[Samba] 2nd DC, internal DNS: dns_tkey_negotiategss: TKEY is unacceptable
Roel van Meer
roel at 1afa.com
Thu Aug 6 06:55:11 UTC 2015
Hi everyone,
I'm testing with a Samba4 AD network, and I have some problems with DNS on
the second DC, with which I could use a bit of your help.
I have an AD with two DCs, both Samba 4.2.3. On the first DC,
samba_dnsupdate works fine. With stock 4.2.3 I get the error
"TSIG error with server: tsig verify failure"
but the DNS updates succeed anyway, and after applying Gunther Kukkukk's patch from
https://lists.samba.org/archive/samba-technical/2013-February/090408.html
the error is gone. So no problems there.
However, on the second DC samba_dnsupdate does not work. I get the error
"dns_tkey_negotiategss: TKEY is unacceptable"
Problem is: I don't really know where to look. On the first DC (dev), the
ticket cache used by samba_dnsupdate contains:
root@dev:~# klist -c /tmp/tmpoFYYga
Ticket cache: FILE:/tmp/tmpoFYYga
Default principal: DEV$@EXAM.CORP

Valid starting       Expires              Service principal
08/06/2015 08:17:43  08/06/2015 18:17:43  krbtgt/EXAM.CORP@EXAM.CORP
08/06/2015 08:17:43  08/06/2015 18:17:43  DNS/dev.exam.corp@EXAM.CORP
On the second DC (dc2) the ticket cache looks like:
root@dc2:~# klist -c /tmp/tmpzCc55h
Ticket cache: FILE:/tmp/tmpzCc55h
Default principal: DC2$@EXAM.CORP

Valid starting       Expires              Service principal
08/06/2015 08:18:29  08/06/2015 18:18:29  krbtgt/EXAM.CORP@EXAM.CORP
08/06/2015 08:18:29  08/06/2015 18:18:29  DNS/dev.exam.corp@EXAM.CORP
which smells incorrect, because it has a service principal for dev.exam.corp
instead of dc2.exam.corp?
The file /etc/krb5.conf looks like this on both servers:
[libdefaults]
default_realm = EXAM.CORP
dns_lookup_realm = false
dns_lookup_kdc = false
Could anyone please give me a hint on where to look further, or which docs
to read to get this working?
Thanks a lot,
Roel
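As an added illustration (not part of the post above and not Samba's own code), the check Roel is doing by eye can be scripted: parse the klist listing of the temporary cache and flag a DNS/ service ticket whose host is not the DC that owns the cache. The function names and the embedded sample (copied from the dc2 listing in the post) are constructed for this example.

```python
import re
import socket
from typing import List, Optional

# One ticket line as printed by klist: start, expiry, service principal.
TICKET_RE = re.compile(
    r"^(?P<start>\d\d/\d\d/\d{4} \d\d:\d\d:\d\d)\s+"
    r"(?P<expires>\d\d/\d\d/\d{4} \d\d:\d\d:\d\d)\s+"
    r"(?P<principal>\S+)$"
)


def service_principals(klist_output: str) -> List[str]:
    """Return the service principals in a klist listing, in order."""
    principals = []
    for line in klist_output.splitlines():
        m = TICKET_RE.match(line.strip())
        if m:
            principals.append(m.group("principal"))
    return principals


def dns_ticket_mismatch(klist_output: str, local_fqdn: str) -> Optional[str]:
    """Return the DNS/ principal if the cache holds a DNS service ticket for
    a host other than local_fqdn (the DC whose samba_dnsupdate owns the
    cache); return None when the DNS ticket matches or is absent."""
    expected = f"dns/{local_fqdn.lower()}@"
    for principal in service_principals(klist_output):
        lowered = principal.lower()
        if lowered.startswith("dns/") and not lowered.startswith(expected):
            return principal
    return None


# Constructed sample: the second DC's cache from the post, where the DNS
# ticket names dev.exam.corp although the cache belongs to dc2.
DC2_KLIST = """\
Ticket cache: FILE:/tmp/tmpzCc55h
Default principal: DC2$@EXAM.CORP

Valid starting       Expires              Service principal
08/06/2015 08:18:29  08/06/2015 18:18:29  krbtgt/EXAM.CORP@EXAM.CORP
08/06/2015 08:18:29  08/06/2015 18:18:29  DNS/dev.exam.corp@EXAM.CORP
"""

if __name__ == "__main__":
    bad = dns_ticket_mismatch(DC2_KLIST, "dc2.exam.corp")
    print("DNS ticket for wrong host:", bad)   # on the real box, pass socket.getfqdn()
```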