[Samba] Samba 4 "TKEY is unacceptable" driving me NUTS!

Patrick Gray pgray at prevoyancegroup.com
Fri Sep 6 10:34:43 MDT 2013

I've installed Samba 4.09 on Ubuntu with BIND 9.8.1-P1, the former compiled from git source and the latter installed from apt-get. I'm migrating from an existing Windows 2008 SBS domain controller that I want to retire (and be Windows-free on the server side), and have followed the instructions on the Samba wiki for setting up BIND and migrating.

When I run samba_dnsupdate --verbose --all-names as per the wiki, all updates result in a "dns_tkey_negotiategss: TKEY is unacceptable". Syslog produces the following:

Sep  6 12:21:32 newdc samba[7735]: [2013/09/06 12:21:32.189272,  0] ../source4/dsdb/dns/dns_update.c:294(dnsupdate_nameupdate_done)
Sep  6 12:21:32 newdc samba[7735]:   ../source4/dsdb/dns/dns_update.c:294: Failed DNS update - NT_STATUS_IO_TIMEOUT
Sep  6 12:23:29 newdc named[7690]: samba b9_putrr: unhandled record type 0

The same TKEY error occurs when I attempt a manual nsupdate. What's odd is that the updates actually appear in the Windows DNS manager when I use nsupdate or samba-tool to add entries. This works for both the new Samba DC and the existing Windows DC. I was going to chalk this up to gremlins and move on with life, but when I attempt to transfer or seize the naming role, from either Samba or the existing Windows DC, I get:

sudo /usr/local/samba/bin/samba-tool fsmo transfer --role=naming -Uadministrator
ERROR(ldb): uncaught exception - Failed FSMO transfer: WERR_GENERAL_FAILURE
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py", line 268, in run
    transfer_role(self.outf, role, samdb)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py", line 53, in transfer_role

I believe these are related, but I cannot get the TKEY error resolved and have attempted every trick I've been able to find on this mailing list. I've tried the following based on days of googling:

1. Verified that AppArmor isn't causing problems by setting the following in its config:

  # Samba 4 support
  /usr/local/samba/private/** rkw,
  /usr/local/samba/private/dns.keytab rk,
  /usr/local/samba/private/dns/** rkw,
  /etc/krb5.conf r,
  /usr/local/samba/etc/smb.conf r,

  #Samba 4 BIND libraries
  /usr/local/samba/lib/bind9/dlz_bind9.so rm,
  /usr/local/samba/lib/** rm,
  /usr/lib/x86_64-linux-gnu/ldb/modules/ldb/** rm,

  # with libdlz_bind9, named needs to access /var/tmp/DNS-${HOSTNAME}_xxx ticke$
  /var/tmp/** krw,
  /tmp/** krw,

2. Regenerated the dns.keytab
3. Ensured that the new DC is listed as the SOA record in the DNS for mydomain.local
4. Added the requested config to my named.conf:

  tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
  #tried with and without the line below, no difference
  tkey-domain "MYDOMAIN.LOCAL";

5. Attempted to transfer and seize roles from both Windows and Samba

I've run out of ideas here, and would appreciate any help or additional things to attempt. If I cannot seize the naming role, shutting down the Windows box results in syslog being flooded with "Can't contact OLDDC.mydomain.local"-type errors. I want to rid the domain of all memories of SBS, so I'm worried that not migrating the naming role will keep some dependency in place.

Thanks for any help!

Kind Regards,


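A preflight check for the BIND9 GSS-TSIG prerequisites the post walks through (an active tkey-gssapi-keytab option in named.conf, a present non-empty dns.keytab, a DNS/ service principal inside it), as an added example that is not part of the original post or of Samba's tooling. The function names and check logic are constructed for this example; the paths are the ones quoted above.

```shell
#!/bin/sh
# Added example: preflight checks for BIND9 GSS-TSIG (TKEY) dynamic updates
# against a Samba AD DC. The functions and their logic are constructed for
# this example; they are not part of Samba or BIND.
# Usage: sh tkey_preflight.sh /etc/bind/named.conf

# Return 0 if named.conf has an active (uncommented) tkey-gssapi-keytab option.
has_tkey_keytab() {
    grep -Eq '^[[:space:]]*tkey-gssapi-keytab[[:space:]]+"[^"]+"[[:space:]]*;' "$1"
}

# Print the keytab path configured in named.conf (empty if none).
tkey_keytab_path() {
    sed -nE 's/^[[:space:]]*tkey-gssapi-keytab[[:space:]]+"([^"]+)"[[:space:]]*;.*/\1/p' "$1" | head -n 1
}

# Return 0 if the keytab exists as a regular, non-empty file.
keytab_present() {
    [ -f "$1" ] && [ -s "$1" ]
}

# Return 0 if the keytab holds a DNS/ service principal.
# Skipped (returns 0) when klist is not installed, so offline runs still complete.
keytab_has_dns_principal() {
    command -v klist >/dev/null 2>&1 || return 0
    klist -k "$1" 2>/dev/null | grep -q 'DNS/'
}

# Run all checks against one named.conf; print one line per check;
# return 0 only if every check passes.
preflight() {
    conf=$1; rc=0
    if has_tkey_keytab "$conf"; then echo "ok   tkey-gssapi-keytab set in $conf"
    else echo "FAIL tkey-gssapi-keytab missing or commented out in $conf"; return 1; fi
    kt=$(tkey_keytab_path "$conf")
    if keytab_present "$kt"; then echo "ok   keytab $kt present"
    else echo "FAIL keytab $kt missing or empty (named cannot complete TKEY)"; rc=1; fi
    if keytab_has_dns_principal "$kt"; then echo "ok   DNS/ principal in $kt (or klist unavailable)"
    else echo "FAIL no DNS/ principal in $kt; regenerate the keytab"; rc=1; fi
    return $rc
}

# Only run when a named.conf path is given, so the functions can be sourced.
[ $# -eq 0 ] || preflight "$1"
```

A passing run still does not prove that named can open the keytab under its own uid and AppArmor profile; that has to be checked from the named side (its logs) after a restart.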