[Samba] TKEY is unacceptible [SEC=UNOFFICIAL]

Thamm, Russell russell.thamm at dsto.defence.gov.au
Sun Jul 20 21:16:04 MDT 2014


I have a SAMBA4 box (CentOS 6.5, SAMBA 4.1.7) that joined a 2003 domain and I have transferred (not seized) all FSMO roles to the samba box. I demoted the 2003 DC (had to forceremoval). The Samba box now is the sole DC and DNS server on the network.

I followed the instructions in https://lists.samba.org/archive/samba-technical/2014-February/097703.html for repairing the domain after the forced demotion.

Everything is working well except for dns dynamic updates.

I've been struggling with the dreaded "dns_key_negotiategss: TKEY is unacceptable" for several days.

Using strace, I've convinced myself that named can access all the necessary files. So it seems that the only alternative is that dns.keytab itself is the problem.

My dns.keytab had 5 pairs of keys of the form

DNS/sambabox.mydomain.local at MYDOMAIN.LOCAL<mailto:DNS/sambabox.mydomain.local at MYDOMAIN.LOCAL>
dns-SAMBABOX.MyDomain.local at MYDOMAIN.LOCAL<mailto:dns-SAMBABOX.MyDomain.local at MYDOMAIN.LOCAL>

with the types (des-cbc-crc, des-cdc-md5, arcfour-hmac, aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96)

When I searched the web on how to regenerate the keytab file, there seem to be several incompatible answers.

After reading


I concluded  that the dns account should be dns-sambabox and not the current dns-sambabox.MyDomain.local

samba-tool spn list dns-sambabox.mydomain.local returns a spn of

Stupidly  I tried:

samba-tool user create dns-sambabox -random-password
samba-tool user setexpiry -noexpiry dns-sambabox
samba-tool spn add DNS/sambabox.mydomain.local  dns-sambabox
samba-tool domain exportkeytab newdns.keytab --principal=dns-sambabox
samba-tool domain exportkeytab newdns.keytab --principal=DNS/sambabox.mydomain.local
mv dns.keytab dns.keytab.old
mv new.keytab dns.keytab
chgrp named dns.keytab
chmod 640 dns.keytab

and restarted bind.

Not only has this not fixed the problem, it has completely broken internal DNS. When I switch back to internal, samba won't even start.

Could not find DNS/sambabox.mydomain.local in secrets database.

I guess that the spn I added above is responsible. The old account name is still in the secrets database with the spn mentioned in the error message.

Clearly I have no idea how to repair this and I expect that if I try, I will just break it worse. So I'd be grateful for advise on fixing the secrets database.

I'd also be grateful for any hints on debugging the TKEY error.

IMPORTANT: This email remains the property of the Department of Defence and is subject to the jurisdiction of section 70 of the CRIMES ACT 1914.  If you have received this email in error, you are requested to contact the sender and delete the email.

More information about the samba mailing list