[Samba] 2nd DC, internal DNS: dns_tkey_negotiategss: TKEY is unacceptable

Roel van Meer roel at 1afa.com
Thu Aug 6 06:55:11 UTC 2015

Hi everyone,

I'm testing with a Samba4 AD network, and I have some problems with DNS on
the second DC, with which I could use a bit of your help.

I have an AD with two DCs, both Samba 4.2.3.  On the first DC,
samba_dnsupdate works fine.  With stock 4.2.3 I get the error

  "TSIG error with server: tsig verify failure"

but the DNS updates succeed anyway, and after applying Gunther Kukkukk's patch from
the error is gone.  So no problems there.

However, on the second DC samba_dnsupdate does not work.  I get the error

  "dns_tkey_negotiategss: TKEY is unacceptable"

Problem is: I don't really know where to look.  On the first DC (dev), the
ticket cache used by samba_dnsupdate contains:

  root@dev:~# klist -c /tmp/tmpoFYYga
  Ticket cache: FILE:/tmp/tmpoFYYga
  Default principal: DEV$@EXAM.CORP

  Valid starting       Expires              Service principal
  08/06/2015 08:17:43  08/06/2015 18:17:43  krbtgt/EXAM.CORP@EXAM.CORP
  08/06/2015 08:17:43  08/06/2015 18:17:43  DNS/dev.exam.corp@EXAM.CORP

On the second DC (dc2) the ticket cache looks like:

  root@dc2:~# klist -c /tmp/tmpzCc55h
  Ticket cache: FILE:/tmp/tmpzCc55h
  Default principal: DC2$@EXAM.CORP

  Valid starting       Expires              Service principal
  08/06/2015 08:18:29  08/06/2015 18:18:29  krbtgt/EXAM.CORP@EXAM.CORP
  08/06/2015 08:18:29  08/06/2015 18:18:29  DNS/dev.exam.corp@EXAM.CORP

which smells incorrect, because it has a service principal for dev.exam.corp
instead of dc2.exam.corp?

The file /etc/krb5.conf looks like this on both servers:

        default_realm = EXAM.CORP
        dns_lookup_realm = false
        dns_lookup_kdc = false

Could anyone please give me a hint on where to look further, or which docs
to read to get this working?

Thanks a lot,

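As an added diagnostic (not from the original post or from Samba), the check below parses klist output in the format quoted above and reports whether the cache holds a DNS/ service ticket for the nameserver the DC is expected to update, and whether that ticket is still within its validity window. It assumes each DC is expected to hold a ticket for its own DNS server (dev.exam.corp and dc2.exam.corp), which is the poster's suspicion, not a confirmed fact; the sample caches are constructed from the post with the mailing-list " at " obfuscation restored to "@".

```python
import re
from datetime import datetime

# Constructed sample input: the two klist caches quoted in the post, with the
# mailing-list " at " obfuscation restored to "@".
KLIST_DEV = """Ticket cache: FILE:/tmp/tmpoFYYga
Default principal: DEV$@EXAM.CORP

Valid starting       Expires              Service principal
08/06/2015 08:17:43  08/06/2015 18:17:43  krbtgt/EXAM.CORP@EXAM.CORP
08/06/2015 08:17:43  08/06/2015 18:17:43  DNS/dev.exam.corp@EXAM.CORP
"""
KLIST_DC2 = """Ticket cache: FILE:/tmp/tmpzCc55h
Default principal: DC2$@EXAM.CORP

Valid starting       Expires              Service principal
08/06/2015 08:18:29  08/06/2015 18:18:29  krbtgt/EXAM.CORP@EXAM.CORP
08/06/2015 08:18:29  08/06/2015 18:18:29  DNS/dev.exam.corp@EXAM.CORP
"""

TS = "%m/%d/%Y %H:%M:%S"                      # klist's default timestamp format
DATE = r"\d\d/\d\d/\d{4} \d\d:\d\d:\d\d"
TICKET_RE = re.compile(rf"^({DATE})\s+({DATE})\s+(\S+)$", re.M)

def parse_klist(text):
    """Return (default principal, [(valid_from, expires, service principal)])."""
    m = re.search(r"^Default principal:\s*(\S+)$", text, re.M)
    tickets = [(datetime.strptime(s, TS), datetime.strptime(e, TS), p)
               for s, e, p in TICKET_RE.findall(text)]
    return (m.group(1) if m else None), tickets

def principal_host(principal):
    """'DNS/dev.exam.corp@EXAM.CORP' -> 'dev.exam.corp' (lower-cased)."""
    return principal.split("/", 1)[1].split("@", 1)[0].lower()

def check_dns_ticket(klist_text, expected_host, now=None):
    """Flag a DNS/ service ticket that is missing, issued for a nameserver
    other than expected_host (assumed: the DC's own DNS server), or outside
    its validity window at `now`. Returns a list of problem strings."""
    _, tickets = parse_klist(klist_text)
    dns = [t for t in tickets if t[2].startswith("DNS/")]
    if not dns:
        return ["no DNS/ service ticket in cache"]
    problems = []
    for valid_from, expires, princ in dns:
        host = principal_host(princ)
        if host != expected_host.lower():
            problems.append(f"DNS ticket is for {host}, expected {expected_host}")
        if now is not None and not valid_from <= now <= expires:
            problems.append(f"DNS ticket for {host} is not valid at {now:%Y-%m-%d %H:%M}")
    return problems
```

Feed it the output of `klist -c <cache>` from each DC; an empty list means the cache looks as expected under the assumption above.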