[Samba] 2nd DC, internal DNS: dns_tkey_negotiategss: TKEY is unacceptable

Brady, Mike mike.brady at devnull.net.nz
Thu Aug 6 08:16:47 UTC 2015


On 2015-08-06 18:55, Roel van Meer wrote:
> Hi everyone,
> 
> I'm testing with a Samba4 AD network, and I have some problems with
> DNS on the second DC, with which I could use a bit of your help.
> 
> I have an AD with two DC's, both Samba 4.2.3.  On the first DC,
> samba_dnsupdate works fine.  With stock 4.2.3 I get the error
> 
>  "TSIG error with server: tsig verify failure"
> 
> but the DNS updates succeed anyway, and after applying Gunther
> Kukkukk's patch from
> https://lists.samba.org/archive/samba-technical/2013-February/090408.html
>  the error is gone.  So no problems there.
> 
> However, on the second DC samba_dnsupdate does not work.  I get the 
> error
> 
>  "dns_tkey_negotiategss: TKEY is unacceptable"
> 
> Problem is: I don't really know where to look.  On the first DC (dev),
> the ticket cache used by samba_dnsupdate contains:
> 
>  root at dev:~# klist -c /tmp/tmpoFYYga
>  Ticket cache: FILE:/tmp/tmpoFYYga
>  Default principal: DEV$@EXAM.CORP
> 
>  Valid starting       Expires              Service principal
>  08/06/2015 08:17:43  08/06/2015 18:17:43  krbtgt/EXAM.CORP at EXAM.CORP
>  08/06/2015 08:17:43  08/06/2015 18:17:43  DNS/dev.exam.corp at EXAM.CORP
> 
> On the second DC (dc2) the ticket cache looks like:
> 
>  root at dc2:~# klist -c /tmp/tmpzCc55h
>  Ticket cache: FILE:/tmp/tmpzCc55h
>  Default principal: DC2$@EXAM.CORP
> 
>  Valid starting       Expires              Service principal
>  08/06/2015 08:18:29  08/06/2015 18:18:29  krbtgt/EXAM.CORP at EXAM.CORP
>  08/06/2015 08:18:29  08/06/2015 18:18:29  DNS/dev.exam.corp at EXAM.CORP
> 
> which smells incorrect, because it has a service principal for
> dev.exam.corp instead of dc2.exam.corp?
> 
> The file /etc/krb5.conf looks like this on both servers:
> 
>  [libdefaults]
>        default_realm = EXAM.CORP
>        dns_lookup_realm = false
>        dns_lookup_kdc = false
> 
> 
> Could anyone please give me a hint on where to look further, or which
> docs to read to get this working?
> 
> Thanks a lot,
> 
> Roel

https://wiki.samba.org/index.php/Dns_tkey_negotiategss:_TKEY_is_unacceptable
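A small check that automates the comparison Roel made by eye, added here as an example and not part of either message: it parses klist output (the two caches quoted above, re-typed with "@" where the archive prints " at ") and flags a cache whose DNS/ service ticket is not for the local DC. The klist date format, and the local FQDN and realm passed as arguments, are assumptions.

```python
import re

# Constructed from the klist output quoted in the thread
# (samba_dnsupdate's temporary credential cache on each DC).
KLIST_DEV = """Ticket cache: FILE:/tmp/tmpoFYYga
Default principal: DEV$@EXAM.CORP

Valid starting       Expires              Service principal
08/06/2015 08:17:43  08/06/2015 18:17:43  krbtgt/EXAM.CORP@EXAM.CORP
08/06/2015 08:17:43  08/06/2015 18:17:43  DNS/dev.exam.corp@EXAM.CORP
"""

KLIST_DC2 = """Ticket cache: FILE:/tmp/tmpzCc55h
Default principal: DC2$@EXAM.CORP

Valid starting       Expires              Service principal
08/06/2015 08:18:29  08/06/2015 18:18:29  krbtgt/EXAM.CORP@EXAM.CORP
08/06/2015 08:18:29  08/06/2015 18:18:29  DNS/dev.exam.corp@EXAM.CORP
"""

# Assumption: klist prints MM/DD/YYYY HH:MM:SS timestamps (locale dependent).
TICKET_RE = re.compile(
    r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\s+"
    r"\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\s+(?P<princ>\S+)$"
)


def parse_klist(text):
    """Return (default principal, [service principals]) from klist output."""
    default, services = None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Default principal:"):
            default = line.split(":", 1)[1].strip()
            continue
        m = TICKET_RE.match(line)
        if m:
            services.append(m.group("princ"))
    return default, services


def check_dns_ticket(klist_text, local_fqdn, realm):
    """True if the cache holds a DNS/<local_fqdn> ticket, else False with detail.

    A DNS/ ticket for another host's name is the mismatch seen on dc2 above."""
    default, services = parse_klist(klist_text)
    expected = f"DNS/{local_fqdn}@{realm}"
    dns_tickets = [s for s in services if s.startswith("DNS/")]
    if expected in dns_tickets:
        return True, f"{default}: DNS ticket matches local host ({expected})"
    return False, f"{default}: expected {expected}, found {dns_tickets or 'none'}"
```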
