[Samba] TKEY is unacceptable

Steve Thompson smt at vgersoft.com
Wed Feb 12 12:43:38 MST 2014

Samba 4.1.1 using BIND_DLZ (bind-9.9.1-0.1.P2) on CentOS 6.5 x86_64.

I have two domain controllers, dc-1 and dc-2, which each have three 
network interfaces. Selinux is in permissive mode, and iptables is off. 
One interface on each dc is to be shut down. So, on dc-1, I do:

# nsupdate -g
update delete europa.icse.cornell.edu A
update delete europa.icse.cornell.edu A
send

and this works, as confirmed by "nslookup europa.icse.cornell.edu". The 
same nsupdate operation on dc-2 fails with:

dns_tkey_negotiategss: TKEY is unacceptable

I have verified that named.conf is the same on both nodes; I am using

  tkey-gssapi-keytab "/usr/local/samba/europa/private/dns.keytab";

and the named user can read the keytabs with no issue (permissions and 
ownerships are correct). The keytabs themselves appear fine:

dc-1 # klist -k dns.keytab
    1 DNS/dc-1.europa.icse.cornell.edu@EUROPA.ICSE.CORNELL.EDU
    1 dns-dc-1@EUROPA.ICSE.CORNELL.EDU

dc-2 # klist -k dns.keytab
    1 DNS/dc-2.europa.icse.cornell.edu@EUROPA.ICSE.CORNELL.EDU

which are similar except for the uppercase DC-2 in the second sample.

This was originally set up with Samba 4.0.3, when nsupdate worked on both 
nodes, but since the upgrade to 4.1.1, nsupdate (and also samba_dnsupdate) 
work on dc-1 but not on dc-2. Everything else samba-related seems to work.

I've compared the setup on both nodes until I am blue in the face, and 
they appear equivalent. I've also read many articles with a similar 
problem, but have found no solutions.

Could use a clue! TIA,
Steve Thompson                 E-mail:      smt AT vgersoft DOT com
Voyager Software LLC           Web:         http://www DOT vgersoft DOT com
39 Smugglers Path              VSW Support: support AT vgersoft DOT com
Ithaca, NY 14850
   "186,282 miles per second: it's not just a good idea, it's the law"
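An added check, not part of the original post and not Samba or BIND code: a small shell helper that takes `klist -k` output for a DLZ dns.keytab and reports which of the principals a GSS-TSIG (`nsupdate -g`) negotiation is expected to find are absent, or present only with a different case. The expected principal names, `DNS/<fqdn>@REALM` and `dns-<host>@REALM`, are taken from the dc-1 listing above; requiring both on every DC is this check's assumption, not something the post establishes. The keytab listings embedded below are constructed from the post's two samples plus a third, invented one with an uppercased hostname.

```shell
#!/bin/sh
# Added example (not from the original post): compare the principals present
# in a Samba DLZ dns.keytab, as printed by `klist -k`, against the ones that
# TKEY/GSS-TSIG negotiation is assumed to need on a DC.

# expected_principals HOST FQDN REALM
# Prints the two principal names this check looks for. The naming scheme is
# taken from the dc-1 keytab in the post; needing both is an assumption.
expected_principals() {
    printf '%s\n' "DNS/$2@$3" "dns-$1@$3"
}

# missing_principals HOST FQDN REALM < klist_output
# Reads `klist -k` output on stdin. Prints "missing: <principal>" for each
# expected principal that is not in the keytab at all, and
# "case mismatch: <principal>" when it is there only with different case
# (Kerberos principal names are case-sensitive, so that is worth flagging
# separately). Exit status is 1 if anything was reported, 0 otherwise.
missing_principals() {
    host=$1 fqdn=$2 realm=$3
    # `klist -k` prints "KVNO Principal" data lines; keep field 2 of lines
    # whose first field is a numeric KVNO, which drops the header lines.
    present=$(awk 'NF==2 && $1 ~ /^[0-9]+$/ {print $2}')
    rc=0
    for want in $(expected_principals "$host" "$fqdn" "$realm"); do
        if printf '%s\n' "$present" | grep -qxF "$want"; then
            continue
        elif printf '%s\n' "$present" | grep -qixF "$want"; then
            echo "case mismatch: $want"
            rc=1
        else
            echo "missing: $want"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample listings (header lines as `klist -k` prints them).
KLIST_DC1='Keytab name: FILE:dns.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 DNS/dc-1.europa.icse.cornell.edu@EUROPA.ICSE.CORNELL.EDU
   1 dns-dc-1@EUROPA.ICSE.CORNELL.EDU'

KLIST_DC2='Keytab name: FILE:dns.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 DNS/dc-2.europa.icse.cornell.edu@EUROPA.ICSE.CORNELL.EDU'

# Invented variant: same entries as dc-1 would have, but with the hostname
# uppercased in the service principal.
KLIST_DC2_UPPER='Keytab name: FILE:dns.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 DNS/DC-2.europa.icse.cornell.edu@EUROPA.ICSE.CORNELL.EDU
   1 dns-dc-2@EUROPA.ICSE.CORNELL.EDU'

REALM=EUROPA.ICSE.CORNELL.EDU

# Stand-alone usage; on a live DC replace the variable with `klist -k dns.keytab`.
for dc in dc-1 dc-2; do
    echo "== $dc"
    eval "listing=\$KLIST_$(echo "$dc" | tr 'a-z-' 'A-Z_')"
    printf '%s\n' "$listing" | missing_principals "$dc" "$dc.europa.icse.cornell.edu" "$REALM" || :
done
echo "== dc-2 (uppercased principal)"
printf '%s\n' "$KLIST_DC2_UPPER" | missing_principals dc-2 dc-2.europa.icse.cornell.edu "$REALM" || :
```

Run against the two listings in the post, the check is clean for dc-1 and reports `missing: dns-dc-2@EUROPA.ICSE.CORNELL.EDU` for dc-2; it says nothing about whether that absence is the cause of the TKEY failure, only that the two keytabs are not equivalent.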
