[Samba] 2nd DC, internal DNS: dns_tkey_negotiategss: TKEY is unacceptable

L.P.H. van Belle belle at bazuin.nl
Thu Aug 6 07:23:09 UTC 2015

check the rights on:
/var/lib/samba/private/dns.keytab 640 root:bind

/var/lib/samba/private/dns 750 root:bind

/var/lib/samba/private/sam.ldb.d 750 root:bind


>-----Original message-----
>From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Roel van Meer
>Sent: Thursday, 6 August 2015 8:55
>To: samba at lists.samba.org
>Subject: [Samba] 2nd DC, internal DNS: dns_tkey_negotiategss: TKEY is unacceptable
>Hi everyone,
>I'm testing with a Samba4 AD network, and I have some problems with DNS on the second DC, with which I could use a bit of your help.
>I have an AD with two DC's, both Samba 4.2.3.  On the first DC,  
>samba_dnsupdate works fine.  With stock 4.2.3 I get the error
>  "TSIG error with server: tsig verify failure"
>but the DNS updates succeed anyway, and after applying Gunther 
>Kukkukk's patch from
>the error is gone.  So no problems there.
>However, on the second DC samba_dnsupdate does not work.  I get the error
>  "dns_tkey_negotiategss: TKEY is unacceptable"
>Problem is: I don't really know where to look.  On the first DC (dev), the ticket cache used by samba_dnsupdate contains:
>  root at dev:~# klist -c /tmp/tmpoFYYga
>  Ticket cache: FILE:/tmp/tmpoFYYga
>  Default principal: DEV$@EXAM.CORP
>  Valid starting       Expires              Service principal
>  08/06/2015 08:17:43  08/06/2015 18:17:43  krbtgt/EXAM.CORP at EXAM.CORP
>  08/06/2015 08:17:43  08/06/2015 18:17:43  DNS/dev.exam.corp at EXAM.CORP
>On the second DC (dc2) the ticket cache looks like:
>  root at dc2:~# klist -c /tmp/tmpzCc55h
>  Ticket cache: FILE:/tmp/tmpzCc55h
>  Default principal: DC2$@EXAM.CORP
>  Valid starting       Expires              Service principal
>  08/06/2015 08:18:29  08/06/2015 18:18:29  krbtgt/EXAM.CORP at EXAM.CORP
>  08/06/2015 08:18:29  08/06/2015 18:18:29  DNS/dev.exam.corp at EXAM.CORP
>which smells incorrect, because it has a service principal for 
>instead of dc2.exam.corp?
>The file /etc/krb5.conf looks like this on both servers: 
>  [libdefaults]
>        default_realm = EXAM.CORP
>        dns_lookup_realm = false
>        dns_lookup_kdc = false
>Could anyone please give me a hint on where to look further, or which docs to read to get this working?
>Thanks a lot,
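A permission audit for the three paths named in the reply above, as an added example (not code from the list post or from Samba); it assumes GNU stat (Linux) and defaults to the root:bind ownership and the 640/750 modes quoted there, so the DNS keytab stays readable by root and the BIND group only.

```shell
#!/bin/sh
# Added example: verify owner, group and mode of Samba's internal-DNS files.
# Paths are relative to a base directory so the same table can be run
# against the live /var/lib/samba/private or against a test copy.

# check_one BASE RELPATH MODE OWNER GROUP
# Prints one line per deviation; returns 0 when the entry matches.
check_one() {
    base=$1; rel=$2; want_mode=$3; want_owner=$4; want_group=$5
    path="$base/$rel"
    if [ ! -e "$path" ]; then
        printf 'MISSING  %s\n' "$path"
        return 1
    fi
    # GNU stat: %a = octal mode, %U = owner name, %G = group name
    set -- $(stat -c '%a %U %G' "$path")
    have_mode=$1; have_owner=$2; have_group=$3
    rc=0
    if [ "$have_mode" != "$want_mode" ]; then
        printf 'MODE     %s: have %s, want %s\n' "$path" "$have_mode" "$want_mode"
        rc=1
    fi
    if [ "$have_owner:$have_group" != "$want_owner:$want_group" ]; then
        printf 'OWNER    %s: have %s:%s, want %s:%s\n' "$path" \
            "$have_owner" "$have_group" "$want_owner" "$want_group"
        rc=1
    fi
    return $rc
}

# audit_dns_perms BASE [OWNER GROUP]
# Checks the three entries from the reply; returns the number of failing entries.
audit_dns_perms() {
    base=$1; owner=${2:-root}; group=${3:-bind}
    failures=0
    # "relpath mode" pairs: the values quoted in the reply
    for entry in 'dns.keytab 640' 'dns 750' 'sam.ldb.d 750'; do
        set -- $entry
        check_one "$base" "$1" "$2" "$owner" "$group" || failures=$((failures + 1))
    done
    return $failures
}

# Run against the live directory when present (i.e. on the DC itself).
if [ -d /var/lib/samba/private ]; then
    audit_dns_perms /var/lib/samba/private && echo 'DNS key files have the expected rights'
fi
```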
