[Samba] TKEY is unacceptible [SEC=UNOFFICIAL]

Tue Jul 22 00:56:35 MDT 2014

On Tue, 2014-07-22 at 05:08 +0000, Thamm, Russell wrote:
> UNOFFICIAL
> 
> Thanks Steve,
> 
> I really appreciate your response.
> 
> It would probably be sensible to have the hostname information in the user documentation.
User documentation? This is open source;)

> 
> After getting hostname to work properly, samba_upgradedns still creates the wrong dns account. So I gather that it's too late for me to recover from this mistake.
Hi
Unfortunately, no one else has answered so if it's just us and you want
a decision on where to spend your time, we'd go for a new join: Restore
the original DC from its backup to a point _before_ the join, remove the
private directory from the wrong-dns DC and join anew. There may well be
a way to recover from a wrong hostname situation, but you could be
waiting days for any clues.
> 
> I have searched the web concerning Samba4 and .local. I have found several recommendations against using .local but the reasons provided seem irrelevant to my situation. I have found no one claiming that it can't be used.
Not a big deal I don't think, but when things are not working it's best to remove any possible gotchas, no matter how insignificant they may be.

Oh, BTW when you get it joined, you'll need to kick start it into
replicating. We made a check list:
http://linuxcostablanca.blogspot.com.es/2014/06/samba4-dc-replication-on-ubuntu.html

Cheers,
Steve

> Cheers
> Russell
> 
> -----Original Message-----
> From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On Behalf Of steve
> Sent: Monday, 21 July, 2014 4:03 p.m.
> To: samba at lists.samba.org
> Subject: Re: [Samba] TKEY is unacceptible [SEC=UNOFFICIAL]
> 
> On Mon, 2014-07-21 at 03:16 +0000, Thamm, Russell wrote:
> 
> > 
> > I concluded  that the dns account should be dns-sambabox and not the 
> > current dns-sambabox.MyDomain.local
> > 
> > samba-tool spn list dns-sambabox.mydomain.local returns a spn of
> >       DNS/SAMBABOX.MyDomain.local.mydomain.local.
> 
> Hi
> Kerberos appends the domain name to the hostname, so you have either /etc/hostname, /etc/hosts or /etc/resolv.conf wrong. Or, maybe all three. In your case, hostname is returning fqdn which is why you have the wrong keys. 
> hostname
> hostname -f
> hostname -s
> and
> hostname -d
> must be perfect before you provision or join.
> 
> But in any case, you cannot use a .local domain.
> Cheers,
> Steve
> 
> 
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
> IMPORTANT: This email remains the property of the Department of Defence and is subject to the jurisdiction of section 70 of the CRIMES ACT 1914.  If you have received this email in error, you are requested to contact the sender and delete the email.