[Samba] TKEY is unacceptible [SEC=UNOFFICIAL]

Thamm, Russell russell.thamm at dsto.defence.gov.au
Mon Jul 21 23:08:13 MDT 2014


Thanks Steve,

I really appreciate your response.

It would probably be sensible to have the hostname information in the user documentation.

After getting hostname to work properly, samba_upgradedns still creates the wrong dns account. So I gather that it's too late for me to recover from this mistake.

I have searched the web concerning Samba4 and .local. I have found several recommendations against using .local but the reasons provided seem irrelevant to my situation. I have found no one claiming that it can't be used.

Cheers
Russell

-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On Behalf Of steve
Sent: Monday, 21 July, 2014 4:03 p.m.
To: samba at lists.samba.org
Subject: Re: [Samba] TKEY is unacceptible [SEC=UNOFFICIAL]

On Mon, 2014-07-21 at 03:16 +0000, Thamm, Russell wrote:

> 
> I concluded that the dns account should be dns-sambabox and not the 
> current dns-sambabox.MyDomain.local
> 
> samba-tool spn list dns-sambabox.mydomain.local returns a spn of
>       DNS/SAMBABOX.MyDomain.local.mydomain.local.

Hi

Kerberos appends the domain name to the hostname, so you have either /etc/hostname, /etc/hosts or /etc/resolv.conf wrong. Or, maybe all three. In your case, hostname is returning fqdn which is why you have the wrong keys.

    hostname
    hostname -f
    hostname -s
and
    hostname -d
must be perfect before you provision or join.

But in any case, you cannot use a .local domain.
Cheers,
Steve


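Added example (not part of the original messages and not Samba code): a shell check of the four hostname values listed in the reply above, with a preview of the name that results when the domain is appended to whatever `hostname` returns. The function names are hypothetical and the sample values are constructed from the names in the thread.

```shell
#!/bin/sh
# Added example, not Samba code. Function names are hypothetical.

# spn_preview HOSTNAME DOMAIN
# Prints the name that results when the domain is appended to the value
# `hostname` returned, which is the behaviour described in the reply.
spn_preview() {
    printf 'DNS/%s.%s\n' "$1" "$2"
}

# check_hostnames HOSTNAME SHORT FQDN DOMAIN
# Arguments are the outputs of: hostname, hostname -s, hostname -f, hostname -d.
# Prints one line per problem; returns 0 only when all four values agree.
check_hostnames() {
    h=$1 s=$2 f=$3 d=$4 rc=0
    case $h in
        *.*) echo "hostname returns a dotted name: $h"; rc=1 ;;
    esac
    [ -n "$d" ] || { echo "hostname -d is empty"; rc=1; }
    [ "$h" = "$s" ] || { echo "hostname ($h) differs from hostname -s ($s)"; rc=1; }
    [ "$f" = "$s.$d" ] || { echo "hostname -f ($f) is not $s.$d"; rc=1; }
    return $rc
}

# check_local_host: run the same check against this machine's real values.
check_local_host() {
    check_hostnames "$(hostname)" "$(hostname -s)" "$(hostname -f)" "$(hostname -d)"
}

# Constructed values modelled on the thread: hostname returns the FQDN,
# so appending the domain repeats it.
spn_preview sambabox.mydomain.local mydomain.local
check_hostnames sambabox.mydomain.local sambabox \
    sambabox.mydomain.local mydomain.local || echo "fix before provision or join"
```

Call `check_local_host` on the server itself before provisioning or joining; a non-zero return means at least one of the four values disagrees with the others.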