead of
> DNS/host.domain.local spn.
>
> Regards,
> Tushar
>
>
> On Tue, Dec 11, 2012 at 7:03 PM, Andrew Dumaresq <dumaresq at gmail.com> wrote:
>>
>> This probably means that bind can't read your dns keytab file
>>
>> make sure you have
>> tkey-gssapi-keytab "/path to/dns.keytab"; in the options section of
>> your bind config
>>
>> Then make sure it's readable by the bind user. You might start by making
>> the file 666 and then sort it out later; in my case I set it chmod 600
>> and chown it to the user bind, which is way more secure.
>>
>> also your dns.keytab file should have a lot of entries in it:
>>
>>  klist -k /usr/local/samba/private/dns.keytab
>> Keytab name: FILE:/usr/local/samba/private/dns.keytab
>> KVNO Principal
>> ---- --------------------------------------------------------------------------
>>    1 DNS/host.domain.local at DOMAIN.LOCAL
>>    1 dns-host at DOMAIN.LOCAL
>>    1 DNS/host.domain.local at DOMAIN.LOCAL
>>    1 dns-host at DOMAIN.LOCAL
>>    1 DNS/host.domain.local at DOMAIN.LOCAL
>>    1 dns-host at DOMAIN.LOCAL
>>    1 DNS/host.domain.local at DOMAIN.LOCAL
>>    1 dns-host at DOMAIN.LOCAL
>>    1 DNS/host.domain.local at DOMAIN.LOCAL
>>    1 dns-host at DOMAIN.LOCAL
>>
>>
>>
>> On Sun, Dec 9, 2012 at 3:52 PM, Tushar Dalvi
>> <tushar.dalvi.samba at gmail.com> wrote:
>> > Hi,
>> >
>> > I am trying to run samba with bind_dlz (bind-9.9.1 - P1) on a multi-homed
>> > network. I have configured the setup as per Samba4 Howto.
>> > But when I try to do "samba_dnsupdate --all-names" it fails with error:
>> > dns_tkey_negotiategss: TKEY is unacceptable
>> >
>> > The kerberos ticket being used by samba_dnsupdate shows the following
>> > principals:
>> >  klist -c /tmp/tmp6cxfgY
>> > Ticket cache: FILE:/tmp/tmp6cxfgY
>> > Default principal: DB-SERVER$@BOM.MH.IN
>> > Service principal
>> > krbtgt/BOM.MH.IN
>> > DNS/db-server at BOM.MH.IN
>> >
>> > Whereas the dns.keytab shows following principals (repeated for multiple
>> > encryption algorithms)
>> > klist -k private/dns.keytab:
>> > DNS/db-server.bom.mh.in at BOM.MH.IN
>> > dns-DB-server at BOM.MH.IN
>> >
>> > Wireshark shows that samba_dnsupdate requests TGS-REQ for DNS/
>> > db-server at BOM.MH.IN
>> >
>> > I retried this thing with samba's internal DNS and there samba_dnsupdate
>> > requests for DNS/db-server.bom.mh.in at BOM.MH.IN. In case of the internal
>> > server the ticket cache shows up like:
>> > Service principal
>> > krbtgt/BOM.MH.IN
>> > DNS/db-server.bom.mh.in at BOM.MH.IN
>> >
>> > As the principal being used by samba_dnsupdate in case of Bind doesn't
>> > contain domain name at its end, can this be the reason for Tkey failure?
>> > Why is there a difference in the principal names requested by
>> > samba_dnsupdate in case of Bind and Internal DNS?
>> >
>> > PS: I couldn't go ahead with samba's internal DNS because there I got a
>> > Tsig verify failure as already posted here:
>> > http://permalink.gmane.org/gmane.network.samba.general/127722
>> >
>> > Thank you folks for the awesome work!
>> >
>> > Regards,
>> > Tushar
>> > --
>> > To unsubscribe from this list go to the following URL and read the
>> > instructions:  https://lists.samba.org/mailman/options/samba
>
>

