[Samba] 2nd DC, internal DNS: dns_tkey_negotiategss: TKEY is unacceptable - SOLVED

Rowland Penny rowlandpenny241155 at gmail.com
Thu Aug 6 08:16:01 UTC 2015


On 06/08/15 09:08, Roel van Meer wrote:
> L.P.H. van Belle writes:
>
>> is the time in sync on your servers ?
>
> Yes it is.
>
> I managed to make it work by specifying the primary DC as nameserver 
> in /etc/resolv.conf of the secondary DC. As soon as I do that, 
> samba_dnsupdate works on the secondary. When I change it back to use 
> the local Samba as resolver, it no longer works.

As you have 2 DCs, /etc/resolv.conf on both machines should contain this:

search <your dns domain>
nameserver <your other DC>
nameserver <this DC>

i.e. each DC should use the other for DNS resolving.

Rowland

>
> So it is a DNS issue (possibly related to replication problems? I 
> don't know.)
>
> Anyway, this works. On to the next step.
>
> Thanks a lot!
>
> Roel
>
>
>> >-----Original message-----
>> >From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Roel van Meer
>> >Sent: Thursday 6 August 2015 9:28
>> >To: samba at lists.samba.org
>> >Subject: Re: [Samba] 2nd DC, internal DNS: dns_tkey_negotiategss: TKEY is unacceptable
>> >
>> >L.P.H. van Belle writes:
>> >
>> >> check the rights on :
>> >> /var/lib/samba/private/dns.keytab 640 root:bind
>> >> /var/lib/samba/private/dns 750 root:bind
>> >> /var/lib/samba/private/sam.ldb.d 750 root:bind
>> >
>> >I'm using the internal DNS on both DCs, so I guess bind access rights
>> >aren't the issue.
>> >
>> >Thanks for your answer though :)
>> >
>> >Regards,
>> >
>> >Roel
>> >
>> >
>> >> >-----Original message-----
>> >> >From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Roel van Meer
>> >> >Sent: Thursday 6 August 2015 8:55
>> >> >To: samba at lists.samba.org
>> >> >Subject: [Samba] 2nd DC, internal DNS: dns_tkey_negotiategss: TKEY is unacceptable
>> >> >
>> >> >Hi everyone,
>> >> >
>> >> >I'm testing with a Samba4 AD network, and I have some problems with
>> >> >DNS on the second DC, with which I could use a bit of your help.
>> >> >
>> >> >I have an AD with two DCs, both Samba 4.2.3.  On the first DC,
>> >> >samba_dnsupdate works fine.  With stock 4.2.3 I get the error
>> >> >
>> >> >  "TSIG error with server: tsig verify failure"
>> >> >
>> >> >but the DNS updates succeed anyway, and after applying Gunther
>> >> >Kukkukk's patch from
>> >> >https://lists.samba.org/archive/samba-technical/2013-February/090408.html
>> >> >the error is gone.  So no problems there.
>> >> >
>> >> >However, on the second DC samba_dnsupdate does not work.  I get the error
>> >> >
>> >> >  "dns_tkey_negotiategss: TKEY is unacceptable"
>> >> >
>> >> >Problem is: I don't really know where to look.  On the first DC (dev),
>> >> >the ticket cache used by samba_dnsupdate contains:
>> >> >
>> >> >  root@dev:~# klist -c /tmp/tmpoFYYga
>> >> >  Ticket cache: FILE:/tmp/tmpoFYYga
>> >> >  Default principal: DEV$@EXAM.CORP
>> >> >
>> >> >  Valid starting       Expires              Service principal
>> >> >  08/06/2015 08:17:43  08/06/2015 18:17:43  krbtgt/EXAM.CORP@EXAM.CORP
>> >> >  08/06/2015 08:17:43  08/06/2015 18:17:43  DNS/dev.exam.corp@EXAM.CORP
>> >> >
>> >> >On the second DC (dc2) the ticket cache looks like:
>> >> >
>> >> >  root@dc2:~# klist -c /tmp/tmpzCc55h
>> >> >  Ticket cache: FILE:/tmp/tmpzCc55h
>> >> >  Default principal: DC2$@EXAM.CORP
>> >> >
>> >> >  Valid starting       Expires              Service principal
>> >> >  08/06/2015 08:18:29  08/06/2015 18:18:29  krbtgt/EXAM.CORP@EXAM.CORP
>> >> >  08/06/2015 08:18:29  08/06/2015 18:18:29  DNS/dev.exam.corp@EXAM.CORP
>> >> >
>> >> >which smells incorrect, because it has a service principal for
>> >> >dev.exam.corp instead of dc2.exam.corp?
>> >> >
>> >> >The file /etc/krb5.conf looks like this on both servers:
>> >> >
>> >> >  [libdefaults]
>> >> >        default_realm = EXAM.CORP
>> >> >        dns_lookup_realm = false
>> >> >        dns_lookup_kdc = false
>> >> >
>> >> >
>> >> >Could anyone please give me a hint on where to look further,
>> >> >or which docs to read to get this working?
>> >> >
>> >> >Thanks a lot,
>> >> >
>> >> >Roel
>> >> >
>> >> >--
>> >> >To unsubscribe from this list go to the following URL and read the
>> >> >instructions: https://lists.samba.org/mailman/options/samba
>> >> >
>> >> >
>> >
>> >
>> >
>
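The thread turns on two observations: dc2's ticket cache holds a DNS/ service ticket for the other DC (dev.exam.corp) rather than for itself, and samba_dnsupdate only works once /etc/resolv.conf on dc2 lists the other DC first, as Rowland recommends. The following diagnostic is an added example, not code from the thread or from Samba; the klist dump mirrors the one posted for dc2, and the resolv.conf texts and the 192.0.2.x addresses (192.0.2.1 standing for dev, 192.0.2.2 for dc2) are constructed.

```python
# Added diagnostic (not from the thread): checks the two things the thread turns on.
# Sample inputs below are constructed; the klist dump mirrors the one posted for dc2.

KLIST_DC2 = """\
Ticket cache: FILE:/tmp/tmpzCc55h
Default principal: DC2$@EXAM.CORP

Valid starting       Expires              Service principal
08/06/2015 08:18:29  08/06/2015 18:18:29  krbtgt/EXAM.CORP@EXAM.CORP
08/06/2015 08:18:29  08/06/2015 18:18:29  DNS/dev.exam.corp@EXAM.CORP
"""

# Constructed addresses: 192.0.2.1 stands for the first DC (dev), 192.0.2.2 for dc2.
RESOLV_SELF_ONLY = "search exam.corp\nnameserver 192.0.2.2\n"
RESOLV_PEER_FIRST = "search exam.corp\nnameserver 192.0.2.1\nnameserver 192.0.2.2\n"


def service_principals(klist_output):
    """Return every service principal (svc/host@REALM) listed in a klist dump."""
    spns = []
    for line in klist_output.splitlines():
        fields = line.split()
        # Ticket rows have 5 fields: date, time, date, time, principal.
        if len(fields) == 5 and "/" in fields[4] and "@" in fields[4]:
            spns.append(fields[4])
    return spns


def check_dns_ticket(klist_output, local_fqdn):
    """Flag a DNS/ ticket issued for a host other than this DC (the dc2 symptom)."""
    hosts = [spn.split("/", 1)[1].split("@", 1)[0]
             for spn in service_principals(klist_output) if spn.startswith("DNS/")]
    wrong = [h for h in hosts if h.lower() != local_fqdn.lower()]
    return {"dns_hosts": hosts, "wrong_host": wrong, "ok": bool(hosts) and not wrong}


def check_resolv_conf(text, own_ip, peer_ip):
    """Verify the recommended layout: the other DC is listed first, this DC second."""
    nameservers = [f[1] for f in (line.split() for line in text.splitlines())
                   if len(f) >= 2 and f[0] == "nameserver"]
    return {"nameservers": nameservers, "ok": nameservers[:2] == [peer_ip, own_ip]}


if __name__ == "__main__":
    print(check_dns_ticket(KLIST_DC2, "dc2.exam.corp"))
    print(check_resolv_conf(RESOLV_SELF_ONLY, "192.0.2.2", "192.0.2.1"))
    print(check_resolv_conf(RESOLV_PEER_FIRST, "192.0.2.2", "192.0.2.1"))
```

On a real DC, feed it the output of `klist -c <cache>` and the contents of /etc/resolv.conf; a `wrong_host` entry or `ok: False` on the resolver check reproduces the two findings from the thread.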



