[Samba] dnsupdate: TKEY is unacceptable

Lars Hanke debian at lhanke.de
Wed Jun 11 00:20:27 MDT 2014

I set up samba with BIND9_DLZ as described in the official howto. Bind 
seems to resolve all the provisioned names and the very basic samba 
connectivity seems to be established. According to the howto I tried:

samba_dnsupdate --verbose --all-names

and I get

dns_tkey_negotiategss: TKEY is unacceptable
Failed nsupdate: 1

for each entry. The smb.conf global section:

         workgroup = AD
         realm = AD.EXAMPLE.COM
         netbios name = SAMBA
         server role = active directory domain controller
         private dir = /srv/files/private
         lock directory = /srv/files
         state directory = /srv/files/state
         cache directory = /srv/files/cache
         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
         idmap_ldb:use rfc2307 = yes

And Bind9 is started with

export KRB5_KTNAME=/srv/files/private/dns.keytab

and it has the following settings in named.conf.options:

tkey-gssapi-keytab "/srv/files/private/dns.keytab";
tkey-gssapi-credential "DNS/samba.ad.example.com";
tkey-domain "AD.EXAMPLE.COM";

Any idea how to troubleshoot this situation?

Thanks for your help,
  - lars.
