[Samba] [Solved] Samba with Bind and GSSAPI: configuring TKEY: failure
Dr. Lars Hanke
lars at lhanke.de
Tue Jun 10 02:17:24 MDT 2014
I think I found the issue. As it seems the 'tkey-gssapi-keytab' option
is not sufficient to point named to the proper keytab. Setting the
environment 'KRB5_KTNAME' to the keytab brought named up. No more TKEY
failure or domain mismatch and all samba stuff can be resolved.
named -4 -c /etc/bind/named.conf -g -u bind -d 65535 has been my friend
in troubleshooting this. It might be an idea to put a pointer into the
official Samba howto.
Am 10.06.2014 09:44, schrieb Rowland Penny:
> On 10/06/14 07:48, Lars Hanke wrote:
>> I tried to set up Samba using a separate Bind as described in the
>> howto. It worked about the way it was described there. Since samba
>> roots in /srv/files I had to link /srv/files/private to
>> /var/lib/samba/private in order to make the DLZ find the smb.tld
>> files. However, using the GSSAPI update I find the following in the
>> syslog when starting bind9.
>>
>> Jun 10 00:26:42 samba named[3938]: default realm from krb5.conf
>> (AD.EXAMPLE.COM) does not match tkey-gssapi-credential
>> (DNS/samba.ad.example.com)
>> Jun 10 00:26:42 samba named[3938]: configuring TKEY: failure
>> Jun 10 00:26:42 samba named[3938]: loading configuration: failure
>> Jun 10 00:26:42 samba named[3938]: exiting (due to fatal error)
>>
>> According, to several mailing list entries the first line is not
>> necessarily an error. It's strange though, since I use the krb5.conf
>> generated by the provisioning.
>>
>> Any idea how to troubleshoot what exactly bind is complaining about?
>>
>> Thanks for your help,
>> - lars.
>
> Can you please post your conf files.
>
> Rowland
>
More information about the samba
mailing list